HIPAA Security and Encryption

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law to protect Protected Health Information (PHI).  

- The HIPAA Privacy Rule regulates the use and disclosure of all PHI. 
- The HIPAA Security Rule establishes detailed standards to protect the integrity, confidentiality, and availability of electronic PHI (ePHI).

The responsibility for HIPAA compliance falls to each dental office. In order to ensure your computer systems are HIPAA compliant, implement following steps.

  1. Provide physical security for the server
  2. Setup admin password for Windows and restrict access to the server and workstation to authorized users.
  3. Follow networking guidelines by your IT person.
  4. BACKUP  your data on external flash drives such as SanDisk CruzerTM  with password protected vault. Refer to the user's guide on backup steps.
  5. Use Virus Protection  such as offered by Norton or McAfee or Vipre.
  6. Setup Security  profiles in Practice-Web for all users (user groups, user names, passwords).
  7. Encrypt  your data using BitLocker below. 

Practice-Web Inc. follows HIPAA guidelines and standards for security and privacy.  Practice-Web uses CDT codes exclusively, the ADA claim form, while electronic claims are sent to the clearinghouse as well as data for electronic prescription in a HIPAA compliant format. We are also making efforts to meet future security requirements.

If you need to send PHI to Practice-Web for any reason, please be sure to sign and date the Business Associate Agreement and make a copy. Keep one for your records, and return one to us for our records.  In summary, Practice-Web will: 

  • Use appropriate safeguards to prevent use or disclosure of PHI.
  • Minimize, to the extent possible, any harmful effect that results from the use or disclosure of PHI.
  • Report to the customer any use or disclosure of PHI not provided for by the Business Associate Agreement of which it becomes aware, including breaches of unsecured PHI.
  • Create internal practices and records relating to the use and disclosure of PHI.
  • Ensure that any subcontractors that create, receive, maintain, or transmit PHI on its behalf agree to the same restrictions and conditions that Practice-Web Inc. agrees to.

We do not include language agreeing to retain PHI for five years since we will not do so. If an outside person or entity does a service on behalf of the practice, and it involves PHI, you should enter into Business Associate Agreements. If you need more information, or examples of the forms that patients and business associates must sign, you can request information from the American Dental Association at www.ada.org.

Use of PHI by Practice-Web:  In the process of providing customer support, Practice-Web employees may be exposed to PHI, including but not limited to customer databases collected for debugging, troubleshooting or conversions; screenshots showing patient information; X12 files (insurance batch files); and EOBs.  All instances of data transit used for customer support are HIPAA compliant and encrypted. We do not use email for data transit because it is not HIPAA-compliant.

How Data is Protected

Data in storage:  The data from Practice-Web application is stored in the database (usually MySQL) and images in the A to Z folders.  It is each practice's responsibility to take steps to protect this data.

Data in transit:  Practice-Web does not move patient data off of your network in any automated fashion. There are some optional features of Practice-Web that involve sending patient data to, or from, your Practice-Web database such as transmission of electronic claims and electronic prescription which are HIPAA compliant.

Track Authorized Use of Practice-Web:  In version 14.3 and greater, a log is created in the Audit Trail when a user logs on, logs off, or closes Practice-Web.  You can also track who logs in/out of Practice-Web using the Windows audit feature. Set up Windows so that each user is required to log in separately, then use the Security Log to view valid and invalid log attempts.
  - For servers: http://technet.microsoft.com/en-us/library/cc787567(v=ws.10).aspx 
  - For other computers: http://technet.microsoft.com/en-us/library/cc976395.aspx
To view the Windows audit log go to My Computer, right-click and choose Manage, expand Event Viewer, expand Windows Logs, left-click on the Security log.

Security Risk Analysis

As part of the Security Rule, dental practices must conduct a security risk analysis, document it, and develop safeguards to protect ePHI.  We recommend purchasing a HIPAA Compliance Kit from the ADA, or from some other company.  These kits have sample security risk analysis reports for small dentist offices that might be helpful.  Another useful resource is the Security Risk Assessment Tool provided by healthit.gov (see link below).

Other security risk analysis resources:

Other Resources
Encryption

Practice-Web does not provide technical support for encryption.  For assistance, consult your IT person. The couple of methods of encryption below are provided as a resource for your IT person to help make encryption decisions. It is not for regular users.

A. Encrypting File System   (EFS) is a low cost, useful technology for Encrypting the MySQL folder, or any files that are going to be accessed by a single user (or a limited number of users where it may be practical to add permissions file by file).  EFS does not work well for encrypting the A to Z folders because it does not work well for files shared by multiple users.

Implementing EFS for MySQL Databases

1. Back up your database to external encrypted media (optional but highly recommended). 
2. Login as the user that runs the MySQL service.
3. Navigate to the directory containing your MySQL data (default is C:)
4. Right click the folder named MySQL (default is C:MySQL).
5. Select Properties, then General tab, and click Advanced.
6. Select the checkbox that reads 'Encrypt contents to secure data'.

How does EFS Work

EFS has added features with each new Microsoft Operating System, but this base document is where to look for the latest complete document from Microsoft:http://technet.microsoft.com/en-us/library/bb457065.aspx

B. BitLocker is a simple, powerful, encryption solution that will protect an entire hard drive. Users will not notice it because you do not specify protection by file or folder, but the entire drive. BitLocker Drive Encryption is only available for certain Microsoft Operating Systems. Before implementing BitLocker, see Microsoft's website for authorized information and instructions about BitLocker for your operating system. Each operating system may have different instructions, for example BitLocker for Windows 7 information is currently found at http://windows.microsoft.com/en-us/windows7/products/features/bitlocker.

