Emmott on Technology: Untangling the Latest HIPAA Requirements – Part II

Wednesday, November 27, 2013


Protecting your patients’ privacy is important. Dentists have an obligation to honor patient confidentiality, and the digital age has made that obligation harder to fulfill. In addition, you are expected to comply with the HIPAA privacy rules, which have only a vague connection with actual privacy.

Last week in Emmott on Technology we made the distinction between PMP (Protect My Patient) documentation and CYA (Comply Yet Again) documentation. PMP might actually improve patient data protection, and CYA protects the dentist from investigators. (As was stated last week, the usual disclaimers apply: I am not a lawyer and you would be a fool to take my advice as legal counsel.)

PMP

  • Risk Assessment
  • Team Training

The biggest causes of actual data loss and privacy violations are employee errors, lost or stolen computers, and malicious hackers. PMP addresses these issues.

HIPAA compliance starts with a risk assessment. With the help of your IT provider, ask yourself these five questions:

  1. Where is the PHI?
  2. Who has access to it?
  3. Is it secure?
  4. Does the staff know what to do?
  5. Is the paperwork in order?

PHI is Protected Health Information, which is government jargon for everything you have in a patient record. The actual rules have multiple pages defining PHI, but for all practical purposes just assume it is everything in the chart, including full-face photos.

A typical dental office client server technology plan will look much like this:

Most of your PHI, for example your Dentrix database, should be stored on the server. However, there is more. Of course the data is also on the backup. The doctor or office manager might have a copy on a laptop or have a connection through a smartphone. Many offices actually maintain several databases that contain PHI. For example, digital radiographs, photos and correspondence are often saved separately. Where are they? CAD/CAM and CBCT units are usually sold with a dedicated computer that stores the 3D image data. Even some printers have built-in memory that could contain PHI.

Of course your staff has access to the data; that is expected. However, when you do the assessment you are likely to find others who are not so obvious. These will include your IT support company, your offsite backup system, eServices such as Sesame or Smile Reminder that access the data to send reminders, management consultants and possibly even your CPA.

Once you have identified them, determine whether they really should have access, and then be sure to get a signed BAA (Business Associate Agreement) from each of them.

Once you know where the data is stored and who has access to it, you can determine whether it is secure. A backup tape tossed in the back seat of the office manager’s SUV has questionable security. The following four steps will help ensure proper security.

  1. Password-protect both the computers and the dental application, with unique secret passwords for each team member.
  2. Install an enterprise-level firewall to keep out hackers.
  3. Install, and keep current, an enterprise-level anti-malware program.
  4. Most importantly, encrypt all patient data, especially any data that leaves the office as a backup or is copied to a laptop or USB drive.

Question number four, “does your staff know what to do?”, is the essence of PMP step two: team training. Start by creating a culture of professionalism and respect for patients.

Make sure team members know the basic HIPAA rules, and review with them the assessment and the essential elements of your policy and procedures manual. Designate “best practices”. These could include:

  • Do not send patient info via e-mail.
  • Never copy patient information to a removable data storage device.
  • If your smartphone or tablet has a connection to the office, be sure it is password-protected and has an anti-theft app installed.
  • Do not talk about patients out of the office or online.
  • Limit office website use to approved business sites.

Providing training will improve data security, but once again that is not enough. You need to document it. Train and document all new hires, and provide annual updates, once again with documentation.

Digital technology and electronic patient records provide amazing benefits, including faster and better access to the record. Unfortunately, they also provide faster and better access to identity thieves. We do have an obligation to protect our patients. It is smart to CYA. It is the right thing to do to PMP. The future is coming and it will be amazing!
