Are you ready for HIPAA 2005?

Jan. 1, 2005
April 20, 2005, is the compliance deadline for the second phase of HIPAA requirements, the Security Rule. These requirements deal with the security of your patients' electronic protected health information.

By Mary Govoni, CDA, RDA, RDH, MBA

April 20, 2005, is the compliance deadline for the second phase of HIPAA requirements, the Security Rule. These requirements deal with the security of your patients' electronic protected health information. If your practice submits or receives electronic claims, performs online inquiries for patient insurance benefits or eligibility, or accepts electronic payment of claims, it is a covered entity and must comply with the security regulations. Although these requirements may be simple for your practice setting, it may take some time to get ready, and getting started now will decrease your stress level as the deadline approaches. Even if your practice does not meet the definition of a covered entity, it is a good idea to review and implement security measures for your electronic information, since multiple security threats exist for business as well as home computers and the data stored on them.

As with all new guidelines or regulations, there are many myths and rumors circulating about what must be done. If someone tells you that you must implement a procedure, always go to a trusted source to verify the need before you purchase or modify any equipment or procedures in your practice. An excellent and trusted resource for HIPAA information that is specific to dentistry is the American Dental Association. The ADA's HIPAA Security Kit includes the information dental practices need to comply, including training materials, and is available in the ADA product catalog and online. In addition, a copy of the HIPAA security rules and regulations can be obtained online from the Federal Register. Go to the index and search for the Federal Register for Thursday, Feb. 20, 2003. This document can be printed or saved to your computer's hard drive. The text of the regulations starts on page 8376, and the document includes a glossary of terms as well as the requirements.

According to the standard, covered entities must ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. A covered entity must also protect against any reasonably anticipated threats or hazards to the security or integrity of that information, protect against any reasonably anticipated uses or disclosures of the information that are not permitted under the privacy rule, and ensure compliance with the standards by its workforce.

The standard states that covered entities have "flexibility of approach," meaning that they may use any security measures that reasonably and appropriately implement the standards. In other words, the standard does not prescribe specific technologies or methods of compliance. The terms reasonably and appropriately are the keys to implementation. The standard states that the size, complexity, and capabilities of the covered entity are taken into account when determining security procedures, as are the current hardware and software and the cost of the measures. For example, retinal scanning is a security technology that employees can use to access computers and electronic information. Is it reasonable and appropriate for dentistry? No; this technology is quite expensive and designed for use in large businesses. Reasonable and appropriate procedures for dental practices are individual user passwords or fingerprint scanners.

The standard also uses two very important terms that dental practices need to know: "required" and "addressable." Each implementation specification is labeled with one or the other in parentheses after it is listed. A required specification must be implemented; there is no option to skip it. An addressable specification is not optional either. The practice must assess whether the measure is reasonable and appropriate for its environment. If it is, the practice implements it. If it is not, the practice must document why not, with reasons based on its risk analysis rather than subjective opinion, and must implement an equivalent alternative measure if one is reasonable and appropriate. In short, "addressable" means the practice decides how to meet the specification, not whether to address it.

The security management process standard has four required implementation specifications: risk analysis, risk management, sanction policy, and information system activity review. Translated, this means that every covered entity must conduct a risk analysis to determine what security risks exist, implement procedures and policies to minimize or eliminate those risks, adopt a sanction policy for team members who violate the security policies, and regularly review security system activity (such as auditing who has accessed computer information). A separate standard requires the practice to designate a security officer who oversees the implementation and maintenance of the security program. Other parts of the standard contain additional required specifications, including a data backup plan, a disaster recovery plan, and unique user identification, which are discussed below.

The security officer in your practice setting may be the same person you designated as the privacy officer, or it may be assigned to a different person. It would be helpful for the security officer to have a high level of knowledge of computer hardware, software, and security procedures. If there are no team members who can perform this function, then the practice can utilize the services of a computer or technology consultant. If your practice utilizes an outside consultant or contractor, remember that the practice must have a signed Business Associate Agreement with that contractor, requiring him or her to protect the privacy and security of your electronic information.

Performing a security risk analysis may or may not require the assistance of an outside consultant or contractor, depending on the level of expertise of the team members. Security threats may include many things. When considering the security of your electronic or computer data, ask yourself whether unauthorized users, such as patients or sales representatives, could access your computer files. If so, you must implement access controls: assign each authorized user a unique user ID (a required implementation specification) and have each user authenticate with a secret password or a fingerprint reader. Shared logins should be eliminated, because the activity review described above cannot show who accessed a record if several people use the same account.

The practice must also evaluate outside threats, such as hackers who might reach your protected health information through an Internet connection. Protective measures against these types of threats include firewalls (hardware and software), antivirus and anti-spyware software, data encryption programs, and security logging that records who has accessed the data. Logging only helps if someone actually reviews the logs on a regular schedule, which is the information system activity review the standard requires.
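The information system activity review described above (required under the security management process standard, and supported by the access logging mentioned here) is easier to do consistently with a small script than by eye. The following is an added example, not code from the original article or from any practice-management product. It assumes a hypothetical log format in which the practice-management software writes one line per record access, and a hypothetical list of authorized user IDs and office hours; adapt the regular expression and the policy constants to your own software. The sample log lines are constructed for the example and contain no real data.

```python
"""
Weekly information-system activity review (added example, not from the
original article). Parses application access-log lines, summarizes who
accessed patient records, and flags entries that deserve a closer look:
unknown user IDs, record access outside office hours, and repeated
failed logins on one account.
"""
from collections import Counter
from datetime import datetime, time
import re

# Constructed sample log lines (hypothetical format, no real data).
# 2005-03-14 was a Monday; 2005-03-15 a Tuesday.
SAMPLE_LOG = """\
2005-03-14 08:02:11 user=jsmith action=VIEW patient=P1001 ws=FRONT1
2005-03-14 08:05:40 user=jsmith action=UPDATE patient=P1001 ws=FRONT1
2005-03-14 09:17:03 user=drlee action=VIEW patient=P1002 ws=OP2
2005-03-14 12:44:59 user=temp01 action=VIEW patient=P1003 ws=FRONT1
2005-03-14 21:30:15 user=jsmith action=VIEW patient=P1004 ws=FRONT1
2005-03-14 21:31:02 user=jsmith action=VIEW patient=P1005 ws=FRONT1
2005-03-14 21:31:40 user=jsmith action=VIEW patient=P1006 ws=FRONT1
2005-03-15 10:00:00 user=drlee action=LOGIN_FAIL patient=- ws=OP2
2005-03-15 10:00:10 user=drlee action=LOGIN_FAIL patient=- ws=OP2
2005-03-15 10:00:20 user=drlee action=LOGIN_FAIL patient=- ws=OP2
2005-03-15 10:00:30 user=drlee action=LOGIN_FAIL patient=- ws=OP2
2005-03-15 10:01:00 user=drlee action=VIEW patient=P1002 ws=OP2
"""

# Policy constants, assumed for the example: the practice's list of
# authorized user IDs, its office hours, and the failed-login threshold.
AUTHORIZED_USERS = {"jsmith", "drlee", "mgarcia"}
OFFICE_OPEN, OFFICE_CLOSE = time(7, 30), time(18, 0)
FAILED_LOGIN_THRESHOLD = 3

# One regular expression for the assumed line format.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) ws=(?P<ws>\S+)$"
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a real review would also count malformed lines
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        entries.append(e)
    return entries


def review(entries):
    """Return (per-user access counts, list of (reason, entry) findings)."""
    findings = []
    failed_logins = Counter()
    per_user = Counter()
    for e in entries:
        per_user[e["user"]] += 1
        # 1. Activity under an ID that is not on the authorized-user list.
        if e["user"] not in AUTHORIZED_USERS:
            findings.append(("unknown user", e))
        # 2. Patient-record access outside office hours or on a weekend.
        t = e["ts"].time()
        outside_hours = not (OFFICE_OPEN <= t <= OFFICE_CLOSE)
        weekend = e["ts"].weekday() >= 5
        if (outside_hours or weekend) and e["patient"] != "-":
            findings.append(("after-hours access", e))
        # 3. Repeated failed logins on one account (flag once, at threshold).
        if e["action"] == "LOGIN_FAIL":
            failed_logins[e["user"]] += 1
            if failed_logins[e["user"]] == FAILED_LOGIN_THRESHOLD:
                findings.append(("repeated failed logins", e))
    return per_user, findings


if __name__ == "__main__":
    counts, flagged = review(parse_log(SAMPLE_LOG))
    print("Accesses per user:", dict(counts))
    for reason, e in flagged:
        print(f"{reason:24} {e['ts']} {e['user']} {e['action']} {e['patient']} {e['ws']}")
```

Run against the constructed sample, the script flags the unknown ID temp01, the three record views by jsmith at 9:30 p.m., and the run of failed logins on drlee's account. Each finding should be followed up by the security officer and the outcome noted, since the documentation of the review is part of what the standard expects.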

The security risk analysis must also include an evaluation of the practice's data backup system and procedures, as well as a disaster recovery plan to restore the data if the primary data storage is damaged, stolen, or destroyed. Both the data backup plan and the disaster recovery plan are required implementation specifications under the contingency plan standard. There are many types of backup systems available that are practical for dental practices; whichever you choose, keep a copy away from the office and periodically confirm that the backup can actually be restored. A computer consultant can assist you in selecting the best option for your practice.

Once the security risk analysis is completed, the practice must document all of the security procedures and policies. Examples of security policies are available in the ADA HIPAA Security Kit and from other resources, such as American Dental Support, publisher of Insurance Solutions Newsletter.

Finally, all members of the team must participate in training on the HIPAA security requirements so that they understand the purpose and scope of the requirements and the practice's procedures and policies, including the sanctions or consequences of violating them. Training can be conducted in the office or by attending an outside seminar or training session. The dates of the training and the names of the team members who participated must be documented.

This is only a brief summary of the HIPAA security requirements. If you have not already begun the implementation process, I recommend that you become more familiar with the standard and start the compliance process now. Giving yourself adequate time to meet the compliance deadline affords you the opportunity to make well-informed choices. Remember that any measures you implement should be reasonable and appropriate. If you receive information or someone tells you that you must do something that doesn’t seem reasonable and appropriate, always ask a trusted source first before making any unnecessary changes or purchases.

Mary Govoni is a Certified and Registered Dental Assistant and a Registered Dental Hygienist, with more than 28 years of experience in the dental profession as a chairside assistant, office administrator, clinical hygienist, educator, consultant, and speaker. She is the owner of Clinical Dynamics, a consulting company dedicated to the enhancement of the clinical and communication skills of dental teams. She can be reached at [email protected].