The section below provides unofficial instructions to encrypt Practice-Web data.  After installation, interaction is not required unless you are making hardware changes to your system.

Mandatory BitLocker Prerequisites

(clarification on these requirements should be obtained from Microsoft)

  • Supported operating system (see above).
  • Minimum of 1.5GB of available disk space (may be unallocated or available for reallocation from an existing partition).
  • A BIOS which supports clearing of system RAM on reboot.
  • Disk partition requirements (this can be handled with the BitLocker Preparation Tool from Microsoft (see below)). We mention this here because in practical terms it meant that we used a new machine, not our current primary server which already had multiple partitions that did not meet the requirement).
Optional BitLocker Requirements

If you do not have Trusted Platform Module (TPM), you will need to use a portable USB drive (like a thumb drive) in order to power cycle your computer.  We do not recommend or cover that option. Activate TPM on your computer.

  • Trusted Platform Module (TPM) Chip (hardware)

  • Trusted Computing Group BIOS

Implementing BitLocker
  1. First create a backup of all data on the machine.  Make sure you can reinstall the operating system, if needed.
     
  2. Enable BitLocker feature of Windows, if needed.
    The steps to enable BitLocker may differ by operating system.  For example:
    - If using Server 2008, go to Server Manager, Features, and enable the BitLocker features. 
    - If using Windows 7, go to Control Panel, Programs and Features, Turn Windows Features on or off, and turn BitLocker on.
    - If using Windows Server 2012, you may skip downloading and running the Bitlocker Preparation Tool (step 3).
    - If you do not see the feature, re-check your operating system version or contact Microsoft for support. If prompted, reboot your system.
     
  3. Download and run BitLocker Preparation Tool, available on the Microsoft website. You will need to reboot your system. For Windows servers, while in test or pre-production you may need to turn off Internet Explorer Enhanced Security from the desktop (Server Manager, Local Server, Enhanced Security Configuration Setting, then turn it off for administrators).  This security feature is usually turned on, but can make it difficult to use internet browsers and prevent some Microsoft downloads.
    Details about why you need the BitLocker Preparation Tool:  BitLocker requires two partitions or 'volumes' on the hard disk drive, and not partitions that you likely have. One is called the 'system volume' and contains unencrypted system boot data. The other partition is the 'operating system volume'. This is the partition which is encrypted and contains the operating system, user data and your patient data. Your 'system volume' has to be at least 1.5GB in size and must be created before proceeding with the BitLocker Drive Encryption. This volume can be created one of three ways: 
    1) use unallocated space on a hard drive, 
    2) take space from an existing volume, or 
    3) merge the the boot files onto an another existing volume other than the operating system volume. 
    If you have multiple partitions on a single physical hard drive already, you may need to reinstall your operating system. Luckily, you do not need to understand the above completely because in order to ease the process of creating the system volume, Microsoft provides the BitLocker Driver Preparation Tool.
     
  4. Turn On BitLocker
    BitLocker status on your system may be viewed and controlled from the BitLocker Control Panel which is accessed from your system Control Panel. For instance, on Server 2008, if your control panel is in Classic View, go to Start, Control Panel, BitLocker Drive Encryption.  If you are in Control Panel Home mode, go to Start, Control Panel, Security, BitLocker Drive Encryption. 
    a)  You will see a very simple interface where your only option is to 'Turn on BitLocker Encryption'. If you see something else like 'A TPM was not found. A TPM is required to turn on BitLocker. If your computer has a TPM, then contact the computer manufacturer for a BitLocker-compatible BIOS' then see Mandatory BitLocker Prerequisites above and Trusted Platform Module (TPM) below. If you see the message 'This device can't use a Trusted Platform Module...', you also need to turn TPM on.
    b)  Select 'Turn on BitLocker Encryption' . A dialog will warn you that BitLocker Encryption decreases performance and allow you to cancel.   
    c)  Select 'Continue with BitLocker Drive Encryption'.
    d)  Set BitLocker startup preferences as desired.  If you are prompted to enter a memory stick, then you did not have TPM enabled or chose the option of using a USB startup key.  We do not recommend because it is a pain, but you may continue: insert a removable USB memory device into a USB port when prompted, then 'Save' to save the Startup key to the device. 
    e)  You will be prompted to save a recovery key. You will need this to unlock the system if you have to move the hard drive to another system, or if BitLocker detects a problem with the integrity of the system. If you used a memory stick for your startup key, do not save the recovery password on the same USB device as the startup key, but instead insert a different device. It is recommended that multiple copies of the password be kept. It is also advised that the password be printed out and kept safely on file. We only printed it; if you choose to just write it down, you should have someone check what you wrote. 
    f)  After saving the recovery password, click Next.
    g)  Make sure that 'Run BitLocker system check' is set and click Continue.
    h)  Your system will restart and encrypt the drive.  There is a dialog with a progress bar.
    i)  You will be required to enter startup key or PIN (depending on configuration settings) on next boot.

Group Policy Settings for BitLocker
These policy settings allow BitLocker to be used without a TPM or to change BitLocker configuration if your system does have TPM. We do not cover this here.

Disabling BitLocker
Use BitLocker Control Panel from your system Control Panel to temporarily or permanently disable encryption.