July 8, 2014
My most recent blog post referenced privacy and security actions that are necessary for a dental practice to implement in order to be compliant with the 2013 Omnibus Final Rule. That rule is scalable and flexible based on the size of the business. But knowing exactly what is necessary for your dental practice has created tremendous angst, uncertainty and confusion in the profession.
I feel that the biggest liability for a dental practice is cyber theft. If someone breaks into your office and steals a laptop or a cell phone, under the Omnibus Rule, this will trigger a series of events. If over 500 names are in the computer, you are required by law to notify the local media and have your practice listed on the Health and Human Services website. You also have to notify every patient in your practice in writing about the possible loss of Social Security numbers and credit card numbers and other protected health information. This undoubtedly leads to many unhappy and angry patients and damage to your reputation. The economic fallout to your practice is potentially catastrophic. That is the bad news.
The good news is that if your data is encrypted and that same break-in and theft occurred, you are exempt from the Breach Notification Rules. So to protect yourself, you must have sophisticated and coordinated systems in place, including but not limited to the following:
• Encrypted practice management software.
• Encrypted email. Even if your computer is secure, your e-mail message passes through dozens of unknown servers en route to its destination.
• Staff training on the proper methods of data disposal and data protection.
• Understanding special rules for fax machines.
• Secure credit card systems. Credit card terminals must be PCI DSS (Payment Card Industry Data Security Standard) compliant. In order to meet those standards, you must have both a software firewall and a hardware firewall, each configured properly to prevent data from being compromised.
• Business associate agreements. You need agreements in place with any vendors with whom you do business that have access to your protected health information. This is essentially an agreement with any third-party service provider that will indemnify you – the covered entity – from liability based on their negligence. That agreement might also require the third party to have a certain level of cyber liability insurance.
• IT support. You will need significant support from your information technology team to assist in all of these technical requirements for compliance.
For most of us, trying to do all of the above is just not possible. I would like to recommend two companies that have the expertise and the experience and the programs in place to guide you on a journey to becoming HIPAA compliant. Both of these companies work remotely and have costs that are quite reasonable. Eric Simmons is a HIPAA Security Analyst at SecurityMetrics located in Orem, Utah. His direct telephone number is 801-995-6366. Dr. Lorne Lavine is the founder of The Digital Dentist located in Burbank, California, and is a Certified HIPAA Security Professional. Lorne can be reached at 866-204-3398 X 200.
Please open the links that I have included for both companies and read the material. I suggest that you then call each of these companies and listen to their approach. Then make the decision on how to proceed. You absolutely can’t afford to drag your heels and put your head in the sand on an issue of such great importance.