Legal Standards & Compliance

Hi, my name is Scott Aurnou. I'm here on behalf of dentalcare.com to talk to you about data protection and security for dental professionals. So we're going to start off with legal standards and compliance. First, a quick disclaimer: in all honesty, this is the driest portion of the day. So this is basically dry stuff and acronyms. Sorry about that. But this stuff is actually important because this is effectively the set of rules for all the cool stuff we talk about later, like phishing and firewalls and hackers and stuff. So let's get this rolling with Protected Health Information or PHI. Told you, acronyms. That basically is information that can reasonably identify a patient coupled with a diagnosis, treatment and outcome, etc. So what that can be is something like health or dental care information coupled with a name, an address, a date of birth, a social security number, a medical or dental ID number, etc.

And it can even include something like a patient's name plus the reason for an appointment. Now the main law that affects this is what's called HIPAA, the Health Information Portability and Accountability Act. The original Act came out in '96. It was updated by another law called HITECH in 2009 and then HIPAA itself sort of adopted all the changes in 2013. Why mention all this? Because it has changed a little bit. So the original HIPAA affected healthcare providers, healthcare plans and various types of vendors working with, once again, PHI, Protected Health Information. So that means dental offices using computers, electronic data storage, the Internet, etc., are considered covered entities and hence subject to HIPAA. Now also related is a concept called a business associate. Business associates are also subject to HIPAA. These are non-employees that create, receive, maintain or transmit PHI. This can include vendors, this can include consultants and any subcontractors of either one who might have access to patient information.

So once again, the updates came later and effectively what they did was strengthen HIPAA. So, for example, under the original version of the Act, business associates usually could get out of direct accountability. That changed when they updated it, and they also enhanced the enforcement provisions, making it a bit tougher. They also put a specific agency in charge, the Department of Health and Human Services; another acronym: HHS. But wait, there's more. The Office of Civil Rights (OCR) inside HHS is the one that's actually in charge of enforcing HIPAA's main two rules, which are basically the Privacy Rule and the Security Rule. There's also a Data Breach Notification Rule. We'll cover all three of these in just a moment. So in effect, when it was updated and included these breach notification requirements, with the breach notification rule there's direct liability for the business associates. There are increased fines. And one other thing that's kind of key: this final rule, which came out in 2013, removed statutory language which used to say that there had to be a significant risk of harm from the data loss when something got taken. Because it took that language out, that means anytime anything is lost under HIPAA, any of this PHI, that's a reportable data breach. It doesn't mean that it has to have been automatically harmful. If you lost it or it was altered, take it. So I mentioned these three primary rules: the Privacy Rule, the Security Rule and the Data Breach Notification Rule. Let's take a moment to go through each of them. The Privacy Rule basically relates to any covered entity or business associate that is subject to HIPAA, once again, with a duty to prevent unauthorized access to any patient files. The thing that's key here is it doesn't just refer to electronic data. It can mean paper data and even spoken information regarding patients. You just can't disclose that stuff.
Now the Security Rule is what does relate to electronic patient files and that means covered entities, once again including dental offices, must take steps to prevent unauthorized access to electronic PHI. And it has controls that can be described as administrative, physical and technical.

What's that? Administrative is basically paper - written policies, procedures, that type of thing. Physical could mean security cameras, gates, locks, that type of thing, and technical refers to something like a firewall, antivirus software, etc. Now the idea is you're trying to improve your organization's security practices. Finally we have the Data Breach Notification Rule, and that requires covered entities and business associates to provide notice when a data breach involving unsecured PHI has occurred. Thing is, proof of actual data theft is not required. So HHS defines a data breach as an impermissible use or disclosure of the Protected Health Information unless there's a low probability that the data has been compromised. In particular, data that is encrypted is viewed as "secured." So that sort of gives you a way out of this. Effectively a "safe harbor" that doesn't trigger it, assuming what are called the decryption keys, used to scramble and unscramble the data, haven't been taken along with it. Now there's also, under the Data Breach Notification Rule, a publication requirement mandating a press release to local media for any breach over 500 patient records. I know, lovely. And as if that's not bad enough, knowingly failing to report a breach in excess of these 500 PHI records to HHS within 60 days can actually result in jail time. But wait, there's still more. HHS also has what is colloquially known as the Wall of Shame, where they basically post any reported breaches over 500 records. You can find it on the HHS website and let's just say it's best to stay off that. Also relevant are state data breach laws. Depending on which state you're in, very likely they'll apply. And all 50 states have laws, including a number of US territories as well, like Puerto Rico, the Virgin Islands, etc.

