As a dental practitioner, when was the last time you thought about HIPAA compliance? Are you aware that rules regarding the storing and sharing of protected health information have been changing over the last decade? Do you have a plan in place to address the new laws the Omnibus final ruling in 2013 created? The new laws allow for a $50,000 fine per patient record breach with a maximum fine of $1.5 million per year. These hefty fines could bankrupt a smaller practice and the negative press from a data breach will affect any practice large or small.
HIPAA compliance can be overwhelming if you don’t already have a good plan in place. My experience working as an IT consultant for local dental practices in the Saint Louis, Missouri area has forced me to become familiar with HIPAA laws to be able to provide compliant solutions to my clients. Whether you have an existing HIPAA plan in place or not, I hope I can explain some areas of HIPAA compliance you had not previously considered.
HIPAA stands for the Health Insurance Portability and Accountability Act. As it pertains to technology, we are mainly concerned with the word accountability. Accountability in this context means many things. HIPAA requires that you control access to PHI (protected health information). You must provide proper electronic storage for your PHI. All physical storage spaces must be secure. You and your employees shouldn’t be sending PHI via standard email attachment. Any wired and wireless networks have to be secure. Your IT providers and other contractors must be HIPAA compliant. And finally, a large part of HIPAA compliance is having a written plan in place to address all of these subjects.
When I begin working on a HIPAA plan with a new client, I start with controlling access to PHI. Every employee of your practice must have a unique username and regularly changing password to login to their workstation. This way you have a log of who used which workstation and when they were accessing specific files. Your compliance plan should include a section on what happens when an employee is terminated: which user accounts need to be deleted, if keys and alarm codes need to be changed, and who needs to be notified in the case of a termination (i.e. your IT provider). If an employee is terminated and all employees share the same login, it is difficult to prevent the former employee from accessing your systems. With unique usernames and passwords, it is easy to control access.
It is always a best practice for your users to lock their workstation any time they leave it unattended. However, people can be forgetful. To prevent unintended access to PHI, your workstations should be set to lock automatically after a period of inactivity. Additionally, on computer screens that are visible to people besides your employees, privacy filters should be installed. A privacy filter is a piece of polarized film that is applied to the monitor so that only a person directly in front of the monitor can see what is being displayed. Anyone viewing the monitor from an off-axis angle just sees a black screen. Many times a practice will have computer monitors in the front desk area that are clearly viewable by patients in the waiting room. If this is the case, a snooping patient could be seeing sensitive information. This would be considered a breach under HIPAA rules.
Proper storage of PHI is commonly an area I see go unaddressed with many of my new clients. PHI should always be encrypted wherever it is being stored. This may sound like an expensive proposition; but it generally doesn’t cost much to implement. All modern Windows Server operating systems have built in encryption software called BitLocker that can be enabled on whichever drives PHI is being stored. Encryption should be enabled on both a server’s internal hard drives and the external backup drives. Encryption also applies to any online or cloud backup software. Most online data backup providers do allow for encryption. But be sure to pick a provider that is HIPAA compliant and doesn’t store your encryption keys anywhere on their servers. Only you should have access to your encryption keys.
Many dental practices do not have a dedicated server room to store their server and backup drives. Some practices have a small closet with a locking door. While other providers place their server and backup drives right out in the open. It is not always practical to build a server closet or a server room in your office. In that case, it is important that your server is physically attached to something. If your office is broken into, you want it to be difficult for a thief to walk away with a server filled with PHI. A cable with a Kensington style lock works with most tower servers to physically attach them to something immovable. And if your server is rack mounted, make sure the server is bolted into the rack. If your external backup drives are encrypted, it is not as important to have them physically attached to something as the data stored on them is useless without the encryption keys. However, if you can’t encrypt them, they should be attached with a Kensington style lock as well. If your server and backup drives sit behind a locked door and are secure from potential thieves, pat yourself on the back; you are already a step ahead of many practices.
Sending PHI via email is something that HIPAA rules have made more difficult. The problem with most email systems is a lack of end to end encryption. If there isn’t encryption all the way from the sender to the intended recipient, PHI can be breached. If you are going to send a client’s PHI via email, you should make use of an encryption service like Virtru or Mail 2 Cloud. These services allow you to send PHI as a secure attachment to an email. The patient or medical provider that you are sending the email to has to create a username and password to download and view the secure attachment. This prevents the data from being intercepted during transmission and from being opened by an unintended recipient on the other end.
Many of my clients provide free WiFi to their patients. This is a great way to keep patients happy while they wait, but it can open a huge security hole if not implemented properly. It is important that both your internal and guest wireless networks are secured and encrypted. But beyond that, it is imperative that they are separated from each other. Internal and guest wireless networks shouldn’t communicate with each other at all. If you’re not sure if your WiFi networks are secure and segregated, you should contact an IT professional to have your networks inspected and secured.
Your wired network must be secured as well. This includes having a proper firewall to protect you from threats outside your network and limiting physical access to network ports inside your network. Business class firewalls can be properly configured to prevent intrusion. And you should never install a network port in an area where patients will be left unattended like your waiting room.
Many dental practices don’t ensure that their sub-contractors are following HIPAA compliance guidelines. To be HIPAA compliant, a practice must have a business associate contract on file with anyone who might have access to the practice’s protected health information. A business associate contract outlines how the business associate is allowed to handle PHI, how they will protect the PHI, and what they will do in the case of a PHI breach. When looking for an IT provider, you should ensure that the provider is familiar with HIPAA compliance laws and following all HIPAA rules when providing service for you. If an IT provider will not sign a HIPAA business associate contract, you should not work with them.
Once a dental practice has decided on a plan to address all areas of HIPAA compliance, that plan should be well documented and available to the US Department of Health and Human Services upon request. In addition, a single employee of the practice should be designated as the HIPAA compliance officer. It is the compliance officer’s job to make sure that all employees are aware of HIPAA rules and are following them. Having a written plan will allow the compliance officer to hold the entire practice accountable and work to prevent PHI breaches. For information on the other aspects of HIPAA that I didn’t cover, please visit the official HIPAA government website.
If after you read this article you can confidently say that you have addressed all of these concerns, I commend you. Many practices don’t have the time or energy to design or enforce a comprehensive HIPAA compliance plan. But a lack of time and energy is an excuse that will not fly with the US Department of Health and Human Services. If you haven’t started your HIPAA plan, you should schedule some time now to meet with your IT provider. You don’t want to be on the receiving end of a hefty fine or the bad press that will come when you are forced to list yourself on the HHS.gov breach list as a provider that has had a PHI breach.
J.J. Micro LLC IT Consulting will provide a free HIPAA consultation for your practice. Please give us a call at 636-556-0009 and ask about our HIPAA checklist.