While there’s no fundamental difference in the rules between dental HIPAA compliance for a small practice and compliance for larger entities, adapting the rules to your small dental practice doesn’t have to be as overwhelming a task as it would be for a larger entity.
The main reason is that a small dental office has fewer PCs and employees than a larger entity, so getting a secure handle on your network is attainable with manual procedures and written policies. Security tasks and logging are easier to automate across a handful of machines, and proper audit trails and potential security holes can be addressed without enterprise-level hardware.
What is a small dental practice?
First off, let’s define what we consider a small dental practice. The following recommendations are for offices with 5 or fewer employees or workstations.
If that describes your office, then this article is for you.
Hardware firewalls are one aspect of dental HIPAA compliance that is recommended for larger practices but generally not needed in a small office. For a smaller practice, instead of implementing network-wide internet security with a dedicated device, you can choose an antivirus suite with embedded internet controls and apply strict internet browsing rules to your small employee base. Two things still apply regardless of size: the built-in firewall on every Windows workstation should stay enabled, and your internet router should not expose any inbound ports to the outside.
For example, BitDefender has a package for applying internet controls that can easily curtail illicit internet use in your office. Not only is BitDefender a terrific antivirus suite, the added internet-control functionality greatly reduces exposure to malware. No matter how small your dental practice, you will need business-class antivirus that is licensed for business use.
In addition to blocking personal browsing, it’s a good idea to apply an email filter as well. You’ll also want to keep Java, your browsers, Adobe products, and your operating system on scheduled updates; Adobe Flash has reached end of life and should be removed rather than updated. This way, at a much lower cost, you cover most of the infection vectors a hardware firewall would otherwise address.
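The update paragraph above says what to keep patched but not how to confirm it. The following PowerShell script is an added example, not code from the original article or from any vendor named on the page; it checks a workstation's Windows Update policy and install history and then inventories the third-party products the page lists so an out-of-date version stands out. The registry paths and COM objects are Microsoft's; the list of product names to watch for is my assumption and can be edited.

```powershell
# Added example: check one workstation's patch posture for the items the article lists.
# Run in an elevated PowerShell on each workstation. The $Watch list is an assumption.

# 1. Is Windows Update allowed to download and install on its own?
#    If the policy key does not exist, Windows uses its default of automatic installation.
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$Au = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
if ($Au -and $Au.NoAutoUpdate -eq 1) {
    Write-Warning 'Automatic updates are DISABLED by policy'
} elseif ($Au -and $null -ne $Au.AUOptions -and $Au.AUOptions -ne 4) {
    Write-Warning "AUOptions=$($Au.AUOptions); 4 means auto-download and scheduled install"
} else {
    'Windows Update: automatic installation is in effect'
}

# 2. When did updates last actually install, and how many are still pending?
$Results = (New-Object -ComObject Microsoft.Update.AutoUpdate).Results
"Last successful search : $($Results.LastSearchSuccessDate)"
"Last successful install: $($Results.LastInstallationSuccessDate)"
$Searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$Pending  = $Searcher.Search('IsInstalled=0 and IsHidden=0').Updates
"Pending updates        : $($Pending.Count)"
foreach ($u in $Pending) { "  - $($u.Title)" }

# 3. Inventory the third-party items the article calls out (both 32- and 64-bit uninstall hives).
#    Flash should not appear at all; if it does, uninstall it.
$Watch = 'Java', 'Adobe', 'Flash', 'Chrome', 'Firefox', 'Edge'   # assumed list; edit to taste
$UninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $name = $_.DisplayName
        $name -and ($Watch | Where-Object { $name -like "*$_*" })
    } |
    Select-Object DisplayName, DisplayVersion, InstallDate |
    Sort-Object DisplayName |
    Format-Table -AutoSize
```

Running this on each of a handful of PCs and keeping the output with your risk-assessment paperwork gives you evidence that the scheduled updates are actually landing, which is the question an auditor asks.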
For larger practices, however, it’s more cost effective and more secure to use a hardware device such as a SonicWall; these devices inspect incoming and outgoing traffic for malware as an added security measure. For your small dental practice, you can achieve security compliance without the added device and instead focus on localized services that are easier on your budget.
No matter the size of your practice, a Windows Server is recommended to apply audit trails to your network and to centrally manage the flow of data in your office. There are two ways to set up a server, however: workgroup or domain configuration.
A domain adds the ability to manage user passwords and create network-wide credentials for each user. The largest benefit of a domain server is that each user’s activity is logged and managed network-wide. This is particularly useful if you have more than a few employees or more than a few workstations. HIPAA’s Security Rule requires audit controls that record activity on the systems holding patient data, but for just a few systems there are software packages that can reach the same goal. As more employees or PCs are added to the mix, the case for a domain server becomes stronger, and beyond about 5 PCs or employees a domain server comes highly recommended.
When possible, and whenever budget allows, it is best to institute a domain with a new server installation. However, since there are other ways to address these particular HIPAA requirements for the smallest dental practices, the decision should be weighed against the current workload of your Privacy Officer and the budget you have for your other upgrades.
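The two paragraphs above say that a workgroup of a few PCs can still produce an audit trail without a domain, but not what that looks like in practice. The following PowerShell script is an added example, not code from the original article; it turns on the Windows audit subcategories that record sign-ins and account changes on one workstation, then exports the last week of those events to a CSV the Privacy Officer can review. The folder path and the seven-day window are my assumptions; the auditpol subcategory names and the event IDs (4624 successful logon, 4625 failed logon, 4634 logoff, 4740 lockout, 4720 account created, 4726 account deleted) are Microsoft's.

```powershell
# Added example: workstation-level audit trail for a workgroup (non-domain) PC.
# Run in an elevated PowerShell on each workstation. $AuditDir is an assumption.
$AuditDir = 'C:\HIPAA-Audit'   # assumed; point it at a protected share if you have one
New-Item -ItemType Directory -Path $AuditDir -Force | Out-Null

# 1. Turn on the audit subcategories that record who signed in, when, and whether it failed.
$Subcategories = 'Logon', 'Logoff', 'Account Lockout', 'User Account Management', 'Audit Policy Change'
foreach ($sc in $Subcategories) {
    auditpol /set /subcategory:"$sc" /success:enable /failure:enable | Out-Null
}
auditpol /get /category:'Logon/Logoff'   # show the resulting settings for the record

# 2. Make the Security log large enough that entries are not overwritten before review.
#    256 MB here; how long you retain is a policy decision for your Privacy Officer.
wevtutil sl Security /ms:268435456

# 3. Pull the last 7 days of logon and account events into a dated CSV.
$Since  = (Get-Date).AddDays(-7)
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4634, 4740, 4720, 4726
    StartTime = $Since
} -ErrorAction SilentlyContinue

$Rows = foreach ($e in $Events) {
    # Each event's details live in EventData as named <Data> elements; flatten them to a hashtable.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { if ($n.Name) { $d[$n.Name] = $n.'#text' } }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Computer  = $e.MachineName
        Account   = $d['TargetUserName']
        Domain    = $d['TargetDomainName']
        LogonType = $d['LogonType']     # 2 = console, 3 = network, 10 = remote desktop
        SourceIp  = $d['IpAddress']
        Status    = $d['Status']        # NTSTATUS code on failures, e.g. 0xC000006D bad credentials
    }
}

$Out = Join-Path $AuditDir ('{0}-logons-{1:yyyyMMdd}.csv' -f $env:COMPUTERNAME, (Get-Date))
$Rows | Sort-Object Time | Export-Csv -Path $Out -NoTypeInformation
"Wrote $($Rows.Count) events to $Out"

# 4. Quick review: failed sign-ins per account in the window, the first thing a reviewer looks at.
$Rows | Where-Object EventId -eq 4625 | Group-Object Account | Select-Object Name, Count
```

On five workstations this is a weekly task of copying five CSV files to one place; the domain controller or a log-management package is what removes that manual step once the practice outgrows it.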
Understand Your Risks
As with any HIPAA-compliant practice, you will need to perform a risk assessment at least once a year to identify your possible exposure to breach or data loss. Understanding this procedure lets you focus on what’s truly important to bring your office into compliance.
There is no single solution that brings your practice into full compliance, and the smaller the practice, the more options you have. If you are considering upgrading your network to achieve compliance, take some time to become familiar with the marketplace of services, and determine exactly what is needed to meet your goals.