By Dr. Lorne Lavine
Welcome to another article in our series on helping dental practices become HIPAA compliant. I wanted to focus today on the need for encryption, but first, we need to back up a bit and talk about HIPAA rules.
As many people know, the HIPAA Security Rule has two types of implementation specifications, required and addressable, and there is unfortunately a lot of confusion about the difference. Required is the easy one: if a specification is required, you must do it, no ifs, ands, or buts; it’s not negotiable. Addressable is less cut and dried. The US Department of Health & Human Services puts it this way: “a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.” If you decide that an addressable specification is not reasonable or appropriate for your practice, you must document that decision and the reasoning behind it.
It’s important to understand that addressable does NOT mean optional! The key phrase is “if it is reasonable and appropriate to do so”: if it is reasonable, you must do it. Who gets to decide if it’s reasonable? Well, you…until the day the HIPAA auditor shows up, then they do.
How does all of this relate to encryption? Encryption of electronic PHI is an addressable specification in the Security Rule (45 CFR 164.312(a)(2)(iv) for stored data and 164.312(e)(2)(ii) for data in transit), so by law it’s not required…but that doesn’t mean you shouldn’t do it. There are two reasons why I always recommend encryption:
1. As we discussed in the previous issue, the Breach Notification Rule requires you to notify every affected patient in writing and to notify HHS; if the breach affects more than 500 residents of a state or jurisdiction, you must notify prominent local media as well. Those obligations apply to unsecured PHI. If the data was encrypted in line with HHS guidance and the encryption key was not lost or stolen along with it, the data is not considered unsecured and the incident is not a reportable breach, so you do not need to notify your patients or the local news.
2. The second reason relates back to this issue of reasonable and appropriate. My question is, how will you win the argument that encryption is not reasonable and appropriate if you are ever audited? Many editions of Windows, such as Server 2008 and Server 2012, Windows 7 Ultimate and Enterprise, and Windows 8 Pro and Enterprise, include a free full-disk encryption feature called BitLocker. There are also free, open-source programs like VeraCrypt that will encrypt a container file or an entire drive. Keep in mind what these protect: the drive is only scrambled while the machine is off or the volume is locked, so encryption guards against a lost or stolen computer or drive, not against someone using an unlocked workstation, and it does not replace passwords, screen locks and access controls. If you’re not comfortable setting these programs up, most IT companies can easily do it for around the cost of 5-6 hours of support.
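To make the BitLocker option concrete, here is an added example (not from the original article, and not a vendor script) showing the steps an IT person would take to turn on BitLocker for the system drive, save the recovery password, and produce the status record an auditor will ask for. It assumes an elevated PowerShell prompt on Windows 8 / Server 2012 or later (the BitLocker cmdlets are not available on Windows 7, which uses the manage-bde command instead), a machine with a TPM, the drive letter C:, and a removable drive at E:\ for the recovery key; the drive letters and folder name are placeholders to replace with your own.

```powershell
# Added example: enable BitLocker on the Windows system drive with a TPM protector
# plus a recovery password, then verify and record the result.
# Assumptions (replace for your practice): system drive C:, a TPM present,
# recovery key saved to a removable drive at E:\ that is kept off the workstation.
# On Windows Server the feature must be installed first: Install-WindowsFeature BitLocker

$Drive       = 'C:'
$RecoveryDir = 'E:\BitLockerRecovery'   # assumption: removable media stored away from the PC

# 1. Confirm a TPM is present and ready; without one BitLocker needs a PIN or startup key instead.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    throw "TPM not present or not ready; configure a password or startup-key protector instead."
}

# 2. Check the current state before changing anything.
$before = Get-BitLockerVolume -MountPoint $Drive
if ($before.ProtectionStatus -eq 'On') {
    Write-Host "$Drive is already protected (method: $($before.EncryptionMethod))."
} else {
    # 3. Turn on BitLocker. XtsAes256 needs Windows 10 1511 or later; on Windows 8 /
    #    Server 2012 use Aes256. Add -UsedSpaceOnly only for a freshly installed drive:
    #    on a drive that already held patient data, encrypting the whole disk also
    #    covers remnants of deleted files in free space.
    Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest

    # 4. Add a recovery password. Enable-BitLocker takes one protector at a time, so the
    #    recovery password is added separately. Without it, a TPM fault or a firmware
    #    update can lock the practice out of its own data permanently.
    Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
}

# 5. Export the recovery password and store it away from the machine.
$recovery = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
New-Item -ItemType Directory -Path $RecoveryDir -Force | Out-Null
$recovery | Select-Object KeyProtectorId, RecoveryPassword |
    Out-File -FilePath (Join-Path $RecoveryDir "$env:COMPUTERNAME-recovery.txt")

# 6. Verify and record the result; keep this output with your HIPAA documentation.
$after = Get-BitLockerVolume -MountPoint $Drive
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    Drive            = $Drive
    VolumeStatus     = $after.VolumeStatus      # FullyEncrypted once the background pass finishes
    ProtectionStatus = $after.ProtectionStatus  # must read On
    EncryptionMethod = $after.EncryptionMethod
    Protectors       = ($after.KeyProtector.KeyProtectorType -join ', ')
    Checked          = Get-Date
} | Format-List
```

Run the last step again periodically (and on every workstation and server that stores patient data); a dated list showing ProtectionStatus of On for each machine is exactly the evidence that turns “we encrypt” into something you can show an auditor. The recovery text file, by contrast, should never live on the encrypted machine itself.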
The bottom line is that encryption is really something every office should be doing. It protects the security and privacy of the data, and it protects the practice from embarrassing public notifications that can easily lead to a loss of patients and income. Just make sure the recovery keys are backed up somewhere safe and separate from the computers, because encrypted data you can no longer unlock is lost data. Talk to your IT people or contact me to discuss how to encrypt your data safely and with minimal cost.
Dr. Lorne Lavine, a former periodontist, is known as the leading authority on technology in the dental practice. Founder of The Digital Dentist, he has extensive hands-on experience with most practice management software, image management software, digital cameras, intraoral cameras, computers, networks, and digital radiography systems. Dr. Lavine has over 30 years invested in the dental and dental technology fields.