Data encryption, privacy and Internet security are front-page news. Presidential candidates have debated it. Apple is defending itself in federal court. Stories proliferate 60 Minutes regarding government-employed hackers in China and a growing threat of more than 5000 hackers worldwide targeting Americans and American businesses, and a lucrative black market for Americans’ identities with a premium on identities that include healthcare information. It’s clear there is a national data security emergency. Dentists cannot bury their heads in the sand and hope the emergency goes away.
A recent NBC News story estimates that 1 in 3 of us have had our healthcare record compromised (most of us unaware), and in last year alone, more than 100 million records were exposed. It is only a matter of time before patients, who today predominantly choose their dentists on the Internet, require dentists to provide them specifics about how their data will be secure before providing it to them, as is their right. This is serious business for all Americans, and dentists need to get ahead of it.
Adhering to HIPAA guidelines, at a minimum, to protect patient’s health information including x-rays and photos is the dentist’s responsibility. The HIPAA Security Rule became effective September 2013, and ignorance is not a defensible excuse. The HIPAA and state penalties for non-compliance can be high for dentists who do not comply, as well. The loss of patient identity can be a financial and emotional disaster that could take years to correct, if at all. Patients may never forgive or forget a dentist who does not protect their information under HIPAA guidelines and is required to report a breach that potentially exposes their personal data.
The HIPAA Security Rule standards for the protection of Electronic Protected Health Information (ePHI) include encryption of “data at rest,” “data in motion” and a unique database password. Dentists should understand that while HIPAA requires them to comply, dental software developers are NOT required to provide software that encrypts their patients’ data. Dentists cannot presume without verification that their software supports their compliance. In conjunction with securing data at rest and in motion, the Security Rule also requires secure email, and the penalties can be as much as $50,000 per email up to $1,500,000.
What is Data Encryption?
Data encryption transforms patient data collected and maintained by you, ePHI as defined by HIPAA, to be indecipherable by hackers without your unique encryption key.
Encrypt Data at Rest
Data on your computer hard disk or flash drive is called “data at rest” contained in your practice-management and imaging database(s) and on backups should be protected by a strong password that is unique and also encrypted. Recently, the largest practice management software was found to have the same, easily discoverable, hardcoded database password for every practice. Unbelievable, but true.
Encrypt Data in Motion
Data passed back and forth on your network between your server and terminals in your office or from outside (including remote secondary offices) is called “data in motion.” Data in motion also includes emails, text messages and any other electronic communication you have with patients, as well as other practitioners and insurance carriers about patients.
How Does HIPAA Apply?
HIPAA requires that doctors protect patients’ personal identity and health information at rest and in motion using AES encryption at a minimum.
2016 is expected to be the year for auditing practices for HIPAA compliance. Fines can reach $1.5 million. Your patients expect you to protect the personal identity and health information they have entrusted to you. Patients expect you to comply with HIPAA Privacy and Security Rules.
Make Sure Your Software Secures Your Patient’s Information
Without question, you should be using software that utilizes industry-standard AES data encryption and integrates secure messaging to protect your patient’s information and communications. Recently, the largest dental software company was fined $250,000 to settle Federal Trade Commission charges it falsely advertised the level of encryption it provided to protect patient data.
A $10 billion company being fined is small potatoes compared to the bigger story that most dental software isn’t encrypting patient data. Conversely, MacPractice DDS is one of only a few single-database practice management and EHR software programs that is ONC-ACB Certified, meaning your data is encrypted at rest and in motion. With MacPractice, you qualify for Safe Harbor and are not required, as you would otherwise, to report a breach to HHS to your patients and to the media.
How Do You Protect Yourself?
Ask your software company if your software has built in AES encryption (you might want to request third-party verification) for both data at rest and data in motion.
If your software is not using AES encryption, consider full disk encryption on all of your computers and backup media with Apple’s FileVault for OS X or BitLocker in recent versions of Windows. Retain an IT consultant to help you purchase equipment and to install a VPN for your network and for outside connections. There will likely be some performance degradation.
Implement secure email instead of the standard email you are very likely using now, preferably using industry-standard Direct messaging, from within your software if that is possible. Using standard email in your practice is like running an explorer under water and saying it’s clean and ready to go. Unfortunately, that is also a thing of the past.
More information about HIPAA Security Rule requirements, encryption, and Direct messaging are available at www.macpractice.com/hipaasecurity.
Mark Hollis is the cofounder and CEO of MacPractice, Inc. and provided practice management consulting services to 650 practices over 25 years. Mark represents MacPractice as member of HIMSS Electronic Health Records Association (EHRA), which advises the CMS, ONC and HHS, and as a contributing member of Commonwell, a non-profit created by top US EHR vendors to address the national challenge of patient identity related to EHR interopability.