
JANUARY 2015 » dentaltown.com (page 26)

practice management feature

by Bryan Laskin, DDS

Count the Acronyms

Living and practicing in the great state of Minnesota comes with some fun nuances. For example, we have the honor of paying a two-percent Minnesota Care Tax on all procedures which, as you might expect, mainly goes to help build roads. I guess that makes sense if you are a politician, and I guess I do like the convenience of having fancy roads so that patients can make it to our front door. But I digress.

The latest feather in our Minnesota dental caps is that we get to be the first state required to adopt a certified, interoperable electronic-health-record system (or EHR) by 2015, just like our pioneering physicians already have, in order to increase the level of care while reducing errors. Minnesota is often first in all things fantastic and I’m sure this won’t be the last time, which means that sooner or later we all will get to add to our list of acronyms (one so far. Count them with me).

I’ve had a paperless practice for the last 10 years, so I actually agree that using EHRs will be better for everyone. It’s hard to admit to those of you who prefer your paper charts, but it’s true because, despite tradition, it is only a matter of time until we’re all firmly entrenched in the 21st century, surrounded by wireless transmission of information, including sensitive health data.

There are, however, a whole host of issues that come with storing your patient’s health information electronically (ePHI). The second acronym we did not go to dental school to memorize—keep counting.

The most basic ePHI rule pertains to how you store sensitive patient information. The vast majority of HIPAA data breaches don’t actually come from hackers breaking into databases, as is commonly thought—after all, how much profit is there in looking into a stranger’s gingival pocket depths? One would think those brilliant Eastern European hackers are going to start with banks, not your practice. (HIPAA is the third acronym—stick with me.)

In truth, the largest risk is from people who have physical access to your patient data, either by stealing a USB, a hard drive or emailing information that is stored on a local server. So tell me, is there any possible way someone could grab your data? And do you know what will happen when they do? I know, I know, you are certain that a data breach will never happen to you and frankly you have way too many other fires to put out today to care, like fixing the air compressor. But I’m telling you, it’s time to care, because even if you don’t, your patients and the media will.

Alert the media

Breaches have recently occurred in California, Pennsylvania and Texas. Each of these regular old dental-practices-next-door was burglarized. Their computers, full of unencrypted ePHI, were stolen. A loss like that makes it hard to open the practice the next day. Even worse, according to the law, both the media and patients must be notified when you have more than 500 ePHI records. Do you have more than 500 patients? Yeah, so do I, and so did all three of these sad aforementioned examples.

In the case of the Pennsylvania practice, 11,000 patient records were downloaded to IP addresses all over the world. Who knows what they will do with that information, but we definitely know what your patients will do when they hear about it.

While the fines are heavy enough, it’s the public-relations nightmare our examples above faced that is the real problem for all of us. If they had only encrypted their ePHI data, they would not have had to notify anyone. As it was, their reputations suffered. That’s tough to quantify. All this suffering because the patient data was not encrypted.

Why data encryption matters

Encryption is the conversion of data such that it cannot be read without the correct key, usually a software-generated algorithm that automatically scrambles the data, thereby disguising your ePHI, which in turn protects your data against confidentiality breaches or malicious intent. Simply put, it’s putting information into a code that only you can decode.

Under the newly enforced Health Information Technology for Economic and Clinical Health Act (HITECH), our fifth acronym for those still counting, all ePHI must be encrypted, whether at rest on a server, in transit down the hall of your practice or down the street to your friend’s practice. This means you must understand data encryption and become compliant, or you’ll be breaking the law every second of every day. As a bonus, though, by obeying these new laws you’ll be protecting your patients, and therefore your reputation, from a public-relations nightmare. Not to mention ridiculously expensive fines.

