Imaging in a HIPAA world

The majority of dental offices now use some sort of image management system.

Whether it’s digital X-rays, intraoral cameras or digital cameras, dentists accumulate images on their computer systems.

As many practices know, there are now many new rules and regulations regarding the protection and privacy of patient information. For electronic data images, this is part of the HIPAA Security Rule. Unlike practice management data, however, image files are significantly larger and need to be handled differently. In this article, we will look at the storage of images, data backup and disaster recovery and how to share these images with other practitioners.

More on HIPAA: The 5 most commonly forgotten things about HIPAA

Image storage

The biggest threat dentists face when it comes to patient images is having an unauthorized person access those images. This would qualify as a data breach, and the law is quite clear on what happens next. If a practice suffers a data breach, it must notify all patients in writing and the local media, as well as be listed on the Health and Human Services website, affectionately known as the Wall of Shame. However, there is one “get-out-of-jail-free card” and that is encryption.

If you encrypt the folders where the images reside and suffer a loss of the data, you are exempt from the Breach Notification rule. Because most offices have far more ePHI (electronic protected health information) than just images, I would almost always recommend you encrypt the entire hard drive of the server. Windows Server 2008 and Server 2012 have a free encryption program called BitLocker built into the operating system.

Hot read: Why the benefits of using digital imagery and conebeam CT scans outweigh the risks

Continue reading on Page 2 ...

Disaster recovery

While backing up your data is obviously critical and has been for decades, new HIPAA regulations make this even more critical. HIPAA requires the backup be “retrievable” (this mostly means offsite), and it must also be “indecipherable, unreadable and unusable”, which you can easily accomplish using the encryption I mentioned above. While I am a huge fan of online backup, for offices that handle images, a two-pronged approach is needed, as downloading multiple gigabytes of data from an online data center could take days or even weeks.

What I recommend is doing an “image” of the server to a local device. This would be an exact snapshot of the entire server, including settings, programs, etc. This image can be updated as often as every 15 minutes. If the server goes down, you create a virtual copy and can get up and running within minutes. And, if the entire office burns down, you could restore from the online backup. Keep in mind that many of the better online services charge based on the amount of data you have.

Risky business: HIPAA compliance and the importance of risk analysis assessments

Sharing information

While there are some very good online portals for sharing images, the reality is most dentists prefer to use email when communicating with other offices. HIPAA has some very clear criteria when it comes to what it calls “data in motion,” and email certainly qualifies as data in motion.

For the most part, if you send images to another office, you should use an encrypted email system to meet HIPAA regulations. Yes, you could in theory send just, say, a single bitewing radiograph with no identifying information and then call up the recipient to tell them which patient that X-ray belongs to, but that’s not really practical. Encrypted email systems can be found for less than $50/month, are very easy to use and will protect both the sender and recipient from HIPAA violations.

While image management has made HIPAA compliance more challenging, there are many established systems available that allow dental practices to meet these rules and regulations.

Interesting reading: 5 steps to developing your team