These days, it's absolutely possible ...
Almost every lecture or workshop I teach is followed by this question: “Will the HIPAA police fine me?” I used to be able to say confidently, “You have a better chance of winning the lottery than of getting fined for violating HIPAA.” Ten years later, my response has shifted firmly to, “It’s possible.”
Several things have changed my answer. For several decades now (27 years, to be accurate) HIPAA enforcement has focused largely on hospitals and large entities, leaving dental professionals to believe either that HIPAA doesn’t apply to them or that enforcement agencies won’t pay attention to them. This has created a false sense of security in the dental industry.
That all changed in 2019. A practice (1) was turned in by a patient for responding to a negative Yelp review with all the details of the appointment as the rebuttal. Then nothing for a few years: OCR, the Office for Civil Rights, was silent about any further penalties against dentists. That changed again in 2021. In one day, OCR announced THREE fines in the dental space, bringing the total to seven dentists fined for HIPAA violations. (2)
Why the sudden uptick in fining dentists? Each of those dentists was egregious in their violations. It’s never just the online review response or the refusal to provide copies of images. Fines are reserved for practitioners with systemic non-compliance with HIPAA. The most common things that are missing are:
- Inadequate, infrequent or missing HIPAA workforce training. All team members should be trained before they are granted access to PHI or to computers containing PHI, and then refreshed annually. I’d also recommend discussing specific topics periodically at team meetings to keep up on things between those annual team trainings.
- Lack of a thorough and accurate Risk Analysis. Many people think a Security Risk Assessment is enough. Although a Security Risk Assessment is important and should be done as part of a Risk Analysis, a questionnaire alone does not identify all your risks and vulnerabilities, let alone produce a plan to remediate those vulnerabilities.
- Lack of reasonable and appropriate policies and procedures. I can’t tell you the number of times I’ve walked into a dental practice to review the policies and procedures before a pending investigation, only to be faced with template policies that have nothing to do with the practice. Some aren’t even written for dental!
- Lack of Contingency Plans: written plans that outline what you do in different kinds of emergencies. Think of it like BLS (Basic Life Support). You take that course every two years not just because it’s required, but to keep your skills fresh so that when you are faced with that emergency, you go into autopilot instead of panicking. Your written contingency plans serve the same purpose.
- Lack of reasonable and appropriate safeguards to protect digital data. I outlined this in great detail in a previous article with The Profitable Dentist: Dentists Can No Longer Hide From HIPAA. If you or your IT provider are not doing all the things listed there, you may quickly find yourself the victim of a cybersecurity incident as well as a HIPAA investigation.
Another common question I get is, “If I have a data breach, will I get sued or get a fine?” It would be amazing if I never got another call that someone had a data breach or a privacy or security incident, but the reality is that it’s not “IF”, it’s “WHEN” something will happen. When it happens, those documents and that proof of compliance had better have been in place for some time, or the likelihood of a messy, costly investigation that could result in a fine or even patient lawsuits increases dramatically.
It’s also worth noting what these seven dentists were fined for. Two were fined for responding to negative online reviews. One was fined for using patient contact information and communication software to solicit campaign contributions. The rest were fined for Patient Right of Access violations. Under HIPAA, patients have certain rights, including the right to receive a copy of their records, to inspect them, to request amendments to them, to assign a proxy to them, and more. What most of these fined dentists did was withhold copies of x-rays and other parts of the legal medical record because the patient owed a balance. To be clear: under no circumstances should you ever, ever, ever withhold records. Patient rights should also be outlined in the practice’s Notice of Privacy Practices (which should be displayed and made available to all patients). If you are unsure whether yours is current, there is a free, editable template on the Health and Human Services website. (3)
Cited References:
1. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/elite/index.html
2. https://www.hhs.gov/about/news/2022/09/20/ocr-settles-three-cases-dental-practices-patient-right-access-under-hipaa.html
3. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/index.html