Protecting patient privacy is essential to any healthcare facility that wants to stay in business. In this era of electronic medical records (EMR) and health information exchanges (HIE), keeping patient information safe from the malicious and the merely nosy is difficult but not impossible. Small dental and medical practices have to meet the same HIPAA requirements as large hospitals and medical centers. So, if you run a small dental or medical practice, ask yourself: Are the IT solutions I use HIPAA compliant? Keep in mind that no product is HIPAA compliant on its own; compliance depends on how the system is configured, who can reach it, and the policies your staff actually follow.
If your answer to the above question is yes, then you are in good shape, although compliance is something you maintain over time, not something you achieve once. If your answer is no, then you and your patients have a problem that needs to be solved as soon as possible.
If your answer to the above question is, “I don’t know,” here are three things you can check to help you determine if your practice is indeed HIPAA compliant.
- Physical Security – Do you store your practice’s digital medical records on a system that sits in a locked office or cabinet, or could your employees or, worse, your patients walk up to an unattended office system? Workstations in treatment rooms and at the front desk should lock automatically after a short idle period, and server hardware should be behind a locked door. Your patients should never be able to reach records directly on your office systems, not even their own; patient access belongs in a controlled channel such as a patient portal or a records request. Your employees should have access based on their need to know. Does your bookkeeper really need to see the results of someone’s x-rays? Probably not. So, giving your bookkeeper access to that kind of information is not a good idea.
- Digital Security – Do all of your employees have access to all records on your workstations, server(s) and other office systems? Do all employees know the “administrator” password? How often do you change passwords? Again, employees should only have access to what they need in order to do their jobs, and each employee should log in with their own account so that HIPAA’s audit trail requirement can actually be met; a shared login makes it impossible to tell who viewed or changed a record. Only you and perhaps your staff IT person should know the “administrator” password, and that account should be used only for administration, not for day-to-day work. As for changing passwords, you could make it a policy for all employees to change their passwords every 60 days and schedule a reminder email on the due date. Rotation alone is a weak control, however: unique accounts, long passwords, multi-factor authentication where your software supports it, and promptly disabling the accounts of staff who leave matter more than how often a password is changed.
- Backups – Do you make regular backups of your workstations, server(s) or other office systems that store digital medical records? If so, how often does someone check to confirm that the backups completed successfully? Does anyone test a restore from the backups periodically to confirm that the restored data would be usable? Backups of patient records contain the same protected health information as the live system, so they should be encrypted and at least one copy should be kept off-site or otherwise out of reach of whatever might destroy the office systems, including ransomware. Depending on the size and budget of your practice, you could do this yourself, have your in-house IT person take care of it or enlist the aid of a managed IT provider.
If you cannot give definite answers to those questions, chances are your dental or medical practice’s IT systems are not HIPAA compliant. And that is no small matter. Besides personal health histories, patients’ medical records also include their home addresses, dates of birth and Social Security numbers, exactly the data needed for identity theft. If a patient’s identity were stolen because of lax security measures in your office, it could cost you not only a lot of money but also your practice and your reputation.
If you are committed to the success of your dental or medical practice, make sure you do whatever it takes to get your practice HIPAA compliant before something unfortunate happens.
Are you looking for a trusted IT provider who understands how to help medical clinics with HIPAA compliance? Call us today to learn more about our HIPAA consulting and IT services.