Message Boards
Today's Active Topics Today's Active Cases Browse Forum Categories My Recent Activity My Messages Private Groups My Marked Threads My Subscriptions
Today's Active Images Today's Active Polls Most Active Topics Global Townie Map Advanced Message Board Search Message Board Terms of Use

Practice Management: Data Encryption: Count the Acronyms by Dr. Bryan Laskin, DDS

View Comments (2) More by this author (2)

Living and practicing in the great state of Minnesota comes with some fun nuances.
For example, we have the honor of paying a two-percent Minnesota Care Tax on all procedures which, as you might expect, mainly goes to help build roads. I guess that makes sense if you are a politician, and I guess I do like the convenience of having fancy roads so that patients can make it to our front door. But I digress.

The latest feather in our Minnesota dental caps is that we get to be the first state required to adopt a certified, interoperable electronic-health-record system (or EHR) by 2015, just like our pioneering physicians already have, in order to increase the level of care while reducing errors. Minnesota is often first in all things fantastic and I'm sure this won't be the last time, which means that sooner or later we all will get to add to our list of acronyms (one so far. Count them with me).

I've had a paperless practice for the last 10 years, so I actually agree that using EHRs will be better for everyone. It's hard to admit to those of you who prefer your paper charts, but it's true because, despite tradition, it is only a matter of time until we're all firmly entrenched in the 21st century, surrounded by wireless transmission of information, including sensitive health data.

There are, however, a whole host of issues that come with storing your patient's health information electronically (ePHI). The second acronym we did not go to dental school to memorize- keep counting.

The most basic ePHI rule pertains to how you store sensitive patient information. The vast majority of HIPAA data breaches don't actually come from hackers breaking into databases, as is commonly thought-after all, how much profit is there in looking into a stranger's gingival pocket depths? One would think those brilliant Eastern European hackers are going to start with banks, not your practice. (HIPAA is the third acronym-stick with me.)

In truth, the largest risk is from people who have physical access to your patient data, either by stealing a USB, a hard drive or emailing information that is stored on a local server. So tell me, is there any possible way someone could grab your data? And do you know what will happen when they do? I know, I know, you are certain that a data breach will never happen to you and frankly you have way too many other fires to put out today to care, like fixing the air compressor. But I'm telling you, it's time to care, because even if you don't, your patients and the media will.

Alert the media
Breaches have recently occurred in California, Pennsylvania and Texas. Each of these regular old dental-practices-next-door were burglarized. Their computers, full of unencrypted ePHI, were stolen. A loss like that makes it hard to open the practice the next day. Even worse, according to the law, both the media and patients must be notified when you have more than 500 ePHI records. Do you have more than 500 patients? Yeah, so do I, and so did all three of these sad aforementioned examples.

In the case of the Pennsylvania practice, 11,000 patient records were downloaded to IP addresses all over the world. Who knows what they will do with that information, but we definitely know what your patients will do when they hear about it.

While the fines are heavy enough, it's the public-relations nightmare our examples above faced that is the real problem for all of us. If they had only encrypted their ePHI data, they would not have had to notify anyone. As it was, their reputations suffered. That's tough to quantify. All this suffering because the patient data was not encrypted.

Why data encryption matters
Encryption is the conversion of data such that it cannot be read without the correct key, usually a software-generated algorithm that automatically scrambles the data, thereby disguising your ePHI, which in turn protects your data against confidentiality breaches or malicious intent. Simply put, it's putting information into a code that only you can decode.

Under the newly enforced Health Information Technology for Economic and Clinical Health Act (HITECH), our fifth acronym for those still counting, all ePHI must be encrypted, whether at rest on a server, in transit down the hall of your practice or down the street to your friend's practice. This means you must understand data encryption and become compliant, or you'll be breaking the law every second of every day. As a bonus, though, by obeying these new laws you'll be protecting your patients, and therefore your reputation, from a public-relations nightmare. Not to mention ridiculously expensive fines.

Save yourself, from yourself
How will you stay safe given these new laws? Since data is typically compromised physically, access must be protected by a combination of common sense, hardware, software and, most importantly, a real, live dental information-technology expert. Sixth acronym! See, you are a dentist-nerd, not an IT-nerd, so go find one and then help them help you. If you don't already have one, I highly recommend you go to DentalIntegrators.org or ask for a referral from a trusted colleague or rep. Then get out of their way and do what they say so they can employ all kinds of tactics to save you from yourself.

