Dentists are considered Covered Entities under HIPAA, which means that at the root, the rules for privacy, security and enforcement are the same as those for a large health system. This can be an overwhelming fact for dental practices as they begin to put together their policies and procedures for meeting compliance.
Many of HIPAA’s addressable requirements can be tailored in a way that makes HIPAA compliance for dentists much more manageable than meeting the requirements for larger covered entities.
Here is an overview of how, as a dentist, you can meet HIPAA compliance without implementing the state-of-the-art security measures needed for larger organizations.
Risk Assessment
The very first thing that any Covered Entity (CE) or Business Associate (BA) needs to do, before creating policies and procedures, is to begin a Risk Assessment. There are nine components of a risk assessment that need to be met in order for it to be considered complete. Briefly, your risk assessment is an internal process that documents all of your potential risks to data and outlines processes to mitigate each of those risks.
For dentists, a great template for a risk assessment can be found in the Complete HIPAA Compliance Kit from the ADA. Once you have a template, you can go through the process step by step, and discover what parts of your practice need particular attention to security.
Centralized, Encrypted Data Stores
During our many consultations with dentists, we’ve found that one of the biggest compliance issues is patient data being scattered about the office. Having a central server is not enough – many practices will find patient information hiding in Documents, Downloads, Desktop folders and email. Ensuring that patient data lives only on the server, accessed through shared network folders, is the first thing you should do in order to reduce your exposure to a data breach.
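To make the "data scattered about the office" problem measurable, here is an added example (not code from the original article or from any vendor it mentions) that walks a workstation's Documents, Downloads and Desktop folders and flags files that look like exported patient records. The folder names, file types and content markers are assumptions to be tuned to your own practice-management exports; the sample profile it scans is constructed inline and contains no real data.

```python
import os
import re
import tempfile
from pathlib import Path

# Folders where patient data tends to accumulate on workstations (assumption: adjust per practice).
SUSPECT_FOLDERS = ("Documents", "Downloads", "Desktop")
# File types typically exported from practice-management or imaging software (assumption).
SUSPECT_EXTENSIONS = {".pdf", ".csv", ".xls", ".xlsx", ".doc", ".docx", ".txt"}
# Crude content markers; tune these to the column headers your own software emits.
PHI_MARKERS = re.compile(r"\b(patient|dob|date of birth|insurance id)\b|chart ?#", re.IGNORECASE)


def scan_workstation(profile_root):
    """Return sorted (relative path, reason) pairs for files that look like stray patient data."""
    findings = []
    root = Path(profile_root)
    for folder in SUSPECT_FOLDERS:
        base = root / folder
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            if not path.is_file() or path.suffix.lower() not in SUSPECT_EXTENSIONS:
                continue
            try:
                # Only the first 4 KiB is inspected; headers and column names sit at the top.
                head = path.read_bytes()[:4096].decode("utf-8", errors="ignore")
            except OSError:
                continue
            if PHI_MARKERS.search(head):
                rel = str(path.relative_to(root)).replace(os.sep, "/")
                findings.append((rel, "content matches patient-data markers"))
    return sorted(findings)


def build_sample_profile():
    """Constructed sample user profile (fictitious data): two files look like patient exports."""
    root = Path(tempfile.mkdtemp(prefix="profile_"))
    for folder in SUSPECT_FOLDERS:
        (root / folder).mkdir()
    (root / "Documents" / "recall_list.csv").write_text("Patient,DOB,Phone\nJane Sample,01/02/1980,555-0100\n")
    (root / "Downloads" / "claim_export.txt").write_text("Insurance ID: XYZ123 Chart #: 4421\n")
    (root / "Desktop" / "lunch_menu.txt").write_text("Tuesday: tacos\n")
    (root / "Downloads" / "installer.exe").write_bytes(b"MZ\x90\x00")
    return root


if __name__ == "__main__":
    for rel, reason in scan_workstation(build_sample_profile()):
        print(f"{rel}: {reason}")
```

Run it against each workstation's user profile; anything it lists should be moved to the server share and deleted locally, and the scan repeated until it comes back empty.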
To meet the letter of the law, data on the server needs to be encrypted only while in transit, meaning that for compliance’s sake alone, you do not need to encrypt the entire server except through email, backup, and internal network protocols. However, in practice, full encryption of a server is cheap or free in many cases, and encrypting data at rest comes with a very high recommendation.
Beyond encryption, you’ll also need to limit physical and remote access to the server. Placing the server in a locked closet, braced to the wall, is highly recommended. Cable locks can be as cheap as $40, but are very effective at locking down your central data store.
Encrypt Those Backups!
Another common cause of noncompliance for dentists is the backup process. Many practices use external USB drives to back up their data, but it is very common for these drives to hold plaintext data that is not encrypted. HIPAA compliance for dentists means either encrypting your backups through software, or using hardware-encrypted drives such as the Apricorn Padlock, which has a physical keypad with a code that must be entered before any system can see the data on it.
Cloud backups are also a point of non-compliance for dentists. It is not enough for the cloud backup to be encrypted – it needs to be encrypted before the data leaves the server. Most cloud backup providers do offer some form of encryption, but if it is not encrypted locally first, then it is not secure or compliant.
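The two backup points above (USB drives holding plaintext, and cloud uploads that are not encrypted locally first) share one practical check: before a backup file leaves the server, confirm it actually looks like ciphertext. The following added example, which is not code from the original article or from any backup vendor, does that with two tests: known signatures of unencrypted containers, then byte entropy. The signature list, the 7.5 bits/byte threshold and the sample backups are assumptions and constructed inputs; compressed archives are deliberately listed as plaintext because compression raises entropy without providing confidentiality.

```python
import math
import os
from collections import Counter

# Signatures of common unencrypted backup containers (assumption: extend for your software).
PLAINTEXT_MAGIC = {
    b"SQLite format 3\x00": "SQLite database (plaintext)",
    b"PK\x03\x04": "ZIP archive (container headers are never encrypted)",
    b"%PDF": "PDF document",
    b"\x1f\x8b": "gzip stream (compressed, not encrypted)",
    b"7z\xbc\xaf\x27\x1c": "7-Zip archive",
}
# Properly encrypted data is close to 8 bits/byte; text and databases sit far below (assumption).
ENTROPY_THRESHOLD = 7.5
SAMPLE_SIZE = 65536


def shannon_entropy(data):
    """Bits of entropy per byte of the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data):
    """Return (ok, reason): ok is False when the buffer is recognisably not ciphertext."""
    for magic, description in PLAINTEXT_MAGIC.items():
        if data.startswith(magic):
            return False, f"recognised as {description}"
    entropy = shannon_entropy(data[:SAMPLE_SIZE])
    if entropy < ENTROPY_THRESHOLD:
        return False, f"entropy {entropy:.2f} bits/byte is too low for ciphertext"
    return True, f"entropy {entropy:.2f} bits/byte, no known plaintext signature"


def preflight_backup(path):
    """Gate for a backup or upload job: read the head of the file and decide whether it may leave."""
    with open(path, "rb") as fh:
        return looks_encrypted(fh.read(SAMPLE_SIZE))


def sample_backups():
    """Constructed stand-ins for backup files; the 'encrypted' one is random bytes, not real ciphertext."""
    return {
        "patients.db": b"SQLite format 3\x00" + b"\x00" * 100,
        "export.csv": b"Patient,DOB\n" * 200,
        "archive.gz": b"\x1f\x8b" + os.urandom(4000),
        "backup.enc": os.urandom(4096),
    }


if __name__ == "__main__":
    for name, blob in sample_backups().items():
        ok, reason = looks_encrypted(blob)
        print(f"{'OK  ' if ok else 'STOP'} {name}: {reason}")
```

Wire `preflight_backup` into the script that copies to the USB drive or hands files to the cloud agent, and abort the job on a `False` result. The check is a tripwire, not proof of encryption: a file that passes still needs to have been produced by your encryption tool with a key the cloud provider never sees.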
Employees Shouldn’t Browse the Internet Freely
It is also very easy for a practice to lock down internet use on the workstations so that only approved websites are allowed. Human error leads to many breaches, and viruses are often found on PCs that are used to browse the internet freely. Locking down internet use on the workstations is not only a means to compliance; it will also save you from unexpected viruses that can disrupt your practice.
Use Supported, Up-to-date Software
It’s important to keep your software up to date, and use only supported software and hardware. Last year, the OCR made it clear that Patch Management is Necessary for HIPAA Compliance. Since viruses often arise from outdated versions of operating systems, Flash, or Java, it’s incredibly important to keep these up to date. It’s easy to do, and it’s often overlooked by dental practices.
Managed Network
This is true in any covered entity – your network needs to be managed in a way that allows for reporting of breaches. HIPAA demands that logs are kept of every time data is accessed: when, from where, by whom, and what was done on the system. Whether this is set up to be managed internally or outsourced to an IT company, it’s extremely important – these reports will be asked for by OCR during a HIPAA audit.
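To show what "when, from where, by whom, and what was done" looks like once the logs exist, here is an added example (not code from the original article or from any practice-management vendor) that parses access-log lines and produces the two reports an auditor or a breach investigation will ask for: the full access history of one chart, and a list of anomalies such as after-hours exports or access from outside the office network. The `key=value` log format, the office subnet, the business hours and the log lines themselves are constructed assumptions; adapt `LINE_RE` to whatever your server or software actually writes.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample log lines (fictitious users, charts and addresses) in a hypothetical format.
SAMPLE_LOG = """\
2024-03-04T08:55:12 user=drsmith src=192.168.1.20 action=VIEW patient=CHART-4421
2024-03-04T09:02:40 user=frontdesk src=192.168.1.31 action=VIEW patient=CHART-4421
2024-03-04T09:03:05 user=frontdesk src=192.168.1.31 action=EDIT patient=CHART-4421
2024-03-04T12:10:00 user=hygienist1 src=192.168.1.45 action=VIEW patient=CHART-1002
2024-03-04T23:41:18 user=frontdesk src=192.168.1.31 action=EXPORT patient=CHART-1002
2024-03-05T10:15:33 user=drsmith src=203.0.113.7 action=VIEW patient=CHART-4421
2024-03-05T10:16:02 user=drsmith src=203.0.113.7 action=LOGIN_FAILED patient=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)
OFFICE_NETWORK = ip_network("192.168.1.0/24")   # assumption: the practice's LAN
BUSINESS_HOURS = (time(7, 0), time(19, 0))      # assumption: when staff should be working


def parse_log(text):
    """Turn raw lines into records; lines that do not match the format are skipped, not guessed."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            rec = match.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            records.append(rec)
    return records


def access_history(records, patient_id):
    """Every touch of one chart: when, by whom, from where, and what was done."""
    return [(r["ts"].isoformat(), r["user"], r["src"], r["action"])
            for r in records if r["patient"] == patient_id]


def flag_anomalies(records):
    """Events worth a second look; each tuple starts with the rule that fired."""
    flags = []
    for r in records:
        when = r["ts"].isoformat()
        if not (BUSINESS_HOURS[0] <= r["ts"].time() <= BUSINESS_HOURS[1]):
            flags.append(("after_hours", when, r["user"], r["action"], r["patient"]))
        if ip_address(r["src"]) not in OFFICE_NETWORK:
            flags.append(("outside_office_network", when, r["user"], r["src"], r["action"]))
        if r["action"] == "LOGIN_FAILED":
            flags.append(("failed_login", when, r["user"], r["src"], r["action"]))
    return flags


def per_user_summary(records):
    """Action counts per user, the quick view for spotting someone exporting far more than their role needs."""
    summary = defaultdict(Counter)
    for r in records:
        summary[r["user"]][r["action"]] += 1
    return {user: dict(counts) for user, counts in summary.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("History of CHART-4421:", *access_history(recs, "CHART-4421"), sep="\n  ")
    print("Anomalies:", *flag_anomalies(recs), sep="\n  ")
    print("Per user:", per_user_summary(recs))
```

The same three functions answer the questions OCR asks during an audit and the questions you will ask yourself after a suspected breach; keeping the logs centrally on the managed server, rather than on each workstation, is what makes them available when that day comes.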
Get a Consultation
The above requirements are a part of meeting compliance, but for the big picture, it’s a good idea to get a third party consultation from experts trained in HIPAA Compliance for Dentists.