The HIPAA Security Rule is a federal regulation that protects the confidentiality, integrity and availability of electronic patient data. It requires covered entities, including dental practices and physicians, and their business associates to safeguard any electronic data that can be used to identify a patient against unauthorized access, alteration and disclosure.
What type of data is covered by the HIPAA Security Rule? All electronic Protected Health Information (ePHI): treatment, health or billing data that is stored or transmitted electronically and can identify a patient, such as:
- Birth dates
- Treatment dates
- Personal identification numbers – Social Security numbers, national ID numbers
- Biometric data – fingerprints, facial recognition data, voiceprints, full-face photographs
- Location data – zip codes, street and home addresses
- Contact information – phone numbers, email addresses, IP addresses, URLs, fax numbers
The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), enforces HIPAA by ensuring that health institutions and service providers adhere to HIPAA security policies and procedures. Understanding the HIPAA Security Rule and its implications for your dental practice will spare you costly enforcement actions and civil penalties and give patients more confidence in your services.
A critical component of HIPAA compliance is consistent data privacy and management practice. Unfortunately, it is no secret that healthcare is now among the sectors most targeted by cybercriminals: industry estimates attribute 30% of all data breaches to healthcare and put the associated losses at $6 trillion.
Such statistics are reason enough to adopt a HIPAA-compliant data management platform that secures your patients' information and complies with the HIPAA Security Rule.
Below, we’ll break down the HIPAA Security Rule and how you can protect your patient’s sensitive data.
HIPAA contains both privacy and security regulations. The Privacy Rule covers protected health information (PHI) in any form, whether paper, spoken or electronic; the Security Rule was added to set specific standards for PHI that is stored or transmitted electronically.
The growth of electronic health records, networking and cloud computing, and the cyber threats that came with them, created a landscape that needed its own set of regulations. The HIPAA Security Rule is the result: it is designed to safeguard electronic Protected Health Information (ePHI).
The Security Rule requires covered entities to protect ePHI with three categories of safeguards: administrative, physical and technical. Let's explore each in detail.
Administrative safeguards include procedures and policies that protect the integrity of Electronic Protected Health Information (ePHI).
The specific definition from HIPAA (45 C.F.R. § 164.304) defines these safeguards as “Administrative actions and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
These are the administrative safeguards your dental practice should apply when managing patients' health and personal information:
- Security management process – Your dental practice should implement measures that reduce risks to ePHI, such as a HIPAA risk analysis, vulnerability scanning and an ongoing risk management process.
In conducting a risk assessment, HHS recommends asking these questions to gain a clearer view of the risks your ePHI systems face:
- Have you identified and documented all ePHI you hold? This includes information your practice creates and information sent to you.
- Are there external sources of ePHI? For example, which third parties transmit this information to your systems?
- What threats and vulnerabilities do your ePHI systems face?
- Information access management – Another administrative requirement is to control access to your organization's ePHI and grant it only to authorized persons and systems.
- Training – HIPAA expects you to train and build security awareness among the personnel and stakeholders who handle your organization's ePHI.
- Security officer – The administrative safeguards require that you designate a security official responsible for developing and implementing your ePHI security policies and procedures. The role can be filled by an in-house resource or an external agent.
Technical safeguards cover the technology, and the policies and procedures for its use, that protect ePHI and control access to it. The standards in this category are access control, audit controls, integrity, person or entity authentication, and transmission security.
For access control, your organization must implement policies and procedures that govern who can access ePHI, when and how, for personnel and external stakeholders alike. In practice this means a unified credential and identity management system with unique user IDs, so you can readily identify who has access to your ePHI and whether they are authorized to have it.
Next are audit controls. HIPAA expects your dental practice to use hardware, software and procedural mechanisms that record and examine activity in systems that contain or use ePHI. If an audit is conducted, you should be able to retrieve the relevant log records quickly for review.
The integrity standard requires that ePHI not be improperly altered or destroyed, and that you have a mechanism (such as checksums or digital signatures) to detect when it has been. The same protection should extend to your access-control configuration and audit logs, so that accountability cannot be undermined by tampering.
Finally, transmission security requires dental practitioners to implement measures that guard against unauthorized access to ePHI while it is in transit over a network, typically encryption in transit together with integrity checks.
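To make the audit-control and integrity standards above concrete, here is an added example (not code from this article or from Central Data Storage) of a tamper-evident ePHI access log in Python. Each access event is stored with a SHA-256 hash that also covers the previous entry's hash, so an edited or deleted entry breaks the chain and is reported by verification, and entries can be pulled for an auditor by patient, user or outcome. The field layout, user IDs, patient identifiers and sample events are assumptions constructed for illustration.

```python
"""Tamper-evident ePHI access log (added example; all names and sample
events are constructed assumptions, not data from any real system)."""
import copy
import dataclasses
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS = "0" * 64  # stands in for the hash of the entry before the first


@dataclass(frozen=True)
class AccessEvent:
    ts: str          # UTC timestamp, ISO-8601
    user: str        # authenticated workforce member (unique user ID)
    patient_id: str  # record identifier; the log holds no names or clinical data
    action: str      # read / update / export ...
    outcome: str     # allowed / denied
    prev_hash: str   # entry_hash of the preceding entry
    entry_hash: str  # SHA-256 over this entry's canonical form


def canonical(ts, user, patient_id, action, outcome, prev_hash) -> str:
    """Canonical JSON so the hash does not depend on field order or spacing."""
    return json.dumps(
        {"ts": ts, "user": user, "patient_id": patient_id, "action": action,
         "outcome": outcome, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"))


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[AccessEvent] = []

    def append(self, ts, user, patient_id, action, outcome) -> AccessEvent:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        digest = sha256_hex(canonical(ts, user, patient_id, action, outcome, prev))
        ev = AccessEvent(ts, user, patient_id, action, outcome, prev, digest)
        self.entries.append(ev)
        return ev

    def verify_chain(self) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first
        entry whose link to its predecessor or whose content hash is wrong."""
        prev = GENESIS
        for i, ev in enumerate(self.entries):
            expected = sha256_hex(canonical(ev.ts, ev.user, ev.patient_id,
                                            ev.action, ev.outcome, ev.prev_hash))
            if ev.prev_hash != prev or ev.entry_hash != expected:
                return i
            prev = ev.entry_hash
        return None

    def find_events(self, patient_id=None, user=None, outcome=None) -> List[AccessEvent]:
        """Retrieve records for review; every filter that is given must match."""
        return [ev for ev in self.entries
                if (patient_id is None or ev.patient_id == patient_id)
                and (user is None or ev.user == user)
                and (outcome is None or ev.outcome == outcome)]


def build_sample_log() -> AuditLog:
    """Constructed sample events for the demonstration (not real data)."""
    log = AuditLog()
    log.append("2024-03-04T09:01:12Z", "dr.lee", "P-1042", "read", "allowed")
    log.append("2024-03-04T09:03:40Z", "front.desk", "P-1042", "read", "allowed")
    log.append("2024-03-04T09:05:02Z", "front.desk", "P-2210", "export", "denied")
    log.append("2024-03-04T09:07:55Z", "dr.lee", "P-1042", "update", "allowed")
    return log


def edit_entry(log: AuditLog, index: int, **changes) -> AuditLog:
    """Copy of the log with one entry rewritten in place, the way someone
    editing a flat log file would try to hide a denied export."""
    tampered = copy.deepcopy(log)
    tampered.entries[index] = dataclasses.replace(tampered.entries[index], **changes)
    return tampered


def delete_entry(log: AuditLog, index: int) -> AuditLog:
    """Copy of the log with one entry removed; the successor's link breaks."""
    tampered = copy.deepcopy(log)
    del tampered.entries[index]
    return tampered


if __name__ == "__main__":
    log = build_sample_log()
    print("intact, first bad index:", log.verify_chain())
    print("edited, first bad index:", edit_entry(log, 2, outcome="allowed").verify_chain())
    print("deleted, first bad index:", delete_entry(log, 1).verify_chain())
    for ev in log.find_events(patient_id="P-1042"):
        print(ev.ts, ev.user, ev.action, ev.outcome)
```

The log stores patient identifiers rather than names so that the audit trail itself holds as little ePHI as possible. In a real deployment the latest entry hash would be periodically copied somewhere the log writer cannot change (a separate system or a signed checkpoint), because an attacker who can rewrite every entry can also rebuild the chain from scratch.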
Physical safeguards cover the equipment, buildings and physical systems that house and protect ePHI, such as computer hardware, office premises and related facilities.
The specific standards that govern physical safeguards include:
- Facility access controls: limit physical access to the locations and equipment where ePHI is stored and processed, such as servers, routers, computers and hard disk drives, while still allowing properly authorized access.
- Workstation use and security: define policies that protect workstations holding ePHI, such as installing anti-malware software and firewalls and using monitoring software to track activity.
- Device and media controls: this standard expects dental practitioners to have procedures for the receipt, movement and disposal of hardware and media containing ePHI, including securely wiping or destroying end-of-life devices and backing up their data before they are moved or retired.
Continuous compliance with the HIPAA Security Rule requires regular assessments to confirm that your ePHI protections still meet the standard. We therefore recommend routine data assessments to identify areas of non-compliance and implement remediation.
At Central Data Storage, we have developed a comprehensive data assessment process that reviews your system and identifies non-compliant areas. Schedule your free data assessment today and we’ll advise you on a backup and disaster recovery solution that ensures your data, reputation and business aren’t at risk and that you’re in full compliance with the HIPAA Security Rule.