Among countless compliance standards that are now on the “MUST DO” list for dental practices, three standards/regulations rank near the top of the list for all covered practices. “Covered” refers to all practices that store or transmit any patient data electronically, including filing third party claims and payment information; that is, the vast majority of practices in the U.S. Two of these regulations involve HIPAA standards and one involves standards set by the payment card industry to protect debit and credit card information.
The HIPAA standards include (1) the Risk Analysis and (2) the Security Management Process. The Risk Analysis standard requires all covered dental practices to actively assess vulnerabilities and risks to the confidentiality of protected health information held by the practice. The Security Management Process requires covered practices to act on that assessment of risk by implementing security measures that bring the practice to a point of compliance that reduces risks and vulnerabilities to a “reasonable level.”
Basically, these two standards mean covered practices must conduct an assessment of risk and then put measures into place to respond to perceived privacy threats. The risk assessment should include evaluation of privacy protection when speaking with patients in the office; when corresponding with patients by telephone, email, or posted mail; when transmitting patient health data to another health care entity; and when storing patient data electronically via your office computer system and on mobile devices.
Additionally, the risk assessment must include evaluation of your computer operating system’s ability to protect against hacking attacks, viruses, and such. It is your responsibility to keep your computer system current so that it is sufficiently supported by the vendor to avoid data loss, viruses, crashes, etc. Reminder: as of April 2014, Microsoft no longer offers technical support for the Windows XP operating system. Therefore, if your practice still uses Windows XP, plan immediate replacement with a new system that receives regular software updates and technical support.
The third standard has to do with payment card protection, involving measures that must be implemented to protect patients’ payment card (credit or debit) data. These measures include protection of payment card data at the time it is given by a patient to pay for services in your office and when the data is stored and transmitted electronically by your office computer system.
For more information on the HIPAA regulations, go to: ADA.org/8753.aspx or the Office of Civil Rights at hhs.gov/ocr/privacy. For additional information on the Payment Card Industry Security Standards, visit: pcisecuritystandards.org.