
Dentists must comply with HIPAA or face hefty fines
By Greg and Wayne Polakoff

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates the security and privacy of patient medical records stored by dentists. HIPAA Title II requires healthcare organizations, such as dental practices, to provide secure electronic access to healthcare data and to remain in compliance with privacy regulations that are administered by the U.S. Department of Health and Human Services (HHS). Dental practices that are found to be out of compliance face fines up to $100,000.

Staying updated is mandated by HIPAA
Just what is involved in HIPAA compliance? First and foremost, all your patients’ personal health information (PHI) must be stored electronically, and that electronic storage must be secure. Spyware and virus protection have to be part of the equation here. With the rise of sophisticated hacking schemes, keeping your computer operating system (OS) and software up to date is imperative. Not only is it wise to update your systems; if HHS finds you running an outdated OS or old software, you will be out of HIPAA compliance and could face a fine. The solution is to have an audit of your complete computer system performed.

Backing up electronic PHI
The second factor in HIPAA law concerns the backing up of your computer systems. HIPAA now requires that you back up your system in two places: on site and off site. Here is the kicker – those backups must be encrypted so that none of the stored PHI can be read during the transfer without a password. Gone are the days of backing up to an external hard drive and putting the drive in the back of your car. You need to back up your system to an off-site cloud server to remain HIPAA compliant.
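The two requirements in this section, a copy in each of two locations and no readable PHI in either copy, are the kind of thing a practice can verify rather than take on faith. The script below is an added example written for this article; it is not code from the authors or from NFC IT, and it assumes a simple manifest in which each backup copy records its location, its age and the SHA-256 digest taken when it was written. The sample backup contents are constructed inline so the check runs offline. It reports three failure modes: a missing on-site or off-site copy, a copy that is still readable plaintext (detected by low byte entropy or PHI-like field names), and a copy whose contents no longer match the recorded digest (corruption or tampering).

```python
"""Verify backup copies against a two-location, encrypted-at-rest policy.

Added example, not from the original article. Assumes each copy is described
by a BackupCopy record built from a backup manifest; the contents here are
constructed stand-ins, not real backups.
"""
import hashlib
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed samples. A plaintext backup leaks recognisable record fields;
# a properly encrypted one looks like uniformly distributed bytes.
PLAINTEXT_BACKUP = b"patient: Jane Doe\nDOB: 1980-01-01\ndiagnosis: caries\n" * 40
ENCRYPTED_BACKUP = bytes(range(256)) * 8  # stand-in for ciphertext (entropy 8.0 bits/byte)

# Field names that should never be visible in a backup at rest.
PHI_FIELD_PATTERN = re.compile(rb"\b(patient|DOB|diagnosis|SSN|insurance)\b", re.IGNORECASE)

# Ciphertext and compressed data sit near 8 bits/byte; text sits around 4-5.
# The heuristic needs a few KB of data to be meaningful, so check size first.
ENTROPY_THRESHOLD = 7.5
MIN_SAMPLE_BYTES = 1024


@dataclass
class BackupCopy:
    location: str        # "onsite" or "offsite"
    age_hours: float     # hours since the copy was written
    data: bytes          # contents as stored at rest
    expected_sha256: str # digest recorded in the manifest when written


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the observed byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """True when the bytes show no PHI field names and are near-uniform."""
    if len(data) < MIN_SAMPLE_BYTES:
        return False  # too small to judge; treat as non-compliant
    if PHI_FIELD_PATTERN.search(data):
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def check_backups(copies, max_age_hours: float = 24.0) -> list:
    """Return a list of policy findings; an empty list means the set passes."""
    findings = []
    locations = {c.location for c in copies}
    for required in ("onsite", "offsite"):
        if required not in locations:
            findings.append(f"missing {required} copy")
    for c in copies:
        if sha256_hex(c.data) != c.expected_sha256:
            findings.append(f"{c.location}: contents do not match recorded digest")
        if not looks_encrypted(c.data):
            findings.append(f"{c.location}: readable plaintext or low entropy")
        if c.age_hours > max_age_hours:
            findings.append(f"{c.location}: stale ({c.age_hours:.0f} h old)")
    return findings


def demo():
    """Run the check over a compliant set and a non-compliant set."""
    good = [
        BackupCopy("onsite", 2.0, ENCRYPTED_BACKUP, sha256_hex(ENCRYPTED_BACKUP)),
        BackupCopy("offsite", 3.0, ENCRYPTED_BACKUP, sha256_hex(ENCRYPTED_BACKUP)),
    ]
    # Single external-drive copy, still in plaintext, and its digest was
    # recorded before one byte was corrupted on disk.
    corrupted = PLAINTEXT_BACKUP[:-1] + b"X"
    bad = [BackupCopy("onsite", 30.0, corrupted, sha256_hex(PLAINTEXT_BACKUP))]
    return check_backups(good), check_backups(bad)


if __name__ == "__main__":
    for label, findings in zip(("compliant set", "external-drive set"), demo()):
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

The entropy test is a heuristic, not proof of encryption: a backup that is compressed but not encrypted also scores near 8 bits per byte, which is why the script additionally scans for PHI field names and why an auditor should confirm the backup tool's encryption setting directly rather than rely on this check alone.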

HIPAA regulatory changes
A good off-site server can do more than just provide a backup of your system. The backup can be audited for HIPAA compliance, especially when the rules change, which happens more often than you might imagine. Just as your staff undergoes ongoing training in HIPAA compliance, so should your computer system. An initial audit of your computer system does not mean you will remain HIPAA compliant forever. As stated on the HHS.gov website: “A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.”[1] A regular security audit is essential to ensure your OS is always in compliance. As a federal bureaucracy, HHS is very good at making new regulations but poor at informing dentists of the changes. A good practice is to have your system audited for these new regulations on a regular basis.

Beyond HIPAA
There is a secondary benefit of an off-site backup server. If your on-site system goes down, with the proper service you can keep your business running from the off-site server. Smart dentists are taking advantage of IT services that provide 24/7 monitoring and live help desk technicians. Think of the chaos that would happen if your on-site computers crashed in the middle of the day. Clients would be filing through your front doors only to be told they would have to reschedule and be turned away… and you wouldn’t have access to your calendar to even give them another appointment. You risk losing them as clients. You can avert this problem with off-site cloud storage, live technicians who are available to you whenever your system goes down, and a monitoring service that sees potential problems before they happen.

In conclusion, dentists must be aware that HIPAA compliance is not just a suggestion from the federal government; it is the law. Proper configuration and maintenance of computer security systems should be a matter of routine business for every dental practice. If not, you are risking hefty fines from the government.

Greg and Wayne Polakoff are IT Consultants with NFC IT. They specialize in Dental Practice computer system security and compliance. Contact them at gpolakoff@nfcit.com or wpolakoff@nfcit.com

Notes:
1. 45 C.F.R. § 164.308(a)(8), www.hhs.gov