Assess computer networks for regulatory compliance
Read the following information about a typical dental practice:
Community Dental has two offices in the same city: the North office and the South office. These offices offer the same dental services to patients. Patients can make appointments at either office at their convenience to see the dentist of their choice. Both offices are similarly equipped.
The professional staff includes the dentists, hygienists, dental mechanics, and administrative staff (receptionist, billing clerk, and office manager).
Each Community Dental office has a waiting area served by a receptionist who uses a computer to check in patients, schedule one of the examination rooms, and answer the phone. The waiting room has a door opening to the outside. A second door admits patients into the rest of the facility. Background music plays inside the waiting area. There is also a large aquarium on display.
Each examination area is partitioned off from the adjacent ones. Each has a computer and LCD screen used to pull up patient information and record new dental data such as x-ray interpretations, examination and test results, and procedures done for the patient. A low-level sound masking system is installed in this area.
After their treatment, the patient visits the billing clerk's desk, which of course has a computer and a printer. Here patients pay (cash co-pay, credit card, or check), insurance information is verified, and a follow-up appointment is made. This clerk also mails out postcard appointment reminders and answers the phone.
The Community Dental dentists share a private office that has a computer and a printer. Here they can review patient data, access the Internet, and exchange email with their patients, colleagues, and acquaintances.
A database server containing patient data sits in a closet, next to a small tape library used for backup. Next to it sit a VPN server, a firewall/router, and a cable modem connected to the Internet. The VPN server accepts incoming connections from the dentists' home computers. It also provides a permanent VPN connection between the North and South offices. In this way, all patient data is available at all times at either office.
Most patient data is stored electronically on the database server, but some data, such as x-rays and third-party lab results, is still in physical form. Community Dental also depends on third-party service providers to build crowns, braces, false teeth, soft dental protectors, and the like. Information is exchanged with these service providers by telephone, fax, letter, and email.
The management and maintenance of the network infrastructure are outsourced.
Community Dental also maintains an informative website to advertise its practice. The site is remotely hosted.
Answer the following questions in essay style. Make any sensible assumptions necessary in order to continue your analysis. Feel free to use the discussion board to share your assumptions with others in the class:
What is all the electronic and non-electronic protected health information (PHI/ePHI) that is stored, processed, and transmitted at Community Dental's two offices?
Assess the practice's organization. Where is it most likely HIPAA compliant? What changes should be made to move the practice closer to compliance?
Assess the practice's physical and technical safeguards. Where is it most likely HIPAA compliant? What changes should be made to move the practice closer to compliance?
Community Dental exchanges data with service providers and uses a third party to manage its IT infrastructure. What administrative and organizational safeguards should the practice expect these providers to adhere to?