by Ellen M. Grady

The HIPAA Security Rule and the orthodontic office

Just when you hoped that all the Health Insurance Portability and Accountability Act of 1996 (HIPAA) fanfare was over, the Security Rule took effect on April 21, 2005.

It is fitting that several HIPAA resources include a hippopotamus as a graphic design element. The average hippopotamus weighs at least 4,000 pounds. While HIPAA regulations are not that massive, they are a large set of health care rules with penalties for violation. But, like the hippo, you will not drown as long as you are looking for security threats and stay prepared.

Does the Security Rule Apply to You?

A patient’s Electronic Protected Health Information kept on any computer is called EPHI, and it is covered by the Security Rule. If your office does not use a computer for any protected health information, does not file electronic insurance claims, does not use digital treatment records, and does not use the Internet for downloading any treatment information, then the HIPAA Security Rule does not apply to you.

If you said no to the above, but you use email to send a treatment request or x-ray to the patient’s general dentist, or if you verify orthodontic insurance benefits via the Internet, then you need to comply with all elements of HIPAA, including the Security Rule.

The Major Elements of the Security Rule

The first step in complying with the Security Rule is to assess the risk of exposure that could result from certain events. Examples of security issues include natural disasters that damage the patient data; misuse of authorized access; theft of computers or backup devices that hold patient information; unauthorized access of systems by hackers; and unauthorized access by patients. It’s also important that your staff knows how to prevent security incidents and how to dispose of sensitive data.

The good news is that the security standards are technology-neutral: No specific programs or hardware are required, but the technology must withstand changes and allow access to archived protected health information.  

In addition, the security requirements are “scalable” to fit each practice. The Rule clearly states that the covered entity (CE) needs to consider its size, complexity, and capability; the technical hardware and software security already installed; and the costs of security measures that might be considered. These factors are then weighed against the risk of exposure of your EPHI. Therefore, each practice is able to determine what is best to meet the security requirements.

There are three types of safeguards covered by the Security Rule: administrative, physical, and technical. The Rule also requires documentation of your exposure risk analysis and chosen safeguards; keep the documentation for 6 years and update as modifications are made.

Administrative Safeguards

1) Which staff members need to see EPHI to perform their jobs well? Practice-management software will help you establish appropriate user access. Please also consider who has access to credit reports and patients’ financial information. If orthodontists or staff use tablet PCs, laptops, or PDAs to access protected health information—or if they access EPHI from outside the office—have risks of unauthorized access been minimized?

2) Do orthodontists and staff know how to use the security measures already in place? A computer without a password, a computer that is left connected to the Internet all day when not necessary, and virus definitions that have not been updated in 2 weeks are all obvious gaps in security.

3) Does your Employee Handbook include a statement that everyone is required to adhere to the security policies and procedures of the practice, and that violation could be cause for termination? Do you have up-to-date Business Associates Agreements that include reporting security breaches to you and defining their responsibility to minimize the risk of exposure of your electronic data? These agreements are necessary for the insurance claims clearinghouse, computer software support firms that might access EPHI when doing their job, and your consultants and accountants who have access to patient data.

4) Are your security standards periodically evaluated so that you can verify that threats are reasonably controlled?

5) Have you appointed a security officer? In most practices, this will be the same person as the privacy officer. The duties include review of policies and procedures to verify that your EPHI is reasonably secure, and to periodically reinforce the procedures with staff.

Physical Safeguards

1) Are you reasonably protected from malicious software invading your computers, disabling your security, and accessing EPHI? If your antivirus and antispam software are not automatically updated daily and do not check all incoming data, you will have serious flaws in the physical safety of the EPHI. Remember, 87% of all viruses come from email attachments or programs downloaded from unknown sources on the Internet. Viruses and worms can destroy data as well as programs and hard drives.

2) Can you track unsuccessful log-ins? In most instances, reasonable security is automatic disabling of a password if too many unsuccessful attempts are made to log in to a computer or program.

3) Are policies in place to prevent employees from sharing passwords with one another? Please remove any passwords posted conveniently at the computer.

4) Are passwords easy to decipher? Each password should include letters and numbers, and it should be changed on a routine basis.

5) Do you have a contingency plan for recovering access to data if a computer fails, if there is an electrical outage or natural disaster, or if the computer’s hard drive quits? Most offices are not adequately prepared for this. In addition, the Security Rule requires that patient data be archived on another medium so that it can be restored unaltered.

Is your EPHI data backed up routinely? Is the daily backup removed from the office? Do you have a list of programs and files that must be restored first in case of a system failure?