Now, what's helpful there is, rather than detail all 50 of them (because I don't hate you), there are a number of law firms practicing in this area which actually have charts detailing what each state has and requires, etc. I'll put a link to that in the notes. You can take a look at whatever state applies to you. Just a random mention: if you happen to be in California, they also have a Wall of Shame for the same reason HHS does. Best avoided. So a dental practice can come to OCR's attention through either a random audit or as a result of a complaint left on the HHS website, which OCR is then required to investigate. Now if that happens, you do need to be ready. So in a dental office setting, there are a few points to focus upon initially. For starters, every dental practice should have a written HIPAA compliance policy clarifying everyone's role in keeping the office compliant and protecting the PHI. HIPAA also requires someone in your office to be responsible for compliance with the Privacy and the Security Rules. In a large organization, typically this is a designated privacy officer. In a smaller office, one of the dentists or perhaps the office manager can take care of that. Now it's also really important to engage in staff training. What this means is employee education, which can save your office from otherwise avoidable HIPAA violations, and your privacy officer should organize regular trainings to clarify everyone's role in keeping the office compliant. And also make sure you document these trainings and, even better yet, have everyone sign a written statement that they've completed the training so that - if an audit does arrive - you can point and say, "Hi, here's the documentation." So it's always a really good thing.

It lets HIPAA know you're taking the risk seriously and it makes the audit process itself a lot easier to deal with. Now also, when dealing with business associates, you want to have what are called BAAs or Business Associate Agreements with any organization that handles paper or electronic PHI for your office. This will clarify how your vendors, consultants, etc., will handle the PHI, which, if any, of their subcontractors will have access to it, and what measures will be taken to secure it. This is a critical step. The reason for this: there was a study done by the Ponemon Institute - which is a well respected security think tank - a few years ago on privacy and security of healthcare data. And what they found was that in the prior two years, 59% of business associates had suffered a data breach. So obviously something to keep an eye out for. And also any organization that's subject to HIPAA has to perform what's called a security risk assessment to evaluate potential risks and vulnerabilities to PHI.

It's meant to be pretty thorough and look through things. Then you have a corresponding risk management plan, which is used to address the issues identified in that security risk assessment. And it's an ongoing process. It's not one and done. You have to perform it regularly, document it, update it, etc. And HHS does offer helpful information and a security risk assessment tool to assist a covered entity, including a dentist's office or business associate, in achieving HIPAA compliance. One related concept (promise, we're almost done with this fun stuff) is something called PCI-DSS. That's right. More acronyms. If your office accepts credit cards for payment it will be required to comply with the PCI-DSS, which is the Payment Card Industry Data Security Standard. Now that's administered by the Payment Card Industry Security Standards Council, PCI-SSC. That's our last acronym for this section. That was established in 2006 by major credit card brands in America and Japan. This includes American Express, Discover, MasterCard, and Visa. Now the purpose of the PCI-DSS is to set minimum security standards that an organization must maintain in order to protect cardholder data.

Protected Health Information (PHI) is information that can reasonably identify a patient.

  • This can include health/dental care information coupled with a patient’s name, address, DOB, SS#, medical/dental ID #, etc.

HIPAA (the Health Information Portability and Accountability Act of 1996) was created to safeguard patient data.

  • Dental offices using computers, electronic data storage, the Internet, etc. are considered “covered entities” and subject to HIPAA’s requirements
  • “Business associates” are also subject to HIPAA. They are non-employees that create, receive, maintain or transmit PHI. This includes vendors, consultants and any sub-contractors of either who have access to patient information

HIPAA has three primary rules:

  • Privacy Rule
    • Each covered entity and business associate subject to HIPAA has a duty to prevent unauthorized access to patient files
    • Relates to electronic, paper and even spoken information regarding patients
  • Security Rule
    • Relates to electronic patient files
    • Covered entities (including dental offices) and business associates must take steps to prevent unauthorized access to electronic PHI
    • Has administrative, physical and technical safeguards focusing on steps to improve an organization’s security practices
  • Breach Notification Rule
    • Requires covered entities and business associates to provide notice when a data breach involving unsecured PHI has occurred (proof of actual data theft is not required)
    • HHS defines a data breach as an impermissible use or disclosure of PHI, unless there is a low probability the data has been compromised
    • Exception: encrypted data is viewed as secure (i.e., does not trigger the Breach Notification Rule), assuming the decryption keys to unscramble the data weren’t taken, as well
    • Note: Individual state data breach laws may also apply, as there are data breach notification laws in all 50 states (and a number of US territories).

HIPAA also requires someone in your office to be responsible for compliance with the Privacy and Security Rules:

  • Employee education can save your office from avoidable HIPAA violations.
    • Be sure to document these trainings and have everyone sign a written statement that they have completed their HIPAA training
  • Use detailed written Business Associate Agreements with any organization that handles paper or electronic PHI.
    • This will clarify how your vendors, consultants, etc. will handle PHI, which (if any) subcontractors will have access to PHI and what measures will be taken to secure it.
  • Any organization subject to HIPAA must perform thorough and accurate Security Risk Assessments to evaluate potential risk and vulnerabilities to PHI.
    • A corresponding Risk Management Plan is used to address the issues identified in the Security Risk Assessment.

If your office accepts credit cards for payment, it will also be required to comply with the Payment Card Industry Data Security Standard (PCI DSS).