In April 2018, a dental office in New Jersey, Michael Gruber, DMD, PA reported that their computers were hacked and 4624 patient records were stolen. Now this incident appears on the “Wall of Shame” at the Department of Health and Human Services website. Yes, it can happen to anybody.
Many dentists seem to think that either they do not need to comply with HIPAA (Health Insurance Portability and Accountability Act) or that they are already compliant because they have taken HIPAA training provided by their EHR vendor or by a consultant. While HIPAA training is indeed one of the annual requirements to be compliant with HIPAA law, it certainly is not the only requirement.
The breach reported by Michael Gruber, DMD, PA involved the loss or theft of more than 500 patient records, which made it a reportable breach. Dentists, like any other covered entity, are required to comply with the HIPAA breach notification rules, which involve notifying OCR (Office for Civil Rights), the affected patients and, in some cases, the media. This can become an expensive proposition, as legal fees, penalties, media costs, postage costs, forensic investigation costs and other related expenses are incurred during the breach notification and investigation phase.
Once a covered entity becomes a victim of a breach, OCR puts the case under investigation and, more likely than not, conducts an audit of the practice. One of the first documents requested in this case is a copy of the office's HIPAA risk assessment or analysis, which should be done annually. OCR would typically also ask to see your HIPAA policies and procedures. Depending on the outcome of the investigation, OCR, as the enforcement arm of the Department of Health and Human Services, might also decide to impose monetary fines for HIPAA violations. In severe cases of criminal negligence or impropriety, federal agencies such as the FBI, the Department of Homeland Security or the Department of Justice get involved, and there have been examples where a healthcare provider or an employee has been jailed.
Basic requirements for HIPAA compliance for a dental office:
Conduct a risk analysis or risk assessment every year.
Train all your employees (including dentists, hygienists, assistants and all administrative/office staff) every year on the HIPAA privacy, security and breach notification rules.
Create and maintain HIPAA policies and procedures and ensure that employees are familiar with them and follow them regularly.
Get HIPAA Compliant for 2018:
Avoid penalties today. Do not wait until December to get HIPAA compliant. You can either complete all the requirements yourself or hire a qualified consultant to prepare your policies and procedures and conduct your annual HIPAA risk assessment and training. To see services we provide here at 24By7Security for HIPAA compliance, please visit our HIPAA services page HERE.
By Rema Deo.