When people think of the Health Insurance Portability and Accountability Act (HIPAA), they initially think of hospitals or doctors’ offices. But what about the dental field and the organizations that support it?
Dental offices, Dental Support Organizations (DSOs), community healthcare or Federally Qualified Health Centers (FQHCs), orthodontic practices, and even denture and dental implant manufacturers are all subject to HIPAA.
Each of these organizations deal directly with private medical information and rely on practice management software that falls under strict regulatory guidelines. That means all technology they use must meet HIPAA compliance certifications to ensure patients’ personal information and dental records stay safe.
Research conducted by the American Dental Association shows dental practices are increasing in number and increasing in size, and, according to the National Association of Dental Plans, the number of US citizens with access to commercially or publicly funded dental care increased from 170 million (2006) to 248 million (2016).
Every industry has seen an explosion of new technology aimed at making the job easier, and a dental practice is no different. Computerized healthcare information systems have improved the management of health information, improved medical care, lowered costs, reduced mistakes, and improved efficiency.
Because of this, dental offices have widely adopted this technology to streamline their operations. While all of these digital innovations have increased efficiency and mobility, they have also dramatically increased data security risk.
As dental practices, and the organizations that support them, continue to expand and gather larger databases of patient healthcare information and personal payment data, they become just as attractive as hospitals for hackers.
Are the Dentists Covered under HIPAA?
According to the American Dental Association, HIPAA rules for Privacy, Security, and Breach Notification apply to a dental practice if it meets the definition of a “Covered Entity.” Assuming a dental practice is a covered entity, the practice will need to take steps to comply, starting with the appointments of a HIPAA Privacy Official and a HIPAA Security Official.
Other steps include (but are not limited to) reading and understanding all of the requirements, creating a HIPAA compliance team, delegating tasks to appropriate roles, performing a risk assessment, devising policies and procedures, and training workforce members on the processes and requirements. Achieving and maintaining compliance is a significant, ongoing effort that requires time, people, and resources.
On the other end, a dentist employed by a dental firm is not covered under HIPAA – it is the dental firm that is the HIPAA Covered Entity. In this case the dentist would be expected to comply with HIPAA to the extent that the dental firm will enforce HIPAA-compliant policies relating to the acceptable uses and disclosures of patient healthcare information (PHI).
There is some gray area when it comes to dentists. If you are a dentist in a small office, it is best practice to seek advice about whether your practice is covered under HIPAA. If you are, then you must implement procedures or seek out a compliance and security partner that will help you achieve HIPAA compliance in your technology.
How to Achieve HIPAA Compliance as a Dentist
At LightEdge, our Chief Security Officer is available to all of our customers as a free added resource. Our security and compliance consultants help to strengthen your company’s risk mitigation and compliance story.
If your dental practice does not outsource compliant cloud or other technology services, then the first step to achieving HIPAA compliance is hiring a Compliance Officer. This can be an individual dentist or even consultant who acts as the temporary Compliance Officer. This person will be responsible for:
- Conducting regular security and risk assessments to determine if the practices has any vulnerabilities with their existing policies or practices that could result in a data breach or exposure of patient information
- Creating actionable steps to rectify any HIPAA vulnerabilities and protect patient data
- Developing new policies and procedures to support HIPAA compliance measures (included in these policies should be sanctions for those who fail to comply with procedures)
- Educating and training new and existing employees on compliance and security best practices
- Developing business continuity and disaster recovery plan if a breach were to occur to minimize business disruptions, reduce damage, and assess potential penalties for non-compliance with HIPPA regulations
Implement Access Control Requirements
Access control is a method of guaranteeing that users are who they say they are and that they have the appropriate access to company data.
“In every data breach, access controls are among the first policies investigated,” notes Ted Wagner, CISO at SAP National Security Services, Inc. “Whether it be the inadvertent exposure of sensitive data improperly secured by an end user or the Equifax breach, where sensitive data was exposed through a public-facing web server operating with a software vulnerability, access controls are a key component. When not properly implemented or maintained, the result can be catastrophic.”
Modern technology solutions that dental practices use, manage data with many users accessing patient health data for various purposes within different organizations. Despite significant progress in the field of information access control, the implementation of access control still remains a challenge due to the complex nature of data access.
Go Beyond Audits and Contracts
Data centers have to meet strict security requirements in order to comply with HIPAA. The complexity of achieving the rules is simplified through independent audits that determine whether HIPAA compliance controls are implemented.
Audits and third-party consulting can help validate the compliance of system whether it is your own or that of a vendor you are outsourcing to. When looking for cloud hosting services or colocation, it is important to understand who is managing the compliance certifications.
