
HIPAA security is not a game

October 08, 2014

By Craig Palmer

True, there are privacy and security training games that could be useful for a dental practice. One security training module we looked at on the healthit.gov website uses a game format that requires users to respond to privacy and security challenges often faced in a typical small medical practice.

The ADA Complete HIPAA Compliance Kit updates include links to these games. The kit is available to members at ADA.org/HIPAA, ADACatalog.org and by calling 1-800-947-4746.

The HIPAA kit is also relevant to such evolving threats to health care practices as "ransomware." The U.S. Office for Civil Rights told Congress in a recent report that a HIPAA-covered entity "discovered that files containing PHI (protected health information) were corrupt and inaccessible and later received a 'ransom note' to restore access to the files." The health care entity was not identified, and the report had no further information on this or other "ransomware" breaches of patient information.

The Health Insurance Portability and Accountability Act requires covered entities to provide notification of breaches of unsecured protected health information. "Ransomware" involves denial of access to electronic information with an offer to restore access on payment of "ransom."

The ADA Complete HIPAA Compliance Kit encourages dental practices to back up patient information and use appropriate safeguards to protect the backup. If the data is maintained by a vendor that meets the HIPAA definition of a "business associate," the dental practice must have a HIPAA-compliant business associate agreement in place with the vendor.

"The [HIPAA] Security Rule is based on risk analysis and mitigation of risk: you must identify potential vulnerabilities and threats to your electronic protected health information and implement risk avoidance measures," the ADA Complete HIPAA Compliance Kit says.

The Department of Health and Human Services and National Institute of Standards and Technology also offer HIPAA security tools and resources at their respective websites: www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html, www.nist.gov/healthcare/security/hipaasecurity.cfm and www.nist.gov/itl/csd/safeguarding-health-information-building-assurance-through-hipaa-security-2014.cfm.