By Ron Vesely, Arevtech president and founder
Dental practices of all sizes are increasingly using Managed IT Service Providers (MSPs) to help lower costs, increase efficiencies, and ensure compliance of IT systems with regulatory requirements. While MSPs have been around for years, the services they provide can differ greatly.
When evaluating your current technology provider or looking for an MSP for your dental practice, there are many requirements to consider, but a non-negotiable item is their ability to maintain HIPAA and PCI-DSS compliance — for both their business and your practice.
Your technology provider is joined at the hip with your dental practice when it comes to regulatory compliance and the potential liability resulting from a data breach or other incident. As a result, choosing the wrong provider can give you a false sense of security while leaving your practice exposed.
To ensure that your technology provider is qualified and capable of delivering the right services for your practice, here are some fundamental questions to ask:
1. Is your technology provider an MSP or Break/Fix only?
An MSP is a technology provider that actively manages your IT systems and assumes responsibility for providing a defined set of services, either proactively or as the MSP determines that services are needed. MSPs use agreements to guarantee the monitoring and management of a practice's IT systems for a flat monthly fee.
A Break/Fix technology provider offers services on a pay-as-you-go basis, relying on the practice to contact them when services are needed. Break/Fix providers are unable to comply with regulatory requirements because they don’t actively monitor and manage your IT systems.
2. Have they provided you with their HIPAA Business Associate Agreement?
The HIPAA Privacy Rule requires that a covered entity (your practice) obtain satisfactory assurances from its business associate (technology provider) that the business associate will appropriately safeguard the protected health information (PHI) with which it comes into contact. These assurances must be in writing, whether in the form of a contract or other agreement, between your practice and your business associate.
In past investigations by the Office for Civil Rights (OCR) where Business Associate Agreements (BAAs) were not properly executed, covered entities that had nothing to do with the breach that triggered the investigation were still held liable for the loss of data.
If you do not have a signed BAA from your technology provider, you should not allow them access to PHI, either physically or remotely. Doing so could increase your liability should there be a data breach.
3. Do they perform recurring risk assessments?
A risk assessment will help your dental practice ensure it is compliant with the HIPAA requirements – in terms of physical, technical, and administrative safeguards. It also helps identify areas where a practice might be putting PHI at risk. The law also requires you to retain a management plan and evidence of compliance that documents the remediation of discovered issues, should you be audited.
It's important not to assume that one analysis is all that's needed. Technology will continue to evolve, and practices will likely integrate new systems to keep pace. Recurring assessments will not only help keep your practice HIPAA compliant, but will also ensure that as new tools are added, your ePHI remains secure.
4. Do they specialize in delivering IT services for dental practices?
This is important as you want whomever you hire to understand the healthcare market, the challenges and goals of your dental practice, your organization and processes, and what it takes to ensure your practice is compliant.
5. Are the services being provided compliant with HIPAA and PCI-DSS regulatory requirements?
Ask for a record of exactly what services are being provided.
When it comes to most end-user license agreements (EULAs) that people encounter in their daily lives, it’s safe to say that the majority of people usually skip to the end and agree to the terms as quickly as possible.
While you might not be concerned with your personal software usage terms and conditions, you need to pay attention to the terms of a managed services agreement! This is one business contract that’s vital to understand prior to pressing forward.
Compliance means peace of mind
As technology is a major contributor to your practice’s success, it is imperative to know that everything is in the best of hands.
While many busy dentists may assume that their IT provider is protecting their private information, that’s not always the case. As the owner of a dental practice, you not only have a legal responsibility, but you also have an ethical responsibility to protect your patients’ data. By asking your technology provider the right questions, you can help ensure that your dental practice is safe and compliant, and steer clear of the high risks of being found non-compliant.
Ron Vesely is the president and founder of Arevtech, a premier IT service and solution provider specializing in the unique computer and technology needs of dental practices.