If the next fire, flood, or catastrophic storm strikes near you, do you have a disaster plan for protecting your office's data? That's one of the many practices Jeff Broudy, CEO of PCIHIPAA, recommends that dental offices follow in order to remain HIPAA-compliant.
He spoke last week at the 2017 American Association of Oral and Maxillofacial Surgeons (AAOMS) meeting in San Francisco about the most important things dental practices can do to remain compliant with HIPAA regulations and avoid inappropriately sharing patient data or incurring fines for not following the rules.
Topping his list is the need to be proactive about HIPAA compliance.
"What have you done in the practice to be proactive if there happens to be a fire, a theft, or half your practice is underwater?" Broudy asked.
Making a checklist
HIPAA was initially enacted in 1996, but various requirements regarding patient medical and financial information continue to be updated. Knowing what to do to follow all HIPAA regulations can be difficult for independent practices, Broudy said. His company focuses on helping these practices.
Broudy said that dental practitioners and their teams often have misconceptions about who is responsible for HIPAA compliance. Such assumptions include the following:
- The information technology firm will handle it.
- The office's practice management software is HIPAA-compliant.
- The practice's general liability policy will provide protection.
- The office manager has it all covered.
- The office doesn't have any risks related to HIPAA.
However, dental practices typically need to be proactive about HIPAA compliance themselves, he said.
"The ADA said audits for dentists are here," Broudy noted.
Actions that need to be taken regarding HIPAA fall into three major categories: administrative, technical, and physical safeguards.
He recommended that practices do the following to achieve compliance with HIPAA administrative safeguards:
- Assign a security officer.
- Execute business associate agreements.
- Document who uses and accesses workstations.
- Conduct a thorough risk assessment.
- Perform security awareness training.
- Create a contingency plan in case of an unforeseen disaster.
Broudy told the audience that a thorough risk assessment is mandatory.
"It's the first thing [HIPAA regulators] look for when they do an audit," he said.
As for business associate agreements, he pays special attention to the indemnification clause. He said the fine for not having business associates sign agreements could be up to $475,000.
"The indemnification clause is probably the most important part of the business associate agreement," Broudy said. "You want to make sure you're indemnified for the mistreatment of your data."
Security risks
Broudy pointed out some areas that can commonly produce security risks. Operating systems or firewalls that are not up-to-date can be more vulnerable to electronic attacks. Not being current on credit card-processing technology can also be a liability for the practice.
During his presentation, he recommended the following steps that dental offices can take to follow HIPAA regulations, mitigate risk to their practice, and protect themselves from fees or legal problems:
- Don't allow work computers to be used for personal purposes. If personal use is needed, designate a single workstation for it.
- Back up your data offsite and use at least 256-bit encryption.
- Consistently update operating systems and antivirus software.
- Update HIPAA policies and procedures, as you could get audited.
- Stop using Gmail, AOL, and Yahoo for email. He recommends using an Exchange server so you have more control over your email and can use encryption.
- Educate employees about phishing emails.
- Provide unique logins for all employees.
- Train employees who have access to protected health information and obtain acknowledgements.
- Don't share patient information without authorization, and implement rules forbidding gossip or snooping.
- Use strong passwords.
- Use a virtual private network (VPN) and don't use public Wi-Fi.
- Make sure your fax and copy machines do not store data.
- Don't lease credit card equipment.
He also noted that he is a big believer in keeping data in the cloud.
Some of these steps can substantially lower the risk to a practice, whether it's reducing the actual risks of a mishap or the chances that the practice will be held liable.
"If you're sending patient information, you lower your risk dramatically if you use encryption," Broudy said. "If [patient data] gets into the wrong hands, it's a data breach. If you show you're using encryption and something were to happen, it's not a data breach."