HIPAA Security Rule: The. next chapterLaney Kay, JD

My mother alwayssaid, "Don't sweat thesmall stuff. In the long run, it doesn'tmatter, and it'll drive you crazy thequickest." Once again, it appears mymama wascorrect.

As far as dentistry is concerned, theHIPAASecurity Rule that goes into effectApril 21, 2005, is "small stuff." Notbecause you can't get in trouble if you'renot careful; on the contrary, if personalhealth information is not protectedaccording to the requirements under theSecurity Rule, civil penalties can be from$100,up to $25,000per year per violation.Criminal penalties can be anywhere from$50,000 in fines and one year in prisonup to $250,000 in fines and 10 years inprison. Is that likelyto happen in a dentaloffice? No, not if you take reasonableprecautions to protect patients' electronichealth information.

The reason the Security Rule is "smallstuff" is because we've reallyalready donemost of what's required under this rule.We've already analyzed our practices todetermine potential problem areas, sothe additional requirements under theSecurity Rule are fairly minimal. You stillhaveto go through all the same stepsagain,but it's much easier since you're alreadyfamiliar with the general requirements.

Generally,accordingto the regulations,the SecurityRuledealswith"administrative,physical,and technicalsafeguardsto protectthe confidentiality,integrity,and availabilityof electronicprotectedhealth information."The major goal is to ensure that allprotected health data is protected asmuch as possible from inappropriateuse, access,modification, or destruction.Unfortunately, computers and electronicdata are vulnerable to ~ackers, computerviruses, and worms,\ ~s well as physicaldestruction, so it's impo~tant to take stepsto make sure your patienb' private healthinformation is protected a~J11uchas pos-sible. Dental facilitiesare also fequired toenter into business associate agreementswith any companies that have access totheir patients' private health information,and are also required to ensure that theiremployees comply with the regulations.

22

Although it deals with many of thesame considerations as the Privacy Rule,the Security Rule is concerned onlywith private health information in itselectronic form, not written or spoken.Also, as with the Privacy Rule, theSecurity Rule only applies to healthcare providers that either maintain ortransmit private health information elec-tronically. However, as with the PrivacyRule, even if you don't deal with electron-ic claims,or even if you don't verifybene-fits electronically,the standard of care willprobably require these same precautions,so it's better to go ahead and make sureyour security plan is in compliance withthe HIPAArules.

Some of the considerations outlined

in the Security Rule are "required;' andsome are "addressable." The requiredmeasures must be adopted, and the"addressable" measures must be consid-ered and then adopted if it is "reasonableand appropriate" to do so. If it is not"reasonable and appropriate" to do so,then you must document why it's not andprovide an"equivalentalternativemeasure."

The good news is that the Rule clearlystates that the size, type, and complexityof each facility should be consideredwhen determining which securitymeasures should be used. For example, ahuge dental corporation with multipleoffices and a large, complex computernetwork has different security needs thana small office with one computer at thefront desk.The Rule also allowsprovidersto consider the cost of various securitymeasures against the risks of inappropriateuse, access, or disclosure. That doesn'tmean you can say,"it's all too expensive"and choose to do nothing. You mustanalyze the situation and if a securitymeasure is reasonable and appropriate,and is not ridiculously costly for thedegree of protection it offers, you needto do it.

Administrative SafeguardsAccording to this section of the SecurityRule, administrative safeguards focus onpolicies and procedures in the workplace

that help prevent, detect, contain, andcorrect security violations. The Rulerequires that the office conduct a riskanalysis to determine potential vulnera-bilities and then adopt security measures"sufficientto reducerisksand vulnerabilitiesto a reasonable and appropriate level."One employee must be designated as theSecurity officer. In most dental offices,the Security officer should be the sameperson as the Privacy officer becausethe requirements are so similar. Thisindividual is responsiblefor recordkeepingand for establishing and maintaining theSecurity Rule policies and procedures.

Business associate agreements mustbe entered into with any outside businesswho, as part of their duties, has access toyour patients' data. Existing agreementsunder the Privacy Rule can be edited toadd that the business associatemust notifythe dentist in the event of a known securityincident, and that the business associatemust "appropriately safeguard the infor-mation in accordance with [the SecurityRule]." In the event a business associatefails to safeguard the information or failsto correct a problem that results in asecurity incident, business dealings withthat associate should be terminated.