Save yourself, from yourself

How will you stay safe given these new laws? Since data is typically compromised physically, access must be protected by a combination of common sense, hardware, software and, most importantly, a real, live dental information-technology expert. Sixth acronym! See, you are a dentist-nerd, not an IT-nerd, so go find one and then help them help you. If you don’t already have one, I highly recommend you go to DentalIntegrators.org or ask for a referral from a trusted colleague or rep. Then get out of their way and do what they say so they can employ all kinds of tactics to save you from yourself.

That work will range from securing all physical local hard drives teeming with patient data, to limiting access to that data, to keeping your server off the ground, to installing physical firewalls, anti-virus software, strong passwords, and so much more. They’ll get you in compliance. They may recommend using an external server, making certain that both the storage and transmission of data are safely encrypted, both coming and going. They’ll make sure your practice-management software is encrypting like it should, if it can. They may even duplicate your data via a configuration known as a redundant array of independent disks (RAID), aiding both encryption and retrievability of your patient data. Seven acronyms!

The experts you need are out there and they probably know more than you do about compliance, so rely on their knowledge.

Tripping over ourselves

I love my iPad. I go to bed with my iPhone (you know you do, too). I’ve tripped on a crack walking down the sidewalk trying to text my wife. I’m relying more and more on the freedom these devices grant me. But if I’m not careful—if we’re not careful—we’ll trip over more than a crack in the sidewalk.

Protecting ePHI seems diametrically opposed to the convenience of being mobile. All these devices are way too easy to lose and unless you’re serious about it, like your IT nerd should be, these devices boast little-to-no security controls. So what should you do? Common sense starts with password protecting everything—even many flash drives are available that can be password protected. At the practice, you can use physical controls, such as laptop or iPad locks that secure devices in place. And, obviously, it is absolutely necessary to have the data encrypted on every mobile device too.

The most secure way to ensure your ePHI stays safe while you stay mobile is to access data through a password-protected, HIPAA compliant, secure internet interface. You may have heard of this before referred to as the cloud, which despite its moniker, is not actually made of fluffy water or fairy dust. In fact, in most cases, the only way to ensure that you are 100 percent compliant is to perform all sensitive communication through a secure cloud platform (in other words, a secure server located offsite of your practice that encrypts data for you). The great thing about the cloud is that it allows you to access this sensitive data securely from any device you like, any time, anywhere—no more being shackled to your practice desktop computers. The key here, though, is to use a cloud platform that is HIPAA secure and encrypted.

Let me explain: your Dropbox account, while technically cloud-based, is not secure. I repeat, not secure. Every time you use it to send a case to your lab you’re tripping over several of the aforementioned acronyms. Then there are those emails you’re sending through Gmail. Don’t get me wrong: I love Gmail. Frankly, I love Google. But Google is not in the privacy business and so, just like with Dropbox, every time you email even just a patient’s name to your favorite endodontist, you’re breaking federal and state law. I know you’ve heard this before, and I know it’s hard to break a habit, but you have to get your patient’s health information off traditional email and get on a HIPAA-secure email portal built specifically for healthcare professionals. If you think about it, finding and using one isn’t any more difficult or complicated than it was when you first started using Yahoo. It’s all the same in terms of usability and ease. The only difference is that Yahoo and other such email services aren’t secure.

I just want to fix teeth

It is true that with the great power inherent in electronic dental records, we also have a great responsibility to protect our patients’ valuable health information. It is also true that there are experts who can help you and some simple tools available that can get you back to where you want to be, in your operatory. I’ll see you there, fully compliant and with all seven acronyms emblazoned in our brains. ■

Comment on this article at Dentaltown.com/magazine.aspx.

Author’s Bio

A 1999 graduate of the University of Minnesota Dental School, Dr. Bryan Laskin operates a private practice in Wayzata, Minnesota. Dr. Laskin is a certified CEREC trainer and founder of Prehensile Software, developer of OperaDDS; the total communication dashboard for the dental profession which includes intra-office messaging, as well as HIPAA-secure emails, laboratory prescriptions and specialty referrals from any device anywhere.