The Health Insurance Portability and Accountability Act (HIPAA) calls for standards for
administrative, physical, and technical security measures to safeguard the integrity,
confidentiality, and availability of health information data. This act includes civil and criminal
penalties for misuse of health information. It also required Congress to pass privacy legislation
or allow the secretary of the US Department of Health and Human Services to promulgate
privacy regulations.
Table 1: Personal Health Information.
• Name
• Address
• City and state
• Telephone number
• Fax number
• E-mail address
• Credit card information
• Certificate number
• License number
• ZIP code
• Account number
• Date of birth
Security regulations were proposed in 1998 and finalized in 2003.1 These regulations establish
requirements and implementation features, but do not identify specific standards. These
regulations further state that each healthcare provider must assess potential risks and
vulnerabilities to data it maintains in electronic form and develop security measures. The privacy
regulation defines protected health information (PHI, Table 1) and establishes a set of boundaries
within which healthcare organizations must protect health information. A review of HIPAA
regulations is beyond the scope of this paper and is available elsewhere.2
The key difference between the security regulations and the privacy regulations is that privacy
regulations apply to all communications of patients' protected health information, whether
electronic, written, or oral. In contrast, security regulations apply only to PHI in electronic form. The security
regulations require that each healthcare provider do the following: (1) ensure the integrity and
confidentiality of the information; (2) protect against any reasonably anticipated threats or
hazards to the security or integrity of the information and unauthorized uses or disclosures of the
information; and (3) ensure that employees comply with the regulation.
Eighty percent of dentists have computers in their offices; 48% of these computers are connected
to the Internet, and an increasing number use a variety of technologies including digital imaging,
digital intraoral cameras, and electronic patient records.3 Patient information, including clinical
information, is being transmitted electronically to third-party payers for preauthorization and
treatment verification. Software applications for rapid electronic filing of dental insurance claims
are readily available, often integrated with clinical information and practice management
systems.
As dental healthcare continues to adopt digital imaging and electronic patient records,
understanding security of patient-related data that is transmitted over the Internet is essential. An
increasing amount of patient-related information is stored and transmitted digitally, and dentists
have a responsibility to develop security procedures and monitoring measures to keep this
information private. When dentists think about computer security, risks that probably come to
mind are either some damaging agent like a virus or third-party eavesdropping on digital
conversations.4 Sectors of society such as the military and financial markets have already studied
computer security issues and developed solutions. While no system can be fully secured, a
balance between security and privacy must be achieved.
Advantages of making dental information available on the Internet include improving quality of
care and reducing dental healthcare costs.5 In addition, continuous access to patient records
would alleviate the need to complete registration forms each time a patient visits a new provider,
thus saving time and expense. The prospect of electronic dental records (EDR) also raises serious
concerns about increased risk of loss of PHI. Society has rightfully attributed special sensitivity
to protecting an individual's health information. An individual with a particular medical
condition might want to limit access to this information. In fact, maintaining security can be an
issue with all forms of health information. The danger of misuse of information will likely be
intensified as more health information becomes available online.
The Internet provides unprecedented opportunities for communication and patient data sharing
among dentists, third-party payers, and health service researchers. However, these advantages
come with a significant amount of risk to confidentiality and integrity of the transmitted
information. One impediment to universal adoption of these technologies is that digital
information is subject to malicious modification and fabrication.6
The purpose of this article is to review proposed HIPAA security regulations. The intent is (1) to
make the reader knowledgeable about safeguards and techniques that can be used to ensure the
security of information transmitted and stored and (2) to help the reader comply with the HIPAA
security regulations. The security regulations require covered entities to adopt administrative, physical,
and technical safety measures to protect electronic PHI. The first part of this paper will review
the safeguards as defined by the security regulations. The second part will look at security
solutions that can be implemented to comply with these regulations.
SAFEGUARDS
Administrative Safeguards
The administrative safeguards require covered entities to conduct a risk analysis to determine
potential risks to the confidentiality and integrity of electronic PHI and to implement risk
management practices to reduce the risks identified by this analysis. The administrative
safeguard also requires covered entities to apply appropriate sanctions against workforce
members who fail to comply with the security policies and procedures of the covered entity.
These safeguards further expect the covered entities to implement procedures to regularly review
records of information system activity, such as audit logs, access reports, and security incident-
tracking reports. One of the important specifications for this safeguard is the adoption of
password protection for office computer systems. Furthermore, covered entities will have to
implement policies for handling security incidents that involve attempted or successful
unauthorized access, use, disclosure, or destruction of information maintained in the office
computer system. This safeguard further requires covered entities to develop a contingency plan
to deal with incidents that could damage systems containing electronic PHI. P.M. Sfikas has
further explained the security regulations in detail.7
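As an added example (not code from the paper or from any practice-management product), the following Python script shows what the required regular review of information system activity records might look like for a dental office: it parses constructed access-log lines and reports PHI access by users not on the workforce roster, PHI access outside office hours, bursts of failed logins, and lines it could not parse. The log format, the roster, the office hours and the sample lines are all assumptions made for the illustration.

```python
# Added example (not from the paper): a small audit-log review of electronic
# PHI access. Log format, roster, hours and sample lines are all constructed.
from datetime import datetime, time

# Constructed sample log: "<ISO timestamp> <user> <action> <patient_id> <result>"
SAMPLE_LOG = """\
2024-03-04T08:15:02 drsmith VIEW_RECORD P1001 OK
2024-03-04T12:30:11 hygienist1 UPDATE_RECORD P1001 OK
2024-03-04T22:47:09 frontdesk VIEW_RECORD P1003 OK
2024-03-05T09:02:13 unknown7 LOGIN - FAIL
2024-03-05T09:02:20 unknown7 LOGIN - FAIL
2024-03-05T09:02:27 unknown7 LOGIN - FAIL
2024-03-05T09:03:00 tempuser VIEW_RECORD P1002 OK
garbage line
"""
AUTHORIZED = {"drsmith", "frontdesk", "hygienist1"}  # workforce roster (constructed)
BUSINESS_HOURS = (time(7, 30), time(18, 30))         # office hours (constructed)
FAILED_LOGIN_THRESHOLD = 3
PHI_ACTIONS = {"VIEW_RECORD", "UPDATE_RECORD"}

def parse_log(text):
    """Parse lines into dicts; malformed lines are kept for the reviewer, not dropped."""
    events, malformed = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            malformed.append(line)
            continue
        ts, user, action, patient, result = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient, "result": result})
    return events, malformed

def review_access(text):
    """Return findings that the regular log review should follow up on."""
    events, malformed = parse_log(text)
    findings = {"unauthorized_user": [], "after_hours_phi_access": [],
                "failed_login_burst": [], "malformed": malformed}
    fails = {}
    for e in events:
        phi_access = e["action"] in PHI_ACTIONS and e["result"] == "OK"
        if phi_access and e["user"] not in AUTHORIZED:
            findings["unauthorized_user"].append(e)  # PHI access by someone not on the roster
        if phi_access and not (BUSINESS_HOURS[0] <= e["ts"].time() <= BUSINESS_HOURS[1]):
            findings["after_hours_phi_access"].append(e)
        if e["action"] == "LOGIN" and e["result"] == "FAIL":
            fails[e["user"]] = fails.get(e["user"], 0) + 1
    for user, n in fails.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings["failed_login_burst"].append((user, n))  # possible password guessing
    return findings
```

Each finding feeds the sanctions, incident-handling and contingency procedures the administrative safeguards call for; the thresholds and hours should be set from the office's own risk analysis.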