Dental Website HIPAA Compliance Part II

Last month we dove into a subject that’s not on every dentist’s radar. But like an open margin on a crown, it’s the little things that lead to problems. Bad players look for vulnerabilities in large and small entities, and healthcare is a prime target. For example, in February 2024, a ransomware attack occured on Managed Care of North America, a large dental insurer. This single incident compromised the data of nearly 9 million people [Fierce Healthcare]. And the attackers leaked the data after the company refused to pay a $10 million ransom

There’s also a group known as The BlackCat ransomware gang that has become notorious for targeting healthcare entities, including dental practices. These attacks not only disrupt operations but also put patient data at risk [Dentistry IQ].

Reducing the risk of getting caught in an expensive and stressful security or compliance breach starts with following these five components. These are the most common dental website HIPAA compliance violations.

1) HIPAA Notice Of Privacy Practices

HIPAA requires all covered entities give patients a notice of how their PHI may be used, handled, or disclosed. The notice must also outline their legal rights regarding their PHI.

This probably isn’t news to you, and your practice has likely been dispersing these for years. But do you know what HIPAA states about the notice and your dental practice website?

HIPAA states that covered entities, including your practice, must post their Notice Of Privacy Practices on their website so that it’s not hidden or hard to find. Even more, the rule states that a user shouldn’t need to make multiple clicks to get to the ‘patient forms’ section of your website.

Consider these simple ways to meet the rule:

1. Post the notice on your website homepage.
2. Put a link to the notice in the footer of your website’s pages
3. If you use a text link, BOLD the link
4. Place an anchor text of “HIPAA Notice of Privacy Practices” instead of ‘Privacy policy

2) Failure to Use SSL (Secure Sockets Layer)

HIPAA requires that all covered entities use the SSL standard on their website. SSL (Secure Sockets Layer) is a communications security that links a server and another system. When a web browser connects to your website, SSL encrypts the data that’s shared back and forth. This encryption is similar to scrambling letters so that nothing can be read since it looks nonsensical.

You can tell if a website has SSL in place by looking at thee address bar. If the address starts with http:// then SSL isn’t in place. If the address starts with https:// then your website is encrypted with SSL. It’s a subtle difference in the display, but it’s a major difference in security.

3) Non-HIPAA Compliant Contact Forms

Every form on your website, including contact forms, appointment request forms, and other information request forms, need to be HIPAA compliant.

Consider these five factors as a filter to determine if forms fulfill the rule:

1. Limited Access: Only authorized persons should have access to the form data.
2. Data Transfer: When a user fills out a form and hits submit, the data is transferred out of the form to a secure server. In this transfer, the data must be encrypted with TLS 1.2 encryption standards.
3. Data Storage: Any stored data must be encrypted using the gold standard, AES 256 encryption.
4. Data Backup: In situations where systems have been compromised or breached, you must have a defined data recover process.
5. Deletion: All covered entities must outline a process to permanently delete the information that is no longer being used.

The best way to to evaluate if your forms are HIPAA compliant, contact your website design company or IT Manager. if you don’t have an IT manager and your website design company doesn’t understand the strict HIPAA standards, our team can evaluate your forms.

4) Patient Photography Without Consent

Social media, reputation management, online reviews, and online photography are powerful tools to use with clients, but they can cause problems for dental practices. It’s permissible to take a photo of a patient if you’re using the image internally for the care of the patient. But if the photo is identified with a specific patient and is used in any way for educational purposes, transferred to other entities, or used in advertising and marketing, you must have a signed HIPAA consent form.

Consent forms must include language that gives the covered entity the legal right to use the photo for a specified period. The consent form should include the following:

1. Involved parties.
2. Description use.
3. Authorization to use
4. An expiration date
5. The patients right to revoke consent
6. Statement that health benefits are not conditional based on consent

5) Business Associates and Sub-Associates Fail to Provide BAA’s

A BAA is required whenever a covered entity shares PHI with a business associate since covered entities can have direct contact with patients, but business associates have access to PHI without direct contact. Be sure you have these agreements on file with anyone that falls into this classification. Examples of associated businesses include:

• Collection agencies
• IT vendors
• Marketing agencies
• Transcription services
• Practice management software vendors
• Phone Answering services
• Website Hosting companies
• IT resources providing remote backup services
• Accounting services

Eliminate Website Compliance Headaches with Method Pro

At Method Pro, we specialize in dental practice digital management. Whether your website needs a complete overhaul or you simply need to enhance your HIPAA compliance to stay out of trouble, we help our clients stay focused on dentistry. Reach out to discuss your concerns, and ask us about a free audit of your current compliance and risk!