
Patient security breaches - could you be at risk?

Dr Phillip Palmer, September 2017 

While practice owners protect themselves with premises security and insurances for fire, injury and break-ins, it seems that practice owners either don’t see their patient records and database as valuable, or they don’t feel that a compromise of those records could be a liability for them. They couldn’t be more wrong…

Patient data in a dental practice is among the most valuable assets a practice has, and it is incredibly vulnerable given the way most practices operate. Often login details get written down and left lying around on a desk near the computer. Other practice owners give out their login details to staff who ask, or have given staff unfettered access to log in whenever and to whatever they want.

What could possibly go wrong?

Everyone has heard horror stories of practices where non-owner dentists have surreptitiously made plans to set up their own practices nearby and take goodwill with them. When they take this unethical behaviour a little further, you have what happened to a Prime Practice client recently: a non-owner dentist managed to make a copy of the patient data files while working in the practice, and later emailed or mailed those patients details of their new practice. It got worse for the practice when an old patient rang to complain that the practice should have protected their information and not allowed their privacy to be breached through a security breakdown (see below for liability).

Patients need to reveal a lot of confidential information to their health care provider that they don’t want out in the open: personal information like addresses, private contact details, insurance status, pre-existing health conditions and, occasionally, credit card information. Patients should feel safe when submitting sensitive information about themselves. Security of that data is vital to reinforce trust in the practice’s professionalism and care. In the case of any data breach, that bond of trust is likely to be broken.

What is the extent of the liability?

The liability to your practice doesn’t stop at the potential loss of patients through non-owner dentist poaching, or at their loss of confidence in your ability to keep their records confidential.

By not taking reasonable precautions to secure the personal information of patients, the practice has also left itself open to a legal suit. Businesses that collect and/or hold personal information are required to comply with the Privacy Act, which includes significant obligations for the protection of personal information held, and material financial penalties.

The fine? Up to $1.7m!

The Act requires that “If an entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information: (a) from misuse, interference and loss; and (b) from unauthorised access, modification or disclosure.”

The amended Privacy Act defines personal information as including any of the following:

  • The person’s name and address
  • Medical records & health information
  • Photos & videos
  • Biometric & genetic information
  • Likes & dislikes
  • Opinions
  • Places of work
  • Racial or ethnic origin
  • Memberships
  • Beliefs
  • Criminal record
  • Sexual preference or practices

So…What Can You Do?

Most dental practice owners are quite relaxed about the access they give their staff to the dental software within the practice. Often when we go into dental practices we find that login details have been written down and left lying around on a desk near the computer. Other times we find that practice owners have given out their own login details to staff.

Obviously a good first step is to contact your practice management software provider and get whatever help they can give you to optimise security.

However, here are some things that they should all advise you to do.

  • Perform daily backups of the database to external media (offsite backups, or regularly take a backup home).
  • Your backups should include other files that are important, such as the patients’ letters, documents, etc. Keep in mind that patient privacy is not just about computer records; it’s about ALL records: paper, letters, physical models, online records, emails, etc.
  • Keep the data on a dedicated server computer that no-one uses on a daily basis, i.e. a non-workstation computer. We often see practices saving money by also using their server as a regular desktop computer.
  • Put the server in a secure place. It should be:
    • Off the ground and physically away from possible floods, spills, collisions, etc.
    • In a locked room that is secure and accessible by very few people (or off site/cloud, if possible).
  • Do not give any staff a login to the server.
  • Don’t write down your login details in an easy-to-find place, and ensure staff members don’t either.
  • Don’t share your login details with others, and ensure that your staff members don’t either.
  • Limit staff access to the database to reasonable work hours. Letting staff have unfettered access to the database at all hours from anywhere increases the liability enormously.
  • Ensure that the ability to copy or export the database is limited to the practice owner.

A secure database will give you peace of mind that you don’t run the risk of breaking the law or being fined. It should also help you maintain the trust of patients who give you their private details, and expect those details to be protected.

Could your practice be at risk? Contact us to find out more.

Dr Phillip Palmer ran a successful dental practice in the Sydney CBD for 34 years.

He is the founder and director of Prime Practice, which is the industry-leading practice management company in Australia and New Zealand, helping dentists manage and grow their businesses at any stage of their career. He is also a director of Practice Sales Search, Australia’s leading dental practice brokerage firm.

Phillip has a deep understanding of all the different management, financial and professional issues that face dentists and is regarded as Australasia’s leading expert on the business of dentistry.

Australia’s leading practice management software, Dental4Windows, has enhanced security features to protect your patient database and access to your PMS. These include: different levels of access for different users; automatic closure of programs to protect against unauthorised access; audit trails; and security modes, with access to the security area recommended to be limited to the principal of the practice. For further information contact Centaur Software on 1300 855 966 or go to www.centaursoftware.com.au
