Olivia Wann, RDA, BSHCA
Technological advancements in the health care industry have created security challenges in assuring the confidentiality, integrity and availability of electronic protected health information (ePHI). As discussed in Part II, a security officer, who may be the same person as the privacy officer in a small dental office, should be appointed to train staff on security issues, ensuring that the entire team is striving to achieve compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations. After training on the technical safeguards of the security rule, assigning unique identifiers (user names and passwords), and communicating sanctions and penalties, the next step is to ensure that the office meets the physical safeguards of the security rule.
Physical Safeguards
HIPAA defines physical safeguards as "physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion."1(p2) For a dental practice, this means that to ensure the security of ePHI, the facility must be protected from unauthorized access.
Facility Access Controls
Facility Access Controls, CFR 164.310(a)(1), requires covered entities to "implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed."1(p3) According to HIPAA, a facility is defined as "the physical premises and the interior and exterior of a building(s)." The Facility Access Controls standard has 4 implementation specifications: contingency operations, facility security plan, access control and validation procedures, and maintenance records.
Contingency Operations
After disaster strikes, the dental office proceeds with contingency operations. The contingency plan must be made in advance to avoid a compromising situation in the event of an emergency. When designing a plan, the security officer will need to consider who is designated to re-enter the office to initiate data restoration and who will supervise the activity. During the data restoration process, the practice will need to continue maintaining physical security and allowing only appropriate access to ePHI. Therefore, the security officer will need to consider the office location. For example, if a tornado strikes and debris is everywhere, will your office location require you to post a guard to ensure that only authorized individuals enter the site?
Facility Security Plan
Only authorized team members should have access to the dental office and its equipment. Someone on staff should be assigned to make certain that the doors and windows are locked each day. File server cabinets should be locked. As a consultant, I recommend not housing the file server on a basement level or in an area susceptible to flood (ie, near pipes that could break or a sink that could overflow).
Alarm systems are extremely desirable to detect intrusion, especially for those dental offices located in high crime areas. Some systems use computer software that allows the practice owner to view the office through the Internet.
Access Control and Validation Procedures
The office's policies should detail who has access to the facility. It is appropriate to ask for proof of identity before allowing access to the dental office. For example, if the office consults with a new computer hardware company, the security officer may require the technical specialist to present identification to verify the person's identity.
Maintenance Records
Documentation of maintenance is necessary and must include the date, type of repair, and who authorized it.1(p7) If the technician repairs the computer or device off site, notation should be made in the dental office's records.
Workstation Use and Workstation Security
The dental office's policy should detail the appropriate use of computer workstations, regardless of where they are located. Operatory workstations should not be logged on and left unattended. For example, if the assistant leaves the treatment room, precautions should be taken to prevent the patient from accessing the computer and viewing other patients' information. Additionally, each computer should be set up to automatically log off after a certain number of minutes of inactivity.
If a dentist uses a notebook computer or personal digital assistant, a password should be added to prevent unauthorized access if the device is stolen. I recently consulted in a hospital where a physician habitually left his computer workstation logged on to the network. In the evenings, the janitor was accessing the system. This violation was reported to the HIPAA security team and immediate corrections were made.
The administrative computer workstation screens should not be viewable by the patients. If this is difficult to achieve, a privacy screen/filter can be added. These screens are placed over the computer monitor and ensure that only the primary user can see the data. If the team is at lunch in the break room and patients are allowed to enter the office to be seated, precautions should be taken to protect the data. Ideally, team members rotate lunch breaks, ensuring that someone is positioned at the front desk throughout the day. Otherwise, the office should be locked to prevent unsupervised activities.
The dental office should control Internet access of the employees, particularly on computers that contain the management software that stores ePHI. The office's policy may detail that personal use of the Internet is prohibited. Because Internet history can easily be deleted, ongoing training and reminders are essential. It is highly important that the antivirus software be updated routinely to avoid expiration. Additionally, firewalls should be in place to help prevent someone from hacking into the system.
Device and Media Controls
Assemble an inventory of the hardware in use and list the serial numbers. A copy of the inventory should be stored off site, because this information is important for HIPAA compliance, identification for insurance companies, and tracking theft. The Device and Media Controls standard has 4 implementation specifications: disposal (required), media reuse (required), accountability (addressable), and data backup and storage (addressable). "Required" indicates that all dental offices that are covered entities must comply with the regulation as written. "Addressable" indicates that each office can determine how to implement the specification.
The dental office should have policies and procedures regarding the disposal of hardware and electronic media that contain ePHI. For example, if a practice upgrades their hardware and the old computers are removed from the facility, the hard drives should be erased or destroyed.
Dental offices may appropriately reuse electronic media. A workstation that does not meet the specifications of updated software may be reused as a workstation to conduct product ordering or bookkeeping. But if hardware is donated to an external source, the dental office is required to permanently delete ePHI before donation.1(p12)
Standard CFR 164.310(d)(2)(iii) specifies that where it is reasonable and appropriate, the covered entity should "maintain a record of the movements of hardware and electronic media and any person responsible therefore." This standard requires the security officer to track the movements of hardware and electronic media that contains ePHI.1(p12)
Data backup and storage means that the covered entity creates an exact copy of ePHI, to protect the availability of the data, before moving equipment. Someone on staff should be designated to perform the backup. A mirrored hard drive, external hard drive, or backup tapes/CDs kept on site are insufficient if disaster destroys the facility. Backup devices must be stored in a secure, off-site location, such as a bank deposit box, the accountant's office, the dentist's personal residence, or online storage.
Never assume that a team member knows how to perform the back-up procedure. I consulted with a dental office and found that all the back-up tapes were blank. When I asked the receptionist to show me how she performed the backup, she simply placed the tape in the drive and let it spool. She never initiated the backup. For months, the data had not been copied. The problem? She thought the office had an automatic back-up procedure like her previous practice. As this example shows, it is important that the security officer verify the integrity of the backups.
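The "blank tape" problem above is caught by checking what the backup actually contains rather than whether the job ran. The following added example (not from the article or its author) compares a live data folder against its backup copy file by file using SHA-256 hashes and reports an empty backup, missing files, or altered files; the folder names and sample files are constructed for the demonstration.

```python
"""Backup verification check (added example, not the article's own procedure).

Reports whether a backup folder is empty, which source files it is missing,
and which copies differ from the live data, so the person responsible for
backups can confirm the copy is complete before it goes off site.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large practice databases do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_backup(source: Path, backup: Path) -> dict:
    """Compare every file under `source` with its counterpart under `backup`."""
    src_files = {p.relative_to(source): p for p in source.rglob("*") if p.is_file()}
    bak_files = {p.relative_to(backup): p for p in backup.rglob("*") if p.is_file()}
    report = {"empty": len(bak_files) == 0, "missing": [], "mismatch": []}
    for rel, src_path in sorted(src_files.items()):
        bak_path = bak_files.get(rel)
        if bak_path is None:
            report["missing"].append(str(rel))          # never copied
        elif sha256_of(bak_path) != sha256_of(src_path):
            report["mismatch"].append(str(rel))         # stale or corrupted copy
    report["ok"] = not (report["empty"] or report["missing"] or report["mismatch"])
    return report


def demo() -> tuple:
    """Constructed data set: a 'blank tape' backup, a stale backup, and a good one."""
    root = Path(tempfile.mkdtemp())
    source, blank, stale, good = (root / n for n in ("data", "blank", "stale", "good"))
    for d in (source, blank, stale, good):
        d.mkdir()
    (source / "patients.db").write_bytes(b"constructed sample record data")
    (source / "schedule.csv").write_text("2007-08-31,cleaning\n")
    for p in source.iterdir():
        (good / p.name).write_bytes(p.read_bytes())       # faithful copy
        (stale / p.name).write_bytes(b"old contents")     # copy from a previous day
    return verify_backup(source, blank), verify_backup(source, stale), verify_backup(source, good)


if __name__ == "__main__":
    for name, report in zip(("blank", "stale", "good"), demo()):
        print(name, report)
```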
Disaster Recovery
According to the American Dental Association, compliance with HIPAA's Security Rule has the added benefit of protecting a dentist's business assets.2 Preparation of policies and procedures regarding the specifications listed in this article will assist dental offices in having a disaster recovery plan. With a plan already in place, a dental office can restore its data and return to operation as soon as possible.
Conclusion
Although HIPAA has been in effect for several years, understanding and implementing its rules remains challenging for many dental office personnel. Dental assistants, working in the roles of privacy officer and security officer, can help bring their offices into compliance, helping to reduce their patients' exposure to health care fraud and identity theft.
References
1. HIPAA security series: 3. Security standards: physical safeguards. US Dept of Health and Human Services, Centers for Medicare and Medicaid Services. Updated Mar 2007, Vol 2, Paper 3. Available at: www.cms.hhs.gov/EducationMaterials (PDF). Accessed Aug 31, 2007.
2. ADA HIPAA Security Kit for Dentists. Chicago, Ill: American Dental Association; 2004:7.
Olivia Wann, RDA, BSHCA
Olivia attended Tennessee Technology Center and graduated from St. Joseph’s College of Maine with a Bachelor of Science in Health Care Administration. She is currently pursuing a doctorate in jurisprudence at Nashville School of Law. Her company, Modern Practice Solutions, provides national seminars and in-office training specializing in compliance topics. Olivia welcomes comments at (615) 308-6695 or .