HIPAA, HITECH, ePHI: OMG, What a PIA by Bryan Laskin, DDS


The discussion of HIPAA — and its ugly cousin HITECH — has recently become a hot topic among dental experts. Like me, you’re probably already sick of it. After all, who has time to deal with that many acronyms when there is dentistry to be delivered? I don’t consider myself an expert of particular note on any topic, and yet here I am, trying to work through the electrifying subject of data security for the good of us all.

Here’s what I’ve found: The experts are right. HIPAA is for real, HITECH is just getting started, and now that we’re all going paperless, our ability to maintain a secure grasp on our data is more important than ever.

We are all familiar with and have, by now, adapted to HIPAA, which is meant to protect patient privacy while in our practices. Now, in addition to the ramifications of the original HIPAA legislation from 1996, we must deal with emerging policies meant to address a new era of information transmission with the HITECH Act — a part of the American Recovery and Reinvestment Act of 2009. HITECH addresses the privacy and security of electronic transmission of information while strengthening the civil and criminal enforcement of HIPAA, ultimately holding us fully responsible. That’s correct — 100 percent solely responsible.

What does this mean for you? Like most laws, HIPAA and HITECH are ambiguous, yet violations carry serious consequences. I can admit that the spirit of the law is understandable and therefore worth the trouble, but the execution can be tedious, to say the least. And while most of us can get behind the intent of the laws, we really don’t have a grasp of the letter.

Let’s review. There are two major components of HIPAA that are important to differentiate: the privacy rule and the security rule. The privacy rule sets standards regarding the management of and access to all “personal health information” (PHI) of a patient, regardless of the source. This means that any written note or spoken sentence falls under this legislation, as well as any and all electronic communication. The law requires that we, as HIPAA-covered entities, must implement “appropriate administrative, technical and physical safeguards to protect the privacy of protected health information.” Examples of these safeguards include physical barriers that reduce the potential of patients overhearing PHI conversations and office policies such as shredding PHI-oozing documents.

The security rule is far more comprehensive, and yet most of us remain unaware of its potential impact on our practices. This legislation sets general standards for access, management and storage of “electronic patient health information” data, also known as ePHI. But the security rule does not dictate any specifics for us, other than that we are to implement these new security measures based on several general factors, including risk, cost, technical infrastructure and complexity analyses. Great — that makes sense to a typical dentist, right? The security rule also adds three additional safeguard requirements to the privacy rule — organizational, policies and procedures, and documentation — again with no clear guidelines as to how we should translate it all to stay compliant and safe.

“Huh?” you might ask, and I would agree with you. The way in which we must balance laws so open to interpretation has been largely left to us to figure out. Thank goodness for our experts, as this is not a good plan for the spirit or the letter of the laws, when we’re all much more concerned with the day-in, day-out management of our practices.

And this is why our experts have been trying to get our attention. These laws translate to a very real concern because the simple fact is that your Gmail account isn’t secure and Dropbox is a joke. Every time we use these free and easy services to innocently communicate with each other about anything having to do with a patient or a case, we’re in violation. Every single time we send or receive information is a new potential fine because of how the information is transmitted (Fig. 1). Even if both the sender and receiver of an email or file have secure locations, the pathway through which the information is sent is not secure according to HIPAA/HITECH standards (Fig. 2).

Did you go to school to learn how to manage data security? Me either. Even if your information is encrypted through third-party applications, the burden of proof of compliant transmission and storage is still on you — you remain liable to prove compliance on everything from threat monitoring to documentation of ongoing security measures.

So what happens to you, Dr. Meant-well, if you can’t prove 100 percent compliant security? Fines between $50,000 and $250,000, because, as usual, ignorance is not a defense. Also, people knowingly using, transmitting or selling ePHI leave themselves open to hefty prison terms. Any chance you knowingly transmitted some patient data today?

Even if you are absolutely certain that you are secure on your end, you are still setting yourself up for trouble because you can’t control how data is coming to you. If you open an email from an unsecured source — knowingly or not — you’re in violation. If your phone is lost or stolen, you’re in violation. If your server gets hacked — violation. If one of your team members leaves their laptop out in public — violation. And in all of these examples, not only are you in trouble, but your unwitting colleagues are as well. Yet modern technology demands that we adapt and integrate in order to provide the best possible care to our patients while remaining efficient and profitable. It’s either adapt or stay drowned in paper, with sticky notes all over our desks, piles of charts and voicemails lighting up our landlines. So what do we do as we all transition to paperless, chartless, wireless offices?

Thankfully, solutions are popping up in dentistry in order to save us from ourselves by utilizing cloud storage — storing data in a place other than your own server in your own equipment room. Storing your data in the cloud solves not only that other troublesome and ongoing issue of data back-ups, but transfers the burden of security to companies whose entire existence is based on securely encrypting and storing HIPAA- and HITECH-compliant data, both coming and going. Working with one of these new cloud-based solutions means your data is likely safe, which means so are you.

So how does cloud-based encrypted data transmission work to keep us safe? A sender or receiver logs into the centralized location using a unique username and password, so that information can be viewed on any device using any browser, and is then safely unavailable when you close the browser (Fig. 3). That’s it. There is no unsecured data transmission, and data storage becomes the responsibility of the cloud-based security company you trust or the person on the other end who might download and store the data — not you. It turns out that sometimes the most tedious problems can ultimately lead to the most innovative and exciting solutions. The state of communication within our profession could certainly use a refresh, and the strict guidelines that HIPAA provides have disrupted the way we store and distribute information, but for the better. These new, fully compliant solutions are going to allow for two-way, instantaneous and secure transmission — even with large attachments and often with cloud-based storage.

Cloud-based HIPAA- and HITECH-compliant data management has, therefore, provided us a great opportunity to solve multiple problems. Consider the old way of working through a case — the old inefficiencies, the paper trails, the huge waste of time. By adopting secure cloud-based communication, we will no longer be scribbling notes to our favorite endodontist on a piece of paper, waiting for it to make it to their desk, waiting to hear back, hoping the whole correspondence makes it into the correct chart in the end and is securely scanned and shredded, all while the patient waits for treatment.

This style of ePHI management allows for access to secure data stored safely for everyone who needs it, from any device, anywhere, at any time. Some of these new services are even free, just like our old favorites that we simply cannot use any longer in good conscience. Wow.

So get on it, while keeping in mind that there are some details to double-check before you breathe that sigh of relief. A couple of tips: Make sure your provider has passed an SSAE 16 audit, a global auditing standard designed to evaluate and issue an opinion on a service organization’s controls. For services that also handle payments, make sure they support a dedicated/hybrid capability for PCI and HIPAA compliance standards. Generally, just make sure you can trust the experts behind the company. Get yourself in good hands, and then get off Gmail and Dropbox and the like. It will be for the benefit of us all.

A 1999 graduate of the University of Minnesota Dental School, Dr. Bryan Laskin operates a private practice in Wayzata, Minnesota. Dr. Laskin is a certified CEREC trainer and founder of Prehensile Software, developer of OperaDDS, the total communication dashboard for the dental profession, which includes intra-office messaging as well as HIPAA-secure emails, laboratory prescriptions and specialty referrals from any device, anywhere.

©2024 Dentaltown, a division of Farran Media • All Rights Reserved