Is email correspondence relating to a patient’s care also saved and secured off-site? What about any separate diagnostic or digital downloads that pertain to the patient’s treatment? Where do you keep the letters that have been sent to patients or dentists? This data must also be backed up, as these computer files have replaced much of the paper that was formerly stuffed into patient folders.

Is your older backup media accessible? As technology changes, you need to transfer the archived data onto the newer backup media so that you have access to the old data.

6) Do you use other physical safeguards in areas where it is easy for patients and outsiders to access computers that contain EPHI? Some offices install privacy filters on the monitors (like glare filters). These devices keep people from viewing information unless they are right in front of the screen, but also make details of x-rays difficult to see.

7) How do you sanitize the hard drives on old computers before recycling the computer? Using a sledgehammer to destroy the hard drive is an excellent choice, and it allows you to vent your HIPAA frustrations. Otherwise, a certified “erase” program can be used. Reformatting the hard drive is no longer considered adequate, and you also need to destroy obsolete storage media (such as CDs) that contain protected health information.

8) Are you using a wireless network to connect all or some of your computers? A wireless network is easier to install, but it is slower and much more unreliable than a wired network. The security of wireless connections is still a major problem, even though you can turn off the “zone broadcast” feature. Several hardware experts consulted for this article state that major improvements on wireless encryption and security are needed before wireless networks are viable for large-scale use in health care offices.

Technical Safeguards 

1) Does each user have a unique ID and password? The passwords can be keystroke entries or some form of biometrics (fingerprint, voice recognition, eye scan, etc.). Some new computers even come with the fingerprint-scanning technology already installed.

2) Does every workstation automatically log a user off if there has been no activity within a specified period of time?  This type of control is needed at computers where the users change often and/or nonauthorized users (patients) could easily get access. This includes computers in consultation rooms or at chairside. If a staff member stays with a computer most of the day, and patients cannot get access, then a screen saver that activates within a few minutes of no activity is usually sufficient security.

3) When data is transmitted, is it secure? This includes emails, Web downloads, uploads to clearinghouses, or data from another office of your practice. Please note that the Security Rule allows EPHI to be sent over an open electronic network as long as it is adequately protected.

Use the firewalls, antivirus, and spam- and advertisement-blocking software that are now available. This is a very small cost for the security rewards.  

The use of a “router” as a hardware and software control between your computer network and the communication connection is also helpful for keeping others out. It adds another layer of security.

Do your computers have the latest software patches for the programs and operating system? All designers of reputable software take security threats seriously and spend time to update software as new threats are discovered. Therefore, it is important to check for updates monthly, and to install the recommended files immediately.

Close the Internet browser when it is not needed. Malicious software travels this communication connection, and hackers can spot the open ports as long as the browser is active. Offices that use the Internet as the pipeline to access the main office computer from a branch location need to protect the computers at both ends with strong security firewalls and verified users and passwords. Please discuss this with hardware consultants who have expertise in network connections for health care offices.

Any computer with a user name and no password is very vulnerable. Do not use “admin” as a password. Again, common sense is the first line of defense.

Ideally, emails containing EPHI should be encrypted, but this requires that the sender and recipient use the same encryption method. At present, there is no uniform standard, so encryption is virtually impossible. Therefore, it is recommended that emails containing EPHI contain a disclosure statement that “this form of communication is not secure, and could be accessed by unauthorized individuals. Please inform us if you do not wish to receive this type of communication.” Your office should also request a “receipt” from the recipient of any email containing EPHI.

Secure Web sites are also available for posting EPHI for access by a physician or patient. Access is gained only with individual user IDs and passwords. Other secure sites allow patients to make a payment on their account, or to check the date and time of a future appointment.

If you have read this far without muttering unprintable words, here’s a note of encouragement: While there are fines for breaching confidentiality of EPHI, the government plans to enforce the regulations by voluntary compliance and complaints from patients or employees. Training of office personnel, respecting the privacy of patient information, and using today’s technologies will go a long way to ensuring the security of EPHI.

For more information on HIPAA guidelines, please contact the AAO or your state dental association. The full text of the Security Rule can be found at

Ellen M. Grady, owner of Ellen M. Grady & Associates in Pacific Palisades, Calif, has consulted with orthodontic practices throughout the United States, Canada, and Europe for more than 30 years. Her consultation services encompass management, marketing, team development, and practice transitions. She is also a part-time clinical assistant professor at the University of Southern California Dental School in the Graduate Orthodontic Program. She often speaks at national and regional orthodontic meetings, and she can be reached by email at [email protected] or by telephone at (310) 459-3013.