It's important to ensure that onlythose employees who need access topatients' protected health informationactually have access. For example, if anemployee's only job is to process instru-ments, there isno reason for that employeeto haveaccessto privatepatientinformation.In the event an employee violates theseadministrative safeguards, the employermust establish and maintain sanctionsagainst that employee.

To further ensure that only authorizedusers are accessing the system, records ofsystem activity, such as audit logs andaccess reports, should be regularlyreviewed. In the event a security incidentis discovered, steps must be taken to fixthe problem, mitigate any damages asmuch as possible, and document theevent and its outcome.

Security incidents can also include"any occurrence that damages systems

GDA ACTION JANUARY 2005

that contain electronic protected healthinformation," which can include eventssuch as a computer crash, natural disasters,fires, or acts of terrorism. The Rulerequires that every office have a databackup plan, a disaster recovery plan,and an emergency mode operation planin place so that lost data can be quicklyaccessed and restored in the event of acatastrophic event.

Think about this: If your office wasdestroyed today by a fire or a hurricane,how long would it take you to be back inoperation? If you have electronic patientrecords and have a current, completebackup, you could be up and running inthe amount of time it takes you to get anew computer. Youmay not have all yourx-rays or some of your oldest writtenrecords, but you have enough to getgoing. If you don't have these things, youdon't have anything... you don't have yourpatients' names or phone numbers, youdon't know when they're corning in, youdon't know what needs to be done, andyou don't know what they owe you. Now,you've got a problem.

Back up your computer every day.

PROFESSIONAL

Think how many transactionsarecompletedon your computer every day...paymentsare entered, appointment dates arechanged, patient notes are entered. If youdon't back it up, you lose a huge amountof information that may be impossible toreconstruct completely.

Also, at some point, make sure thatyour backup is working properly. Alocal dentist had his computer servercrash. He took his current backup disk,inserted it in the new computer, andfound there was no data. Apparently,when he thought he had been backing uphis data, it was actually copying his den-tal software instead. He had to send hisserver to a data recovery company and,$7,000 later, he retrieved most of his data.If he'd had a fire, he would have beencompletely out of luck. It's worth the costof getting your computer repair person tovisit your office to check and make surethat when you clickon "Backup,"it's actu-ally writing the correct information ontothe disk.

This section also requires that certainother related topics must be addressed andadopted if it's "reasonableand appropriate"

PRACTICE SALES AND

to do so. Most of these sections should be

implemented, but different facilities willneed different levels of compliance, sothese sections are considered to beaddressable, rather than required. Forexample,a security awarenessand trainingprogram should be implemented in everyfacility;this may require a full-time trainerin a large corporate facility, or it mayrequire a fact sheet and a five minutediscussion in an office consisting of adentist and his spouse.

Password protection, determiningwhich employees have what levelof accessto electronic information, establishinghow to end computer access in the eventan employeeis terminated,and determininghow often the security program should beupdated, must all be considered. Firewallsand anti-viral softwareshould be installedthat are adequate for the type of systemand the size of the network.

Physical SafeguardsPhysical safeguards are defined as "securitymeasures to protect a covered entity's

Continued on page 24

ACQUISITIONS

~ Your dreams. Myjob.\ DOYLE WATSON, PRESIDENT,OW GROUP

~ ~~ I~ 1

r

\

\ ,.I.\

For twenty years, putting sellers and buyers of professionalpractices together-with unrivaledsuccess for both parties-has been my job, my passion.

From skilledappraisals and emotion-free negotiations,to tax strategies and ready financingfrom our team of topcommercial lenders (often with 100%financing),we'rewith you every step of the way.

Ifa practice sale or acquisition is in your future,I inviteyou to call 800.956.1977.

owwww.dwgroup.info

GOA ACTION .JANUARY 2005 23

HIPAA SECURITYRULE

Continuedfrom page 23

electronic information systemsand relatedbuildings and equipment, from naturaland environmentalhazards,and unauthorizedintrusion." Dentists are required toestablish policies and procedures thatensure that physical access to electronicdata is limited only to those who areauthorized to use it. The policies shouldalso discuss workstation security andphysical safeguards for each workstationand all disks,CDs, magnetic tape, and anyother media that may contain privatepatient information.

