
Demystifying HIPAA: Part II—Administrative and Technical Safeguards of the Security Rule

by Olivia Wann, RDA, BSHCA


In Part I of Demystifying HIPAA (March 2007), Compliance in Practice discussed how dental offices can comply with the privacy standard, including appointing a privacy officer, providing training for the team, and implementing the necessary policies and procedures to safeguard patients' protected health information. This month, we will address the administrative and technical safeguards of the security rule and the penalties associated with HIPAA violations.

The health care industry, which includes small dental practices, has become more complex as new technology is incorporated into daily practice. With claims being filed electronically, eligibility being verified online, and other methods of exchanging electronic information, there was a need to safeguard patients' protected health information (PHI) and the security of the data—all of which is part of the administrative simplification standards contained in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

All covered entities (dental offices submitting electronic claims or verifying eligibility online) must have complied with HIPAA's Security Standards for the Protection of Electronic Protected Health Information, found at 45 CFR Part 160 and Part 164, Subparts A and C (commonly referred to as the Security Rule), no later than April 20, 2005.1(p1)

Whereas the privacy rule sets standards on what uses and disclosures of PHI are authorized, the security rule is intended to guard data integrity, confidentiality, and availability of electronic PHI (ePHI). To comply with this component of the security rule, dental offices must implement safeguards to protect ePHI from unauthorized access, alteration, deletion, and transmission.

By reflecting on the tragedy of Hurricane Katrina, we may better understand the importance of HIPAA's security regulations. We should engage the thought process of "What would we do if…." For example, dental offices can burn to the ground, flood from broken pipes, or be robbed, and such disasters not only affect the security of ePHI but also damage the practice as a small business. Thus, although we think of electronic security as preventing someone from hacking into our systems, we also must be prepared for other potential disasters.

Security Officer

First, a security officer should be appointed. In a small practice, the privacy officer and the security officer may be the same individual. Typically, an office manager serves in this capacity. This individual is highly familiar with HIPAA compliance and ensures that the practice's computer system meets security requirements. This is accomplished by working with an information technician who is well versed in the electronic security required for HIPAA compliance. Working with a technical specialist who has experience with the security needs of health care facilities, including dental offices, can protect your office from security violations. For example, I recently consulted with a practice whose wireless network was not secure, meaning anyone with a wireless device could use the network to get online. If the practice had worked with a technician experienced in the needs of health care facilities regarding HIPAA compliance, the technician would have set up its network to be secure, ensuring that no one could access the network without proper authentication.

Risk Assessment

Second, a risk assessment of the practice's HIPAA compliance should be conducted to assure the confidentiality, integrity, and availability of ePHI collected and stored by the dental office. Questions to assess your office's risk include:

  • Is the building secure?
  • Who has access to the network and management software?
  • Where is the file server located?
  • Is everyone using individual user names and passwords?
  • Are user rights established according to job descriptions?
  • What is the back-up procedure? Where are the back-up files stored?
  • Is a secondary data back-up system, such as an external hard drive, being used?
  • Is the integrity of the data tested?
  • Is a paper shredder used?
  • Is the antivirus software working and up-to-date?
  • Do you record hardware repairs and report viruses to the security officer?
  • Is the network secure? Are the data susceptible to hackers?
  • Do you have a current inventory of hardware?

Workforce Security

Dentists or persons serving in management positions should check the references of new hire candidates. Additionally, if a new team member will have a high level of access to the data, a background check is recommended. It is critical to determine if this person was guilty of any crimes, including identity theft. Remember—this person has access to your patients' ePHI, social security numbers, physical addresses, and other sensitive information. A credit report is also helpful to avoid hiring someone who has a high-risk potential of embezzlement.

Access Control

For employees to complete their job duties, a certain level of access to management software is necessary. However, the Centers for Medicare and Medicaid Services remind us that the access controls should enable authorized users to access the minimum amount of information needed to perform their jobs.1(p1)

User rights are easily set up in the management software. Please refer to your user manual or contact your software company's technical support for detailed information on how to define user rights. Defining user rights allows employers to control each team member's access, particularly the ability to alter data. For example, if an administrative team member repeatedly deletes cash entries and replaces them with "adjustment," reviewing the audit trails can reveal the criminal activity. For this reason, no one except the practice owner should be able to delete an audit trail.

When a team member leaves the practice, certain procedures need to take place: the return of the office keys and the deactivation of his or her security entrance code, user name, and password. A team member's account should be deactivated, not deleted. Deleting a user may compromise the data input by that user.
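The audit-trail review and the deactivate-versus-delete point above, as an added Python example that is not from the article or from any practice-management product; the log format, action names, account structure and sample entries are constructed for illustration:

```python
from collections import defaultdict

# Constructed sample audit trail (not from any real product or practice).
# Format: timestamp | user | action | ledger_entry | detail
AUDIT_LOG = [
    "2007-04-02 09:14 | jsmith  | DELETE_PAYMENT | 1042 | cash 120.00",
    "2007-04-02 09:15 | jsmith  | ADD_ADJUSTMENT | 1042 | adjustment 120.00",
    "2007-04-03 10:02 | mlee    | DELETE_PAYMENT | 1051 | check 85.00",
    "2007-04-03 10:05 | mlee    | ADD_PAYMENT    | 1051 | check 85.00",
    "2007-04-04 16:40 | jsmith  | DELETE_PAYMENT | 1077 | cash 60.00",
    "2007-04-04 16:41 | jsmith  | ADD_ADJUSTMENT | 1077 | adjustment 60.00",
    "2007-04-05 11:20 | drowner | DELETE_AUDIT   | -    | purge 2006 entries",
    "2007-04-05 17:00 | jsmith  | DELETE_AUDIT   | -    | purge April entries",
]

def parse(line):
    ts, user, action, entry, detail = [f.strip() for f in line.split("|")]
    return {"ts": ts, "user": user, "action": action, "entry": entry, "detail": detail}

def cash_to_adjustment_counts(log):
    """Per user: cash payments deleted and then replaced by an adjustment on the same ledger entry."""
    pending = set()          # (user, entry) pairs whose cash payment was deleted
    counts = defaultdict(int)
    for ev in map(parse, log):
        key = (ev["user"], ev["entry"])
        if ev["action"] == "DELETE_PAYMENT" and ev["detail"].startswith("cash"):
            pending.add(key)
        elif ev["action"] == "ADD_ADJUSTMENT" and key in pending:
            pending.discard(key)
            counts[ev["user"]] += 1
    return dict(counts)

def flag_repeat_offenders(log, threshold=2):
    """Users who show the delete-cash/post-adjustment pattern at least `threshold` times."""
    return sorted(u for u, n in cash_to_adjustment_counts(log).items() if n >= threshold)

def audit_deletions_not_by(log, owner):
    """Audit-trail deletions by anyone other than the practice owner: each one is a finding."""
    return [ev["user"] for ev in map(parse, log)
            if ev["action"] == "DELETE_AUDIT" and ev["user"] != owner]

def deactivate_user(accounts, name):
    """Disable the login but keep the account record so audit entries stay attributable."""
    accounts[name]["active"] = False
    return accounts

def orphaned_audit_users(accounts, log):
    """Audit-trail authors with no matching account: what deleting (not deactivating) causes."""
    return sorted({ev["user"] for ev in map(parse, log)} - set(accounts))
```

Running the review over the sample log flags the one user who repeatedly converts cash entries to adjustments and the non-owner who purged audit entries, and the last function shows why a deleted account leaves audit lines that can no longer be tied to a person.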

Technical Safeguards and Unique User Identification

HIPAA specifies 5 technical safeguards: Access Control, Audit Controls, Integrity, Person or Entity Authentication, and Transmission Security.

HIPAA requires that a covered entity must "assign a unique name and/or number for identifying and tracking user identity."2 Likewise, every team member who has access to computer workstations must have an individual user name and password. These user names and passwords are never shared among team members, which is a common HIPAA violation. Many practices incorrectly use generic log-on codes. Keep in mind that a unique user identification should be just that—unique. According to the Centers for Medicare and Medicaid Services, a set of random numbers and characters is more difficult for an unauthorized user, such as a hacker, to guess, though initially more difficult for the user to remember.1(p5) It is a good idea for each user to periodically change his or her password.

If someone feels that their individual user name and password have been revealed, this person should contact the privacy or security officer immediately to obtain new ones. Computers should never be left logged on. Rather, when the station is not in use, users need to log off to the desktop. Additionally, the workstations may be set up to log off automatically after a certain period of time with no activity. This prevents unauthorized access and enables the practice owner and privacy or security officers to track the team members' activities, including intentional data corruption.

Someone should be responsible for viewing the audit trails regularly. As a consultant, I advocate that the practice owner know how to conduct audit trails to maintain accountability of the team.

E-mails that contain ePHI (including digital photographs and radiographs) sent over an open network, such as AOL or Yahoo, are not secure. Therefore, consult your information technician regarding encryption and decryption. Otherwise, it is necessary to obtain consent from each patient to send e-mails that are not secure.

Training

As with any regulatory issue, training is essential to achieve compliance. Team members must understand why and how the practice protects ePHI. Everyone should know who serves as the security officer and how to report security violations. Reminders should be posted to help team members keep HIPAA security in the forefront of their everyday work routines. A sample HIPAA privacy/security policy acknowledgement form can be viewed and printed here.

Business Associate Agreements

Business associates, third parties who have access to the dental office's PHI, must comply with the practice's HIPAA privacy and security policies. Examples of business associates include software trainers, hardware technicians, bookkeepers, accountants, attorneys, practice management consultants, billing services, and medical records storage companies. Business associate agreements are written documents that must be signed by the covered entity (the dental office's privacy/security officer) and the business associate. These agreements need to limit the sharing of PHI to that which is minimally necessary. For example, a hardware technician does not need access to specific patient information. The goal, according to the American Medical Association (AMA), is to assure end-to-end protection and privacy of PHI.3(pp68,69) Further, business associates' activities must be supervised. If a HIPAA regulation is violated by a business associate, the supervising team member needs to take immediate action, including sanctions.

Sanctions

Having satisfied HIPAA security training, practice owners expect everyone to comply with the office's policies and procedures in assuring the security of ePHI. However, sanctions need to be in place, in case the security rule is violated. In the ADA HIPAA Security Kit for Dentists, the American Dental Association provided this example4: First Time—Reminder; Second Time—Written Notice; Third Time—Administrative Leave Without Pay; Fourth Time—Termination. By adding a clause to the office's policy that indicates that immediate termination may result if a team member violates the policy, employers are not obligated to allow 4 violations. Check with your state laws to determine if this clause is appropriate for your office.

Penalties

As discussed in Part I, HIPAA transactions are specific and distinct activities involving the electronic transfer of health care information for particular purposes. If a covered entity engages in 1 or more of the identified electronic transactions, the entity must comply with the standard for that transaction. The US Department of Health and Human Services (US DHHS) is the government agency that enforces HIPAA. The penalties for noncompliance are severe. The civil penalty for violating an electronic transaction standard is a fine up to $100 per person per violation and up to $25,000 per person per violation of a single standard per year; the criminal penalty for willful misuse of a patient's identifiable health information is up to $250,000 and/or imprisonment for up to 10 years. Other sanctions include a fine of not more than $50,000 and/or imprisonment of 1 year; misuse under false pretenses is a fine of not more than $100,000 and/or imprisonment of not more than 5 years. If the misuse of identifiable health information is with the intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm, the penalty is a fine of not more than $250,000 and/or imprisonment for 10 years.3(pp12,13)

According to the US DHHS, the total financial penalty could exceed $1 million per year. According to the AMA, it is commonly understood that a member of the entity's executive team or chief executive is responsible for compliance. Therefore, if a standard is violated in a private dental practice, the practice owner is the one most likely to be imprisoned.3(pp12,13) Having analyzed this information, most dental team members readily agree that compliance with HIPAA's security rule is critical to the successful management of their practices.

The next Compliance in Practice will complete the Demystifying HIPAA series with a discussion of the technical and physical safeguards of HIPAA security.

Do you have questions about compliance issues? If so, e-mail your questions to Olivia at , and they may be answered in an upcoming column.

References

  1. HIPAA security series: 4. Security standards: technical standards. US Dept of Health and Human Services, Centers for Medicare and Medicaid Services. May 2005, Vol 2, Paper 4. Available at: www.cms.hhs.gov/EducationMaterials/Downloads/SecurityStandardsTechnicalSafeguards.pdf. Accessed Mar 7, 2007.
  2. US Dept of Health and Human Services, Office of Civil Rights. Standards for Privacy of Individually Identifiable Health Information, Security Standards for the Protection of Electronic Protected Health Information. Technical Safeguards. CFR 164.312(a)(2)(i). Available at: www.hhs.gov/ocr/combinedregtext.pdf. Accessed Mar 7, 2007.
  3. Doscher M. HIPAA A Short- and Long-Term Perspective for Health Care. Chicago, Ill: American Medical Association Press; 2002.
  4. ADA HIPAA Security Kit for Dentists. Chicago, Ill: American Dental Association; 2004:156.

Olivia Wann, RDA, BSHCA
Olivia attended Tennessee Technology Center and graduated from St. Joseph’s College of Maine with a Bachelor’s of Science in Health Care Administration. She is currently pursuing a Doctorate degree in jurisprudence at Nashville School of Law. Her company, Modern Practice Solutions, provides national seminars and in-office training specializing in compliance topics. Olivia welcomes comments at (615) 308-6695 or .

Copyright © 2008 AEGIS Communications, LLC | CONTEMPORARY ORAL HYGIENE | All Rights Reserved.