Here are the four most common mistakes that dentists make when it comes to HIPAA.
As many of you are aware, patient privacy and data security have taken center stage over the past two decades. It started with HIPAA in 1996, then the HITECH Act in 2009 and the “final” HIPAA law, the Omnibus Rules, which were enacted in March 2013 with a September 2013 deadline.
While many practices have taken some of the steps necessary to become compliant, such as having written policies and procedures, we have yet to find a dental practice that is even close to being totally compliant. The reason is that many practices are unaware of the newer rules that must be followed. The purpose of this article is to identify the four things we see most frequently in dental offices that would not meet the HIPAA regulations.
Not encrypting patient data
Unfortunately, many practices don’t understand the need for encryption. HIPAA has defined encryption as an “addressable” concern, meaning that if it is reasonable and appropriate, you must do it. If it is not reasonable, then you must either implement an alternative or document why you don’t think it is reasonable. This is NOT a get-out-of-jail-free card! The problem is that encrypting your data is both reasonable and appropriate. Always hire a professional IT company such as ClearDental to handle these encryption setups for you. ClearDental offers complete HIPAA-compliant encryption solutions. The cost to encrypt all your data is minimal compared to the fines and the loss of patients that follow a breach notification.
Not backing up patient data regularly
While none of us would argue against the need for backing up data and having a good disaster recovery plan in place, few practices realize there are numerous HIPAA regulations that specifically address this. The backup must be encrypted, you must be able to restore any lost data, it must be stored offsite and you must test it on a regular basis. This means the typical dental office, which backs up to unencrypted hard drives that aren’t removed from the office regularly and aren’t verified, is at very high risk of a breach. Breaches are devastating for a practice, as you need to notify all patients in writing, notify the local media and have your practice listed on the Health and Human Services website, where you’d join the 1,100+ practices as of this writing that are also on that site.
A local image of your server on an encrypted device, combined with online backup (also encrypted), is your best defense against all of this. ClearDental has the very best option for you.
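The “you must be able to restore it and test it regularly” part of the rule above is the one most offices never exercise. The script below is an added example (not ClearDental’s software or anything from the original article) of a restore drill: it records a SHA-256 manifest of the files at backup time, writes the archive, restores it into a scratch directory and checks every file against the manifest, then deliberately damages one byte of the stored data to show that the drill catches silent media corruption. Encryption of the archive is assumed to be handled by whatever backup tool or encrypted device the office uses; the file names and contents are constructed for the demonstration.

```python
import hashlib
import struct
import tempfile
import zipfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large radiograph images need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source: Path) -> dict:
    """Map every file under `source` (as a relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(source).as_posix(): sha256_file(p)
        for p in sorted(source.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Write a zip of `source` and return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for rel in manifest:
            zf.write(source / rel, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore into a scratch directory and compare every file with the manifest.

    Returns a list of problems; an empty list means the drill passed."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch)
        try:
            with zipfile.ZipFile(archive) as zf:
                zf.extractall(restored)
        except Exception as exc:  # truncated or corrupted archive
            return [f"restore failed: {exc}"]
        for rel, expected in manifest.items():
            target = restored / rel
            if not target.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(target) != expected:
                problems.append(f"hash mismatch after restore: {rel}")
        extra = sorted(set(build_manifest(restored)) - set(manifest))
        problems.extend(f"unexpected file in restore: {rel}" for rel in extra)
    return problems


def corrupt_stored_data(archive: Path, member: str) -> None:
    """Flip one byte inside `member`'s compressed data to mimic media bit rot."""
    with zipfile.ZipFile(archive) as zf:
        info = zf.getinfo(member)
    raw = bytearray(archive.read_bytes())
    # Local file header: 30 fixed bytes, then the filename and extra field,
    # whose lengths are stored at offsets 26 and 28 of the header.
    name_len, extra_len = struct.unpack_from("<HH", raw, info.header_offset + 26)
    data_start = info.header_offset + 30 + name_len + extra_len
    raw[data_start + info.compress_size // 2] ^= 0xFF
    archive.write_bytes(bytes(raw))


def run_drill() -> tuple:
    """Constructed demonstration: an intact backup passes, a damaged one fails."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "practice_data"
        (source / "charts").mkdir(parents=True)
        (source / "images").mkdir()
        (source / "charts" / "chart_0001.txt").write_bytes(b"constructed sample chart\n")
        (source / "images" / "xray_0001.bin").write_bytes(bytes(range(256)) * 64)

        archive = Path(work) / "backup.zip"
        manifest = create_backup(source, archive)
        intact = verify_restore(archive, manifest)

        corrupt_stored_data(archive, "images/xray_0001.bin")
        damaged = verify_restore(archive, manifest)
    return intact, damaged


if __name__ == "__main__":
    ok, bad = run_drill()
    print("intact archive problems:", ok)
    print("damaged archive problems:", bad)
```

Keep the manifest with the backup but on separate media: a backup that restores without error yet does not match the manifest is exactly the failure mode a monthly drill is meant to surface before you ever need the restore for real.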
Sending sensitive patient information through email
HIPAA refers to any data that is sent over email or the Internet as “data in motion.” The basic rule is that if you send electronic protected health information (ePHI) over the Internet, you must take steps to ensure the data is protected and secure. The problem with most email systems is that they are anything but secure!
Most email systems, like Gmail, Yahoo and even Outlook, are not encrypted, even though HIPAA highly recommends encryption. The other problem is that when you send an email to another office, it doesn’t go directly to that person; it passes through multiple servers, called hops, before reaching its final destination. And, in most cases, those servers are not secure.
You really have two options. If you are sending ePHI, you need to encrypt your outbound emails. ClearDental offers a great solution for this: with a low setup fee and monthly cost, it is easy to set up and works with your existing email address. The other option is to de-identify the email. For example, you can send a digital X-ray image, but it can’t contain any patient information: no names, no initials, no chart ID, no DOB, no full-face photo, nothing that would allow another person to identify whom that X-ray image belongs to.
Not restricting access to patient information
While HIPAA involves some technical and physical safeguards, the administrative safeguards make up more than 50 percent of the rules. You need to make sure only specific people can access patient information. You need to log which employees have access, when they accessed it, what they did with that data, etc. Many of these are part of the privacy rule, which includes non-electronic data. Don’t leave charts lying around unattended. Don’t throw old charts in the trash. Secure the charts at night. Be careful what labels and markings you put on the outside of charts. The list goes on and on.
Practices that are interested in becoming more HIPAA-compliant should consider working with a HIPAA professional who can assist them. While 100-percent compliance isn’t realistic, the HIPAA auditors are looking for VDE: visibly demonstrable evidence. In other words, making a good effort and having proof of that effort can go a long way toward mitigating what could potentially be well over $1.5 million in fines.
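Logging who opened which chart is only useful if the log cannot be quietly edited and if someone actually reviews it. The following is an added example, not code from the article or from ClearDental, of a small tamper-evident access log and a review pass over it: each record is chained to the previous one with an HMAC, so changing or deleting an entry breaks every hash after it, and the review flags the three patterns an auditor would ask about first: access by an account that is not on the authorized list, access outside office hours, and one account pulling an unusual number of charts in a day. The user names, patient IDs, office hours, threshold and key are all constructed for the demonstration; a real key belongs in a secret store, not in the script.

```python
import hashlib
import hmac
import json
from collections import defaultdict
from datetime import datetime, time

# Everything below is constructed for the example; none of it is real patient data.
AUTHORIZED_USERS = {"dr.smith", "hygienist.lee", "frontdesk.ana"}
OFFICE_HOURS = (time(7, 0), time(19, 0))
BULK_THRESHOLD = 5  # distinct charts per user per day before the access is reviewed
LOG_KEY = b"constructed-demo-key-keep-real-keys-in-a-secret-store"


def _record_hash(prev_hash: str, event: dict) -> str:
    """HMAC over the previous record's hash plus the canonical JSON of this event."""
    payload = prev_hash.encode() + json.dumps(event, sort_keys=True).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()


def append_event(log: list, event: dict) -> list:
    """Append an access event to the chained log and return the log."""
    prev_hash = log[-1]["hash"] if log else "0" * 64
    log.append({"event": event, "hash": _record_hash(prev_hash, event)})
    return log


def verify_chain(log: list) -> int:
    """Return -1 if every record checks out, else the index of the first bad record."""
    prev_hash = "0" * 64
    for i, record in enumerate(log):
        expected = _record_hash(prev_hash, record["event"])
        if not hmac.compare_digest(record["hash"], expected):
            return i
        prev_hash = record["hash"]
    return -1


def review(log: list) -> list:
    """Flag unauthorized users, after-hours access and bulk chart access."""
    findings = []
    charts_per_user_day = defaultdict(set)
    for record in log:
        ev = record["event"]
        when = datetime.fromisoformat(ev["ts"])
        if ev["user"] not in AUTHORIZED_USERS:
            findings.append(("unauthorized-user", ev["user"], ev["patient"]))
        if not OFFICE_HOURS[0] <= when.time() <= OFFICE_HOURS[1]:
            findings.append(("after-hours", ev["user"], ev["ts"]))
        charts_per_user_day[(ev["user"], when.date())].add(ev["patient"])
    for (user, day), patients in charts_per_user_day.items():
        if len(patients) >= BULK_THRESHOLD:
            findings.append(("bulk-access", user, f"{len(patients)} charts on {day}"))
    return findings


def build_sample_log() -> list:
    """Constructed sample of one day's chart activity in a small office."""
    events = [
        {"ts": "2024-03-04T08:05:00", "user": "frontdesk.ana", "patient": "P-1001", "action": "view"},
        {"ts": "2024-03-04T08:10:00", "user": "dr.smith", "patient": "P-1001", "action": "update"},
        {"ts": "2024-03-04T12:40:00", "user": "temp.contractor", "patient": "P-1002", "action": "view"},
        {"ts": "2024-03-04T22:15:00", "user": "hygienist.lee", "patient": "P-1003", "action": "view"},
    ]
    # Five more charts exported by the front desk account within ten minutes,
    # six distinct charts for that account on the day: worth a question.
    events += [
        {"ts": f"2024-03-04T16:{m:02d}:00", "user": "frontdesk.ana",
         "patient": f"P-20{m:02d}", "action": "export"}
        for m in range(30, 40, 2)
    ]
    log = []
    for ev in events:
        append_event(log, ev)
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", verify_chain(sample) == -1)
    for finding in review(sample):
        print(*finding)
```

The review runs the same way over a log exported from practice-management software, provided each entry carries a timestamp, the account, the chart touched and the action; the chain check is what lets you show an auditor that the log you are presenting is the log that was written.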
If you are concerned about your HIPAA compliance and want to schedule an evaluation with ClearDental, please call us today.