Patient privacy and data security have been concerns for dental practices in Utah and Idaho since 1996. That’s when HIPAA became a regulation that was strictly enforced by the U.S. Health and Human Services (HHS). In 2009, the HITECH Act was added, and finally, in 2013, the Omnibus Rules were implemented. These resulted in considerable changes in the way dental businesses transmitted and stored electronic Protected Health Information (ePHI), with hefty fines and penalties for those who didn’t comply.
Adhere To These 5 Standards
There are five overarching standards discussed within the HIPAA Technical Safeguards that you must comply with:
- Access Control – giving users rights and/or privileges to access and perform functions using information systems, applications, programs, or files.
- Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
- Integrity Controls – implementing policies and procedures for ePHI protection against alteration or destruction.
- Person or Entity Authentication – ensuring a person’s identity before giving him or her ePHI access.
- Transmission Security – guarding against unauthorized ePHI access when data is transmitted over an electronic communications network.
Comply With The HIPAA Security Rule
The HIPAA Security Rule offers a framework to protect ePHI (electronic Protected Health Information). HIPAA regulations mandate that any patient identifiers in written, verbal or electronic form be protected.
The Security Rule was written to be flexible so that it applies to healthcare organizations of every kind and size. Its implementation specifications fall under two categories: Required and Addressable. The Addressable category is sometimes mistaken for optional. It is not.
The US Department of Health & Human Services says:
“a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.”
For your dental practice to achieve HIPAA compliance, every part of the Security Rule must be addressed, including the way you handle electronic health information. This means you should set a high bar before deciding not to implement an Addressable item, and if you make that decision you must document it for HIPAA.
However, information technology brings many other considerations. If you are not up to date with the HIPAA Rules, a data breach investigation or HIPAA audit could still find you in non-compliance.
Comply With These 5 Newer HIPAA Rules
There are many dental practices in Utah and Idaho that aren’t 100 percent compliant. This is because they aren’t informed about the newer rules that must be complied with. The following are newer regulations that you may not be aware of.
1. Encrypt Patient Data.
Encryption is an effective way to protect your data and emails from intruders. It uses an algorithm to encode information. Cloud storage encryption ensures that documents are safely stored so that only authorized users can decrypt them. Even if your data is intercepted by cyber thieves, they won’t be able to read it. By practicing secure encryption key management, your IT service company can ensure that only authorized users will have access to your sensitive data.
However, because HIPAA defines encryption as an “addressable” specification (meaning you must implement it if it is reasonable and appropriate), some believe it is not required. It is.
Encrypting your data is both reasonable and appropriate. Ask your IT Service Provider about the best ways to encrypt your patient data. Remember, you must encrypt it both in transit and at rest.
And if a laptop that contains ePHI is lost or stolen, you will be in noncompliance unless both the data AND the device are encrypted. If they are not, you are required to report the loss to the federal government for investigation and to contact every patient whose data was stored on the device.
If the data AND device are encrypted, and they’re lost, you won’t have to report this to the authorities nor to your patients. And remember that your IT provider can deploy Mobile Device Monitoring to wipe the data from a lost machine. They can also direct you to laptops that automatically self-encrypt when you turn them off or close the lid.
2. Back Up Patient Data Regularly.
Believe it or not, few dentists realize that numerous HIPAA regulations specifically address the need to back up patient data. Your backups must be encrypted, and you must be able to readily recover and restore any lost data. ePHI must be backed up offsite, and backups must be tested for reliability on a regular basis. Unless your backups are stored on encrypted hard drives and removed from the office on a regular basis, you will be in noncompliance with HIPAA and exposed to data breaches.
Data breaches are devastating for dental practices. When this happens, in addition to notifying the authorities, you will need to notify all patients in writing, and notify the local media. And, your dental practice will be listed on the HHS Breach Portal (Wall of Shame).
3. Don’t Send ePHI Over Email Or In Text Messages.
If you’re using webmail services like Gmail, Hotmail, Yahoo!, or those provided by your Internet Service Provider (ISP), you could be in breach of HIPAA regulations. These services aren’t encrypted end to end and aren’t secure enough for sending ePHI. When you send an email to another office this way, it doesn’t go directly to that person; it passes through multiple servers before reaching its final destination. Nor will these services sign the Business Associate Agreement (BAA) that HIPAA requires.
To ensure you comply with HIPAA regulations, you need to use one of the following:
- A secure email solution and server that you own;
- An email encryption service from a provider who will sign a BAA; or
- The communications tools in your secure and certified Electronic Health Record (EHR) system.
Faxes are fine to use with business associates and entities that also comply with HIPAA, unless your system converts the fax into an email, and they should never be sent to a webmail account. Texting isn’t secure or HIPAA-compliant if you use a cellphone carrier’s system. Neither you nor your staff should ever text ePHI or other patient information, and be sure that the answering service you use doesn’t send texts containing patient information. Remember, whenever your dental practice sends ePHI by email, the outbound message must be encrypted. Your IT Service Company can help you do this.
4. Restrict Access To Patient Information.
You must ensure only authorized people can access patient information. And you must keep logs detailing who has access, when they accessed it, what they did with that data, etc.
Make sure that your computers are set to Auto-Lock. HIPAA regulations require audit trails that identify which users are accessing and have accessed patient health records. This means you must enforce security controls such as requiring each user to log on and off individually, prohibiting the sharing of passwords, and prohibiting piggybacking (where multiple employees use a computer during a single session), because an audit trail is only as good as its ability to tie each action to one person.
Automatic Logoff is also in the Addressable category under HIPAA, and the alternatives are expensive and very inconvenient. While you don’t strictly have to implement it, you must NEVER leave a computer unlocked when a patient is in the room. A dentist, hygienist or staff member must be present at all times when a computer is unlocked and a patient is in the room.
If Automatic Logoff seems too annoying, remember that there are convenient ways to log back on. Your Managed IT Provider can help with this, for example by equipping your computers with fingerprint readers or proximity cards.
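The audit-trail and auto-lock points above can be checked against the logs your systems already produce. The following is an added example, not code from the article or from SymTec: it assumes a simple constructed log format (timestamp, user, workstation, event) and a 15-minute lock threshold, and flags the same account active on two workstations at once (possible password sharing or piggybacking), an unlocked workstation left idle past the threshold, and chart access with no preceding logon that cannot be attributed to a person.

```python
import re
from datetime import datetime, timedelta
# Constructed sample audit trail (not from any real practice): time, user, workstation, event, detail
SAMPLE_LOG = """\
2024-03-04T08:00:00 jdoe WS-OP1 LOGON
2024-03-04T08:05:00 jdoe WS-OP1 OPEN_CHART patient=PT-0001
2024-03-04T08:06:00 jdoe WS-OP2 LOGON
2024-03-04T08:10:00 jdoe WS-OP2 LOGOFF
2024-03-04T08:30:00 jdoe WS-OP1 OPEN_CHART patient=PT-0003
2024-03-04T08:32:00 jdoe WS-OP1 LOGOFF
2024-03-04T09:15:00 asmith WS-OP1 LOGON
2024-03-04T09:20:00 asmith WS-OP1 LOCK
2024-03-04T09:55:00 asmith WS-OP1 UNLOCK
2024-03-04T10:00:00 bwong WS-OP3 OPEN_CHART patient=PT-0006
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")
IDLE_LIMIT = timedelta(minutes=15)  # assumed auto-lock threshold for the practice

def parse(log_text):
    events = []  # (timestamp, user, workstation, event), oldest first
    for m in map(LOG_RE.match, log_text.splitlines()):
        if m:
            ts, user, ws, event = m.groups()[:4]
            events.append((datetime.fromisoformat(ts), user, ws, event))
    return sorted(events)

def audit(events):
    findings, active, last = [], {}, {}  # active: user -> open workstations
    for ts, user, ws, event in events:
        key = (user, ws)
        if event == "LOGON":
            open_ws = active.setdefault(user, set())
            if open_ws:  # same account already live elsewhere: shared password?
                findings.append(f"{ts:%H:%M} {user}: concurrent session on {ws} while active on {sorted(open_ws)}")
            open_ws.add(ws)
            last[key] = (ts, False)
            continue
        if key not in last:  # activity with no logon cannot be tied to one person
            findings.append(f"{ts:%H:%M} {user}: {event} on {ws} with no LOGON (unattributed access)")
            last[key] = (ts, False)
            continue
        prev_ts, locked = last[key]
        if not locked and ts - prev_ts > IDLE_LIMIT:  # unlocked screen left idle
            findings.append(f"{ts:%H:%M} {user}: {ws} unlocked and idle {ts - prev_ts} before {event}")
        if event == "LOGOFF":
            active.get(user, set()).discard(ws)
            del last[key]
        else:
            last[key] = (ts, event == "LOCK")  # a LOCK means idle time is acceptable
    return findings
```

Running `audit(parse(SAMPLE_LOG))` on the constructed log yields three findings: jdoe's concurrent session, jdoe's 25-minute unlocked idle gap on WS-OP1, and bwong's chart access without a logon.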
In addition to ePHI, the Privacy Rule covers non-electronic data. Don’t leave patient charts and files lying around unattended, and don’t throw old charts in the trash.
5. Set Up A Business-Grade Firewall
To access the Internet, you need a router or firewall. Both direct traffic between two networks: your internal network and the Internet. A firewall also provides security features. But this doesn’t mean you should run out and purchase just any firewall.
A business-grade firewall blocks unauthorized access. It also filters traffic from the Internet to prevent viruses and malware from reaching your computers. This is required for HIPAA compliance.
A Managed IT Service provider can set this up properly. They can also employ Remote Management and Monitoring, which continually monitors and maintains your network for security and reliability and applies required updates and patches.
Ensure Your Dental Practice Meets All The New HIPAA Requirements – Work With A Managed IT Service Provider
Practices that are interested in becoming more HIPAA-compliant should consider working with a Managed IT Service Provider who is experienced in what dental practices in Idaho and Utah require.
Managed Service Providers like SymTec offer everything we discussed and more. We specialize in providing HIPAA-compliant IT service and solutions to dental practices in Utah and Idaho. We will also provide a signed Business Associate Agreement, which is likewise mandatory for HIPAA compliance.
Contact the Dental IT Compliance specialists at SymTec to learn more.