The advent of computer filing systems has greatly simplified the process of recording and storing patient records in dental offices. However, this convenience does not come without a potential cost. Every day, dentists across the country face the threat of hacking, ransomware and other threats to cybersecurity. And even in the absence of these active dangers, dental office managers must make sure to maintain security standards that meet federal guidelines for patient confidentiality.
Understanding HIPAA Guidelines
All dental offices in the U.S. must follow patient protection guidelines established under a piece of federal legislation called the Health Insurance Portability and Accountability Act, or HIPAA. This legislation includes a security rule that requires all practices to protect digitized records with appropriate safeguards. Common steps used to meet this requirement include:
• Making sure that all computers and mobile devices capable of accessing patient records are secured by passwords of adequate complexity
• Protecting an office’s entire digital pathway with comprehensive data encryption software
• Teaching staff members how to avoid exposing computers and mobile devices to unauthorized requests for access (which often come in the form of “phishing” emails)
• Taking steps to ensure data security before and after business hours
The best way to coordinate your safeguarding efforts is to establish an office-wide cybersecurity policy that serves as a framework for all employees. In addition to actions that help keep patient records secure, this policy should include the steps to take if a security breach occurs.
Conducting a Cybersecurity Review
Once you have your office-wide policy in place, follow up with a review of your dental office’s current procedures. Crucial steps in this review include:
• Identifying all computers capable of accessing patient records
• Identifying all mobile devices (e.g., smartphones and tablets) capable of accessing patient records
• Determining which staff members have access to relevant computers and mobile devices
• Determining if any mobile devices ever leave the premises during or after hours
• Making sure the entire electronic pathway is protected by passwords and adequate encryption
After completing your review, identify any discrepancies between your stated policies and your office’s actual day-to-day conduct. Be aware that current federal law allows the agency that enforces HIPAA, the HHS Office for Civil Rights, to audit any dental practice in the country. If such an audit turns up inadequacies in your policies or procedures, you could end up facing a hefty fine that totals thousands of dollars, or even more.
Responding to a Ransomware Attack
Ransomware attacks are increasingly common at all kinds of businesses, including dental offices. In most cases, these attacks begin when a staff member opens a seemingly harmless email and unleashes a piece of malicious software on the office system. Once active, this software can block access to vital electronic data, including patient records. In return for restoring access, the perpetrator of the attack will demand some sort of payment.
Dental offices victimized by ransomware attacks should take several immediate steps, including:
• Limiting the damage by disconnecting the affected computer(s)/device(s) and disabling drive sharing
• Letting the entire staff know that an attack has occurred
• Seeking help from your IT provider
• Informing your insurance provider
After completing these actions, follow up by assessing the extent of the harm. Steps in a thorough assessment include determining if you have backup records for the machine(s) under attack and determining the amount of time since the last backup was completed.
If you don’t have recent, secure backups for the ransomed machines, you may have to consider the pros and cons of paying the money required to release the blocked records. This tough call can be influenced by a number of factors, including the level of disruption caused by the attack, the type of information lost through the attack and the value of that lost information.
Having Dental Malpractice Insurance is important, but it doesn’t cover fines and penalties for not following current legislation and laws. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 by the U.S. Congress to protect patient data with a set of established procedures that every profession handling that data must follow.
If you have protected health information (PHI) – which you do – you must follow a set of specific procedures for handling your patient data. The policies apply to both business associates (BA) and covered entities (CE).
BAs include anyone with access to sensitive patient information like:
• Dental assistants
• Health insurance companies
• And more
CEs include anyone who provides dentistry, handles financial information, or operates the business like:
HIPAA contains two rules that matter here: the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule establishes federal protection for protected health information (PHI), while the Security Rule requires businesses such as dental offices and professionals such as dentists to safeguard electronic protected health information (ePHI).
The HIPAA Privacy Rule
The Privacy Rule allows PHI to be shared in the course of providing health care to a patient. This can include a hospital sharing records with your family doctor, sharing your patient history with a specialist, and so on. Dentists may also need to share such information with a doctor to support a diagnosis, just as a doctor may need to share patient information with a dentist for dental procedures.
The Privacy Rule applies to any means of sharing PHI, whether on paper, by fax, email, document, phone, or simple electronic transfer. Aside from how information is handled between professionals, the patient also has the right to view their own medical history.
The HIPAA Security Rule
The Security Rule requires several kinds of safeguards to protect PHI: technical (digital), physical, and administrative. For instance, it includes training all personnel in the proper use of networked computers, limiting access to specific information to certain employees, establishing policies and procedures for workstation use, requiring passwords for specific tasks and operations, and so on.
HIPAA is federal legislation, so you should thoroughly understand its details and ensure that you are in compliance. Your dental malpractice insurance does not cover fines and penalties for HIPAA violations, although the insurer must abide by HIPAA just as you must. In addition, federal audits and enforcement are robust and highly active. Failure to comply with all rules leads to fines and/or penalties that can really add up. However, an audit also gives your facility a chance to fix the issues found.
With HIPAA there are very few exceptions to the rules. All states must follow the HIPAA rules and regulations, and if a state’s rules exceed HIPAA’s patient protection requirements, the state’s rules generally take precedence over HIPAA.
For instance, a state may require doctors to obtain a signed patient consent form before disclosing the health records of new patients, whereas HIPAA does not.
In that case the state’s rule takes precedence over the HIPAA rule, which is acceptable because it offers a higher level of protection. As long as the state’s law provides better patient information protection, it supersedes the HIPAA requirement. While that benefits the patient, it can be confusing for the dental professional: you must follow not only HIPAA rules but also state laws.
Because sharing patient information is restricted to specific allowances, it can be confusing. In short, sharing is usually permitted when the patient is at risk of harm to themselves or others, and in response to subpoenas and judgments that require specific patient information, such as an X-ray of the patient’s teeth or their oral history. Your dental practice may rarely encounter the “patient at risk” situation, since you hold no medical information related to it, but subpoenas and judgments will apply. It may not occur often in the dental field, but it is possible and important to know. This is just one example of legally sharing patient information when it would otherwise not be acceptable.
The most important strategy for staying HIPAA compliant is to create a routine HIPAA compliance program. This program analyzes potential risks and identifies key areas of need. Since HIPAA rules can change, it is important to revisit your compliance program routinely and ensure that your office still complies. Your program should have three main components: risk assessment, policies and procedures, and business associate agreements.
Policies and Procedures
The policies and procedures involve reviewing your written employee rules and training processes to ensure that they cover all current HIPAA compliance rules. As laws change, you may need to adjust your policies and procedures for the staff at your office.
Risk Assessment
The risk assessment identifies every place patient information is stored or accessible, such as tablets, mobile phones, fax machines, networks, email addresses, phone numbers, and more. This helps you identify potential privacy leaks and ensure that every source holding private information is properly secured or controlled. For example, a mobile phone with patient data could be lost and give access to someone unauthorized to view the information. Another prime example is a network weakness that lets a hacker reach private patient data. A particular program or application could also be allowing the wrong people to access private patient medical information. The list could go on, but this gives some insight.
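One way to operationalize the review checklist earlier on the page and the risk-assessment inventory described here: an added example (not code from the original page or from HMBD) that walks a constructed device inventory and reports the gaps the checklist asks about. The inventory fields, sample devices and the authorized-role list are assumptions for illustration.

```python
"""Asset-inventory check for a dental-office HIPAA security review.

Added example, not from the original page: each device that can reach
patient records is checked against the review questions (encryption,
password policy, devices leaving the premises, who has access).
Field names, sample devices and roles are assumptions, not real data.
"""
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    kind: str                 # "workstation" or "mobile"
    accesses_phi: bool        # can open patient records
    encrypted: bool           # full-disk / device encryption enabled
    password_ok: bool         # meets the office complexity policy
    leaves_premises: bool     # ever taken home or off-site
    users: list = field(default_factory=list)  # roles with a login


# Constructed sample inventory (not a real office).
INVENTORY = [
    Device("front-desk-pc", "workstation", True, True, True, False, ["receptionist"]),
    Device("op1-pc", "workstation", True, False, True, False, ["dentist", "assistant"]),
    Device("dr-tablet", "mobile", True, True, False, True, ["dentist"]),
    Device("lobby-kiosk", "workstation", False, False, False, False, []),
    Device("billing-laptop", "mobile", True, False, True, True, ["office_mgr", "vendor"]),
]

# Roles the (assumed) office policy allows to touch patient records.
AUTHORIZED_ROLES = {"dentist", "assistant", "hygienist", "receptionist", "office_mgr"}


def review(inventory):
    """Return (device, finding) pairs for every gap on a PHI-capable device."""
    findings = []
    for d in inventory:
        if not d.accesses_phi:
            continue  # no patient records reachable: out of scope for this review
        if not d.encrypted:
            findings.append((d.name, "PHI device without encryption"))
        if not d.password_ok:
            findings.append((d.name, "password does not meet policy"))
        if d.leaves_premises and not d.encrypted:
            findings.append((d.name, "unencrypted device leaves premises"))
        for role in d.users:
            if role not in AUTHORIZED_ROLES:
                findings.append((d.name, f"unauthorized role has access: {role}"))
    return findings


if __name__ == "__main__":
    for name, issue in review(INVENTORY):
        print(f"{name}: {issue}")
```

Each finding maps to one line of the checklist, so the output doubles as the discrepancy list the page asks you to compare against your written policy.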
Business Associate Reviewing
The business associate agreements ensure that your third-party associates are aware of your office’s policies and procedures, as well as their responsibility to comply with HIPAA. If private information is leaked by such a party in relation to your practice, you may be held responsible if you did not provide them with the relevant information about your practice. They may also face penalties, but you need to protect your profession too. HMBD Insurance Services follows all HIPAA rules and regulations to protect both us and you, but you will still want to review your other third-party affiliations that must adhere to HIPAA regulations.