The HIPAA Security Rule offers a framework to protect ePHI (electronic Protected Health Information). HIPAA regulations mandate that any patient identifiers in written, verbal or electronic form be protected. HIPAA rules apply to any dental office that sends claims, eligibility requests, pre-determinations, claim status inquiries or treatment authorization requests electronically. This also applies to a dental practice’s business associates and third-party providers.
The HIPAA Security Rule for Dentists
The HIPAA Security Rule consists of three separate sets of “requirements” – technical requirements, physical requirements and administrative requirements. In this article, we’ll be talking about the technical requirements.
Technical requirements regulate how patient information is communicated electronically. It details how ePHI must be protected when in storage and in transit. (For example, you must not communicate PHI in email, on text or via Skype or any other form of electronic communications.)
Instead, you must employ secure messaging within a private network that’s only accessible to authorized users. Your authorized users can access patient data and share it with other authorized users after they log in to secure messaging applications that authenticate them with a centrally issued username and password. The secure messaging applications must also employ a time-out feature that automatically logs users out of the network when a workstation, laptop or mobile device is left unattended.
All ePHI in storage and in transit must be encrypted. Safeguards must also be implemented that prevent patient data from being saved to an external hard drive, copied and pasted, or forwarded outside of your dental practice’s private network.
10 HIPAA Security Best Practices
As noted above, your dental practice has a duty to meet all requirements under HIPAA for audit controls, data integrity, access controls, person or entity authentication, and secure data transmission and storage. By following these 10 HIPAA Security Best Practices, your dental business can remain compliant.
1. Locate any security gaps in your IT network. Ask an IT security specialist to run a security assessment on your network. They will provide you with a report that outlines any weak areas such as aging technology, programs that have not been updated and patched, etc.
2. Stay up-to-date on the current threats to ePHI. There are new threats every day, and you have to be aware of this to combat them.
3. Implement Remote Management and Monitoring and intrusion detection solutions to detect unauthorized attempts to breach your system and block them. Your IT service provider can handle this end to end.
4. Utilize enterprise-based antivirus, firewalls, advanced threat protection solutions, EDR (Endpoint Detection and Response), and DMARC (Domain-Based Message Authentication, Reporting and Conformance) email-validation solutions.
5. Ask your IT provider to provide Security Awareness Training for your employees. Training should be ongoing because new threats arise all the time. Hold security awareness training sessions several times a year.
6. Make sure you allow access to confidential information only to those who need it to perform their duties. You must revoke all credentials for employees who leave your organization.
7. Use audit controls to gain visibility into your ePHI and Electronic Health Records. Monitor all access, and record all login attempts. Respond immediately to unauthorized attempts.
8. Perform regular ePHI inventories. Ask your IT provider to help you perform regular inventories to determine where on your systems, servers and applications ePHI is stored.
9. Identify how you use, collect, store and share patient data. You must also have a secure method for deleting ePHI. Remember that if you drag a file to your computer’s trash can, it still resides on the computer.
10. Adopt a HIPAA Security Policy for your dental practice. Your employees must know the rules in order to comply. HIPAA Security Rules and your own policies should be made clear and available to everyone. Your Incident Response Plan can designate a person or team responsible and describe their roles and the steps they should take if a data breach occurs.
You Must Comply With The HIPAA Rules
What should you do?…
You Need Service & Support From A Managed IT Provider Who Understands HIPAA Requirements For Dental Practices
If you don’t understand all the terms and regulations in the HIPAA Security Rule, or how they apply to electronic Protected Health Information, it’s advised that you contact an IT Managed Services company.
Just as you refer patients to specialists for evaluations to ensure their dental health, you should refer your IT network to a professional Managed Service Provider who understands HIPAA compliance requirements for dentists.
They are best suited to evaluate your processes and procedures to determine if your network is HIPAA compliant. Relying on an IT professional who understands what HHS is looking for could mean the difference between passing a HIPAA audit and ending up on the HHS Wall of Shame.
A Managed IT Service Provider Can Set Up Business-Class Software & Operating Systems That Comply With HIPAA
In case you didn’t know, you shouldn’t be relying on consumer versions of Windows or Apple operating systems. There are different versions, and many don’t have the security built in that you need. The manufacturers do this to keep prices low.
Don’t buy computers for your dental practice from retail stores that offer low-cost consumer products. To promote HIPAA compliance, ask your IT service company to provide computers and operating systems with the business-class security that you need. And ask them to set them up for you. Not only will you have the peace of mind that you’re doing everything that you can to protect ePHI, but your IT provider can usually get better prices on business-grade hardware and software than you can.
If you use consumer-based IT solutions, your files might not be secure. Nor will these products connect securely to your network. It’s essential that you use enterprise-based versions of operating systems. And you must ensure that they are set up properly to protect your ePHI and are securely joined to your network.
Your Managed IT Provider Will Ensure That You Use Business-Class Email & Text Messaging So You Comply With HIPAA
If you’re using webmail services like Gmail, Hotmail, Yahoo!, or those provided by your Internet Service Provider (ISP), you could be in breach of HIPAA regulations. These solutions aren’t secure enough for sending ePHI, because they don’t provide end-to-end email security. Nor will their providers sign the Business Associate Agreement (BAA) that you require.
To ensure you comply with HIPAA regulations, you need to use one of the following:
- A secure email solution and server that you own;
- An email encryption service from a provider who will sign a BAA; or
- The communications tools in your secure and certified Electronic Health Record (EHR) system.
Faxes are acceptable with business associates and other entities that also comply with HIPAA, unless your system converts the fax into an email; in any case, faxes shouldn’t be sent to a webmail account. Texting isn’t secure or HIPAA compliant if you use a cellphone carrier’s system. Neither you nor your staff should ever text ePHI or other patient information. And be sure that the answering service you use doesn’t send texts containing patient information.
Your IT Managed Service Provider Will Keep Your Dental Practice’s Network Secure & HIPAA Compliant
When setting up a Windows network, two different strategies are considered:
1. A Domain-based network, where everything, including security settings, is centrally managed.
2. A peer-to-peer workgroup. This is a loosely connected group of workstations with no central management.
Can you guess which one you should use? Yes…the Domain-based network. This is required to comply with HIPAA requirements like Unique User Identification, Person or Entity Authentication, System Activity Reviews, and Audit Controls.
Your Managed IT Service Provider will provide a secure server or convert your existing one into a Domain Controller. They can also link you up to a secure IT system in the Cloud. Never use a Workgroup setup if you store or transmit ePHI outside your certified EHR system. And remember, you must log everything and retain these logs for 6 years. Your IT professional can ensure you do this as well.
Your Managed IT Provider Will Make Sure That Your Files & Data Are Encrypted
If you lose a laptop that contains ePHI, or one is stolen, you’ll be in noncompliance unless the data and device are encrypted. In this scenario, it’s mandated that you report the loss to the federal government for investigation and contact all of the patients whose data was stored on the device.
If the device and data are encrypted and they’re lost, you won’t have to report this to the authorities or to your patients. Your IT provider can deploy Mobile Device Management to wipe the data from a lost machine. They can also direct you to laptops that automatically self-encrypt when you turn them off or close the lid. It costs a lot less to encrypt a machine and its data than it does to pay fines and penalties.
Your IT Provider Will Ensure That You Enforce Password Security & Automatic Logoff
HIPAA regulations require audit trails to identify which users are accessing and have accessed patient health records. This means that you must enforce security controls such as requiring each user to log on and off with their own account, and prohibiting password sharing and piggy-backing (where multiple employees use a computer during a single session).
And remember… you must NEVER leave a computer unlocked when a patient is in the room. The dentist, hygienist, or staff member must be in the room at all times when a computer is unlocked and a patient is present.
If Automatic Logoff seems too annoying to you, remember that there are convenient ways to log on. Your Managed IT Provider can help you with this. They can make sure the computers you use have fingerprint readers or proximity cards.
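As an added example that is not part of this article or of any provider’s tooling, the following read-only PowerShell check reports whether a Windows workstation meets four of the controls described in the sections above: domain membership rather than a workgroup, BitLocker encryption of the system drive, an automatic inactivity lock, and logon auditing. The 900-second inactivity threshold is an assumption for this example (HIPAA does not specify a number), and it must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the article): read-only workstation check for
# domain join, disk encryption, automatic logoff and logon auditing.
# Run in an elevated PowerShell on Windows 10/11. The article's 6-year log
# retention cannot be verified on the workstation; it is a property of
# wherever the event logs are forwarded and archived.

$findings = @()

# 1. Domain-joined rather than a workgroup (Unique User Identification)
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $findings += "PASS  Domain-joined: $($cs.Domain)"
} else {
    $findings += "FAIL  Workgroup member ($($cs.Workgroup)); no central accounts or audit trail"
}

# 2. Full-disk encryption on the OS volume (BitLocker)
try {
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    if ($os.ProtectionStatus -eq 'On' -and $os.VolumeStatus -eq 'FullyEncrypted') {
        $findings += "PASS  $($env:SystemDrive) is BitLocker-protected ($($os.EncryptionMethod))"
    } else {
        $findings += "FAIL  $($env:SystemDrive) protection is $($os.ProtectionStatus), status $($os.VolumeStatus)"
    }
} catch {
    # Consumer (Home) editions do not ship the BitLocker module at all
    $findings += "FAIL  BitLocker cmdlets unavailable: $($_.Exception.Message)"
}

# 3. Automatic logoff: 'Interactive logon: Machine inactivity limit' (seconds, 0 = disabled)
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$limit = (Get-ItemProperty -Path $polKey -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
$maxIdle = 900   # assumed threshold for this example, not a HIPAA-mandated value
if ($limit -and $limit -le $maxIdle) {
    $findings += "PASS  Inactivity lock after $limit seconds"
} else {
    $findings += "FAIL  No inactivity lock configured, or limit exceeds $maxIdle seconds"
}

# 4. Logon auditing enabled (Audit Controls / System Activity Review)
$audit = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv
$setting = ($audit | Select-Object -First 1).'Inclusion Setting'
if ($setting -match 'Success and Failure') {
    $findings += "PASS  Logon auditing: $setting"
} else {
    $findings += "FAIL  Logon auditing is '$setting'; expected Success and Failure"
}

$findings
```

Each line of the output names the control and whether the workstation passed, so the list can be handed to whoever manages the domain policy for remediation.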
Your Managed IT Provider Can Set Up A Business-Grade Firewall
To access the Internet, you need a router or firewall. A router and firewall both direct traffic between two networks–your internal network and the Internet. A firewall also comes with security features. But this doesn’t mean that you should run out and purchase just any firewall.
A business-grade firewall can block unauthorized access. It will also filter the traffic from the Internet to prevent viruses and malware from getting into your computers. This is required for HIPAA compliance.
A Managed IT Service provider can set this up properly, plus they can employ Remote Management and Monitoring that offers continual monitoring and maintenance of your network for security and reliability, and to apply updates and patches.
Your Dental Practice Needs Managed IT Services
To be HIPAA compliant today requires dental businesses to either employ a full-time certified IT staff or arrange for service from a Managed IT Service provider.
Managed Service Providers like SymTec offer everything we discussed and more, for a fraction of the cost of employing a full-time IT staff (or the cost of fines, penalties and notifying patients about a data breach!).
We specialize in providing HIPAA-compliant IT service and solutions to dental practices in Utah and Idaho. Plus, we will provide a signed Business Associate Agreement which is also mandatory for HIPAA compliance.
Managed IT Services = HIPAA Compliance For Dental Practices
Don’t wait until you get audited. By then it will be too late. HIPAA Compliance for dental offices is the law. Contact the IT specialists at SymTec to learn about our Compliance and Managed IT Services.