HIPAA Security Standard Info

 

  • Why encryption is necessary.  One of the biggest problems we have is securing our computer’s information from a potential breach.  Dealing with a breach has huge implications for a dental practice, so encryption is a great preventative measure.  If someone steals your computers and more than 500 patients are involved, you have to notify the patients AND the local media!  If the information is encrypted, the information is not considered usable and no breach has occurred.  Here’s information from the HIPAA folks about what’s required to comply with encryption.  This explains why encryption is the only security precaution that will stop a breach in the event that your computer, device, or a laptop or unencrypted phone (with access to your patients’ information) is lost or stolen. click here

 

 

  • Here is some other info for more specifics about what’s required (the actual encryption and authentication requirements can be obtained from this page so you can give it to your computer guy):  click here

 

 

  • Also, here is the Security FAQ section, directly from HIPAA: click here

 

  • Here’s the actual final HIPAA rules with modifications: click here

 

 

  • Security Breach:  In the event of a security breach of your computer system, you are supposed to follow certain procedures to ensure that patients are notified that their information may have been compromised. For information on breaches according to the  HIPAA Rules, check this out:

 

  • In the event of a breach of unsecured personal health information, we are supposed to report it to the Department of Health and Human Services (HHS). If the breach involves more than 500 individuals in a single geographic area, we are supposed to notify our patients, the local media, and HHS as soon as possible (absolutely within 60 days of the breach); if it’s less than 500 individuals, we are to notify the patient(s) involved, then log it and notify HHS on an annual basis, (within 60 days of the end of the calendar year in which the breach occurred). Here is the site to fill out the HHS notification

 

  • If there is a possible breach, it is assumed that a breach has occurred unless you analyze the situation and determine that the patients’ information was not compromised. If a reasonable person would determine that the information was compromised and a breach occurred, you have to follow the notification requirements; if there is no breach, file this completed form in your HIPAA notebook: HIPAA breach assessment

 

  • Avoiding a breach: If your patients’ information is compromised (your computers are stolen, you lose a backup drive, someone hacks into your system) you have to report this breach unless your information is properly secured and encrypted.   ENCRYPT WHATEVER DEVICES that contain or access patient information!!!

Join my mailing list!


Get
free CE and stay current on the latest information and whatever stupid crap the government has created for us this time!

(And don’t worry…I don’t share your information with others because getting spam sucks!)