
11 Steps to Protect Your Patients’ Information and Get Compliant with HIPAA (Before it’s Too Late)

Cyber security threats are continually evolving, and they pose a very real and significant threat to dental practices. Ransomware is malicious software that takes over a victim’s hard drive when they click on an infected advertisement, email, attachment, or website; it encrypts the contents of the device (and of any other connected electronics), and the hacker then demands payment in bitcoin or another cryptocurrency to unlock them. With an adequate data backup you may be able to recover from a ransomware incident, but you will still have a mess to deal with.

The HHS Office for Civil Rights (OCR) is the federal agency responsible for enforcing the HIPAA regulations, which include information security requirements for dental offices. Earlier this year OCR declared that Covered Entities victimized by ransomware are to treat the security incident as a HIPAA breach (https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf). Such breaches almost always involve 500 or more persons. HIPAA breaches that affect 500 or more people require the Covered Entity to notify the affected patients, OCR, and the local television and newspaper media within 60 days of discovering the breach. Failure to make timely notification cost one Covered Entity $475,000 earlier this year.

OCR currently investigates every breach that affects 500 or more persons. On the table in those investigations are not just the details of the breach (how it happened, why it happened, what was done to mitigate it) but an ‘A’ to ‘Z’ audit of your entire HIPAA compliance program. This is not something anyone should volunteer for, even if the office’s compliance program is top notch. OCR has become very aggressive, even ruthless, in its enforcement efforts; this agency scares me.

OCR’s breach investigations take from 1.5 to 6 years to resolve. No dentist has yet paid a large settlement to OCR, but I know it is coming, and soon. Fines to resolve HIPAA violations have risen from $100,000 in 2008 to around $2 million in 2017. Prepare now, so you don’t find yourself heading straight to bankruptcy if a breach happens to you.


Here are several steps every dental practice should take to prepare for (and hopefully prevent) a HIPAA breach:

  1. Talk with your Risk Management Advisor to ensure you have adequate cybersecurity coverage (both type and amount). It would not be unreasonable to have one or two million in coverage (really). You can obtain a million dollars of coverage (per incident) for about $450 a year. The resources you need to get through a major HIPAA breach or security incident are VERY expensive. I cannot stress enough the importance of having adequate coverage. A breach can bankrupt your practice.
  2. Ensure your office uses a reputable anti-virus/anti-malware product. There are hackers out there offering ‘anti-virus’ for free (or cheap). Their ‘anti-virus’ is really a gateway for cyber infections such as ransomware, keyloggers, spyware and other damaging software.
  3. Ensure your office uses a properly configured firewall, and keep its firmware up-to-date.
  4. Use a Virtual Private Network (VPN) for all data transmissions (Internet searches, claims submission, and ALL movement of data from one computer to another).
  5. Do not allow patients or other guests to use the same WiFi network you and your staff use to conduct business. Offices should not use their business WiFi to stream music; use the guest WiFi for that purpose.
  6. Train your staff on cybersecurity issues. There are both paid and free services available; keep in mind that free is not always the most appropriate option. These threats evolve very rapidly, so keep up. In the last two weeks alone, three major viruses have affected healthcare providers worldwide.
  7. Ensure your practice has adequate written policies and procedures relative to the HIPAA Privacy, Breach Notification, and Security Rules. I’ve written and re-written said policies for a client who was being investigated by OCR, and I FINALLY got it right. I’m an expert and I’m a pretty smart guy, but it took me multiple tries to pass muster with OCR. What are the odds you’ll get it right with no experience? I’m not a dentist, but I’m pretty sure you would not allow me to perform a root canal on you. As silly as that sounds, how does doing your own compliance program make sense?
  8. Ensure you and your staff have adequate training records. In an investigation, OCR will want to see six years of training records. Don’t have them? Better change this going forward.
  9. Ensure your practice’s Notice of Privacy Practices (NPP) is up-to-date. Odds are, unless you are a client, your NPP is not up-to-date. You can get an updated NPP from OCR for free: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/index.html
  10. Ensure you have Business Associate Agreements (BAAs) signed by you and your HIPAA Business Associates (outside organizations that have access to your patients’ PHI). One practice recently received a $31,000 fine from OCR for not entering into a BAA prior to giving a vendor access to PHI (https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/CCDH). Need a BAA? OCR has a template you can implement (https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html?language=en). As you can see, you have some choices to make when creating a BAA, and many of these choices have significant implications. Be sure to have your BAA reviewed by a competent consultant and/or your legal counsel.
  11. The HIPAA Security Rule requires dental practices to complete a periodic Risk Analysis (RA). As a rule of thumb, if there are no changes to your I.T. environment the RA needs to be done at least annually; if there are changes to your I.T. environment you must redo the RA. Immediately following an RA you must manage any known vulnerabilities/risks. This is called Risk Management (RM), and it must be done in a timely manner (30 days). Here is more information on the RA/RM process: https://www.hhs.gov/hipaa/for-professionals/security/guidance/final-guidance-risk-analysis/index.html The feds even put together a Risk Analysis process: https://www.healthit.gov/providers-professionals/security-risk-assessment-tool There are three parts to these tools, and each part is 150 pages. You know, time is money. Sometimes it makes sense to get help so you can quickly fulfill what you need to fulfill and get on with other things. This is one area where it may well make sense to get help, but what do I know; I’m just a vendor who has something to sell you.

“Is this all I have to do to be compliant with HIPAA?”, you ask. No, but it’s a good start, a very good start. The fact of the matter is you will never be ‘done’ getting compliant. Rules, regulations, and legal interpretations are continually evolving. Get connected with someone you know, like and trust (and who knows what they are talking about) to coach you and guide you through the ongoing process of staying in compliance with HIPAA and other government rules and regulations. Compliance may not seem important until you have a problem; then compliance consumes you. I encourage you to take my word for it, because experience is a difficult teacher and OCR is a nasty headmaster to be reckoned with.

Make today your greatest ever!

- Tink


Duane Tinker (aka The Toothcop)

Compliance Consultant

Dental Compliance Specialists

Dental Compliance Specialists helps make dental offices safer for patients, dentists and their employees. We help our clients develop and maintain their compliance programs, including OSHA/Infection Control, HIPAA, DEA regulations and prescribing practices, Radiation Safety, OIG/Medicaid Compliance, Record Auditing, and more, by providing actionable systems, easy-to-use tools, robust training, and accountability. Most of our clients have never been in trouble and want to keep it that way. Sometimes, though, dentists call when they are in trouble. In either case, we are there to make a meaningful difference. If you need help, call us at 817-755-0035.

