By Greg and Wayne Polakoff

A dental office manager was going through paperwork with a patient prior to an appointment. Among the papers was a HIPAA compliance sheet that asked questions about permission to share their personal health information – asking for phone numbers and email addresses where personal health information could be sent. After the patient returned the compliance sheet, the office manager pulled up the patient’s records and began to record the information on her computer. That’s when the dentist interrupted her work and called her to the back. She saved the information and logged out of her computer. As she left her workstation, another patient came into the office. A second employee did what a good dental employee does – she greeted the new patient, sat down at the office manager’s computer and logged in to pull up the new patient’s records. She noticed that the first patient’s health records were still open on the computer. She asked the new patient to take a look at the computer screen to confirm their address and phone number. The new patient complied and sat down in the waiting room. She noticed that the first patient’s paper records were sitting by the computer. She started to update those files, but there was a security feature that prevented her from editing the files on this computer. So she went into the system preferences and changed her security clearance, accessed the first patient’s files and completed updating the records that office manager had yet to complete. She saved the file, left the workstation and went about her business.

What just happened? A HIPAA compliance regulation was violated. See if you can pick out the violation.

  1. The office manager left the first patient’s personal information on the HIPAA compliance sheet sitting beside her computer when she walked away.
  2. The second employee asked the new patient to verify an address on a computer screen while having the first patient’s personal health information on the computer screen.
  3. The computer system allowed the second employee to change her security clearance to be able to access and edit the patient’s health records.
  4. The second employee walked away from the workstation without logging out, leaving access to all of the patient files to whoever sat down at the computer next.

Did you pick out the violation? As you might of guessed, all of these answers violate HIPAA regulations. If you are working at a busy dental office, you have to be thinking, what can I do to keep the office running and stay in compliance.

The Health Information Portability and Accountability Act of 1996 (HIPAA) regulates the security and privacy of patient medical records stored by any kind of medical facility, which includes dentists. It requires that your patient’s health information be stored electronically (ePHI) and not on paper so it can be easily accessed and transferred via secure electronic means. That’s the portability part of the regulations. HIPAA also requires dental practices to remain in compliance with privacy regulations. That’s the accountability part of the regulations. These rules are administered by the U.S. Department of Health and Human Services (HHS). Dental practices which are found to be out of compliance face fines up to $100,000.

The HIPAA basics
HIPAA compliance is all about how you handle all your patients’ personal health information. There are two general components: the information you divulge, whether it is communicated verbally or in written form, and how you secure that information electronically. Our business is built around helping dental offices maintain HIPAA compliance. Many dental practices believe they are in accordance with these laws, but in most cases, they are not. A lot of that has to do with some common misconceptions around the way they back up their servers, the security systems they have in place, not covering all of their computer devices with encryption technology when transferring ePHI, and a lack of understanding how the internet works. Let’s take a look at each of these issues.

Backing up your servers when ePHI is involved
HIPAA laws require that you back up your system in two places: on site and off site. For the off site backup, you must use a cloud server. You cannot simply backup to an external device, such as an external hard drive, a thumb drive or some other recording device and walk it out the door. The backups must be encrypted so that none of the ePHI can be read during the transfer except by the sender and the receiver. This requires password-protected access. The internal server needs to be at your place of business and physically secured so it cannot be accessed without unlocking a door to get to it.

Securing your information
The way you set up your security system makes a big difference in HIPAA compliance. Many dental offices use a Local or User Security. This simply means that each user controls their own access to information stored on your server. So what? Shouldn’t everyone working in the office have the ability to read and write to patients’ medical records? They are working in a dental office with patients. The problem with Local Security is that it gives multiple paths to secure information. For instance, if you have an office of 12 people, that is like having 12 different doors to your server. A hacker needs only to gain access to one of those 12 doors and they have access to your most sensitive records. HIPAA compliant security systems use Domain Security. In this scenario, one administrator controls the domain and sets the security protocol, including passwords that are generated by the server to the users. Access to the server is granted by the domain to the users.

Encrypting all your devices
Many times when a dental office thinks about using encryption technology, they are thinking only of the backup of their servers. This is important, but it is not the only place where personal health information is being transferred electronically. For instance, if you are using a phone to talk about a client’s medical condition, there is an electronic transfer of information. If you are sending a file via email, you are doing the same thing. HIPAA requires that these signals be scrambled so they cannot be deciphered unless you have a password to open them.

The internet is the monster!
A common myth is that if your dental office is not connected to the internet, you are safe from having your medical records hacked, therefore you are HIPAA compliant. The truth is, you cannot be in HIPAA compliance without the internet (see the cloud storage of your off site backup discussion above). In fact, if you are not connected to the internet, you are likely running an outdated operating system and software, which are updated through the internet. Having your old software updated is not only a good business practice, but is also mandated by HIPAA. The solution to this is to have an audit of your complete computer system performed.

Have your entire system audited
The Department of Health and Human Services (HHS) suggests that you have a regular security audit of your entire system. HHS makes regulatory changes to HIPAA periodically, so if even if you have had an initial audit of your computer system, it is a good practice to have it checked on a regular basis. An audit takes 30 minutes or less. It is a good safeguard against HIPAA noncompliance. Beyond HIPAA, it also will keep your system running smoothly. We all depend upon technology to do our jobs. When it fails, so does our work.

Greg and Wayne Polakoff are IT Consultants with NFC IT. They specialize in Dental Practice computer system security and compliance. Contact them at gpolakoff@nfcit.com or wpolakoff@nfcit.com