This is an article written for Sally McKenzie’s newsletter The Dentist’s Network which can be found Here
By Amy Wood, President of ACS Technologies, LLC
Wouldn’t it be great if HIPAA was as easy as 123 or even ABC? Well, turns out it can be as easy as People, Process and Technology – or as I like to call it, PPT. Additionally, when you have PPT in place, it benefits many other aspects of your practice as well.
As confusing as HIPAA may be, especially for smaller practices to decipher, it can be broken up into three simple things: People, Process and Technology. If you look at all aspects of HIPAA with these three things in mind, it becomes easy to decode and then implement in your practice.
Let’s start with People. As an employer, if you properly train your staff and then provide tools to enforce that training, your people will become one of your strongest defenses. When training your team, you have many options to choose from. There are pre-recorded videos, webinars, and consultants that offer live trainings to review the basics of HIPAA – where you and your staff can ask pertinent questions and receive personalized answers. In addition, it is imperative that you review the Process and Technology parts of your Compliance Program with your staff, meaning your HIPAA Policies and Procedures as well as the technology vulnerabilities and security. When it comes to training, the best offense is a good defense.
Next comes the Process. The Policies and Procedures that you are supposed to be training your staff on must be created. You could purchase a manual with stock templates or try to find them on the internet, but I’ve found the most comprehensive policies are a joint effort between the practice staff, the doctor, a HIPAA consultant and the IT Provider. This way, what is written on paper is actually what is being done.
For example, if your policy says you will have Business Grade Anti-Virus on all computers that is updated at least daily and documented as such (as is recommended), but you buy an anti-virus license once per year and set it to ‘auto update’, your policy really isn’t being followed.
Last, and often most confusing, is the Technology. While this part of HIPAA is only about 20% of the puzzle, it tends to be the most talked about because it’s constantly changing. Think about it – ten years ago you were just implementing computers to schedule appointments, and now you are doing appointment reminders, patient health histories, and 2D/3D images of the teeth and head. You can access it from home and send it to colleagues to collaborate. The changes over the years have been incredible.
Unfortunately, the same goes for cyber threats. As information becomes easier to create and move, the more vulnerable that information becomes and the more frequently you have to adapt to new threats.
What exactly is the best way to secure your technology?
It used to be that locking the door and buying an anti-virus program was enough to keep the bad guys out. That’s not the case anymore. Now there’s encryption, cages and cables, firewalls, patching and updates, ‘smart’ equipment and lots of backups. Unless you are fluent in Geek, this can be daunting. Many of the programs and tools that automate this are only accessible to larger businesses.
Fortunately, many IT Providers are adopting a Managed Services Provider Model, where they provide a set of these programs and tools within your price range because they can be aggregated across many clients. This type of IT Provider essentially acts as your Systems Administrator, meaning they are an outsourced IT Department for your practice.
This is a different type of engagement than most dentists are used to and is still relatively new in this space. Most dental practices are used to calling the tech guy when something is broken. Personally, I miss those days. We were the smart guys who were like knights in shining armor. Things have certainly changed in the last few years. With all the malware, ransomware and hacking that has been happening, now if something happens we are the guys who ‘let you get hacked’. It’s no longer about fixing broken things; it’s about preventing things from being broken into.
There is baseline security that can not only thwart most attempts to get into your business, but can also have all the tools in place proactively if something does get past all your defenses. I call this the ‘Magic Bullet Theory’. If you remember the initial reports of the JFK assassination, they talked about this ‘Magic Bullet’ that had an abnormal and impossible trajectory. Using that same theory, if you think about a threat to your Protected Health Information, in a secured and managed system, that threat would have to get past multiple layers of defense that have different points where they overlap. With all of these defenses in place, the likelihood of something getting through is extremely low.
If your IT Provider isn’t doing these things, someone needs to – whether it be you, your team or another vendor. You stay up on current standards of care for patient treatment. It’s worth it to have a conversation regarding the current standards of care about your digital security.
Amy Wood is President of ACS Technologies, LLC. She utilizes her experience as a Data Breach Consultant and a Healthcare IT Provider to provide comprehensive education with real and relatable examples, ensuring that practices are addressing HIPAA proactively, rather than reactively, in a reasonable and appropriate manner.
Amy educates to private practices and clinics, dental associations, study clubs and disability groups as well as to vendors and Business Associate practices. She runs ACS with her husband, Scott, and lives in Santa Rosa, CA with their three daughters.
Amy can be reached at firstname.lastname@example.org