Monday, October 13, 2014

HOW RECENT REGULATIONS AFFECT ELECTRONIC STORAGE OF PATIENT DATA AND USE OF PATIENTS’ CREDIT/DEBIT CARDS FOR PAYMENT OF FEES

Among the many compliance standards now on the “MUST DO” list for dental practices, three rank near the top for every covered practice.  “Covered” here means any practice that stores or transmits patient data electronically, including filing third-party claims and handling payment information; that is, the vast majority of practices in the U.S.  Two of the three come from the HIPAA Security Rule, and the third is set by the payment card industry to protect debit and credit card information.

The two HIPAA requirements are (1) Risk Analysis and (2) Risk Management, both of which are implementation specifications of the Security Management Process standard in the HIPAA Security Rule (45 CFR 164.308(a)(1)).  Risk Analysis requires every covered dental practice to actively identify and assess risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) it holds.  Risk Management requires the practice to act on that assessment by implementing security measures sufficient to reduce those risks and vulnerabilities to a “reasonable and appropriate level”.

In plain terms, these two requirements mean a covered practice must assess its risks and then put measures in place to address the threats it finds.  The risk assessment should cover privacy protection when speaking with patients in the office; when corresponding with patients by telephone, email, or postal mail; when transmitting patient health data to another health care entity; and when storing patient data electronically on the office computer system and on mobile devices (laptops, tablets, phones, and USB drives).  The assessment and the measures chosen must be written down, and the assessment should be repeated whenever the practice's systems or workflow change, not treated as a one-time exercise.

The risk assessment must also evaluate whether your computer systems can withstand hacking attempts, malware, and similar threats.  It is your responsibility to keep every system current enough that the vendor still supports it with security updates; an unsupported system receives no fixes for newly discovered vulnerabilities, leaving patient data exposed to theft, loss, malware, and crashes.  Reminder:  as of April 8, 2014, Microsoft no longer provides security updates or technical support for the Windows XP operating system.  If your practice still runs Windows XP on any machine that stores or can reach patient data, plan immediate replacement with a supported system that receives regular security updates.

The third standard is the Payment Card Industry Data Security Standard (PCI DSS), which sets the measures any merchant must implement to protect customers’ payment card (credit or debit) data.  For a dental office, that means protecting card data at the moment a patient presents a card to pay for services, and whenever that data is stored or transmitted by the office computer system; it also means not retaining card data the practice has no business need to keep, since data that is never stored cannot be stolen from you.

For more information on the HIPAA regulations, go to:  ADA.org/8753.aspx or the HHS Office for Civil Rights at hhs.gov/ocr/privacy.  For information on the Payment Card Industry Data Security Standard, visit:  pcisecuritystandards.org.