Okay folks – we need to talk about your data backup.
Dental offices, as covered entities, must meet the implementation specifications that sit under each standard of the HIPAA Security Rule. There are two types: required and addressable. Required means it must be implemented, period (the Rule is technology-neutral, so it rarely dictates the exact method, but it does not let you skip the specification). Addressable means you must assess whether the specification is reasonable and appropriate for your practice and then either implement it, implement an equivalent alternative measure, or document in writing why neither is needed. Substantiate. Substantiate. Substantiate.
Data backup lives under the Contingency Plan standard (45 CFR 164.308(a)(7)). The Data Backup Plan is a required implementation specification: establish and implement procedures to create and maintain retrievable exact copies of ePHI. The “how” (media, vendor, schedule) is up to you, but the procedures have to exist, and like every Security Rule policy and procedure they have to be documented in writing (164.316). Experience tells me that most dental offices back up their patients’ data, but few actually have the required written data backup plan. You’ve got to write it down.
To take this a step further, grab your steel toe boots…
The same standard also carries a required Disaster Recovery Plan: procedures to restore any loss of ePHI. Put that next to the Rule’s general requirement to ensure the availability of ePHI and the conclusion is simple: a backup you cannot restore from is not a backup. Saying “oops, the hard drive on our server failed and when we booted from our data backup, we lost our patients’ ePHI” is not acceptable. It is a violation of federal law. The issue may never surface, but if it does, it will be a real pain in the neck.
Here’s how this scenario plays out…
An unhappy patient files a dispute or a complaint with their insurance carrier. The carrier investigates the complaint, finds nothing it can act on directly, and reaches for the one tool it does have: its Special Investigative Unit (SIU) audits your records (yes, they can do this). The carrier looks up your claims history, selects a sample of claims to audit, and either sends auditors to your practice or notifies your office in writing that you are being audited and must submit the records related to the specified claims.
You and your staff, angry and in denial, review the demand letter (or deal with the auditors as they stand in your lobby). Whether you refuse or comply, if the insurer (or any other party) paid you, they can audit you. The audit occurs and you have nothing to produce, because your data backup failed and you lost all your records for a certain time period, the very time period the carrier wants to review. You submit an affidavit certifying that you have no records for the carrier to audit. Based on your affidavit, the carrier determines there was no justification for reimbursement and demands repayment of every audited claim. Then they extrapolate the “error rate” (100% of sampled claims unsupported by clinical documentation) to the whole audit period and demand repayment of every claim they paid you during it. Messy, huh?
To make matters worse…the carrier submits a complaint to your state dental board and to the Office for Civil Rights (OCR) for a HIPAA violation, based on your own admission that you lost ePHI because you never ensured your data backup actually worked. The state board may not be too concerned, but OCR receives on the order of 20,000 complaints per year. They don’t have the capacity to investigate every one, so they pick the complaints with the greatest potential for everyone to learn from, and they publish the resolution agreements and penalties that result (their breach portal, the so-called “Wall of Shame,” separately lists every breach affecting 500 or more individuals). Healthcare provider? Check. Data loss tied to a Security Rule failure? Check. Potential to impact many people with a publicized settlement? Check.
When OCR opens an investigation, they don’t just look at the alleged violation. They look at the practice’s overall compliance efforts for the six years preceding the issue at hand, because six years is how long the Rule requires you to retain your policies, procedures and other required documentation (164.316(b)(2)). With everything HIPAA requires for each of those six years, how compliant was your dental practice? How willing are you to “settle” with OCR for six, maybe seven, figures?
Well, this situation got out of hand quickly. As ridiculous as it sounds, this type of situation plays out with healthcare providers (dentists) across the country.
Here are some key takeaways, and hey maybe you know these already. Awesome!
1. Have a written data backup plan that describes what ePHI you back up, how, how often, where the copies are kept, and who is responsible.
2. Keep redundant copies, at least one on-site and one offsite, and make sure the offsite copy is a real backup and not just a live mirror of the server (a synchronized copy faithfully reproduces every deletion and every corrupted file).
3. Periodically test your restore capability. Call your I.T. company and ask how to do this. Don’t let anyone talk you out of this. A real test means actually restoring to a spare machine or scratch location and opening patient records in your practice-management software, not glancing at a green checkmark in the backup console. Testing your contingency procedures is an addressable implementation specification, so you either test or you document why you don’t. NIST guidance indicates this should be done quarterly. That may not be feasible for a small healthcare provider such as a dental office, so I recommend yearly testing at a minimum.
4. If you don’t know for sure that your backup data will restore properly, then the only proper assumption is that it won’t.
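Here is what takeaways 3 and 4 look like when you actually do them, as an added example that is not part of this article and not the code of any backup product or I.T. vendor. The script backs up a directory into a tar.gz archive with an embedded SHA-256 manifest, restores it into a scratch location (never on top of the live data), verifies every file against the manifest, and appends a dated result to a JSON-lines log you can attach to your written plan as evidence. It then deliberately truncates a copy of the archive (simulating a backup job that was interrupted) to show that the drill reports the failure instead of a green checkmark. The sample patient files, the archive layout, the manifest format and the log file name are all constructed for this illustration; no real ePHI is involved.

```python
"""Restore-test drill: back up, restore to scratch, verify every file, log the result."""
import hashlib
import io
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large chart images don't have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(src: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under src."""
    return {str(p.relative_to(src)): sha256_file(p) for p in sorted(src.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Write a tar.gz of src (as 'data/') plus a manifest.json describing it. Returns the manifest."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="data")
        payload = json.dumps(manifest, indent=1).encode()
        info = tarfile.TarInfo("manifest.json")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return manifest


def restore_and_verify(archive: Path, scratch: Path) -> dict:
    """Restore into scratch (never the live system) and compare each file with the manifest.

    Returns a dict that is written to the test log, so every field is plain JSON."""
    result = {"archive": archive.name, "tested_at": datetime.now(timezone.utc).isoformat(),
              "ok": False, "files_checked": 0, "missing": [], "corrupt": []}
    try:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuse absolute paths, '..' traversal, devices
            except TypeError:  # Python without the 'filter' argument (pre-3.12 without the backport)
                tar.extractall(scratch)
    except Exception as exc:  # any failure to unpack is a failed restore and must be recorded, not hidden
        result["error"] = f"extract failed: {type(exc).__name__}: {exc}"
        return result
    manifest_path = scratch / "manifest.json"
    if not manifest_path.is_file():
        result["error"] = "manifest.json missing from archive"
        return result
    manifest = json.loads(manifest_path.read_text())
    for rel, expected in manifest.items():
        restored = scratch / "data" / rel
        if not restored.is_file():
            result["missing"].append(rel)
        elif sha256_file(restored) != expected:
            result["corrupt"].append(rel)
        result["files_checked"] += 1
    result["ok"] = not result["missing"] and not result["corrupt"]
    return result


def run_drill() -> dict:
    """End-to-end drill on constructed sample data: a healthy archive must verify,
    a truncated one (interrupted backup job) must be reported as a failed restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "practice_data"  # stands in for the live data set (constructed, not real ePHI)
        (live / "charts").mkdir(parents=True)
        (live / "charts" / "patient_0001.txt").write_text("chart notes (constructed sample)\n")
        (live / "charts" / "patient_0002.txt").write_text("chart notes (constructed sample)\n")
        (live / "ledger.csv").write_text("date,claim,amount\n2024-01-15,D0120,45.00\n")

        archive = root / "backup.tar.gz"
        create_backup(live, archive)
        good = restore_and_verify(archive, root / "restore_test_good")

        # Simulate a backup job that died part-way: keep only the first 60% of the bytes.
        truncated = root / "backup_truncated.tar.gz"
        data = archive.read_bytes()
        truncated.write_bytes(data[: int(len(data) * 0.6)])
        bad = restore_and_verify(truncated, root / "restore_test_bad")

        log = root / "restore_tests.jsonl"  # hypothetical evidence file referenced by the written plan
        with log.open("a") as handle:
            for entry in (good, bad):
                handle.write(json.dumps(entry) + "\n")
        return {"good": good, "truncated": bad, "log_entries": log.read_text().count("\n")}


if __name__ == "__main__":
    outcome = run_drill()
    print("healthy archive restores:", outcome["good"]["ok"], "files:", outcome["good"]["files_checked"])
    print("truncated archive restores:", outcome["truncated"]["ok"], outcome["truncated"].get("error", ""))
```

Point the script at your real backup set and a scratch directory on a spare machine, keep the JSON-lines log with your written plan, and you have both the test the Rule asks you to address and the documentation that proves you did it. The truncated case is the whole point: an archive that exists on disk, has a plausible size and a recent timestamp, and still cannot give you a single patient record back.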
Now is the time to check your data backup capabilities and to document your plan!