When you mention HIPAA to most dentists or dental office managers you will most likely receive a negative response. Implementing HIPAA can be challenging with complicated risk assessments, creating and following Privacy and Security Policies and Procedures, and training staff on their responsibilities. Worst of all, HIPAA isn’t a revenue generating activity, and usually gets shuffled to the bottom of the deck of priorities.
Ignoring HIPAA is becoming a risky strategy and is increasingly leading to fines and penalties from HHS’s Office for Civil Rights (OCR). In spite of the threat of government action, there is a positive side to HIPAA compliance. Implementing HIPAA guidelines can do the following:
1. Protect your practice’s business information
2. Strengthen your relationship with your patients
HIPAA is a great guide to help you protect your practice by giving you a codified set of Security and Privacy standards that every practice should follow and is required to follow. Every practice holds patients’ Protected Health Information (PHI) in both physical and electronic formats, but have you stopped to think about the other sensitive information you store? Virtually every practice maintains sensitive information about employees’ salaries and practice profit and loss information.
The Security and Privacy specifications outlined in HIPAA are very thorough and will lead you through the process of protecting all the data you are holding. This includes proper workstation management, creating disaster recovery plans, and establishing firewalls to protect your networks from hackers. These are just a few of the security processes that HIPAA requires and that will protect your practice.
Your patients entrust their personal health information to you. Patients have a reasonable expectation that their dentist will protect all their information, and we have already seen significant malpractice suits where HIPAA was used as a standard of care. This means HIPAA compliance for a dentist is not only a federal requirement, but your patients expect you to protect their privacy as a part of your contract. Protecting your patients’ information strengthens the trust between the practice and patients.
Dr. Joseph Beck, an Indiana dentist, was sued by the state for mishandling PHI of over 5,000 patients. Beck hired a company to dispose of his patients’ records, which were later found in a dumpster. Though no identity theft was reported, this is considered a breach. As a result, Beck’s license to practice dentistry was revoked and he was fined $12,000. [1]
On July 11, 2016, HHS Office for Civil Rights (OCR) made good on its long-awaited promise to begin Phase Two HIPAA Audits. Letters were delivered via email to 167 employer-sponsored health plans, health care providers (dental offices) and healthcare clearinghouses. These organizations are classified as covered entities. Business Associates of these covered entities will be audited in the fall of 2016, and audits are scheduled for 2017. [2]
Value of healthcare data
The rising number of healthcare hacks demonstrates that healthcare data has tremendous value in the wrong hands. In some estimates, medical records are 10 to 20 times more valuable than credit cards because multiple pieces of information are stolen. The information within a record can be sold as an entire package or broken out into different data groups and sold to different people.
Experian stated in their 2016 Data Breach Industry Forecast: “We predict that healthcare companies and healthcare providers will remain one of the most targeted sectors by attackers, driven by the high value compromised data can command on the black market, along with the continued digitization and sharing of medical records.” [3]
Real World Cost of Ignoring HIPAA
When we talk about HIPAA compliance, much of the emphasis is on avoiding fines and penalties from the Office for Civil Rights (OCR) and/or your State Attorney General. There are several events that will open your practice to investigation. They are:
1. Breach of patient or employee PHI through a hacker or loss of devices with unencrypted files
2. A complaint by a patient who feels their PHI has been improperly handled
3. Selection by OCR for a random audit
The cost of a real world breach can extend well beyond any amount OCR might dole out. Once you calculate these costs, you may want to reconsider the need for a well-executed HIPAA compliance plan. Here is the cost of a sample breach:
Lost device with 600 patient records, no encryption or password protection
1. All patients must be notified of breach.
2. If the Notice of Privacy Practices (NPP) does not clearly state patients will be notified by email, the state may require notification by first class mail.
3. Legal professionals must review the notification plan and advise on other legal ramifications that may occur as a result of the breach.
4. Credit monitoring must be offered to patients if their financial data may have been compromised.
Estimated Real World Cost: $213,000
Based on the report “Cost of Data Breach Study: Global Analysis,” sponsored by IBM and conducted by the Ponemon Institute (June 2016), the per capita cost for healthcare of $355 is the highest of any industry. [4] That converts to $213,000 for a practice with 600 patients. [5, 6]
Cost with a properly implemented HIPAA Compliance Plan: $0
If the device had been encrypted and password protected, as the practice’s HIPAA plan should specify, there would be no reason to notify patients, since the loss of an encrypted device is not considered a breach.
The costs outlined above are tangible ones that we can put a specific dollar amount against, but there is also the potential for an even larger cost – the loss of your patient’s trust.
According to a study conducted by TransUnion Healthcare, more than half of recent hospital patients are willing to switch healthcare providers if their current provider undergoes a data breach, and nearly seven in 10 respondents (65 percent) would avoid healthcare providers that experience a data breach. [7] This means that if the 600 patients’ health information is lost, you can expect to lose 390 of those patients. As you can see, this doesn’t paint a pretty picture for your bottom line!
Ironically, OCR often audits covered entities based on breach complaints filed, which means if you haven’t created and implemented your HIPAA compliance plan, in addition to accounting for the real world costs, you must now also expect OCR fines and penalties. On the other hand, if you can show that you have a HIPAA compliance plan in place OCR will often forgo fines and penalties, and provide suggested measures to correct your compliance plan instead.
Regardless of how minor a breach is, the cost of mitigating that breach will always exceed the cost of proactively protecting your practice with a well-developed and properly implemented HIPAA compliance plan.
1. www.ada.org/en/publications/ada-news/2015-archive/march/indiana-dentist-is-first-sued-by-state-for-violating-hipaa
5. The cost is calculated on both the direct and indirect expenses incurred by the organization. Direct expenses include engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts for future products and services. Indirect costs include in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished customer acquisition rates.
6. www.03.ibm.com/security/data-breach/, page 10, 2016 Cost of Data Breach Study: Global Analysis, Ponemon Institute (June 2016)
7. newsroom.transunion.com/transunion-survey-nearly-seven-in-10-patients-would-avoid-healthcare-providers-that-undergo-a-data
Becoming HIPAA compliant may seem confusing and expensive, but there is a solution. With HIPAA Prime™ from Total HIPAA Compliance (www.TotalHIPAA.com), becoming HIPAA compliant is easier than ever. Using Total HIPAA’s online solution, you complete a required HIPAA Risk Assessment. Total HIPAA reviews your information, communicates items that need resolution and creates a compliance plan for your practice. Dental practices are Covered Entities and are required to have a HIPAA Compliance plan in place.
The nationally known insurance agency, Chris D Callen, Insurance Agent, which has been serving the insurance needs of dentists nationwide for over 34 years, has set up a special discounted program for any dentists who wish to use this program. Please visit TotalHIPAA.com/callendental to receive 5% off your purchase of HIPAA Prime, or call (800) 344-6381 ext. 103 and use Promo Code: callendental. Don’t wait!
Jason Karn is the Chief Compliance Officer for Total HIPAA Compliance (THC). THC provides HIPAA compliance documents and online training tools – customized for dental practices. Jason guides dental practices in completing required HIPAA compliance plans.
As the cofounder of Total HIPAA’s training and compliance solutions, he is a frequent national speaker on HIPAA and a regular HIPAA social media blogger. Jason is also the content creator and co-presenter of the 2015 and 2016 NueMD 5-part webinar series – Steps to HIPAA Compliance – as well as presenter of webinars for Agents and Employers. (www.TotalHIPAA.com)