As we have seen in the previous articles, there are numerous HIPAA rules and regulations that must be followed. Non compliance can often lead to fines and penalties that can be quite substantial.
However, in my mind, there is nothing more devastating to a practice than needing to declare a breach.
Data breaches have become common. There are reports in the news almost weekly about breaches in large corporations such as Target and Neiman Marcus. While these breaches can be upsetting to consumers, they don’t fall into the HIPAA rules as they don’t involve protected health information. A breach at a dental practice, unfortunately, would definitely be a HIPAA violation and requires a set of steps that must be taken.
Breaches can take many different forms. One of the most famous was a dentist in California whose server was stolen. This is an obvious breach of data. Other breaches would include someone hacking into your network, a former employee copying patient records before leaving the practice, emailing patient records to the wrong patient, etc.
So, what are the steps that must be taken? There are currently three things you must do by law:
1. You must notify all patients in writing, and not only inform them of the breach, but inform them which data was breached. This often includes social security numbers and credit card info. This, to me, is the most devastating part of the law. Our clients, who have reported a breach, have claimed a loss of 25-40% of their patients on average. It’s also considered proper protocol to offer credit checks for all affected patients to ensure there's been no identity theft.
2. You must notify the local media, such as local newspapers and TV stations.
3. You must have your practice listed on the Health and Human Services website. This site is affectionately called the Wall of Shame. There are currently around 1300 practices listed.
The thing I find most frustrating about the Breach Notification is that most dentists are unaware that they have a “get out of jail free card” when it comes to this rule. That card is encryption. If you have encrypted the data at rest, and encrypt your data in motion, then you are exempt from the rule. The most common breach is loss or theft of a mobile device, such as a laptop or backup external hard drive. Encrypting these devices is relatively easy. There are free programs like Bitlocker and Veracrypt that can encrypt data. You’ll want to work with an IT professional to set it up properly but you just need to pay for the labor. Compared to the fines you face (up to $50k for the lowest level and $1.5 million for the highest level), encrypting your data makes sense for every dental practice.
While the Breach Notification rule can be devastating for a dental practice, properly planning to protect your critical data can ensure that you never have to go through this process. This is one of those situations where an ounce of prevention is definitely worth more than a pound of the cure!