HIPAA security compliance isn’t talked about often in the dental community. But the Office for Civil Rights (OCR) can and does investigate dental offices. If you’re not properly or adequately protecting your patients’ protected health information (PHI), you’re at risk of a hefty fine. In this episode of Talking With The Toothcop, I talk about the HIPAA Security Rule, business associate agreements, and how a data breach can impact your practice.
Outline of This Episode
- [1:20] HIPAA Security Compliance
- [4:43] The HIPAA Security Rule
- [9:00] Consistently work toward compliance
- [10:13] The Business Associate agreement
- [14:57] Have adequate cyber insurance in place
- [17:38] Will OCR hit practices harder because of COVID?
HIPAA Security Compliance: What a breach looks like
I received an email from OCR (AKA the HIPAA Police) titled: “Small healthcare provider fails to implement multiple HIPAA security rule requirements.” So I opened it. Essentially, Metropolitan Community Health Services has to pay a $25,000 fine to OCR and has to adopt a corrective action plan to settle violations. Why?
Because on June 9th, 2011, nine years ago, Metro filed a breach report that affected 1,263 patients. The OCR investigation revealed long-standing non-compliance: Metro had failed to conduct a risk analysis and had failed to implement any Security Rule policies, procedures, or training until 2016. Providers are supposed to safeguard their patients’ information.
The moral of the story? We need to implement measures so we don’t have to report a breach affecting 500+ people. This is a classic example of where prevention could’ve made a world of difference.
The HIPAA Security Rule
The HIPAA Privacy Rule states that you must have agreements with vendors who have access to patient information, train your staff properly, and establish a notice of privacy practices (how you can use and disclose patient information). The HIPAA Security Rule is what people seem to have trouble with. It deals exclusively with the security of protected health information.
One of the key components of the rule is to have someone appointed as the security officer. They establish access control for authorized users and set up firewalls, firmware, antivirus programs, updates, etc. They are tasked with risk analysis and mitigation:
- #1 Identify the potential threats and risks to PHI
- #2 Address the higher-risk or potential-risk areas
This is where dental practices have significant gaps and fall short. When OCR started conducting audits of covered entities, it found that more than ¾ of providers had not addressed security issues or implemented the security measures the rule requires. What should security training include? What issues do I see in dental offices? Listen to find out!
The Business Associate Agreement
You need to understand who your business associates are: Who are the vendors you work with who have access to your patient information? IT people? Coaches or consultants? Software providers? Identify those business relationships and make sure you have a signed Business Associate Agreement (BAA) with them. It’s required before they gain access to your patient information.
Let’s drive the point home: A data backup service was audited by OCR, and the audit traced it back to a medical practice. The medical practice couldn’t produce a BAA and got slapped with a $30,000 fine. It’s a big deal. There was another case in Florida: A former employee of a business had access to patient PHI. A BAA wasn’t in place, and they were fined $150,000.
I don’t want to scare you; I want to motivate you. I want you to understand the importance of addressing these issues. How many tooth fillings, root canals, and crowns would you have to do to cover a $30,000 or $150,000 fine? The preventative measures are worth every minute of your time.
How does cyber insurance play a role? Will they cover fines? Keep listening...
OCR takes its job seriously
Very few dentists are in compliance. If they were audited by OCR, it would be a bloodbath. While perfection cannot be expected, there’s room for improvement across the industry. You must show consistent and periodic effort. OCR just loves to kick people’s butts, pandemic or not. They are proactive on the educational side and actively involved from a preventative standpoint. But they will take heavy-handed action when there is a breach of compliance. It is so important to protect your patients’ information. Hear all about it in this episode!