We hear from so many doctors’ and dentists’ offices that they are “HIPAA-compliant” because they have completed the required annual HIPAA training for their staff. FALSE! HIPAA Training is not HIPAA Compliance. HIPAA Training is only one of the components of HIPAA Compliance – thinking otherwise could lead to a false sense of security.
HIPAA law consists of various requirements in the areas of security and privacy, use and disclosure of PHI (protected health information) and in breach notification rules.
At the very minimum, a doctor’s or dentist’s office must do the following for HIPAA Compliance:
Breaches have unfortunately become all too common these days in an environment where medical records are extremely valuable on the black market. HIPAA law also specifies strict breach notification requirements in the event of a breach. The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) requires the practice to inform all individuals whose data might have been lost or stolen. A breach of more than 500 records is considered a reportable breach, that is, the practice must notify HHS. This could result in an audit of the practice by federal agencies, and the first thing they are going to ask you for is a copy of your last annual risk assessment.
Many small practices think that they are too small to be targeted. False again! If you look at the HHS "Wall of Shame", which lists reported breaches of more than 500 patient records, you will see several small practices listed there that have suffered breaches. The reality is that smaller practices are likely to be even more affected by a breach, considering the high expenses and workload that follow. The Ponemon Institute has calculated the average healthcare data breach cost to be $380 per record - for 500 records, that comes to approximately $190,000, which can be highly damaging for a small healthcare practice.
We often hear from dentists that they do not believe they need to comply. Also False! In fact, just recently, in January 2018, Steven Yang, DDS of California and Zachary Adkins, DDS of New Mexico had breaches of 3000+ patient records each due to theft of a laptop and of another portable electronic device respectively. Robert Smith, DMD of Tennessee reported 1500 records breached after a hack. Several other providers such as physicians, hospitals, pharmacies, health plans and business associates have experienced breaches in the recent past. It can and will happen to anyone regardless of size - please do not think that it won't happen to you!
HIPAA Training is not HIPAA Compliance. Practices should take these requirements seriously as they are here to protect patients and medical professionals. Protect yourself and your patients by incorporating a culture of security and privacy compliance in your medical practice.