Taking steps to protect patient information under HIPAA

Recent Health Information Technology for Economic and Clinical Health (HITECH) amendments to the Health Insurance Portability and Accountability Act (HIPAA) expanded patient rights with regard to their health information and added a breach notification rule for covered entities, such as dentists, to follow.

It also has significantly increased the maximum amount of fines and penalties for violations. Dentists who are HIPAA-covered entities, who haven’t taken the necessary steps to put a plan in place to protect patient data and experience a breach, could face fines and penalties up to $1.5 million depending on the situation — not to mention the impact it would have on the dentist’s professional reputation.

CDA provides its members with many resources related to HIPAA and its requirements via cda.org/Privacy-HIPAA. Resources include samples of the forms that were required to be in place by Sept. 23, as well as articles, a Q&A and a checklist for HIPAA compliance.

CDA also has partnered with Rami J. Zreikat, one California IT vendor with 25 years of experience in developing enterprise mainframe applications, to lead a lecture on the topic at CDA Presents The Art and Science of Dentistry in Anaheim on May 15-17, 2014. The lecture, titled Information Privacy and Security Update: HIPAA, HITECH and CMIA, will review the laws’ requirements and illustrate to attendees the various methods to protect patient information that is stored or transmitted.

“Dentists should get going on making sure their patient data is protected — this is not an option for them,” said Zreikat, whose company focuses on HIPAA, privacy and information security assessments.

Zreikat said dentists could take the following precautions to protect patient information.

  • Do not allow staff members to share usernames and passwords on any software regardless of whether the software manages or touches patient data or not. This is a requirement and is a good security practice that provides accountability. Each person in the practice must have his or her own unique username and password.
  • Make sure all computers are locked with a password when unattended.
  • Make sure computers have privacy screens, especially if those computers are in the front office and are easily viewed by visitors.
  • Keep antivirus software up-to-date.
  • Make sure patient data backups are secure and encrypted.
  • Reach out to an IT consultant for advice on how to best protect the practice from potential threats.
  • Make sure the wireless network that the practice uses is protected with, at a minimum, Wi-Fi Protected Access (WPA) protocol or newer (WPA II).

Dentists who are HIPAA-covered entities must have a documented risk analysis on their practices’ information systems. Dentists who are not tech savvy may utilize a tech consultant to look at how electronic information is stored and transmitted and to identify risks and threats to the system.

“A risk analysis will help a practice map out a plan and make recommendations on the weaknesses that the dentist needs to focus on,” Zreikat said.

Sometimes a threat can come from an upset employee.

“A disgruntled employee could act on a weakness such as backups that are kept in the office. They could steal the backups without the dentist knowing and impact the operation,” Zreikat said. “Another scenario is where some dental software packages simply allow for data to be transferred/exported in what is called ‘Coma Separated Value files (CSV)’ and then copied on to an external device, thus replacing or bypassing the backup of the data. These CSV files are not encrypted and can be imported into various other office tools like Microsoft Excel where a disgruntled employee can simply copy the CSV file to his or her external USB or flash drive/stick without being noticed. Therefore, a dentist needs to look at where data backup copies of his or her patient information are kept, assess what could cause this information to be stolen/breached and what he or she is doing to protect it.”

While encryption is an “addressable safeguard” and is not required under HIPAA, it is highly recommended. Encryption takes readable data and obscures (garbles) it so that someone who steals the data can’t read it. Dentists can encrypt both “data in motion” (data that is in transit either through the Internet, email or being sent to a printer, etc.) and “data at rest” (data on a hard disk, external USB stick/flash drive or on an external drive).

Encrypting stored data serves as a “get out of jail” card should the computer, laptop, mobile device, hard drive, or flash drive or any mobile media in that fashion with patient information be stolen or lost. Breach notification requirements apply in the theft or loss of patient information, except when the media with the information has been demonstrated to have been encrypted.

