Question
Welcome to a Bite-Size HIPAA® Q&A article, where we answer your questions about how HIPAA applies to your dental practice. We recently received the following question in our Bite-Size HIPAA® Q&A inbox. The writer says:
"I am answering a HIPAA risk assessment for our practice and it keeps asking if we have 'reasonable and appropriate' safeguards in place. What does that even mean? How do I know what is 'reasonable and appropriate'?"
This is a common question that I hear from dental practices, and it's a great one. When you see the phrase "reasonable and appropriate" in the context of HIPAA compliance, it can feel frustratingly vague. Wouldn't it be easier if there were a checklist that every dental practice could simply follow? The truth, however, is that this flexibility in the law is a benefit, not a burden.
The HIPAA Law
HIPAA requires covered entities to implement security measures that are reasonable and appropriate for their specific circumstances. It recognizes that what's reasonable and appropriate for a small dental practice with five employees is likely very different from what's reasonable for a DSO with hundreds of locations, or for a major hospital system.
This flexible approach allows you to tailor your security measures to fit the size, complexity, and capabilities of your practice. Instead of a one-size-fits-all approach, you can assess the risks specific to your practice and implement safeguards that effectively address those risks without imposing unnecessary burdens.
So, how do you determine if a safeguard solution is reasonable and appropriate for your practice?
We can look at legal case law for guidance. Courts have a long history of trying to define reasonableness. Almost every lawsuit out there makes a claim that the other party was negligent. In order to prove negligence, the plaintiff basically needs to show that the other party owed them a duty to act as a reasonable person would in the situation, and that they failed to do so.
Let's look at the infamous McDonald's hot coffee case to see this in action. Do you remember those headlines? People mocked this case as the ultimate example of a frivolous lawsuit, but most legal scholars agree that it was a legit case with a just outcome. The basic facts were that a 79-year-old woman ordered coffee from McDonald's, spilled it on her lap, and suffered serious burns that required an extensive hospital stay. She asked McDonald's to cover her medical bills and, when they refused, she sued for gross negligence and won a substantial award. She won the case because her attorney was able to show that McDonald's had a duty to serve safe coffee, but their coffee was unreasonably hot. There's that word of the day. You see, McDonald's coffee was served between 180 and 190 degrees, but other similar restaurants served their coffee a bit more tepid, between 140 and 150 degrees. This lower temperature was deemed to be the reasonable standard industry practice, and McDonald's coffee temperature was, therefore, unreasonable. A key thing to know is that to determine the standard industry practice, the court looked at restaurants that were similar to McDonald's. They didn't look at Sally's Diner or some fancy foo-foo coffee bar. They compared McDonald's to places like Burger King and Dunkin' Donuts.
When it comes to determining reasonableness under HIPAA, a similar process can be followed. To know if your safeguards are reasonable, you would compare them to standard industry practices at similarly situated dental practices. In § 164.306(b), the HIPAA Security Rule outlines four specific factors to consider when determining whether a specific measure is both reasonable and appropriate for your practice.
- The size, complexity, and capabilities of your practice: Simply stated, small single-location practices are not held to the same standard as large DSOs with hundreds of employees and specialized capabilities.
- Your technical infrastructure, hardware, and software capabilities: The security solutions need to adequately address the known risks to patient information that come with the specific technical infrastructure, hardware, and software that your practice actually uses.
- The cost of security measures: While protecting patient data is essential, the cost of implementing safeguards should be balanced with your practice’s financial resources.
- Probability and criticality of potential risks to PHI: Assessing the likelihood and impact of the specific risks to protected health information your practice faces should guide your decisions. High risks would justify implementing more advanced and costly safeguards, while lower risks would not.
When determining what is reasonable and appropriate for your practice, use these four factors to guide your decisions. Consider your practice’s size, technical capabilities, budget, and the specific risks you face. Then, document how these factors influence what safeguards are both reasonable and appropriate for your unique situation.
Summary
Here comes the most important part: the requirement to implement "reasonable and appropriate" safeguards does in fact mean that dental practices are required to implement reasonable and appropriate safeguards. These are not optional. A practice can't decide that it's just too difficult or too expensive to address the 42 safeguards listed in the Security Rule. Just as McDonald's had a duty to serve safe coffee, dental practices have a duty to protect patient data, and all reasonable steps must be taken to ensure the safety of the patient and their information. You need to determine and implement security measures that reasonably and appropriately address these HIPAA-required safeguards.
Remember, the goal of HIPAA is to keep patient information private and secure, and, as we’ve discussed in past posts, implementing reasonable and appropriate safeguards tailored to your practice is just a part of providing outstanding quality care.
Have a HIPAA Question?
If you have a HIPAA question related to the day-to-day operations of your dental practice, feel free to send it my way. My email address is todd(at)bitesizehipaa(dot)com. I can't promise I'll be able to get to every question submitted, but I'll do my best to find the most applicable ones to address in future Bite-Size HIPAA® Q&As.