For example,make sure that computerterminals and data disks or tape are notaccessible to patients or visitors. Thosethat are accessible should be passwordprotected and disks should be lockedaway. Lock your office when you're notthere to protect your equipment from"unauthorized physicalaccess,tampering,and theft." If you are in a building withother occupants, evaluatebuilding securityto ensure that access to your office isproperly limited. If you are replacing yourcomputers, make sure that all patientinformation is removed from the harddrive and any disks before disposal. If acomputer is being removed for repair,record the name of the repair person andlog in the date of removal and when it isreturned. Back up any data before thecomputer is removed from the facility, ifpossible.Also, have that individual sign abusiness associate agreement if there isany patient data on that terminal.

TechnicalSafeguardsDentists are required to implementpolicies that allow access "only to thosepersons or software programs that havebeen granted access rights" under theSecurityRule. In other words, you need toestablish protections to ensure that noone else can hack into your systems andmess with your data. You don't want acomputer savvy patient who owes you acouple thousand dollars to be able tosneak in and adjust off the balance. Also,with identity theft becoming such a hugeissue, a dental office with Social Securitynumbers, birthdays, and addresses wouldbe a gold mine for a criminal, so you don'twant to put you or your patients at risk.

Assign a unique name and/or num-ber to make sure that only authorized

24

users are accessing the system. Makesure that your emergency plan includesprocedures that allow rapid access tohealth information in the event of acatastrophic event, including powerfailures. Install technical systems toensure that the netw~rk is as secure aspossible while transmitting data. Establishprocedures to ensure that informationcannot be accessed, edited, and ordestroyed without authorization. Set uphardware and software systems to ensurethat any such unauthorized activity willbe recorded, and establish schedules toexamine the resulting audit logs in orderto reveal any unauthorized access.

Consider using automatic logoffs ifthe system is inactive for a specific time inorder to ensure that a computer is notleft on inadvertently, thereby allowingunauthorized access. The Rule also

suggests considering "encrypting" infor-mation so that unauthorized users wouldbe unable to decipher any information.The problem with encrypting informationis that, unless you have compatible"decrypting" software, the information isnot usable. This would be a problemwhen sending information to anotherprovider or a patient who may not havethe software.Also,the type of informationwe generally send outside our facilities ismostly things like insurance claim formsand patient e-mails, which rarely containsensitive information. For example, onyour averageclaimform,now that insurancecompanies have generally stopped usingSocial Security numbers as identifiers, theinformation the hacker may receive isname, birthdate, address, and the fact thata filling was done on tooth number 31.Big deal. They can get name, address, andbirthdate from public records, and thetype of health information that we generallytransmit on an insurance form is not

particularly damaging. As a result,encryption software is probably moreprotection than we need and is likely tocause more problems than it solves.

That's pretty much the basics. Keepall records relating to the Security Rule forat least six years from the date the recordswere created, and make sure your poli-cies are in place by April 21, 2005. If youchange your policies, review your procedures,

or update your computer systems, makesure you update your documentation, aswell. Happy HIPAA.

GDA ACTION JANUARY 2005

Laney Kay, ]D, and has worked in her

husband's general dentistry practice since1989. She has been writing and speaking on

OSHA regulations, the Americans WithDisabilities Act, risk management, team

building, and women's issuesfor more thana decade. She has spoken at the AmericanDental Association and Hinman Dental

Society meetings, as well as numerous stateand district dental meetings, and hasauthored many articles on government

regulations and risk management. She alsoconsults for individual offices throughoutthe Southeast on various regulatory matters.

The ADA Department of SalableMaterials is taking orders for the HIPAASecurity Kit. The price is $99.95 formembers. Call the ADAat (800) 947-4746or goto the ProductCatalogat www.ada.org.The catalog number for the ADA HIPAASecurity Kit is J685. The Kit providessample compliance forms, policies, andprocedures that you can customize foryour own dental office.

Have Explorer,Will Travel.

Temporary dentaloff ice coverage.

MarkRabin,DDS

. Georgia license. DEA Number

. Fully insured

. Cover your hygiene& emergency casesl

Dr. Mark Rabin770.512.0837