HIPAA and Your Practice
The responsibility for HIPAA compliance falls to each dental office. It is up to you to make sure your practice is secure. Open Dental software is a tool to help you become HIPAA compliant.
HIPAA is an acronym for the Health Insurance Portability and Accountability Act, a federal law to protect Protected Health Information (PHI).
- The HIPAA Privacy Rule regulates the use and disclosure of all PHI.
- The HIPAA Security Rule establishes detailed standards to protect the integrity, confidentiality, and availability of electronic PHI (ePHI).
What is Protected Health Information (PHI)? PHI is defined in in 45 CFR 160.103. Under the HIPAA Privacy Rule, PHI refers to individually identifiable health information that is transmitted or maintained in any form or medium. In the United States generally any information that includes more than first name and age (unless over 89) is considered individually identifiable and thus PHI (see https://privacyruleandresearch.nih.gov/pr_07.asp). In other countries the laws regarding privacy of patient information may vary.
Why is it important to comply with HIPAA requirements? Following HIPAA guidelines help protect PHI and your organization. Businesses that fail to do so may be responsible for consequences, including fines, if data is compromised (hacked, computer stolen or lost). See http://www.databreaches.net/north-memorial-hospital-settles-hhs-charges-for-1-55m/
What should I do to make my computer systems HIPAA compliant? To get started, we recommend following all guidelines on Network and Security Setup. This includes but is not limited to:
- Backing Up data.
- Using Virus Protection.
- Setting up Security profiles in Open Dental for all users (user groups, user names, passwords).
- Encryption of data at rest and in transit.
- Conduct a Security Risk Analysis (see below).
For information on how Open Dental Software, Inc. addresses HIPAA security guidelines and standards, see HIPAA and Open Dental Business Practices.
Security Risk Analysis
As part of the Security Rule, dental practices must conduct a security risk analysis, document it, and develop safeguards to protect ePHI.
Business Associate Agreement
If your practice shares PHI with a third party (e.g. IT professionals, backup service, Dropbox), we recommend you enter into Business Associate Agreements. If you need more information, or examples of the forms that patients and business associates must sign, you can request information from the American Dental Association at www.ada.org.
If you will be sending PHI to Open Dental for any reason, please be sure to sign and date the Open Dental Business Associate Agreement and make a copy. Keep one for your records, and return one to us for our records. We do not sign alternate versions of Business Associate Agreements from customers or other third parties because we do not have the resources to review them. Our Business Associate Agreement was updated March 2014 and includes all Rule requirements. Please let us know if there is an issue with the document or if you require additional language that applies to our relationship (e.g. state specific requirements). We will not include language that does not apply to our relationship. For example, we will not include language agreeing to retain PHI for five years since we will not do so.
Question: I have submitted my company's Business Associate Agreement to Open Dental, and I have been told that Open Dental will not sign it. Why not?
Answer from Open Dental's CEO: We provide a reasonable and compliant BAA. If you want us to add additional language to comply with law or to protect you, read the one we have and compare it with yours. Submit very specific requested changes to us and we will consider them, and if the change is reasonable, we will incorporate the changes into our published BAA.
We have thousands
of customers. In order to review distinct BAAs from each customer, we would need a legal team to read and respond to discovered issues with thousands of customers each year. Note that my staff cannot give me legal advice, so this would be an external team or I would hire in-house counsel. This would mean we would raise our prices significantly, and it would not be constructive use of anyone's time.
Further, with many distinct BAAs, we might have distinct required responses and requirements for each customer, which is unreasonable because our security policies and response to a breach must be the same for every customer's data. Because we are a Business Associate of so many entities, we provide a BAA you can download and countersign at any time.
If your state has specific requirements for a BAA that are not included in ours, we will add those sections as needed.
Questions and Answers
Q: I have an external contractor who needs to use Open Dental regularly outside of my local network. How can I accomplish this?
A: Follow HIPAA guidelines. We do not give advice on selecting contractors or assess the risk of allowing others access to business and patient data (PHI), However this is a common scenario and not materially different than a direct employee having access to your data. Do minimize access to data the contractor does not need and track the contractor's usage via the audit trail. Below are some suggestions to prevent direct access to the database:
- Have the contractor access Open Dental via Middle Tier using a HTTPS connection with a Security Certificate.
- In the contractor's Open Dental user profile, remove the permissions for User Query (to prevent access to user reporting) and Security Admin (so they do not have Admin privileges). See Assigning Security Permissions.
- Set up a local OpenDentImages folder (A to Z) for the contractor that has limited data in it (e.g. update files but not scanned images). This may take some time to setup.