
Tuesday, September 24, 2013

Securing Data, Performance Reviews and Emergency Preparedness

Issue #185-9.24.13


Dr. Lorne Lavine
Dental Technology Consultants

Seven Deadly Sins?
By Dr. Lorne Lavine, Dental Technology Consultants

Many offices are now moving towards a chartless or even paperless environment. Practice management data, images, accounting data, documents - almost all of the critical data for the office is in an electronic format. The challenge for many practices is to make sure they properly secure and protect this data. New HIPAA Omnibus rules have attached significant fines and penalties for practices that don’t follow accepted protocols for securing the data.

Many practices will offload these requirements to their local IT company, assuming that most IT companies can handle all of the services needed for the average dental practice. However, in my experience, few of the IT companies out there have the experience to provide all 7 of the services that a dental practice needs. The next time you speak to your IT company, see if they are fluent in all 7 of these:

1. Data backup and disaster recovery. Even people with little to no technical knowledge can set up a backup system, which often combines a local device that is removed from the office nightly with some sort of online backup. However, this doesn’t really address the question that most dentists need to ask themselves: if your server goes down, how quickly can you get back up and running? For many practices, the answer is around 2 days - that’s about 46 hours longer than it needs to be! That’s what a good disaster recovery system does: it gets you back up and operational as quickly as possible, and it is often best handled by an IT company that can not only set it up, but also monitor it daily and help you restore data as needed.

2. Network monitoring. In a lot of ways, computers are like teeth. There’s a reason we put our patients on 3-6 month recalls: to keep a close eye on things, to be proactive when we see problems, and ideally to be able to handle those problems more conservatively. Computers are the same way. By the time you call your IT company with a problem, it’s already too late. Wouldn’t it be better to have your IT company monitoring your computers in real-time, knowing when a problem starts in just minutes? I certainly think so!

3. Encryption is an addressable concern. Dentists following the HIPAA and HITECH rules know that protecting the data is of the highest priority. While encryption is not mandatory, here's a quote from the HHS website: "The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI."

What that means is that since any HIPAA auditor would consider encryption to be reasonable, you can't just say, "Well, we don't think it's reasonable so we won't do it." But forget the above governmental regulation for a second. The Breach Notification Rule says that if your data at rest is ever breached (unauthorized access, hackers, theft, etc.), then you MUST notify all patients in writing, notify the local media, and have your practice listed on the HHS website. You have one "get out of jail free card": encryption. If the data at rest is encrypted and you have a breach, you are exempt from that Breach Notification rule.

4. Encrypted email software. The same applies for what’s called “data in motion” - and for most of us, that means e-mail. If you are emailing e-PHI to your colleagues, then you really need to consider using encrypted email software for this. These systems will integrate easily with Exchange-based e-mail like Outlook, or any of the web-based systems like Gmail and Yahoo.

5. Staying with HIPAA. One of the requirements for HIPAA, especially if you plan to qualify for Federal Funding, is to do a risk analysis and have all the necessary policies and procedures in place. The ADA has a printed manual, which was basically outdated the minute the ink hit the paper. Web-based systems are an excellent alternative, as they can help you with the risk analysis and act as a repository for the documents.

6. Antivirus and antimalware software. Not much to say here - if your IT company doesn’t provide this, time to find a new IT company!

7. Finally, ongoing support. The better IT companies either provide unlimited support for a set monthly fee, or offer blocks of time that are deducted as support minutes are used.

If your IT company doesn’t provide most of these services, there are plenty of other providers who can help. Look for comprehensive packages, such as the Practice Byte Guard suite.

Lorne Lavine, DMD is the Founder and President of Dental Technology Consultants. Dr. Lavine holds two prestigious certifications, the A+ Certified Technician designation and the Network+ Certified Professional. These designations demonstrate proficiency in computer repair, operating systems, network design and installation. Dental Technology Consultants provides dentists a full range of services relating to the implementation of technology.

Interested in having Dr. Lavine speak to your dental society or study club? Dr. Lavine can be reached at drlavine@thedentistsnetwork.net

Hear Dr. Lavine’s FREE podcasts at The Dentist’s Network.