According to Zreikat, there are alternatives to using encrypted email such as secure web portals and secure file-sharing software. Other alternatives include de-identifying the information being sent (basically removing all 18 HIPAA identifiable elements from the record); transmitting as little information as necessary; encrypting portions of the electronic protected health information of the record being transmitted; not emailing sensitive or diagnosis information; sending information via standard mail with tracking; or using standard fax (make sure to call the recipient before and after faxing the information and request a receipt confirmation of the fax).

Some common misconceptions about HIPAA compliance include:

  • Not being connected to the Internet means data is protected (this is not true because access to patient data can take on many forms).
  • Free email services such as Gmail and Yahoo are secure (this is not true and dentists should pay to have a secure email provider).
  • Using a cellular provider’s “personal hotspots” as part of a cellphone plan as the office’s wireless hotspot is secure (this is not true because these personal wireless Internet hotspots do not provide for a minimum WPA protection).

“Wireless networks, if not properly protected, are a big hole. Make sure they are set with a key (password) and that the password is changed frequently,” Zreikat said. “Most older routers come with standard WEP, where the key is 10 characters and does not change, or Wi-Fi Protected Access, a much more secure option because it utilizes a passphrase (supplied by the user), as well as shared keys, which changes, making it much more difficult for someone to crack.”

CDA members have recently reached out to the Practice Support Center with questions about texting and emailing appointment reminders and if that violates any HIPAA requirements.

Appointment reminders may be sent via text or unsecured email as long as no information on treatment or purpose of the appointment is included in the communication. The first name of the patient, date, time and name of the practice may be included. It is the dental practice’s responsibility to ensure the appointment reminder is being sent to the correct telephone number or email address.

Members also have asked questions about email.  

Encryption, again, is a popular option for email, but it is not the only solution to secure electronic transmission. Other solutions include secure file-sharing software, secure emailing services and dental-specific services such as RecordLinc, eDossea, Brightsquid and Dental Sharing. Other solutions may be available. Dental practices should consult with their IT advisors to determine the best solution for their needs. CDA makes no recommendations in this area.

Dentists can use “Cloud” services to help back up their patient information. Zreikat warns, however, that these companies sometimes store data overseas and recommends dentists ask the companies the following questions:

  • Where is my data residing? 
  • Who supports my data? 
  • Can I get my data back and will you have any of my data should our business relationship end?
  • Are your backup facilities HIPAA compliant?
  • Do you co-mingle the data with non-HIPAA data?

Zreikat and Teresa Pichay, practice analyst with CDA’s Practice Support Center, will discuss all of this and more at the Information Privacy and Security Update: HIPAA, HITECH and CMIA lecture at CDA Presents in Anaheim in May. Zreikat and Pichay will break down both federal and state health information privacy law requirements to help attendees understand compliance.

Registration for CDA Presents opens in early December at cdapresents.com.

Information technology security with regard to HIPAA requirements is the subject of several guides and reports produced by the National Institute of Standards and Technology (NIST), a federal agency that sets computer security standards for the federal government. One guide, for example, looks at Secure Sockets Layer (SSL) virtual private networks (VPN), and another one reviews transport layer security implementations. A list of their publications is available on the website of the U.S. Department of Health and Human Services (HHS), which enforces HIPAA.

Secure electronic transmission of protected health information is one of the many requirements of the HIPAA Security Rule. Dental practices should review the rule requirements to ensure compliance. A major component of compliance is a documented risk analysis. HIPAA Security Rule: A Summary can be found on cda.org. HHS has on its site Guidance on Risk Analysis.

“HIPAA is all about due diligence, make sure you are doing your due diligence and understand what you need to do to be compliant. Basically, follow these three steps: understand your risk profile and its implications;  ensure new and existing patients’ electronic data is compliant, traceable and can be safely shared; and take HIPAA compliance seriously and make it a good habit in your practice. It touches everything you do,” Zreikat said.

For more information on patient privacy and HIPAA requirements, visit cda.org/Privacy-HIPAA.