A new rule will require you to protect patient privacy by securing their records. Begin the process now!
by Ekram Khan
As modern dental practices become more dependent on information technology, the need will increase for the secure acquisition, management, and transmission of the data in a patient's record. Up to this point, the responsibility for data security has largely been left to the discretion of each individual practice. With the passing of HIPAA, it is mandated by law that the data contained in a patient record be securely stored and protected from disclosure to unauthorized parties. Noncompliance with HIPAA regulations carries stiff penalties of up to 10 years in prison and $250,000 in fines.
At this point, you are probably asking, "What is HIPAA and why are there such ominous repercussions for noncompliance?" HIPAA is the Health Insurance Portability and Accountability Act, passed in 1996. Its original intent was to insure "portability" when an employee covered by a group insurance plan changed employers. That intent grew to encompass a variety of concepts centered around administrative simplification, standardization of insurance-code sets, national identifiers, and privacy rights. This was done with the belief that mandating standardization of the manner in which health information is processed would reduce costs and administrative overhead associated with processing insurance claims. It would serve as a way to manage patient information and protect privacy rights.
Although HIPAA was passed in 1996, the HIPAA standards are being finalized along a timetable that might extend into 2002. The compliance deadline for large organizations (annual revenues exceeding $5 million) is 24 months after the final publication of rules. For small organizations (annual revenues less than $5 million), the deadline is 36 months. The rules that have reached final publication are for transactions, code sets, and privacy. In this article, I will examine how the final rule for privacy affects your practice. I also will discuss the software/hardware technologies that will assist you in meeting the requirements for compliance with HIPAA standards for privacy.
The HIPAA Privacy Rule applies to the protection of a patient's health information (in electronic form) from unauthorized disclosure to health-care providers, insurance companies, employers, clearinghouses, and any party who may be involved in the use of such information.
No matter how or why a disclosure of personal information is made, the harm to the individual is the same. In the face of industry evolution, the potential benefits of our changing health-care system — and the real risks and occurrences of harm — we must build protection of privacy into the routine operations of our health-care system.
What does all of this mean for your dental practice? Since electronic health records are being referenced, your practice-management software, computer network, staff, and any parties involved in the exchange of patient health information with your practice must be governed by written policies or procedures that control access to patient records. Physical and technical safeguards also must be implemented to enforce these policies and procedures. Physical safeguards include controlled access to facilities that house computer systems which store or have access to patient data. Technical safeguards must be provided for software, services, and products that secure your technology infrastructure. These safeguards can be hardware-based (such as tokens, smart cards, fingerprint scanners, etc.) or software-based (such as passwords, cryptography, Public Key Infrastructure, digital signatures, etc.). The HIPAA standards do not specify the use of a particular technology platform, but they do specify security objectives that must be achieved in order for an organization to be compliant.
Public Key Infrastructure (PKI) technology stands out as a comprehensive technology platform that addresses the concerns raised by each of the security requirements. What is Public Key Infrastructure technology? An industry-leading PKI technology vendor provides the following explanation:
"The core of PKI technology is the key pair. With PKI, each end user is issued a key pair, consisting of a public key and a private key. The key pair is a pair of numbers with a unique mathematical relationship. Keys are used for encryption/decryption and digital signing. Data that is encrypted with a public key can be decrypted only with the corresponding private key. Private keys are used to generate and attach a digital signature and the corresponding public key to verify that signature.
For example, a private key is tightly held by the owner in software embedded in the Web browser or in hardware downloaded to a smart card or token. The corresponding public key is available to others who are communicating, conducting transactions, or exchanging data over the Internet with the owner of the key pair.
A PKI system indisputably binds the identity of the owner to the key pair. In a well-managed PKI, a trusted authority (i.e., a "Certificate Authority") corroborates the identity of the owner. This is what makes PKI a robust method for security and enables organizations to trust the identity of individual users.
The digital certificate is a data file that embeds the user's public key. It follows a rigid format (the X.509 standard for certificates) to include information on the holder of the certificate and on the authority that issued the certificate. It also includes information on the digital signature of the Certificate Authority (CA), the organization that vouches for an individual.
The digital certificate is presented as proof of an individual's identity in cyberspace, much like a driver's license is presented in the physical world. Since an individual's digital certificate embeds the public key of the public/private key pair, it is tied to the corresponding private key held by that individual.
Competitive health-care organizations are moving quickly to harness the power of the Internet to reap the economic rewards and improve quality of care. Major forces, based on market demands, risk of litigation, and impending regulations, call for securing health information. Creating and implementing policies, procedures, and technological solutions to ensure that your practice is HIPAA-compliant will be a major undertaking. Begin the process now because enforcement of HIPAA is just around the corner.
Editor's Note: More information on how PKI applies to each of the key HIPAA security requirements can be found in an expanded version of this article at www.dentaleconomics.com.
Ekram Khan is founder and CEO of CIEOS, Inc., a consulting firm specializing in high-tech dental systems integration and product development. He has a background in medical information systems and computer networking for health-care applications. He is currently a member of the ADA Standards Committee on Dental Informatics. He can be contacted by phone at (973) 720-9999, Ext. 15; by email at firstname.lastname@example.org; or visit www.cieos.com.
Breach of privacy has serious consequences
The following examples of privacy breaches are from the Federal Register DHHS Standards for Privacy of Individually Identifiable Health Information (Vol.65, No. 250). They illustrate the relevance of this rule:
- A Michigan-based health system accidentally posted the medical records of thousands of patients on the Internet (The Ann Arbor News, Feb. 10,1999).
- A Utah-based pharmaceutical benefits-management firm used patient data to solicit business for its owner, a drug store (Kiplinger's, February 2000).
- An employee of the Tampa, Fla., health department took a computer disk containing the names of 4,000 people who had tested positive for HIV, the virus that causes AIDS (USA Today, Oct. 10, 1996).
- The health-insurance claims forms of thousands of patients blew out of a truck on its way to a recycling center in East Hartford, Conn. (The Hartford Courant, May 14, 1999).
- A patient in a Boston-area hospital discovered that her medical record had been read by more than 200 of the hospital's employees (The Boston Globe, Aug. 1, 2000).