Emmott On Technology: Understanding the 2013 HIPAA Updates

Thursday, October 3, 2013

Excuse me for a moment while I climb up onto this soapbox.

I appreciate the concept of government regulations, but it is so very easy to get too much of a good thing. What is most frustrating are regulations written in such a way that no normal person can read and understand them. I present the HIPAA Omnibus rule as exhibit A. Even the government summaries that are supposedly designed for ease of use are often unintelligible.

Grrrr.

Thank you for your indulgence. The rant is over and I am off the soapbox now, but you are still liable for HIPAA compliance, including the new rules that went into effect September 23, 2013. Dentists have a moral and a legal obligation to keep patient information confidential.

The new rules require you to have a business associate agreement with any person or business that may have access to your patients' protected health information. This includes e-service companies such as Demandforce or Sesame Communications that access your data to send reminders or other communications. It includes your CPA, a practice management consultant or any other professional who reviews your practice records. It includes the IT company that sets up and services your computers and the online service that backs up your data every day. It includes the vendors of Dentrix, Eaglesoft and other practice management systems, along with anyone else who has remote access to your system for service and support. And of course it includes insurance carriers and other third-party payers.

That is just the first layer. Every one of the companies you have a business associate agreement with must have similar agreements with the subcontractors they use who might see the data, and your agreement needs to ensure that their agreements are in place, and on and on it goes.

The bottom line: any agreements you might have had in the past are no longer sufficient and all need to be updated. How all this redundant paperwork makes any difference is a mystery to me. Oops, I slipped back onto the soapbox for a second, sorry.

The next set of changes all have to do with micromanagement minutiae. For example, if you wish to use patient information for fundraising, the patient can opt out. I had no idea dental offices were using patients for fundraising, but it is good to know. If a patient pays for a treatment out of pocket in full, he or she can ask that information about that treatment not be sent to the insurance carrier. A patient can request an electronic copy of his or her record, and the dental office cannot sell patient information.

I guess these new rules make sense even if the situations they cover hardly ever happen. However, the rules also state that you must let your patients know they have all these rights. That means the HIPAA privacy notice and acknowledgment forms you have had everyone signing for the past few years are no longer good enough, and you need to get everyone to sign an updated version that includes the new rules, like that fundraising bit.

The rules also require each office to do a risk assessment, train staff members on data safety and take "reasonable" steps to ensure patient privacy. Actually doing all that is not good enough; you must also document that you did it.

If you want to try to do all this yourself, the government does have a website with instructions and templates here: http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html.

The ADA offers a Complete HIPAA Compliance Kit: http://www.ada.org/8833.aspx

The law says that you need all this paperwork: agreements, disclosures, signatures and documentation. I fail to see how paperwork will protect your data, even large amounts of redundant paperwork. However, there are two concrete steps you should take that will make a real difference.

First, install a firewall. A firewall is a software- and/or hardware-based security system that controls which connections are allowed into and out of your computer network. It is possible to download and install a free DIY firewall, but this is too important to leave to chance. Have an IT professional install an enterprise-level firewall that blocks every inbound connection from the Internet except the few you have explicitly allowed (a "default deny" policy) and that receives its updates automatically on a regular basis. Some firewall products also include malware protection. Keep in mind what a firewall does not do: it cannot protect a laptop once it leaves the building, and it does not stop a staff member from opening a malicious e-mail attachment, so it is one layer of protection, not the whole answer.

Second, encrypt your data. That is, store it in an encrypted form so that even if an unauthorized person obtains the data, he or she cannot read it. This sounds simple, but in everyday use it gets complicated: which data, stored where, and encrypted how. There is no single industry-wide answer, but HIPAA's breach notification rule does point to the NIST guidance (NIST Special Publication 800-111 for stored data), and data encrypted in line with that guidance is not considered "unsecured" protected health information if it is lost or stolen, which means a lost encrypted backup drive is not a reportable breach. That only holds if the decryption key was not lost along with it, so keep the key somewhere other than the backup media itself. For now, discuss this with your IT provider and at a minimum encrypt any data that leaves your office, whether as a backup tape or drive, an online backup, or a copy on another computer such as a doctor's laptop (full-disk encryption on the laptop covers that last case).
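To make the backup part of this concrete, here is an added example of what "encrypt the data before it leaves the office" looks like as a script. It is not from the original post or from any of the vendors mentioned; it assumes the openssl command-line tool (version 1.1.1 or later, for the -pbkdf2 option) is installed, and the directory names, file names and the sample chart line in the usage section are constructed for illustration. The key file is created separately from the archive so that the two are never stored together.

```shell
#!/bin/sh
# Added example (not from the original post): encrypt a practice-data backup
# before it leaves the office, keeping the key separate from the archive.
# Assumes the openssl CLI (1.1.1+ for -pbkdf2). Paths and sample data are
# constructed for illustration.
set -eu

# make_key KEYFILE
# Generate a random 256-bit key (base64, one line) readable only by the owner.
# The key file stays in the office, never on the backup media.
make_key() {
    ( umask 077; openssl rand -base64 32 > "$1" )
}

# encrypt_backup SRC_DIR KEYFILE OUT_FILE
# Tar the data directory and encrypt the stream with AES-256-CBC. -pbkdf2 with a
# random salt derives the cipher key from the key file's contents, so two
# backups of identical data never produce identical ciphertext.
encrypt_backup() {
    src="$1"; keyfile="$2"; out="$3"
    tar -C "$src" -cf - . | openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -pass "file:$keyfile" -out "$out"
    # Record a SHA-256 checksum so a corrupted or altered archive is caught
    # before a restore is attempted (integrity only; the checksum is not secret).
    openssl dgst -sha256 "$out" | awk '{print $NF}' > "$out.sha256"
}

# restore_backup ENC_FILE KEYFILE DEST_DIR
# Verify the checksum first, then decrypt and unpack into DEST_DIR.
restore_backup() {
    enc="$1"; keyfile="$2"; dest="$3"
    expected=$(cat "$enc.sha256")
    actual=$(openssl dgst -sha256 "$enc" | awk '{print $NF}')
    [ "$expected" = "$actual" ] || { echo "checksum mismatch for $enc" >&2; return 1; }
    mkdir -p "$dest"
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$keyfile" -in "$enc" | tar -C "$dest" -xf -
}

# contains_plaintext FILE NEEDLE
# Returns 0 if NEEDLE is readable in FILE, i.e. the file is NOT protected.
contains_plaintext() {
    grep -q -a -- "$2" "$1"
}

# Usage (constructed sample): back up ./practice-data to backup.tar.enc.
# make_key /srv/keys/backup.key
# encrypt_backup ./practice-data /srv/keys/backup.key backup.tar.enc
# restore_backup backup.tar.enc /srv/keys/backup.key ./restored
```

The point of the checksum file is not secrecy but early warning: a backup you cannot restore is no backup, and finding that out during a restore drill is far better than finding out after a hardware failure. Rotate the key and re-encrypt if anyone who had access to the key file leaves the practice.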

Many Dental IT vendors offer services to walk you through the compliance process and create the needed documentation.

ClearData will help you do a compliance assessment and provide documentation.

Lorne Lavine the Digital Dentist offers an encryption and compliance service he calls HIPAACheck.

Pact-One and other members of DIA, the Dental Integrators Association, use a program called PCI-HIPAA.

Digital technology provides tremendous benefits, and at the same time it creates privacy concerns. The future is coming and it will be amazing!
