Danielle Sheer, vice president and legal counsel at the data storage and security firm Carbonite, explained what dentists need to do to keep patient data secure at the Yankee Dental Congress on Thursday, Jan. 27.
Meeting HIPAA compliance standards is a requirement, not a choice.
At the 2017 Yankee Dental Congress on Friday, Jan. 27, Danielle Sheer discussed HIPAA compliance, a subject she deemed “near and dear” to her heart.
Sheer is vice president and general counsel at Carbonite, a company that provides automated data storage solutions for businesses. She explained that there are three main safeguards, or security rules, enacted by the U.S. Department of Health and Human Services to protect patient privacy: administrative safeguards, physical safeguards, and technical safeguards.
Administrative safeguards are security measures that restrict access to patients’ electronic protected health information, keeping out unauthorized persons. Vulnerability of patient information should be tested, she said. Does your system detect intrusion, and are there rules to manage a breach? Sheer referred to this method of testing vulnerability as “ethically hacking” the system. She said that this safeguard “ensures confidentiality, integrity, and availability of data.”
Physical safeguards are restrictions of physical access to healthcare facilities. Physical access should be limited to authorized personnel. Furthermore, all patient data must be disposed of securely, so that it is irretrievable, she said.
Technical safeguards are a means of encrypting and decrypting electronic protected healthcare information. Only those who are authorized should have direct access to patient records. It is imperative that devices containing private information are password protected and automatically lock after they have been idle for a predetermined period of time.
According to Sheer, there are three common mistakes that dentists or other healthcare practitioners often make:
1. Using a flash drive or external hard drive to back up data
2. Using public software, such as Google Calendar or Google Docs
3. Using a program that syncs data rather than backs it up
With the first mistake, losing a flash drive or hard disk can cause several problems. While encrypting data is not required by HIPAA, not doing so leaves the data exposed, said Sheer. If the data on your lost drive is not encrypted, someone can access those files. On the other hand, even if the data is encrypted, you still have no backup copy of the files.
In addition, when using public software to set up patient appointments or store patient information, you have now made what is supposed to be private data public.
Finally, syncing data refers to keeping data consistent on all your devices. It does not, however, create a copy of your data as backup.
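The sync-versus-backup distinction in the third mistake above is easy to see in code. This is an added example, not from the article or from Carbonite: a one-way sync mirrors every change, including a clobbered record and a deletion, into the copy, while a versioned backup keeps an earlier snapshot that still holds the good data. All file names and contents are constructed for the demonstration.

```python
# Added example, not from the article: why a sync mirror is not a backup.
# A sync keeps the copy identical to the source, so a corrupted or deleted
# patient record is corrupted or deleted in the copy too; a versioned backup
# keeps earlier snapshots to restore from. Paths and contents are constructed.
import shutil
import tempfile
from pathlib import Path


def sync(src: Path, dst: Path) -> None:
    """One-way mirror: make dst identical to src, propagating edits and deletions."""
    if dst.is_dir():
        shutil.rmtree(dst)
    shutil.copytree(src, dst)


def backup(src: Path, store: Path, label: str) -> None:
    """Versioned backup: copy src into a new snapshot, leaving older snapshots untouched."""
    shutil.copytree(src, store / label)


def read(path: Path):
    """Return file contents, or None if the file no longer exists."""
    return path.read_text() if path.exists() else None


def demo() -> dict:
    """Corrupt one record and delete another, then compare the mirror with the v1 snapshot."""
    root = Path(tempfile.mkdtemp())
    src, mirror, store = root / "records", root / "mirror", root / "backups"
    src.mkdir()
    (src / "chart.txt").write_text("patient chart v1")
    (src / "xray.txt").write_text("xray image")
    sync(src, mirror)
    backup(src, store, "v1")
    # Simulated failure: an edit that clobbers a record, and an accidental deletion.
    (src / "chart.txt").write_text("CORRUPTED")
    (src / "xray.txt").unlink()
    sync(src, mirror)          # the mirror faithfully follows the damage
    backup(src, store, "v2")   # v2 reflects the damage, but v1 is still intact
    result = {
        "mirror_chart": read(mirror / "chart.txt"),
        "mirror_xray": read(mirror / "xray.txt"),
        "backup_v1_chart": read(store / "v1" / "chart.txt"),
        "backup_v1_xray": read(store / "v1" / "xray.txt"),
    }
    shutil.rmtree(root)
    return result
```

After the simulated damage, the mirror holds only the corrupted chart and has lost the x-ray, while the v1 snapshot still returns both original records.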
Ensuring that HIPAA compliance standards are met within your practice can help you avoid government lawsuits and settlements that sometimes run into the hundreds of thousands of dollars, Sheer advised.