Welcome to a Bite-Size HIPAA® Q&A article, where we answer your questions about how HIPAA applies to your dental practice. We recently received the following question in our Bite-Size HIPAA® Q&A inbox. The writer says:
“Recently, the computer that we used to take CT images crashed. Our IT provider said the hard drive failed and that the images and information stored on the drive could not be recovered. He replaced the drive and reloaded the computer and everything seems to be working again. I’m concerned about the lost images and patient information. Can you share some HIPAA advice for the situation?”
Thank you for your question and my condolences on the data loss. A computer crash is an unfortunate event in most circumstances, and it is particularly frustrating when the computer contains healthcare information. In this age of digital everything, most practices rely solely on computers to store vital patient data, including CT images. But what happens when that computer suddenly crashes, and all your precious data goes kaput? Well, it can be a compliance headache to say the least, and it can open your practice up to liability.
The HIPAA Law
When a computer crashes and patient data is lost, you're not just dealing with inconvenience; you're opening yourself up to potential legal trouble. States require medical records to be retained for between five and ten years, and HIPAA requires you to retain records regarding your HIPAA compliance for six years. If a patient requests their medical records and you can't provide them due to data loss, you could face hefty fines and legal action.
That's why having a reliable data backup and recovery system is not optional for a dental practice. There is literally no valid excuse for losing data, especially PHI. Before we dive into the nitty-gritty, let's clarify a few things. We usually discuss HIPAA's Privacy and Security Rules in terms of confidentiality, but HIPAA actually sets standards for ensuring the confidentiality, integrity, and availability of PHI. Your question will help us dig into the rules concerning data availability.
When HIPAA addresses PHI availability, it is really talking about business continuity planning. In plain English, it means having a plan for when things go south, like a computer crashing. The plan describes how your practice will continue functioning in the event of a business interruption. Section 164.308(a)(7) requires your business continuity plan to address regular data backups, disaster recovery procedures, and contingency plans to ensure that patient data remains safe and accessible.
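To make the backup part of that plan concrete, here is an added example (not from this article, and not any vendor's product) of the three things a backup procedure has to do for a workstation like the one that crashed: copy the data somewhere other than the failing drive, record a checksum of every file so an incomplete or silently corrupted backup is detected, and prove a restore works before it is needed. The folder names, file names and file contents are constructed for the demonstration; the script uses only the Python standard library.

```python
"""Backup with an integrity manifest and a restore test (added example, not the article's own code)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large image files don't have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(source: Path, dest: Path) -> dict:
    """Copy every file under source to dest and write a manifest of relative path -> sha256."""
    manifest = {}
    for file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = file.relative_to(source)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(file, target)          # copy2 preserves timestamps
        manifest[str(rel)] = sha256_of(file)
    (dest / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(dest: Path) -> list:
    """Re-hash each backed-up file against the manifest; return files that are missing or altered."""
    manifest = json.loads((dest / "MANIFEST.json").read_text())
    problems = []
    for rel, digest in manifest.items():
        f = dest / rel
        if not f.is_file() or sha256_of(f) != digest:
            problems.append(rel)
    return problems


def restore_test(dest: Path) -> bool:
    """Restore the backup into a scratch directory and verify it there.

    A backup that has never been restored is an assumption, not a plan."""
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restore"
        shutil.copytree(dest, restored)
        return verify(restored) == []


def demo() -> tuple:
    """Build a constructed imaging folder, back it up, then corrupt the copy to show detection."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "ct_images"          # constructed stand-in for the imaging workstation's data
        dst = Path(tmp) / "backup"             # constructed stand-in for a second drive or network share
        (src / "patient_0001").mkdir(parents=True)
        (src / "patient_0001" / "scan.dcm").write_bytes(b"constructed sample image bytes")
        (src / "index.db").write_bytes(b"constructed index")

        backup(src, dst)
        clean = verify(dst)                    # expect no problems right after the backup
        restore_ok = restore_test(dst)         # expect True: the copy restores and re-verifies

        # Simulate the backup media silently corrupting one file after the fact.
        (dst / "index.db").write_bytes(b"corrupt")
        after_corruption = verify(dst)         # expect ["index.db"]
        return clean, restore_ok, after_corruption


if __name__ == "__main__":
    print(demo())
```

The point of the manifest is that "the backup ran" and "the backup is usable" are different facts; the second one is what a contingency plan under §164.308(a)(7) has to be able to show, and the restore test is how you show it on a schedule rather than on the day a drive fails.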
Now that we’ve discussed what we need to do to avoid this situation, let’s discuss what to do now that we’re in it. When PHI is lost, a practice needs to do the following:
- Document the incident. Work with your IT provider to document how your plan failed to protect this data. Your IT provider should be able to tell you exactly why this data was lost. We’re not asking them to explain the technical reason the hard drive failed. After all, we know that hard drives fail; they are not designed to last forever. But they do need to show where the data backup and disaster plan failed.
- You may want to reevaluate your IT partner. You need someone who understands the unique requirements of healthcare and HIPAA regulations. They should be well-versed in encryption, access controls, and data recovery techniques specific to healthcare systems.
- Update your plan. Review and update your data backup and recovery procedures.
- Learn from the experience. Use this setback as an opportunity to strengthen your data security practices and invest in reliable backup and recovery solutions.
Remember, prevention is better than cure. Don't wait for a crisis to realize the importance of a solid data backup and recovery plan. The HIPAA law requires that you expect these types of events to happen in your practice and that you have a plan to maintain the confidentiality, integrity, and availability of PHI.
Have a HIPAA Question?
If you have a HIPAA question related to the day-to-day operations of your dental practice, feel free to send it my way. My email address is todd(at)bitesizehipaa(dot)com. I can’t promise I’ll be able to get to every question submitted, but I’ll do my best to find the most applicable ones to address in future Bite-Size HIPAA® Q&As.