Calls to Dental Protection for advice regarding practice data corruption or loss are occurring with increased frequency. Dr Simon Parsons, Dentolegal Consultant at Dental Protection, explores the facts.
Incidents we have assisted members with have varied in severity. However, in some cases, despite the best efforts of IT experts, all clinical records, including treatment notes, chartings, digital radiographs, scanned referrals and financial records, were irretrievable from the server. Regretfully, there have been some circumstances where appropriate backup has not been undertaken, compounding this loss.
Naturally, the members involved have been incredibly distressed, as they have no way of knowing who is next due to attend the practice or what treatment is still planned for any of their patients. Without records to defend their care, they are exposed to future complaints, and many practitioners are unaware of the legal and ethical implications of the data loss and of their responsibilities in this area.
Let’s review these concerns in the context of some commonly asked questions.
What are my responsibilities around the loss of data?
We’ve previously discussed the issues relating to any need to report a data loss or breach to regulatory authorities in our article “Health privacy and how to report data breaches”.
The data breach must be assessed to determine whether it is notifiable and needs to be reported to the Office of the Australian Information Commissioner (OAIC). This is a critical step: as professionals we should act accordingly, and the fines for failing to report a notifiable breach are significant.
Whether notifiable to the OAIC or not, it is important to inform all affected patients of the event and of your strategy to address data recovery or rebuilding. This can be extremely difficult if there is a total loss of the database. It is wise to ensure this communication indicates whether the patient’s data was breached or merely lost; the latter does not pose the same level of risk to affected patients in terms of their privacy and the risk of identity theft.
What recovery strategies are helpful?
It can be helpful to source as much information as possible from affiliated third parties to try to rebuild treatment histories. This can mean contacting health funds, dental laboratories, government agencies (eg Veteran’s Affairs, Medicare) and the specialist referral base to see if copies of some of the records could be obtained. There can be limitations to what information such bodies are prepared to provide. When received, this needs to be manually entered into a new database.
Within the practice, a robust manual system will be needed to create the new dental records. This will include systems to document clinical notes, infection control tracking, new medical histories and patient contact details for every patient, and a temporary appointment book. Additionally, future radiographic and study model records would be created, in most instances, at no charge.
So what must I look for to ensure a robust IT system?
With most practices relying on practice management software and hardware, it is critical that secure offsite backup is in place. This backup should be automated to reduce human dependency and be located sufficiently far from the practice to make catastrophic loss of all data sources unlikely. If backing up to the cloud rather than a physical drive, ensure all connections are securely encrypted and that the backup provider can demonstrate compliance with Australian Privacy Principles, such as OAIC’s Privacy for health service providers and the IPC’s Health Privacy Principles.
As many cloud services do not physically exist within our state, territory or country borders, there is an obligation to ensure that data being transferred is managed in accordance with these regulations.
It is prudent to regularly check the content of backups for the integrity of the data within. Backup drives must be securely stored, encrypted and password protected to minimise the risk of their loss or theft. They should not be plugged into a terminal behind a reception desk, which might be regularly unmanned throughout the day while staff are assisting in clinical procedures.
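As an added illustration (not part of the original article), one way to check backup content is to record a SHA-256 fingerprint of every file when the backup is taken and later confirm that each backed-up copy still matches. The file names and folder layout below are constructed sample data, not those of any particular practice management product.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large radiograph images do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source: Path) -> dict:
    """Record a SHA-256 for every file under the live data directory."""
    return {str(p.relative_to(source)): sha256_of(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def verify_backup(manifest: dict, backup: Path) -> dict:
    """Compare each backed-up copy with the fingerprint taken at backup time."""
    report = {"checked": 0, "missing": [], "corrupt": []}
    for rel, expected in manifest.items():
        copy = backup / rel
        if not copy.is_file():
            report["missing"].append(rel)      # file never reached the backup
            continue
        report["checked"] += 1
        if sha256_of(copy) != expected:
            report["corrupt"].append(rel)      # content differs from the original
    return report


def demo() -> dict:
    """Constructed sample: one record damaged and one absent in the backup."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        live.mkdir()
        backup.mkdir()
        (live / "notes.db").write_bytes(b"clinical notes v1")
        (live / "xray_001.dcm").write_bytes(b"radiograph bytes")
        (backup / "notes.db").write_bytes(b"clinical notes v\x00")  # silent damage
        return verify_backup(build_manifest(live), backup)


if __name__ == "__main__":
    print(demo())
```

A clean report only shows the files are intact; a periodic test restore into the practice software is still needed to confirm the backup is usable.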
Corrupt software can arise in many IT platforms and it is wise to have in place arrangements to keep critical software up-to-date. Vendors regularly supply patches to fix security and stability issues. A failure to access these updates may leave practice systems vulnerable.
Most practices will have an interface between their software and the internet, and it is essential that firewalls, antivirus and malware protection, and password-protected access are in place for these systems. These should all be updated regularly.
Practices may also be wise to assign the role of privacy officer to a member of staff so that a trusted individual can oversee compliance with privacy and IT security, and report any vulnerabilities or breaches to practice owners.
What if I am already doing all this? Is there anything else I should do?
At Dental Protection we recommend you plan for critical eventualities. It is likely that at some point in time your IT systems will go down and often patients will be in treatment at the time. Having a recovery plan in place can be invaluable in these situations and should outline the contact details of hardware and software vendors, backup details and locations, VPNs, ISP arrangements and contingencies (such as how to connect to cloud-based appointment books via secure mobile should the NBN be out of service). Having preprinted dental record templates (odontograms, headings for key consultation and examination findings, common item codes and their prices and so on) can simplify and facilitate the management of patients while systems are being restored.
Finally, it can be helpful to print the next day’s daysheet well before the close of business each day, and use it to ensure labwork has arrived, appointments have been confirmed and antibiotic cover reminders have been given. These are of particular use if you arrive the next day at a practice only to see a blank screen when you turn your computer on!
Who said you don’t need paper anymore?