Sharing the Risk
In 2013, the Omnibus Rule expanded HIPAA requirements to include business associates and their subcontractors, holding them to the same standards as dentists and other healthcare providers.
As a technology integrator, we sign a business associate agreement (BAA) with each dental client, which means we share liability for their ePHI. As a HIPAA business associate, we will not use any technology that could expose patient information and make our company liable. For us, our technology partner Datto Inc. is the solution, end of story.
An ePHI data breach can be as simple as losing an unencrypted thumb drive or laptop that holds patient information, or posting something inappropriate about a patient on social media. By law, dental offices and their business associates must protect the
confidentiality of ePHI (prevent unauthorized access or disclosure)
integrity of ePHI (prevent unauthorized alteration or deletion)
availability of ePHI (keep it accessible to authorized users when they need it).
Part of what we do is act as consultants, educating the client on what they need. Most small businesses don't have a compliance officer on staff. We show them the technologies that minimize their risks and vulnerabilities. HIPAA is really about risk management.
Failure to manage risk can be costly. HIPAA non-compliance penalties range from $100 to $50,000 for each violation, with an annual cap of $1.5 million for violations of the same provision.2 In some cases, "each violation" means each patient record exposed, which can total millions of dollars in fines for large healthcare organizations.
Even small practices can face business-crippling HIPAA fines, and the consequences are not only financial. [2015 reference: PA dentist who lost license to practice; jail time for three doctors]
Dental practices, and the MSPs who are their business associates, need to understand that the future is about compliance. Technology is a big portion of that compliance. Every dental office must understand the transformation that is occurring as the industry becomes compliant. How technology is used is absolutely key to fulfilling that, especially for a small dental office that doesn't have a compliance department keeping an eye on things.
The HIPAA Security Rule requires covered entities and their business associates to establish procedures for obtaining necessary ePHI during an emergency.4 Contingency plans must include a data backup plan (with copies kept in a separate secure location), a disaster recovery plan and an emergency mode operation plan, along with procedures for periodically testing and revising those plans.
Availability of patient data in an emergency is why all of our backup solutions are standardized on Datto Inc.'s platform. Since 2013 we've used it on every new client. We can back up data to the cloud and restore it at a moment's notice. Having data readily available at any time provides better patient care and helps with compliance. A backup only counts toward the contingency plan if the copy is encrypted at rest and a restore has actually been tested, not just scheduled. Having that data in a format that's ready to spin up is priceless.