Washington — The U.S. Health and Human Services Office for Civil Rights has issued a warning on the risks of using third-party application software by entities covered by the Health Insurance Portability and Accountability Act.
In dentistry we have many third-party apps that access patient data. For example, any app that sends appointment reminders (Sesame, Lighthouse 360 and many others, including Dentrix) must access the patient data in order to generate the reminder. That patient data is PHI (Protected Health Information), which is what we as dental care professionals are required by HIPAA to protect. If the third party allows the data to be compromised, we may be held responsible for a data breach.
Dentists may protect themselves with a BAA (Business Associate Agreement). A BAA spells out the third party's duty to protect the PHI and transfers liability from the dentist to the third party. Some third parties have been known to provide BAAs that favor themselves and place the liability right back on the dentist. If a third party will not agree to a BAA, dentists should avoid it.
It is also good practice to limit PHI access to the minimum the vendor needs to do the job. For example, the minimum data needed to send a reminder is the date and time of the appointment, the patient's name and e-mail address. Our current systems do not provide simple processes to limit access. On the other hand, there is lots of other data that might be valuable that the reminder service could use, such as date of birth in order to send a birthday greeting. Setting limits is good practice in theory but fails in real-world usage.
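The "minimum necessary" limit described above can be enforced at the point where data leaves the practice, even when the practice-management system itself offers no such control. The following is an added example, not code from any vendor named here; the field names, the purpose name and the sample record are all constructed for illustration.

```python
from typing import Iterable, Mapping

# Fields each vendor purpose may receive (assumed names; a real practice would
# map these onto its own practice-management schema).
ALLOWLIST: dict[str, frozenset[str]] = {
    "appointment_reminder": frozenset(
        {"first_name", "last_name", "email", "appt_date", "appt_time"}
    ),
}


class MinimumNecessaryViolation(ValueError):
    """A vendor request asked for PHI outside the allowlist for its purpose."""


def export_is_permitted(purpose: str, requested: Iterable[str]) -> bool:
    """True only if every requested field is allowlisted for this purpose."""
    allowed = ALLOWLIST.get(purpose)
    return allowed is not None and set(requested) <= allowed


def minimize_phi(record: Mapping[str, object], purpose: str,
                 requested: Iterable[str]) -> dict[str, object]:
    """Return only the requested fields that the purpose is allowed to receive.

    If the vendor asks for a field outside the allowlist (e.g. date_of_birth
    for a reminder), the export is refused rather than silently trimmed, so the
    mismatch with the BAA's scope is visible instead of hidden.
    """
    wanted = set(requested)
    if not export_is_permitted(purpose, wanted):
        extra = sorted(wanted - ALLOWLIST.get(purpose, frozenset()))
        raise MinimumNecessaryViolation(f"{purpose!r} may not receive {extra}")
    return {k: v for k, v in record.items() if k in wanted}


def withheld_fields(record: Mapping[str, object], purpose: str) -> list[str]:
    """List the record fields an export for this purpose will never send."""
    return sorted(set(record) - ALLOWLIST.get(purpose, frozenset()))


# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "first_name": "Pat", "last_name": "Example", "email": "pat@example.invalid",
    "appt_date": "2024-06-03", "appt_time": "09:30",
    "date_of_birth": "1980-01-01", "ssn": "000-00-0000", "chart_notes": "...",
}

if __name__ == "__main__":
    print(minimize_phi(SAMPLE_RECORD, "appointment_reminder",
                       ["first_name", "email", "appt_date", "appt_time"]))
    print("withheld:", withheld_fields(SAMPLE_RECORD, "appointment_reminder"))
```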