Plus, due diligence must be performed when selecting a dental business associate. Beyond healthcare-specific audits you should also pick a technology partner with ISO 20000-1, ISO 27001, and SOC 1, SOC 2, and SOC 3. The adoption of these additional compliance certifications in addition to a HIPAA compliance audit creates redundancy in third-party security evaluation of the infrastructure partner you select.
Physical Safeguards is a guide to policies and procedures creation that aims to protect electronic systems and ePHI from potential dangers and unauthorized intervention. Each of the developed standards has to be documented as a written policy and accessible to all employees so they would understand the potential risks and necessary steps that should be taken to maintain patients’ privacy.
These standards also determine how workstations and mobile devices should be secured against unauthorized access.
Implement Backup and Disaster Recovery
The next point that is important for you, when you develop a system that should follow the HIPAA compliance, is to look over the backup services. Your IT team should understand how your solution will benefit from backup services in case of a disaster.
What you need to do is to ensure that all ePHI that are collected, stored, and used within your solution are backed up. The reserved copy should be stored in a secure environment and according to the best practices, it should have several backups that are stored in different locations.
This approach helps to avoid data loss in case when something unpredictable happens with data in one physical location. If you consider this moment you will be able to restore data from other locations. Also, the copy should be readily retrievable if the hardware or electronic media is damaged. And don’t forget that scale and size of the data has an impact on the manner in which the implementation is carried out.
Notice that ePHIs stored in backups must also be protected according to HIPAA compliance standards. This means security, authorization controls, etc. Having robust data backup and disaster recovery solution in place may serve as the last line of defense for many dental practices striving to be compliant with the laws.
In accordance with §164.306, a covered entity must implement a mechanism to encrypt/decrypt ePHI. Here is how you can do that with your dentist healthcare application.
While HIPAA addresses the security and privacy of ePHI as a policy and procedure-oriented approach with no strict parameters, it is your responsibility to determine which type of technology to use. When it comes to the question of sensitive data protection, encryption is typically considered to be the best practice.
Data encryption involves the conversion of data into undistinguishable symbols with the help of complex algorithms that require a security key to convert the data back into its original form and is very important in cases when data may be stored or backed up in locations available to users besides your staff.
If data encryption is necessary, then you have to ensure that all collected and stored ePHIs are encrypted and they can only be accessed and decrypted by the person with the appropriate access. This makes your data secure and protects it from unauthorized users unless your access is stolen.
Other methods that can help you determine if you need encryption include completing a HIPAA risk assessment, performing a gap analysis to find out what you’re missing in your current security environment, and developing and documenting solutions to become more resilient to the risk of a data breach.
Take Advantage of LightEdge’s HIPAA Compliant Services
The Health Insurance Portability and Accountability Act (HIPAA) establishes requirements for the use, disclosure, and safeguarding of electronic protected health information (ePHI).
For organizations that manage, store, or transmit ePHI or those that are entering the cloud marketplace, staying up to date on the latest HIPAA guidelines is essential.
LightEdge has successfully undergone a third-party examination against the HIPAA Security Rule and HITECH Breach Notification Requirements and has been issued a Type 1 attestation report from an independent CPA firm. This means our facilities have the HIPAA colocation requirements to keep your data HIPAA-compliant.
Our HIPAA report includes the HIPAA Security Rule and HITECH Breach Notification Requirements to demonstrate that we have controls in place to protect the security, confidentiality, and availability of your electronic protected health information (ePHI).
Outsourcing a dentist office or hospital’s information security and IT infrastructure is an important decision and transferring legacy data and applications is a sensitive task. With our HIPAA-compliant cloud services, we create service level agreements (SLAs) to address security, information disclosure, disaster recovery policies, and other specific data handling practices.
When searching for the right HIPAA-compliant cloud hosting provider, it is best that your provider has experience with healthcare customers. LightEdge has extensive experience in the healthcare industry and is well-versed in addressing the dynamic needs of healthcare businesses. We have the expert knowledge to keep EHR and PHI secure and have the background experience dealing with industry rules and regulations and will be able to advise you on compliance actions your organization should be taking.
Get in touch with our compliance experts today and get a free quote. If you are not ready to chat, Download our whitepaper to learn more about what to look for in a HIPAA-compliant cloud hosting provider.
- HIPAA and Encryption Best Practices
- HIPAA Compliance: The Difference Between Addressable and Required Specifications
- Challenges Healthcare Faces In The Public Cloud
- HITRUST vs. HIPAA: What You Need To Know
- Healthcare IoT Adoption In the HIPAA Compliance Landscape
- Key Takeaways: Security and Privacy Concerns for Healthcare Data
- What All Healthcare Companies Need to Know About HIPAA Compliance
- Control the Risks of IoT and BYOD In Healthcare: Part II
- Why Colocation Improves Healthcare IT