HIPAA (the Health Insurance Portability and Accountability Act) may be a "household" name around your practice, but are you certain your patients will not be added to the 35,028,304 healthcare records compromised so far in 2019? Following the HIPAA rules prevents and limits data breaches that can cost your practice a large share of its patients, thousands of dollars in remediation and penalties, and even your job.
Data security is one of the most important unseen elements of your practice, and one that should not be taken lightly. According to HIPAA Guide, the number of records exposed this year already exceeds 2016, 2017, and 2018 combined. Where patient data is concerned, three HIPAA rules matter most: the Security Rule, the Privacy Rule, and the Breach Notification Rule.
Secure your data
The Security Rule tells your practice how to protect electronic protected health information (ePHI). It is the part of HIPAA that requires a documented risk analysis of your practice, repeated periodically and whenever your systems change (for example, when you adopt a new practice management system or move to a cloud provider), followed by a written plan to address the risks you found.
The rule requires three kinds of safeguards for ePHI:
- Administrative — The policies and people side: who is allowed to access PHI and why, workforce training, sanctions for misuse, a named security officer, the risk analysis itself, and signed business associate agreements with every vendor that handles PHI on your behalf (your practice management software vendor, your claims clearinghouse, your IT support).
- Technical — The controls inside your systems: unique user accounts (no shared logins), automatic logoff, audit logs showing who viewed which record, and encryption of PHI in transit and at rest. Sending insurance claims through a service such as Remote Lite powered by rPractice falls under transmission security; note that no product is "HIPAA compliant" by itself, since HHS certifies no software. Compliance depends on how your practice configures and uses the tool and on having a business associate agreement in place with the vendor.
- Physical — Protection of the places and devices that hold PHI: locked file cabinets and server closets, screens positioned away from the waiting room, and secure disposal of both paper and hardware. For paper, a crosscut shredder is the accepted method; for old workstations, laptops, and backup drives, wipe or physically destroy the storage before it leaves the office.
Protect patient privacy
The Privacy Rule is set up to protect patients. It gives them assurance that their billing, medical, and dental records are handled with care. It also gives patients the right to request corrections to their records, to ask for confidential communication (for example, calls to a mobile number rather than a home number), to ask for restrictions on disclosures, and to have no information about them or their procedures disclosed to unauthorized parties.
The Privacy Rule also gives a patient the right to a copy of their records, and your practice must generally provide it within 30 days. You are responsible for sending that copy securely, and HIPAA applies to email and text messages just as it does to paper. While you probably wouldn't send dental records by text, a patient may well request them by email. In that case, tell the patient in plain terms that ordinary email is not secure, record their acknowledgment of that risk, and send the records encrypted by default: either through a secure patient portal or as an encrypted attachment whose password you give the patient by phone or in person, never in the same email. Keep PHI out of the subject line, double-check the recipient address before sending, and log what was sent, to whom, and when.
Report breaches without delay
The third key to understanding HIPAA for a dental practice is the Breach Notification Rule. If unsecured PHI is compromised, you must notify the affected patients without unreasonable delay and no later than 60 days after you discover the breach, and you must notify the Department of Health and Human Services (within 60 days for breaches affecting 500 or more people, or in an annual log for smaller ones). Notice to prominent local media is required only when a breach affects more than 500 residents of a state or jurisdiction. Note that PHI encrypted to current standards is not considered "unsecured," so a lost but properly encrypted laptop may not trigger notification at all, one more reason to encrypt every device that holds patient data. The aftermath of a breach is difficult and can cost your practice the patronage of loyal patients and thousands of dollars to investigate the incident and reinforce your security. Staying ahead of cyber-crime is as much your responsibility as patient care. The best way to care for your patients is preventatively, and that includes their data.