The Office for Civil Rights (OCR) just announced fines totaling $4.3 million against MD Anderson Medical Center to resolve violations related to three data breaches. That’s the fourth largest HIPAA violation penalty ever issued.
Why you should pay attention
As a practice owner, you might be wondering, “How is this relevant to me? MD Anderson is a huge enterprise. I’m one dentist.”
It boils down to this: healthcare providers of any size are charged with protecting their patients’ PHI, and could face a similar fate if they fail to do so. As a healthcare provider and a covered entity, your practice is included.
How it could have been prevented
The fines were prompted by three data breaches that were easily preventable. The breaches occurred when a doctor’s laptop computer was stolen and two USB memory sticks were lost. None of the three storage devices was encrypted. Had they been, the theft and loss of the devices would not have been considered data breaches, because the PHI on them would have remained unreadable.
To MD Anderson’s credit, before the breaches occurred it did conduct a HIPAA risk assessment (required by law) and identified the very issues that caused the subsequent breaches. However, MD Anderson didn’t fix the problems.
What are first steps to protecting your practice?
- First, encrypt all of your storage devices, including laptop disks and USB drives, so that a lost or stolen device is not a reportable breach.
- Conduct a HIPAA risk assessment to uncover the deficiencies in your practice’s policies and procedures (or lack thereof), and then actually remediate what it finds.
If this sounds intimidating, contact a company with experience in dealing with these issues in dental practices.