In my previous Spear Digest article, “Dental Records Tips: Facts about Fail-Safes,” some significant facts about data back-ups were discussed. In summary, there are significant challenges with the integrity of the data being backed up. Restoring from conventional data back-ups fails 30-50 percent of the time, depending on who you talk to and what articles you read. Another challenge with standard back-up systems is the security of the off-site back-up mechanisms that are commonly utilized.
The 2013 HIPAA Regulations mandate that “covered entities” are responsible for protecting and maintaining the integrity of protected health information, which includes not only the records kept in practice software (Dentrix, EagleSoft, etc.) but also digital photographs, letters, etc., that may be stored outside that software, such as in Windows file folders.
Specifically, § 164.306(a)(1)-(2) states:
“(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.”
Here are some key facts that dentists must be aware of, each of which may create a challenge to compliance:
- Back-ups on portable hard drives are often not encrypted and are vulnerable to breach, even if they are protected with a simple password lock.
- Most servers are not encrypted beyond a password lock.
- “Secure” cloud back-ups may be secured once they reside with the cloud entity (like Mozy, Carbonite, etc.), but the data may not be encrypted in transit from the server to the cloud.
- Many dental offices do not take their portable back-up storage devices off-site each night, making them susceptible to fire or office break-ins.
- Only data that is selected manually by the system administrator is backed up, which may not include all PHI, such as photographs stored in non-selected areas of the on-site server.
- Restoring data from an accurate and working back-up takes, on average, 72 hours before the system – and dependent business – can be fully functional, assuming immediate IT service and a well-recorded system map.
- Many IT providers do not keep meticulously accurate and updated system maps, so restores often involve a great deal of troubleshooting and reconfiguring.
- Conventional back-ups only back up data, not software and network configurations like printer mapping, fax integration settings, internet settings, etc.
- RAID systems copy data from one part of a server to another part and are dependent on the same power source.
- Mirrored servers require IT services, time, and knowledge to switch over to bring the system into operation and do not solve challenges associated with required off-site storage of data.
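Two of the points above, that a restore cannot be trusted until it is verified and that a manually selected back-up may silently omit PHI such as photographs, can be checked mechanically. The following script is an added illustration, not code from the original article or from any practice-management vendor: it hashes every file under the server's data folders, hashes the copy on the back-up drive, and reports what is missing, what is corrupt, and what matches. The folder names and file contents are constructed sample data; the `verify_backup` function and its report format are assumptions for this example.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in 64 KiB chunks so large image files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file below root (relative POSIX path) to its SHA-256 hex digest."""
    manifest: dict[str, str] = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            manifest[entry.relative_to(root).as_posix()] = sha256_file(entry)
    return manifest


def verify_backup(source: Path, backup: Path) -> dict[str, list[str]]:
    """Compare the live data tree against the back-up copy.

    Returns three sorted lists:
      missing  - files present on the server but absent from the back-up
      corrupt  - files present in both places whose contents differ
      ok       - files that match byte for byte
    """
    src = build_manifest(source)
    dst = build_manifest(backup)
    return {
        "missing": sorted(name for name in src if name not in dst),
        "corrupt": sorted(name for name in src if name in dst and src[name] != dst[name]),
        "ok": sorted(name for name in src if name in dst and src[name] == dst[name]),
    }


def build_demo() -> tuple[Path, Path]:
    """Constructed sample: a practice's server folders and an incomplete back-up of them."""
    base = Path(tempfile.mkdtemp())
    source, backup = base / "server", base / "portable_drive"
    files = {
        "practice_db/patients.dat": b"chart data (constructed sample)",
        "photos/intraoral_0001.jpg": b"\xff\xd8 photo bytes (constructed sample)",
        "letters/referral_2013.docx": b"referral letter (constructed sample)",
    }
    for rel, data in files.items():
        target = source / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

    # The administrator selected only practice_db and letters for back-up, so
    # the photos folder was never copied; the letter copy was also truncated.
    (backup / "practice_db").mkdir(parents=True)
    (backup / "practice_db" / "patients.dat").write_bytes(files["practice_db/patients.dat"])
    (backup / "letters").mkdir(parents=True)
    (backup / "letters" / "referral_2013.docx").write_bytes(b"referral letter")
    return source, backup


if __name__ == "__main__":
    server, drive = build_demo()
    for status, names in verify_backup(server, drive).items():
        print(f"{status:8s} {names}")
```

Run on a real back-up, the same comparison should be made after a test restore as well as after the copy, since a drive that matches the server tonight says nothing about whether the restore procedure works; and a copy that verifies correctly is still unprotected if the drive it sits on is unencrypted.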
As an example of a potential – but real – problem with conventional back-up systems, there is at least one actual case of which I am aware in which a dental office employee, doing as she was instructed by her employer, took home in the evening the data back-up of the day that was stored on a portable hard drive. On the way home, she decided to stop at a local mall to pick up some necessary sundries. As luck would have it, her car was broken into, and the portable hard drive was stolen. The device was not encrypted, and the theft constitutes a breach of all of the practice’s electronic protected health information (ePHI). The practice owner, a dentist, faces a lengthy investigation by the U.S. Department of Health and Human Services, possible criminal charges, and major fines of $100 to $50,000 per record – up to $1.5 million. He also must inform everyone whose ePHI may have been compromised about the breach through mail and the media. After all of this, he is also susceptible to civil suits for privacy breach by each individual affected.
Unfortunately, there is likely no insurance program that will touch any of these fines, and the ramifications to this dentist’s reputation and practice are beyond comprehension. Of course, if a criminal penalty is imposed, he will also have significant challenges to his clinical licensure and ability to practice dentistry. I am sure that this dentist believed that he was doing everything correctly and securely. However, he may not have realized that as a dental practice owner not only is he responsible for maintaining the security and integrity of his practice data, but he is also responsible for making sure that his employees are properly trained in privacy and security measures and policies. Incidentally, the office manager who was in possession of the data back-up also faces substantial fines and penalties independently from the covered entity, which is another little-known fact about the HIPAA Omnibus Rule.
So, please note: HIPAA is not a myth; it’s a cold, hard fact.
As is now painfully evident, there are many problems with standard back-up systems, not the least of which is federally mandated security. While they may be aware of HIPAA requirements, many IT providers often believe that they are adequately protecting their clients from loss of information, despite the known shortcomings of data back-ups. However, the good news is that there are some systems now on the market that address many of these shortcomings of maintaining the integrity of precious digital information, which is the topic of an upcoming Spear Digest article.
Kevin D. Huff, DDS, Spear Moderator and Contributing Author www.doctorhuff.net