You’ve heard HIPAA consultants drone on about the risk of being chosen for a HIPAA audit by the Office for Civil Rights. But the truth is something else entirely. Since 2012, OCR has managed to audit about 500 practices nationwide. Put another way, practitioners stand a better chance of being struck by lightning than being audited for HIPAA compliance!
So where is the real HIPAA threat, if not from fines? The answer is deceptively simple: data breaches.
Even if HIPAA enforcement is something of a paper tiger, the risk of sustaining a data breach is real. The Ponemon Institute reported that 94% of the healthcare organizations it surveyed had sustained at least one data breach in an 18-month period. Odds are, your practice has already sustained a breach—perhaps several—whether or not anyone noticed.
In years past, failing to report a breach was a common response. Practitioners and office managers merely held their breath or shrugged their shoulders. Now, that lackadaisical response is dangerous. Privacy attorney Shawn Tuma put it best when he said, “Practice owners put their entire practice at risk when they sustain a breach and then look the other way.”
Why? Because every day, social media is used to connect the dots, allowing patients to find others who’ve also been affected by an undisclosed breach. Our HIPAA consultants receive frequent calls from attorneys looking for offices that sustained a breach. HIPAA itself provides no private right of action, so a class-action lawsuit (typically brought under state privacy, consumer-protection or negligence law) is often the only way forward for patients whose data has been compromised. The cost of defending such a suit would bankrupt most practices. Thanks to Facebook, Twitter and eager class-action attorneys, we’re now seeing the tip of the class-action iceberg.
There are four steps the typical dental practice can take to stave off data breaches and avert HIPAA disasters. They’re often not particularly comfortable actions, but they are necessary in today’s litigious climate, and all four can be started this week.
First, train team members on breach prevention. A well-crafted phishing email can fool IT experts, but you should still train employees to spot suspicious messages: unexpected attachments, links whose real destination doesn’t match the text, urgent requests to change banking details or reset passwords. Make it safe and easy to report a suspicious email rather than quietly deleting it, so the office learns about an attack before the second or third recipient clicks. Team members should understand your practice is a target for data thieves of every description. If you and your employees honestly believe no one will bother trying to steal your patient data, you’ve probably already lost the battle for patient privacy. Smart offices know the nature of the threats they face and take them very seriously.
Second, make patient privacy awareness an ongoing project. No practice is HIPAA-compliant in perpetuity. The law changes over time, as does information technology. Most of the privacy challenges we see today were almost unheard of a decade ago; team members now have unprecedented ability to harm your practice by allowing data thieves access to your patient data. Keeping awareness at something of a fever pitch is vitally important. Task your privacy officer (you do have one, right? HIPAA requires a designated privacy officer and a designated security officer, and in a small practice they may be the same person) with providing weekly security reminders to ensure patient privacy remains at the forefront of employee thinking.
Third, make sure the back door is locked. Roughly a quarter of all healthcare data breaches originate with business associates, and many practices are caught flat-footed when a vendor, not the office itself, loses patient data. Too often, business associate agreements (BAAs) are outdated, inadequate, or say nothing about what happens when the business associate sustains a breach. Many leading dental service providers refuse to sign BAAs offered by clients, claiming that legal review of these documents would cost too much time and effort. The truth is something else: these business associates want you to sign their BAAs, because a vendor-drafted agreement usually narrows their contractual obligations to you, such as how quickly they must report a breach and who pays for notification and remediation.

Be clear about what a BAA can and cannot do. Since the 2013 Omnibus Rule, business associates are directly subject to the HIPAA Security Rule, and no contract wording can relieve them of that. What the BAA controls is the rest: it should require the business associate to implement appropriate safeguards, to report security incidents and breaches to you (with a specific deadline, not “promptly”), to bind any subcontractors to the same restrictions, and to return or destroy your patients’ information when the relationship ends. Harder to find, but just as essential, is a requirement that the business associate train its employees on patient privacy; the Security Rule requires workforce training, and a business associate that skips it is telling you how seriously it takes the rest of the rule. Dental labs are notoriously remiss on this one point. Ask yourself: “How would our patients feel if they knew we sent their information to someone who couldn’t be bothered to provide the rudimentary safeguard of employee training?”
Fourth, make sure your privacy officer is competent, and that patient privacy is a job priority. If your privacy officer can’t find your server, can’t answer halfway complex IT questions without outside help, and doesn’t know which documents (risk analysis, policies, training records, BAAs) must be kept on hand, you probably need to find someone else for the job. Small healthcare offices are routinely unprepared for today’s patient privacy demands. Often, the privacy officer of record is no longer with the practice. If there is one on staff, odds are excellent they’re wearing several other hats, and minimal time is devoted to HIPAA compliance. Larger offices or multi-location practices typically have even more at stake, because the privacy officer is often occupied with “more important” concerns. At one small hospital our HIPAA experts visited, the privacy officer had eight other job titles.
If the unthinkable does occur and you sustain a data breach of any sort, don’t be tempted to sweep the incident under the rug. Under the federal HIPAA Breach Notification Rule, affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered; HHS must be notified as well (within the same 60 days if 500 or more individuals are affected, otherwise in an annual log), and breaches affecting 500 or more residents of a state also require notice to prominent media in that state. State law can add its own deadlines and thresholds on top of this, and those requirements change. At the very least, you should consult a privacy attorney or call the Texas Attorney General’s office to confirm the current reporting requirements and breach data thresholds that apply to you.
Deciding not to report a data breach isn’t the answer—your patients will find out soon enough when their personal information is misused. When patients figure out your office was responsible, they’ll get mad, and they’ll get a lawyer. Or, more often than not, a lawyer will get them.
Finally, be prepared to spend some money. Remediating a patient data breach (forensic investigation, patient notification, credit monitoring, legal defense and regulatory response) is always far more expensive than preventing one in the first place.