Obtaining, Storing, and Transmitting Patient Files
Bryan Laskin, DDS
HIPAA is a grossly misunderstood regulatory juggernaut seeking to protect patients’ electronic personal health information (ePHI). The confusion surrounding HIPAA is understandable given the ambiguous nature with which regulations must be worded, as the number of cases that could be affected are staggering. For example, if you forget that Google mail is not secure and you use it to transmit a patient’s medical history to a dentist in a different state (or foreign country) that has a different set of local laws, and the information is compromised, which state laws take precedence? The list of possible scenarios gets complicated quickly, hence the mounting confusion among clinicians.
We all know we need risk assessments, privacy officers, policies, procedures, training, and business associate agreements with our non-clinical partners to comply with HIPAA. What doesn’t get as much attention is how you choose the partners you work with. It seems like every tech company in dentistry is saying they are “HIPAA-compliant.” I feel this is similar to how most of us say we are “cosmetic dentists.” (What’s the alternative—ugly work dentists?) There are a lot of companies looking to capitalize on the fact that the regulations are complicated to understand, even for “experts.” A good example of this is popular secure-email services that represent themselves as HIPAA-compliant email in their tagline, yet have a registration process that is a direct HIPAA violation (viewing an email directly during the registration process). So, how do you protect your practice and your patients? Start by answering the questions listed below.
Following these guidelines will keep your practice secure and your patients’ information safe. Take the time to educate yourself about HIPAA-compliant software and processes, as it will benefit all aspects of your practice and patients.
Is the information being stored on local machines (versus cloud servers or mobile devices)?
If so, make sure all information is in a secure physical location. For example, servers should be in locked rooms. The most common HIPAA breaches occur from theft, so make sure your laptops and phones are locked and encrypted, or preferably, use a cloud-based service that uses a major HIPAA-compliant platform to greatly reduce the impact of physical theft. Remember to delete files on your desktop that include things like x-rays that you securely transmitted.
How are you transmitting this information?
This is a key component of ePHI security, as many common tools are not compliant, and the risk of huge fines for these violations is real. Make sure to look for software that is cloud-based (as noted above) and requires a unique username and password, as that is a key component of the HIPAA rules. Look for a service that provides multiple secure communication options, as you will likely need a service for all communication needs, such as secure email, staff messaging, and patient recall.
If transmitting, is the other party aware of the need for secure communication and what that looks like?
Working with colleagues who understand the need to maintain the privacy of your patients’ information is vital. Make sure to communicate with your specialists, labs, and patients and express that you value secure communication. There are many secure communication services available for free or at minimal cost, but the people receiving the information still need education on HIPAA themselves. Educate those you are communicating with about why there are separate portals for information with unique logins and why their passwords can’t be sent via email.
Are your hardware and software tools doing what they claim?
Make sure you work with qualified, dental-specific software tools and IT consultants who understand both dentistry and security (not just one of the two). By selecting tools designed by people who understand the unique needs of a dental practice, the tension between security and efficiency melts away, allowing your practice to be more productive and elevating your patients’ office experiences.
About the Author
Bryan Laskin, DDS
Founder of Prehensile Software
Developer of OperaDDS