by Bryan Laskin, DDS
The discussion of HIPAA — and its ugly cousin HITECH — has recently become a hot topic among dental experts. Like me, you’re probably already sick of it. After all, who has time to deal with that many acronyms when there is dentistry to be delivered? I’m not one to consider myself an expert of particular note on any topic, and yet here I am, trying to work through the electrifying subject of data security for the good of us all.
Here’s what I’ve found: The experts are right. HIPAA is for real, HITECH is just getting started, and now that we’re all going paperless, our ability to maintain a secure grasp on our data is more important than ever.
We are all familiar with and have, by now, adapted to HIPAA, which is meant to protect patient privacy while in our practices. Now, in addition to the ramifications of the original HIPAA legislation from 1996, we must deal with emerging policies meant to address a new era of information transmission with the HITECH Act — a part of the American Recovery and Reinvestment Act of 2009. HITECH addresses the privacy and security of electronic transmission of information while strengthening the civil and criminal enforcement of HIPAA, ultimately holding us fully responsible. That’s correct — 100 percent solely responsible.
What does this mean for you? Like most laws, HIPAA and HITECH are ambiguous, yet violations carry serious consequences. I can admit that the spirit of the law is understandable and therefore worth the trouble, but the execution can be tedious to say the least. And while most of us can get behind the intent of the laws, we really don’t have a grasp of the letter.
Let’s review. There are two major components of HIPAA that are important to differentiate: the privacy rule and the security rule. The privacy rule sets standards regarding the management of and access to all “personal health information” (PHI) of a patient, regardless of the source. This means that any written note or spoken sentence falls under this legislation, as well as any and all electronic communication. The law requires that we, as HIPAA-covered entities, must implement “appropriate administrative, technical and physical safeguards to protect the privacy of protected health information.” Examples of these safeguards include physical barriers that reduce the potential of patients overhearing PHI conversations and office policies such as shredding PHI-oozing documents.
The security rule is far more comprehensive, and yet most of us remain unaware of its potential impact on our practices. This legislation sets general standards for access, management and storage of “electronic patient health information” data, also known as ePHI. But the security rule does not dictate for us any specifics other than that we are to implement these new security measures based on several general factors including risk, cost, technical infrastructure and complexity analyses. Great — that makes sense to a typical dentist, right? The security rule also adds three additional safeguard requirements to the privacy rule — organizational, policies and procedures, and documentation — again with no clear guidelines as to how we should translate it all to stay compliant and safe.
“Huh?” you might ask, and I would agree with you. The way in which we must balance laws so open to interpretation has been largely left to us to figure out. Thank goodness for our experts, as this is not a good plan for the spirit or the letter of the laws, when we’re all much more concerned with the day-in, day-out management of our practices.
And this is why our experts have been trying to get our attention. These laws translate to a very real concern because the simple fact is that your Gmail account isn’t secure and Dropbox is a joke. Every time we use these free and easy services to innocently communicate with each other about anything having to do with a patient or a case, we’re in violation. Every single time we send or receive information is a new potential fine because of how the information is transmitted (Fig. 1). Even if both the sender and receiver of an email or file have secure locations, the pathway through which the information is sent is not secure according to HIPAA/HITECH standards (Fig. 2).
Did you go to school to learn how to manage data security? Me either. Even if your information is encrypted through third-party applications, the burden of proof of compliant transmission and storage is still on you — you remain liable to prove compliance on everything from threat monitoring to documentation of ongoing security measures.
So what happens to you, Dr. Meant-well, if you can’t prove 100 percent compliant security? Fines between $50,000 and $250,000, because, as usual, ignorance is not a defense. Also, people knowingly using, transmitting or selling ePHI leave themselves open to hefty prison terms. Any chance you knowingly transmitted some patient data today?
Even if you are absolutely certain that you are secure on your end, you are still setting yourself up for trouble because you can’t control how data is coming to you. If you open an email from an unsecure source — knowingly or not — you’re in violation. If your phone is lost or stolen, you’re in violation. If your server gets hacked — violation. If one of your team members leaves their laptop out in public — violation. And in all of these examples, not only are you in trouble but your unwitting colleagues are as well.
Yet, modern technology demands that we adapt and integrate in order to provide the best possible care to our patients while remaining efficient and profitable. It’s either adapt or stay drowned in paper with sticky notes all over our desk, piles of charts and voicemails lighting up our landlines. So what do we do as we all transition to paperless, chartless, wireless offices?
Thankfully, solutions are popping up in dentistry in order to save us from ourselves by utilizing cloud storage — storing data in a place other than your own server in your own equipment room. Storing your data in the cloud solves not only that other troublesome and ongoing issue of data back-ups, but transfers the burden of security to companies whose entire existence is based on securely encrypting and storing HIPAA- and HITECH-compliant data, both coming and going. Working with one of these new cloud-based solutions means your data is likely safe, which means so are you.
So how does cloud-based encrypted data transmission work to keep us safe? A sender or receiver logs into the centralized location using a unique username and password such that information can be viewed on any device using any browser, and then is safely unavailable when you close the browser (Fig. 3). That’s it. There is no unsecure data transmission, and data storage becomes the responsibility of the cloud-based security company you trust or the person on the other end that might download and store the data — not you.
It turns out that sometimes the most tedious problems can ultimately lead to the most innovative and exciting solutions. The state of communication within our profession could certainly use a refresh, and the strict guidelines that HIPAA provides have disrupted the way we store and distribute information, but for the better. These new, fully compliant solutions are going to allow for two-way instantaneous and secure transmission — even with large attachments and often with cloud-based storage.
Cloud-based HIPAA- and HITECH-compliant data management has, therefore, provided us a great opportunity to solve multiple problems. Consider the old way of working through a case — the old inefficiencies, the paper trails, the huge waste of time. By adopting secure cloud-based communication we will no longer be scribbling notes to our favorite endodontist on a piece of paper, waiting for it to make it to their desk, waiting to hear back, hoping the whole correspondence makes it into the correct chart in the end, and is securely scanned and shredded, all while the patient waits for treatment.
This style of ePHI management allows for access to secure data stored safely for everyone who needs it, from any device, anywhere, at any time. Some of these new services are even free, just like our old favorites that we simply cannot use any longer in good conscience. Wow.
So get on it, while keeping in mind that there are some details to double check before you breathe that sigh of relief. A couple of tips: Make sure your provider is compliant with something called an SSAE 16 audit, which is a global auditing standard designed to evaluate and issue an opinion on a service organization’s controls. For services that also provide financial services, make sure they support a dedicated/hybrid capability for PCI and HIPAA compliance standards. Generally, just make sure you can trust the experts behind the company. Get yourself in good hands and then get off Gmail and Dropbox and the like. It will be for the benefit of us all.