David Dow, Attorney

The Importance of Being Earnest when Doing Performance Reviews
By David Dow, Attorney

Why All the Fuss?
Imagine this: your hygienist has been a below-average employee since she was hired over a year ago. You finally decide to let her go. She gets an attorney and files a lawsuit claiming wrongful termination. Among your defenses to the lawsuit is the defense that you had good cause for the termination because the hygienist was an underperformer. But there is a problem. In the annual performance review that you did three months before the termination, you rated the hygienist’s overall performance as “Very Good.” Now you are faced with the difficult task of explaining why a “Very Good” performer was terminated for poor job performance. Does this sound like something that could happen to you? Have you ever been guilty of giving inflated performance reviews? Unfortunately, this is a scenario that frequently plays out in the workplace and in employment litigation.

Annual performance reviews are a common part of the employment relationship. If done correctly, written performance reviews can be an effective tool in managing employees by identifying strengths and areas for improvement, and giving employees the chance to provide feedback. A typical written performance review rates employees in various categories of performance, such as productivity, job knowledge, interpersonal skills, job performance, judgment, time management, attitude, communication, safety and attendance. A typical review will provide for a rating in each category ranging from “Unacceptable,” “Needs Improvement,” “Good,” “Very Good” and up to “Excellent.”

Oftentimes employers and supervisors are reluctant to give low ratings because they want to avoid confrontation and avoid disappointing employees. Most employees expect to receive “Excellent” and “Very Good” ratings in every area of performance and are offended if they are rated “Good.” Employers and supervisors commonly inflate the ratings on performance reviews so good performers are rated “Excellent”, average to below-average employees are rated “Very Good” and underperformers are rated “Good.” While this is convenient and accomplishes the goal of avoiding workplace conflicts, inflated ratings defeat the entire purpose of the review. If employees are not told where their performance falls short and needs improvement, they will have no incentive to improve. Poor performance reviews may prompt underperformers to start looking for another job. Inflated reviews will keep them working for you. As described in the situation above, inflated ratings can also lead to difficulty in managing employees down the road when you finally try to deal with the performance problem. As a result, it is important that employees be given thoughtful and accurate performance ratings.

When rating employees in the various areas of performance, it is helpful to provide information justifying or supporting the rating, such as identifying the number of absences and tardies for employees with attendance problems, referencing the frequency of patient complaints for employees whose work quality is deficient, or identifying problems with insurance billing for office managers. If there are specific examples of poor performance, they should be identified. At the same time, exceptional performance should also be recognized in performance reviews with specific examples of good work. A good performance review can be a great morale booster for employees who feel underappreciated. A kind word can sometimes go a long way.

During the review, the employee should be given the opportunity to read through the written evaluation, and you should go through the evaluation step-by-step with the employee, discussing each performance area. Employees should be praised for their good performance, and equally important, areas where performance needs to improve should be emphasized. But it is not enough to merely tell an employee where performance falls short. An effective employer will discuss steps an employee can take to improve performance. During the performance review employees should also be encouraged to provide feedback regarding their job goals, the environment, and areas where they believe office operations can be improved. 

At the end of the review, the employee should be asked to sign the review paper, acknowledging receipt of the review. A typical signature block will read: “My signature above acknowledges that I have received this review, not that I agree with the ratings and comments.” Employees should be given the opportunity to respond to the review in writing if they desire. Employees who receive poor performance reviews will be more likely to submit a rebuttal, and may do so in great detail. There typically is no reason to respond to employees who submit a “rebuttal” to the performance review. There is little value in being drawn into a debate with the employee whether the ratings are fair, accurate or deserved. The point of the review is to document performance problems, not prove that there are, in fact, performance problems. Written responses to performance reviews should just be attached to the performance review and placed in the personnel file. 

David Dow is a partner in the San Diego office of Littler Mendelson APC, a nationwide firm representing employers in all aspects of labor and employment law.

Mr. Dow can be reached at (619) 515-1802 or ddow@littler.com



Susan Gunn

A Common Cause
By Susan Gunn

Moore, Oklahoma was devastated by an EF5 (210mph) tornado on May 20th. Twenty-four lost their lives, including fourteen children, with 377 others injured. This loud and dangerous tornado stayed on the ground for at least 39 minutes over 17 miles. Its path was heavily populated with established neighborhoods and schools, just like many of yours. Witnesses described it as a black storm wall, which at one point was 1.3 miles wide!

