A CDA member’s dental practice lost a computer server to thieves last year, and is now responding to U.S. Health and Human Services (HHS) inquiries on that practice’s HIPAA compliance. CDA has been assisting the practice in this process, and would like to offer members the following recommendations so they can avoid a similar situation.
Encrypt data at rest.
Encryption is an “addressable” technical standard under the HIPAA Security Rule, which means it is not required. However, data encryption does exempt a practice from complying with federal and state breach notification laws. If a dentist’s system is capable of encryption, he or she should do it. Dentists can double-check with their practice management software vendors about the ability to encrypt data. In the case of the dental practice with the stolen server, the vendor had said the data was encrypted, so its status was at first unclear; it turned out that the data was not encrypted.
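Because a vendor's assurance was not enough in the case above, the following added example (not from the CDA article or any vendor) shows how a practice's IT support could verify for itself that the directory holding patient data sits on an encrypted volume. It assumes a Linux server where data is protected with LUKS/dm-crypt and reads the block-device tree from `lsblk -J`; the sample JSON embedded below is constructed for offline use, and the `/srv/practice` data path is a hypothetical location. On a Windows server the equivalent check is BitLocker's per-volume status, which this script does not cover.

```python
"""Verify, rather than assume, that a data directory lives on an encrypted volume.

Added example (not from the CDA article). Assumes a Linux host whose practice
data sits on a LUKS/dm-crypt volume. The tree printed by ``lsblk -J`` is parsed
and any mount point whose block-device ancestry contains a ``crypt`` layer (or a
``crypto_LUKS`` filesystem) is reported as encrypted.
"""
import json
import subprocess
from typing import Dict

# Constructed sample of ``lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`` output:
# /dev/sda2 is a LUKS container opened as ``cryptdata`` and mounted at
# /srv/practice (hypothetical data path); /dev/sda1 is plain ext4 mounted at /;
# /dev/sdb1 is an unencrypted NTFS backup disk.
SAMPLE_LSBLK_JSON = json.dumps({
    "blockdevices": [
        {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None,
         "children": [
             {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/"},
             {"name": "sda2", "type": "part", "fstype": "crypto_LUKS",
              "mountpoint": None,
              "children": [
                  {"name": "cryptdata", "type": "crypt", "fstype": "ext4",
                   "mountpoint": "/srv/practice"}]},
         ]},
        {"name": "sdb", "type": "disk", "fstype": None, "mountpoint": None,
         "children": [
             {"name": "sdb1", "type": "part", "fstype": "ntfs",
              "mountpoint": "/mnt/backup"}]},
    ]
})


def _walk(dev: Dict, under_crypt: bool, out: Dict[str, bool]) -> None:
    """Record each mount point together with whether a crypt layer is in its ancestry."""
    is_crypt = dev.get("type") == "crypt" or dev.get("fstype") == "crypto_LUKS"
    under_crypt = under_crypt or is_crypt
    mountpoint = dev.get("mountpoint")
    if mountpoint:
        out[mountpoint] = under_crypt
    for child in dev.get("children") or []:
        _walk(child, under_crypt, out)


def mount_encryption_map(lsblk_json: str) -> Dict[str, bool]:
    """Map every mount point to True if it is backed by an encrypted device."""
    out: Dict[str, bool] = {}
    for dev in json.loads(lsblk_json).get("blockdevices", []):
        _walk(dev, False, out)
    return out


def path_is_encrypted(path: str, mounts: Dict[str, bool]) -> bool:
    """Resolve ``path`` to its longest matching mount point and return that status."""
    best = ""
    for mountpoint in mounts:
        if path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/"):
            if len(mountpoint) > len(best):
                best = mountpoint
    if not best:
        raise ValueError(f"no mount point covers {path}")
    return mounts[best]


def live_lsblk_json() -> str:
    """Read the real block-device tree (Linux only; needs util-linux lsblk)."""
    return subprocess.check_output(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"], text=True)


if __name__ == "__main__":
    # Swap SAMPLE_LSBLK_JSON for live_lsblk_json() to check the real server.
    mounts = mount_encryption_map(SAMPLE_LSBLK_JSON)
    for p in ("/srv/practice/db", "/mnt/backup/nightly.bak"):
        status = "encrypted" if path_is_encrypted(p, mounts) else "NOT encrypted"
        print(f"{p}: {status}")
```

Run it against the live tree by replacing the sample with `live_lsblk_json()`; a data directory that resolves to a non-crypt device means the vendor's claim, whatever it says, is not what is on disk. The same approach flags an unencrypted backup disk, as the `/mnt/backup` entry in the sample shows.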
Strengthen the physical security of the server and hard drives if encrypting the data is not an option.
Look for ways to anchor the drives to something difficult to move, or add barriers that impede access to the system.
Encrypt devices used for backups, such as laptop computers and flash drives.
A dermatology practice lost an unencrypted thumb drive and recently reached a resolution agreement with HHS that called for the practice to pay $150,000 and to comply with a corrective action plan. If dentists cannot encrypt these devices, they should consider using cloud backup services. If using a cloud backup service, have a business associate agreement with the company.
Purchase a data compromise policy.
TDIC offers this policy, with $50,000, $100,000 and $250,000 limits, as an addendum to property coverage. Such a policy can pay for mailing notification letters to patients, providing affected individuals with credit monitoring and more.
For more information on TDIC’s offerings, visit thedentists.com. View the CDA Practice Support resource HIPAA Security Rule—A Summary, or Data Breach Notification Requirements.