The Health Insurance Portability and Accountability Act (HIPAA) of 1996 required the Department of Health and Human Services in the United States to develop regulations protecting the security and privacy of specific health information. To meet these requirements, the Department published what are known as the HIPAA Security Rule and the Privacy Rule. Meeting the standards outlined by the Security Rule protects the health information covered under the Privacy Rule.
Before HIPAA, there were no general requirements or security standards protecting health information in the healthcare industry. By 1996, new technologies were developing, and the health industry was relying more heavily on electronic information systems. HIPAA covers healthcare providers who transmit healthcare information electronically, which includes most dental practices and dental labs. Today, many clinical applications, including dental practice and dental laboratory systems, are computerized, increasing efficiency and allowing clinicians to check patient cases from wherever they are. While more efficient, the adoption of these technologies increases the potential for security breaches, which is why HIPAA is so essential. Despite the importance of the HIPAA rules, many dental businesses find them confusing.
The Security Rule
The main aim of the Security Rule is to ensure that a patient’s privacy and health information is protected while still allowing the adoption of new technologies to improve the quality of services provided to the patient. Information stored as a paper record is called protected health information, or PHI. Data that is electronically transmitted under the Security Rule is called electronic protected health information, or E-PHI. Providers covered by this rule must ensure the following points:
- Maintain confidentiality and integrity during electronic transmission, and send paper records securely.
- Reasonably anticipate, identify, and protect against threats to the integrity and security of their information.
- Safeguard against impermissible uses or disclosures of information, and ensure that their workforce complies with these procedures.
Any confidential information transmitted electronically must not be available or disclosed to anyone who lacks the proper authorization. The Security Rule also requires that the integrity of a patient’s PHI be maintained, so that the information is not altered or destroyed without proper authorization. Because the rule covers such a diverse range of providers, it is flexible: providers analyze their own needs to find the solutions most appropriate to their specific environment.
Factors that must be considered include:
- The size, complexity, and capability of the provider
- The software, hardware, and infrastructure
- The costs of these security measures
- The likelihood of a potential risk to the integrity of information transmitted electronically or sent by other means
Analyzing and Managing the Risks
Healthcare providers must carry out a detailed risk analysis evaluating the likelihood and impact of potential security risks to PHI. Once these risks have been identified, appropriate security measures are implemented to address them. All of these measures are documented, along with the rationale for adopting them. Risk analysis is an ongoing process that must be continually maintained and updated as needed. Security measures must be periodically re-evaluated to ensure patient data remains appropriately protected, whether it is stored on paper or electronically. Although electronic health records are not mandatory, they are easier to back up, whereas paper records can be destroyed, stolen, or lost forever.
Ensuring That Your Dental Practice Complies with HIPAA Rules
To ensure that your dental practice is HIPAA compliant, you will need to compile a compliance manual, which can be maintained on paper or electronically. Good compliance includes ongoing staff training and written documentation of security and privacy policies and practices. You must also post a Notice of Privacy Practices and make sure patients are given access to these policies. Patients who believe their PHI has been disclosed inappropriately must have access to a complaint process.
Electronic devices storing patient information must have their hard drives reformatted or destroyed when they are replaced, so that the data cannot be recovered. Drive-scrubbing software will not adequately remove the information, because deleted data remains on the drive until new data overwrites that specific sector. A written policy should cover the use of internet-connected computers in the dental practice. Staff members who use those computers for personal business, to visit certain websites, or to download files could put patient data at risk. Social networking sites are frequently hacked, as are games, and a compromise there could affect the practice’s software or server.
Communication with patients via email must go through a secure server. An increasing number of dental practices now communicate with patients by email, but many popular and well-known email providers are frequently hacked. Any patient information, such as x-rays or referrals, should always be sent as an encrypted message, because the information originates in the patient database and an intercepted email could lead to the server being compromised. Practice management software vendors and website hosting companies usually provide secure email addresses with encryption services for dental practices.
How We Protect Your Information
Here at DDS Laboratory, we take your privacy, and that of your patients, extremely seriously and have a well-established HIPAA policy in place. As a Certified Dental Laboratory, the guidelines we follow meet or exceed those set by the authorities. DDS Lab uses the most advanced technologies available within the dental industry, including the latest software and hardware, to streamline ordering work from the lab, accessing files, and checking the status of work in progress. All of these technologies are HIPAA compliant, ensuring that communications between the dental lab and our clients are encrypted and stored in secure databases. All digital information is regularly backed up to ensure that it is correctly preserved. We regularly review and update our policies, and every staff member understands the importance of HIPAA compliance, not only as a professional responsibility but as part of good business practice. Every patient has the right to expect that their personal information is securely stored and protected.
Please be reminded that should you wish to discuss a case in more detail, our experienced technical team is here to assist you.