Now, there are only a handful of sticks (trees) and houses left standing. One afternoon, I stood at the Plaza Towers Elementary School site. Where children should have been playing, laughing and scurrying about, it was deafeningly silent, the neighborhood void of anything except concrete pads. There was a sole house across the street still partially standing, defying gravity. There was no neighborhood garage sale, no kids playing in yards, no trees. It was breathtaking to see with my own eyes. Imagine your own neighborhood leveled in just a few minutes. An estimated 1150 homes were destroyed. Hundreds more were destroyed to the point of requiring demolition. Three schools must be rebuilt. Countless businesses destroyed or damaged, including dental colleagues and practices.

I recently had the privilege of volunteering a few days with my 16-year-old goddaughter Gwen at ServeMoore, a para-church organization that mobilized the night of the tornado by a simple text. They had never operated a crisis center, and yet, FEMA was amazed at their organization in such a short period of time. They processed donations, monetary plus thousands of major & minor tools. Their focus is cleanup and repair, even now three months after the tornados, until all the needs are met. It was started by people who believed they needed to help, with volunteers from every continent and every state. They had over 3000 volunteers the first week.

We spoke with so many affected by the tornados, both physically and emotionally. Their stories were filled with courage, determination, strength and heartache. Two of the women we met were recent widows, trying to figure out how to fix their houses alone. One fell off the roof and broke her kneecap. Both have been taken care of by ServeMoore volunteers.

At another home, we finished demolishing a backyard deck, initially demolished by the tornado. The family is currently unable to live in their own home but they were so overwhelmingly grateful for the cleanup help. They were still in a sense of shock, having also lost friends and neighbors. But never once did I hear whining or complaining. I was amazed at the fortitude of those who survived. “Oklahoma Strong” is their mantra for a reason!

In my research after coming home, I read articles about how FEMA uses the “Waffle House” index as a means to measure how the community is bouncing back. Waffle House, Home Depot and Walmart all have strong risk management plans in place, FEMA explains in their 2011 FEMA blog.

“The success of the private sector in preparing for and weathering disasters is essential to a community’s ability to recover in the long run,” states Dan Stoneking, Director of FEMA’s Private Sector. Why is a business’ risk management plan so important? Dan answers, “Up to 40 percent of businesses affected by a natural or man-made disaster never reopen, according to the Insurance Information Institute.”

Located a half mile from the tornado’s path, the Moore, OK Waffle House was closed only until management could get the generators going that next afternoon. They also provided emergency supplies to the victims. The time to prepare is not during a natural disaster. So how can you create your risk management plan? FEMA has a website full of information about developing a preparedness program, with step-by-step instructions. A few notable areas needing your attention:

Insurance. Do you have enough insurance coverage for all potential natural disasters to rebuild and equip your practice? If you have recently remodeled or bought new equipment, it’s possible that your coverage is not adequate. Call your insurance company to review your coverage.

Documents. Are all of your important business and personal documents safe? A bank lock box is secure and will typically withstand natural disasters.

Contact information. If a tornado of Moore’s magnitude wiped out both home and office, would you know how to contact your staff to ensure their well-being? 

Technology backups. Do you know what is being backed up and when? The practice, image and accounting software data should all be backed up off site. I use Mozy.com and Carbonite.com and the peace of mind during a crisis is overwhelmingly reassuring. 

Financial buffer. An open line of credit or a practice savings account is necessary for any crisis. You will need immediate available cash.

How will your practice survive during a natural disaster? I hope you never have to find out, but prepare now in case you do.

Susan Gunn has over 20 years of business automation experience, has written 25 books for professional practices and has been an Advanced Certified QuickBooks Pro Advisor since Intuit® established the program. She is a Certified Fraud Examiner, a Member of the Academy of Dental Management Consultants, and lives in Arlington, TX.  Dentistry Today magazine has recognized Susan's experience and expertise by naming her as a "Leader in Consulting" since 2006. 

For more information, go to www.SusanGunnSolutions.com
Susan Gunn can be reached at susan@susangunnsolutions.com




Copyrights 2006 The Dentist's Network - All Rights Reserved.

