The Importance of HIPAA Technology Compliance
Article by Eric Soto
originally appeared in the San Fernando Valley Dental Society magazine, Spring 2016
The main purpose of the HIPAA security rule is to provide a national standard on how to access, store and transmit electronic patient health information.
Congress passed the HIPAA law in 1996 to require national standards for electronic healthcare transactions and data sets. Because Congress recognized that advances in electronic technology could erode the privacy of health information, it added provisions to the law requiring federal privacy protections for patient health information. These provisions led the government to adopt the HIPAA Security and Privacy Rules. HIPAA regulations had a massive update (the Omnibus Rule) in January 2013, an overhaul that increased protections on patients’ health information. The new rules more extensively hold second- and third-party businesses responsible for keeping Protected Health Information (PHI) private. This article focuses on technology solutions that address HIPAA security compliance.
HIPAA compliance is a journey, not a destination. It requires policies, procedures and system changes, and, let’s not forget, lots of training. The HIPAA Breach Notification Rule, 45 CFR § 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. When breaches of health information occur, they can have serious consequences for your dental practice, including reputational and financial harm as well as harm to your patients. Poor privacy and security practices heighten the vulnerability of patient information in your health information system. More practices are being fined than ever before. Here is a link to a website listing some of these offenders: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
I have put together a list of technology based solutions. Don’t be a victim: take action to protect your data! Let’s begin.
Server Encryption
A server handles the sharing and storage of all data on the network. This includes your patient information, imaging and documents. A security breach or theft of a server can lead to severe fines, loss of reputation and even result in practice closure due to breach notification requirements. Having an encrypted server would protect you from data breach notification requirements since the data on the server is not accessible. I recommend that you ensure your server is professionally encrypted. (You should also consider physically securing your server.)
Local Backup Encryption
Backup drives are frequently brought offsite for safe keeping; they can be misplaced, broken or even stolen. In the event a backup drive falls into the wrong hands, patients’ data can become compromised. Having encrypted local backup drives would protect you from data breach notification requirements since the data on the drives is not accessible. I recommend purchasing an encrypted local backup drive. (All old media must be disposed of properly.)
Encrypted Online Backup
Online backup is an essential part of data protection. Often offices are confident that they are backing up when in reality no one is checking the local backup. Online backups are generally automated and occur in the evening. I recommend you find a compliant, encrypted online backup service.
Email Encryption
Because email is so widely used, it is easy to unwittingly send patient information to the wrong recipient, violating HIPAA policy. A compliant email service requires that all recipients fill out a basic form and “check” a box, confirming they are the intended recipient. This releases your practice from liability and further protects your patients’ privacy. Free email services may be encrypted but are not compliant since they offer no verification of the intended recipient. I recommend implementing email encryption.
Upgrading to Windows 7 or Higher
Microsoft has discontinued updating and supporting Windows XP (end of life April 2014). This means that Windows XP machines will no longer receive security updates. Over time, computers still running Windows XP will become more susceptible to attacks, increasing both their vulnerability and the likelihood of PC problems. I recommend upgrading to Windows 7 Professional or higher today. It is often more cost effective to purchase a new computer.
HIPAA Compliant Router
A full 99% of dental practices today do not have a HIPAA compliant router. A compliant router requires a professional firewall to manage internet access ports. Also, it requires the ability to maintain a log file of internet activity. Finally, if you are offering your patients WiFi, a separate guest network feature will be required to protect your patients’ data. I recommend using a SonicWALL network security appliance.
Password Protected Systems
When seeking to ensure patient privacy, every step taken toward safeguarding sensitive data is an additional line of defense in your practice. Password protecting all computers on your network is the front line of protection for user accounts. You should also enable screen saver password protection so that a computer left idle for a specified time locks automatically. Privacy screens are further suggested in areas where patient data is visible to anyone not intended to view it. I recommend:
- Change default passwords.
- Use complex passwords.
- Change your passwords frequently.
- Use different passwords.
- Set session time-outs with passwords.
- Don’t sign on as an administrator to your computer.
Domain Environment
A domain contains a group of computers that are registered with the server, which controls what they may do. Setting up a custom domain also allows the administrator to track the individual files that users have accessed or deleted. I recommend that the server and workstations be configured in a domain environment that uses individual usernames. When a user does anything to a file, it can then be tracked and logged.
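The per-user file tracking described above is done on Windows file servers with object-access auditing: a system audit rule (SACL) on the shared folder plus the matching audit policy, after which every read, write or delete lands in the Security log under the account that did it. The following PowerShell script is an added example, not code from the article or from ICT; it assumes a domain file server on which it is run elevated, and `D:\PatientFiles` is a placeholder path standing in for the practice’s real share.

```powershell
# Added example, not from the article. Turns on per-user auditing of
# reads, writes and deletes under one shared folder on a domain file
# server, then reports who touched which file. Run elevated on the server.
# $SharePath is an assumed placeholder; use the share that holds practice data.
$SharePath = 'D:\PatientFiles'

# 1. Enable the Object Access > File System audit subcategory. Without it,
#    SACL entries on folders never produce Security log events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry on the share: audit success and failure for any
#    account reading, writing or deleting, inherited by all files below.
$acl  = Get-Acl -Path $SharePath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    'ReadData,WriteData,Delete,DeleteSubdirectoriesAndFiles',
    'ContainerInherit,ObjectInherit',
    'None',
    'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 3. Pull event 4663 ("an attempt was made to access an object"), which
#    names the account, the file and the access mask, and decode the mask.
function Get-FileAccessReport {
    param([string]$Path = $SharePath, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ObjectName'] -notlike "$Path*") { return }   # skip other objects (e.g. registry keys)
        $mask = [int]$data['AccessMask']
        $ops  = @()
        if ($mask -band 0x1)     { $ops += 'Read' }
        if ($mask -band 0x2)     { $ops += 'Write' }
        if ($mask -band 0x10000) { $ops += 'Delete' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            File   = $data['ObjectName']
            Access = ($ops -join ',')
        }
    }
}

Get-FileAccessReport -Hours 24 | Format-Table -AutoSize
```

Auditing reads on a busy share generates a large volume of 4663 events, so raise the maximum size of the Security log (or forward it to a collector) before enabling this, or the oldest entries will be overwritten before anyone reviews them. The report is only as good as the usernames behind it, which is why the shared “front desk” login the article warns against defeats the purpose.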
Updates and Antivirus
- Update the operating system (Windows) with the latest patches.
- Update your software with the latest patches.
- Always use a current professional antivirus program.
- Run security reports (Microsoft Baseline Security Analyzer). I recommend working with an IT provider that has verified that all Windows updates are compatible with your practice management software before deploying them.
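The password and screen-lock items and the update and antivirus items above are all settings a practice can check on each workstation rather than take on trust. The following PowerShell script is an added example, not code from the article or from ICT: it reads the relevant settings and reports pass or fail for each item without changing anything. It assumes Windows PowerShell 3.0 or later on a client edition of Windows (the Security Center namespace it queries is absent on Server editions), and the thresholds at the top are illustrative assumptions, not figures from the article.

```powershell
# Added example, not from the article. Read-only check of a workstation
# against the password/screen-lock and update/antivirus items above.
# Run in the user's normal (non-elevated) session; it changes nothing.
# Thresholds are assumptions for illustration, not figures from the article.
$MaxIdleSeconds  = 900   # auto-lock after 15 minutes idle
$MinPasswordLen  = 8
$MaxPasswordAge  = 90    # days
$MaxPatchAgeDays = 30

function Test-ScreenLock {
    # The Group Policy key overrides the per-user key, so check it first.
    $keys = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
            'HKCU:\Control Panel\Desktop'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $v = Get-ItemProperty -Path $k
        if ($null -eq $v.ScreenSaveActive) { continue }
        $timeout = [int]$v.ScreenSaveTimeOut
        return ($v.ScreenSaveActive -eq '1' -and $v.ScreenSaverIsSecure -eq '1' -and
                $timeout -gt 0 -and $timeout -le $MaxIdleSeconds)
    }
    return $false
}

function Test-NotAdmin {
    # whoami lists every group in the token, including BUILTIN\Administrators
    # (SID S-1-5-32-544), which UAC keeps in a non-elevated session as a
    # "deny only" group, so an admin working un-elevated is still flagged.
    return -not ((whoami /groups) -match 'S-1-5-32-544')
}

function Get-PasswordPolicy {
    # Parses the local policy printed by "net accounts" (add /domain on a
    # domain-joined PC to read the domain policy instead).
    $policy = @{ MinLength = 0; MaxAgeDays = 'Unlimited' }
    foreach ($line in (net accounts)) {
        if ($line -match '^Minimum password length:\s+(\d+)')       { $policy.MinLength  = [int]$Matches[1] }
        if ($line -match '^Maximum password age \(days\):\s+(\S+)') { $policy.MaxAgeDays = $Matches[1] }
    }
    return $policy
}

function Test-PatchesCurrent {
    # Get-HotFix lists only update packages registered as QFEs, so a recent
    # date is a good sign rather than proof that nothing is pending.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    return ($null -ne $latest -and $latest.InstalledOn -gt (Get-Date).AddDays(-$MaxPatchAgeDays))
}

function Test-Antivirus {
    # Security Center registration (client Windows only; absent on Server).
    # The productState decoding is the widely used convention rather than a
    # documented one: middle byte 0x10 = enabled, low byte 0x00 = signatures current.
    $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in $av) {
        $hex = '{0:x6}' -f [int]$p.productState
        if ($hex.Substring(2,2) -eq '10' -and $hex.Substring(4,2) -eq '00') { return $true }
    }
    return $false
}

function Get-WorkstationAudit {
    $pp = Get-PasswordPolicy
    $maxAgeOk = ($pp.MaxAgeDays -ne 'Unlimited') -and ([int]$pp.MaxAgeDays -le $MaxPasswordAge)
    [ordered]@{
        "Idle lock within $MaxIdleSeconds s, password required" = Test-ScreenLock
        'Daily account is not a local administrator'             = Test-NotAdmin
        "Minimum password length >= $MinPasswordLen"              = ($pp.MinLength -ge $MinPasswordLen)
        "Maximum password age <= $MaxPasswordAge days"            = $maxAgeOk
        "An update installed in the last $MaxPatchAgeDays days"   = Test-PatchesCurrent
        'Antivirus registered, enabled and up to date'            = Test-Antivirus
    }
}

(Get-WorkstationAudit).GetEnumerator() | Format-Table Name, Value -AutoSize
```

Because the script is read-only, it can be run from a USB stick or a login script on every PC to produce the same table for each, which is a quick way to find the one operatory computer where the screen-saver lock was switched off. In a domain environment the password and lock settings are better enforced centrally by Group Policy than set by hand on each machine; the script then simply confirms that the policy actually applied.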
Data Breach Insurance
Purchase a data breach protection policy to protect you in the event of a HIPAA (data-related) violation. TDIC offers this policy that can pay for notifying patients, providing credit monitoring and more. I recommend that you contact your practice’s liability insurance provider to add data breach insurance to your policy.
Certified HIPAA Consultant
All practices should contact a certified HIPAA consultant to go over all of the requirements to make the practice HIPAA compliant, bearing in mind that the consultant takes no legal responsibility for any fines that may be incurred due to HIPAA violations.
I hope this information helps you and your dental practice. Thank you for reading.
Eric Soto is the CEO of Infinite Computing Technologies (ICT), which offers a variety of dental specific services including: computer sales, new office technology design and installation, help desk phone support, onsite technical support, cabling and network framework, audio and video sales, security camera systems, virus protection and removal, managed encrypted online backup, digital phone sales, and maintenance support programs.
Today, Eric focuses on HIPAA security compliance. He may be reached at (888)472-8725.
Ed. Note: The article appears here as it did in the San Fernando Valley Dental Society magazine, Spring 2016 issue, with slight edits for formatting and consistency.