.svg){kind=icon}
Question
Welcome to a Bite-Size HIPAA® Q&A article, where we answer your questions about how HIPAA applies to your dental practice. We recently received the following question in our Bite-Size HIPAA® Q&A inbox. The writer says:
“We recently made the decision to change our practice management software. Our practice had been using the previous platform for about 10 years. We’ve completed the migration process and we’re now 100% on the new software. Are there any HIPAA requirements that apply to the old software that we need to be aware of?”
Thank you for your question and congratulations on the successful migration. Those have the potential to be a real headache! Let’s take a look at the HIPAA law to see how it applies to your situation.
The HIPAA Law
We typically focus on privacy and security when talking about HIPAA, but in addition to the rules that address how to keep data confidential, HIPAA also sets standards for ensuring the availability and integrity of PHI. Let’s quickly define these terms. Confidentiality is ensuring that people who should not have access to data cannot get access to it. Availability is ensuring the people who should have access to data can get access when they need it. Integrity means the data is accurate and complete. Let’s view a migration of practice data from one practice management software to another through the lens of these three requirements.
Confidentiality
To ensure nobody can gain unauthorized access to your PHI, make sure you:
- Properly dispose of or securely store any old hardware or data backups associated with the old software (45 CFR 164.310(d)(2)),
- Remove or disable any old remote access tools used by the previous vendor for support (45 CFR 164.308(a)(4)(ii)(C)).
- Check with your old software vendor to ensure they do not have any patient data stored on their systems and if they do, request they securely dispose of it (45 CFR164.504(e)(2)(ii)(J)).
Integrity
Integrity is ensuring the data in your new system is the same as the data in the old system. In other words, you want to make sure the migration succeeded. There is always a risk of data corruption during a migration, so it requires careful planning and attention to detail to ensure that patient health information is transferred safely and accurately. Make sure this planning, and the migration itself, are adequately documented to prove you ensured the data was transferred correctly. If you had the new software vendor or an IT provider migrate the data, ask them for a report on the migration and ensure there were no errors reported.
Availability
Availability in this scenario largely comes down to data retention. You need to ensure that after your migration you can still provide access to patient data for the necessary amount of time. States require medical records be retained for between five to ten years, and HIPAA requires you to retain records regarding your HIPAA compliance for six years. You'll also need to ensure that you have access to patient records previously managed by the old software, even if you're not actively using it anymore.
Finally, let's have a word about documentation. In the world of HIPAA compliance, thorough documentation is your best friend. Keep records of the migration process, any agreements or contracts with the old software provider, and steps taken to ensure the proper handling and disposal of PHI related data. These records will be very important if you find out that something went awry down the line.
Summary
In conclusion, while your new practice management software is your focus now, don't forget about the remnants of the past. HIPAA compliance remains a top priority, even when transitioning to new systems. Stay vigilant, stay organized, and continue to protect your patients' PHI with the utmost care. Your dedication to security and privacy will serve your practice and patients well in the long run.
Here's to a seamless and compliant future with your new software!
Have a HIPAA Question?
If you have a HIPAA question related to the day-to-day operations of your dental practice, feel free to send it my way. My email address is todd(at)bitesizehipaa(dot)com. I can’t promise I’ll be able to get to every question submitted, but I’ll do my best to find the most applicable ones to address in future Bite-Size HIPAA® Q&As.