That work will include securing all physical local hard drives teeming with patient data, to limiting access to that data, to keeping your server off the ground, to installing physical firewalls, antivirus software, strong passwords, and so much more. They'll get you in compliance. They may recommend using an external server, making certain that both the storage and transmission of data is safely encrypted, both coming and going. They'll make sure your practice-management software is encrypting like it should, if it can. They may even duplicate your data via a configuration known as a redundant array of independent disks (RAID), aiding both encryption and retrievability of your patient data. Seven acronyms!

The experts you need are out there and they probably know more than you do about compliance, so rely on their knowledge.

Tripping over ourselves
I love my iPad. I go to bed with my iPhone (you know you do, too). I've tripped on a crack walking down the sidewalk trying to text my wife. I'm relying more and more on the freedom these devices grant me. But if I'm not careful-if we're not careful- we'll trip over more than a crack in the sidewalk.

Protecting ePHI seems diametrically opposed to the convenience of being mobile. All these devices are way too easy to lose and unless you're serious about it, like your IT nerd should be, these devices boast little-to-no security controls. So what should you do? Common sense starts with password protecting everything-even many fl ash drives are available that can be protected. At the practice, you can use physical controls, such as laptop or iPad locks that secure devices in place. And, obviously, it is absolutely necessary to have the data encrypted on every mobile device too.

The most secure way to ensure your ePHI stays safe while you stay mobile is to access data through a password-protected, HIPAA compliant, secure internet interface. You may have heard of this before referred to as the cloud, which despite its moniker, is not actually made of fluffy water or fairy dust. In fact, in most cases, the only way to ensure that you are 100 percent compliant is to perform all sensitive communication through a secure cloud platform (in other words, a secure server located offsite of your practice that encrypts data for you). The great thing about the cloud is that it allows you to access this sensitive data securely from any device you like, any time, anywhere-no more being shackled to your practice desktop computers. The key here, though, is to use a cloud platform that is HIPAA secure and encrypted.

Let me explain: your Dropbox account, while technically cloud-based, is not secure. I repeat, not secure. Every time you use it to send a case to your lab you're tripping over several of the aforementioned acronyms. Then there are those emails you're sending through Gmail. Don't get me wrong: I love Gmail. Frankly, I love Google. But Google is not in the privacy business and so, just like with Dropbox, every time you email even just a patient's name to your favorite endodontist, you're breaking federal and state law. I know you've heard this before, and I know it's hard to break a habit, but you have to get your patient's health information off traditional email and get on a HIPAA-secure email portal built specifically for healthcare professionals. If you think about it, finding and using one isn't any more difficult or complicated than it was when you first started using Yahoo. It's all the same in terms of usability and ease. The only difference is that Yahoo and other such email services aren't secure.

I just want to fix teeth
It is true that with the great power inherent in electronic dental records, we also have a great responsibility to protect our patient's valuable health information. It is also true that there are experts who can help you and some simple tools available that can get you back to where you want to be, in your operatory. I'll see you there, fully compliant and with all seven acronyms emblazoned in our brains.

A 1999 graduate of the University of Minnesota Dental School, Dr. Bryan Laskin operates a private practice in Wayzata, Minnesota. Dr. Laskin is a certified CEREC trainer and founder of Prehensile Software, developer of OperaDDS; the total communication dashboard for the dental profession which includes intra-office messaging, as well as HIPAA-secure emails, laboratory prescriptions and specialty referrals from any device anywhere.

Dentaltown Magazine
October 2025
Dentaltown Magazine October 2025 Read Current Issue Read Archived Issues
Sponsors
Townie Perks
Townie® Poll
Do you place implants in your practice?
  
Site Menu
Message Boards Magazine Continuing Education Podcasts Blogs Classifieds Dental News Events Townie® Poll Ebooks Townie Choice Awards
Company Info
Contact Us Advertise With Us Howard Farran DDS, MBA Policies and Agreements
Site Help
The Dentaltown Team, Farran Media Support
Phone: +1-480-445-9710
Email: support@farranmedia.com
©2025 Dentaltown, a division of Farran Media • All Rights Reserved
9633 S. 48th Street Suite 200 • Phoenix, AZ 85044 • Phone:+1-480-598-0001 • Fax:+1-480-598-3450