Living and practicing in the great state of Minnesota comes with some fun nuances. For example, we have the honor of paying a two-percent Minnesota Care Tax on all procedures which, as you might expect, mainly goes to help build roads. I guess that makes sense if you are a politician, and I guess I do like the convenience of having fancy roads so that patients can make it to our front door. But I digress.
The latest feather in our Minnesota dental caps is that we get to be the first state required to adopt a certified, interoperable electronic-health-record system (or EHR) by 2015, just like our pioneering physicians already have, in order to increase the level of care while reducing errors. Minnesota is often first in all things fantastic and I'm sure this won't be the last time, which means that sooner or later we all will get to add to our list of acronyms (one so far. Count them with me).
I've had a paperless practice for the last 10 years, so I actually agree that using EHRs will be better for everyone. It's hard to admit to those of you who prefer your paper charts, but it's true because, despite tradition, it is only a matter of time until we're all firmly entrenched in the 21st century, surrounded by wireless transmission of information, including sensitive health data.
There are, however, a whole host of issues that come with storing your patients' health information electronically (ePHI), the second acronym we did not go to dental school to memorize. Keep counting.
The most basic ePHI rule pertains to how you store sensitive patient information. The vast majority of HIPAA data breaches don't actually come from hackers breaking into databases, as is commonly thought; after all, how much profit is there in looking into a stranger's gingival pocket depths? One would think those brilliant Eastern European hackers are going to start with banks, not your practice. (HIPAA is the third acronym; stick with me.)
In truth, the largest risk is from people who have physical access to your patient data, whether by stealing a USB stick or a hard drive, or by emailing information that is stored on a local server. So tell me, is there any possible way someone could grab your data? And do you know what will happen when they do? I know, I know, you are certain that a data breach will never happen to you and frankly you have way too many other fires to put out today to care, like fixing the air compressor. But I'm telling you, it's time to care, because even if you don't, your patients and the media will.
Alert the media
Breaches have recently occurred in California, Pennsylvania and Texas. Each of these regular old dental practices next door was burglarized. Their computers, full of unencrypted ePHI, were stolen. A loss like that makes it hard to open the practice the next day. Even worse, according to the law, both the media and patients must be notified when a breach involves more than 500 ePHI records. Do you have more than 500 patients? Yeah, so do I, and so did all three of these sad aforementioned examples.
In the case of the Pennsylvania practice, 11,000 patient records were downloaded to IP addresses all over the world. Who knows what they will do with that information, but we definitely know what your patients will do when they hear about it.
While the fines are heavy enough, it's the public-relations nightmare our examples above faced that is the real problem for all of us. If they had only encrypted their ePHI data, they would not have had to notify anyone. As it was, their reputations suffered. That's tough to quantify. All this suffering because the patient data was not encrypted.
Why data encryption matters
Encryption is the conversion of data into a form that cannot be read without the correct key. The scrambling is usually done automatically by software, which disguises your ePHI and in turn protects your data against confidentiality breaches or malicious intent. Simply put, it's putting information into a code that only you can decode.
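To make that definition concrete, here is an added example (not from the column, and not any particular practice-management product) written in Go against the standard library's AES-256-GCM. It encrypts a constructed chart entry, shows that the practice holding the key reads it back, that a copy carried off on a stolen drive cannot be opened with any other key, and that a modified copy is rejected outright. The record text and the in-memory key handling are assumptions for illustration; in a real deployment the key lives in a key manager, never on the same disk as the charts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample record; no real patient data is used here.
const sampleRecord = "Patient: J. Doe (constructed); tooth 19 probing depth 5 mm"

// newKey returns a fresh 32-byte AES-256 key from the OS random source.
// Assumption for the example: in a practice this key would be held in a
// key manager or hardware module, not beside the encrypted charts.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptRecord seals plaintext with AES-256-GCM. The random nonce is
// stored in front of the ciphertext so the record is self-describing:
// output = nonce || ciphertext || authentication tag.
func encryptRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag after the nonce.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptRecord reverses encryptRecord. GCM verifies the authentication
// tag before returning anything, so a wrong key or a modified ciphertext
// yields an error rather than garbage.
func decryptRecord(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed record too short to contain a nonce")
	}
	nonce, ciphertext := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, nil)
}

// stolenDriveScenario models the burglaries described in the article: the
// encrypted chart leaves the building, the key does not. It reports whether
// the practice can still read the record, whether a thief holding a
// different key can, and whether a modified record is rejected.
func stolenDriveScenario() (practiceReads, thiefReads, tamperDetected bool, err error) {
	practiceKey, err := newKey()
	if err != nil {
		return
	}
	sealed, err := encryptRecord(practiceKey, []byte(sampleRecord))
	if err != nil {
		return
	}

	// The practice, holding the key, recovers the chart.
	plain, err := decryptRecord(practiceKey, sealed)
	if err != nil {
		return
	}
	practiceReads = string(plain) == sampleRecord

	// The thief has the bytes from the disk but only a guessed key.
	thiefKey, err := newKey()
	if err != nil {
		return
	}
	_, openErr := decryptRecord(thiefKey, sealed)
	thiefReads = openErr == nil

	// Flipping one byte of the stored record must fail authentication.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, tamperErr := decryptRecord(practiceKey, tampered)
	tamperDetected = tamperErr != nil
	return
}

func main() {
	practice, thief, tamper, err := stolenDriveScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("practice can read: %v, thief can read: %v, tampering detected: %v\n",
		practice, thief, tamper)
}
```

The point the scenario makes is the one the column makes: the burglar walks away with the disk, and without the key the bytes on it are noise. Authenticated encryption (GCM here) adds a second property worth having on patient charts, namely that an altered record is refused rather than silently read back wrong.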
Under the newly enforced Health Information Technology for Economic and Clinical Health Act (HITECH), our fifth acronym for those still counting, all ePHI must be encrypted, whether at rest on a server, in transit down the hall of your practice or down the street to your friend's practice. This means you must understand data encryption and become compliant, or you'll be breaking the law every second of every day. As a bonus, though, by obeying these new laws you'll be protecting your patients, and therefore your reputation, from a public-relations nightmare. Not to mention ridiculously expensive fines.
Save yourself, from yourself
How will you stay safe given these new laws? Since data is typically compromised physically, access must be protected by a combination of common sense, hardware, software and, most importantly, a real, live dental information-technology expert. Sixth acronym! See, you are a dentist-nerd, not an IT-nerd, so go find one and then help them help you. If you don't already have one, I highly recommend you go to DentalIntegrators.org or ask for a referral from a trusted colleague or rep. Then get out of their way and do what they say so they can employ all kinds of tactics to save you from yourself.
That work will range from securing all physical local hard drives teeming with patient data, to limiting access to that data, to keeping your server off the ground, to installing physical firewalls, antivirus software and strong passwords, and so much more. They'll get you in compliance. They may recommend using an external server, making certain that both the storage and transmission of data are safely encrypted, both coming and going. They'll make sure your practice-management software is encrypting like it should, if it can. They may even duplicate your data via a configuration known as a redundant array of independent disks (RAID), aiding both encryption and retrievability of your patient data. Seven acronyms! The experts you need are out there and they probably know more than you do about compliance, so rely on their knowledge.
Tripping over ourselves
I love my iPad. I go to bed with my iPhone (you know you do, too). I've tripped on a crack walking down the sidewalk trying to text my wife. I'm relying more and more on the freedom these devices grant me. But if I'm not careful, if we're not careful, we'll trip over more than a crack in the sidewalk.
Protecting ePHI seems diametrically opposed to the convenience of being mobile. All these devices are way too easy to lose and unless you're serious about it, like your IT nerd should be, these devices boast little-to-no security controls. So what should you do? Common sense starts with password protecting everything; even many flash drives are available that can be protected. At the practice, you can use physical controls, such as laptop or iPad locks that secure devices in place. And, obviously, it is absolutely necessary to have the data encrypted on every mobile device too.
The most secure way to ensure your ePHI stays safe while you stay mobile is to access data through a password-protected, HIPAA-compliant, secure internet interface. You may have heard of this before referred to as the cloud, which despite its moniker, is not actually made of fluffy water or fairy dust. In fact, in most cases, the only way to ensure that you are 100 percent compliant is to perform all sensitive communication through a secure cloud platform (in other words, a secure server located offsite of your practice that encrypts data for you). The great thing about the cloud is that it allows you to access this sensitive data securely from any device you like, any time, anywhere; no more being shackled to your practice desktop computers. The key here, though, is to use a cloud platform that is HIPAA secure and encrypted.
Let me explain: your Dropbox account, while technically cloud-based, is not secure. I repeat, not secure. Every time you use it to send a case to your lab you're tripping over several of the aforementioned acronyms. Then there are those emails you're sending through Gmail. Don't get me wrong: I love Gmail. Frankly, I love Google. But Google is not in the privacy business and so, just like with Dropbox, every time you email even just a patient's name to your favorite endodontist, you're breaking federal and state law. I know you've heard this before, and I know it's hard to break a habit, but you have to get your patients' health information off traditional email and get on a HIPAA-secure email portal built specifically for healthcare professionals. If you think about it, finding and using one isn't any more difficult or complicated than it was when you first started using Yahoo. It's all the same in terms of usability and ease. The only difference is that Yahoo and other such email services aren't secure.
I just want to fix teeth
It is true that with the great power inherent in electronic dental records, we also have a great responsibility to protect our patients' valuable health information. It is also true that there are experts who can help you and some simple tools available that can get you back to where you want to be, in your operatory. I'll see you there, fully compliant and with all seven acronyms emblazoned in our brains.