For the past five years, the Office for Civil Rights has continually threatened widespread HIPAA enforcement action via large-scale office compliance audits.
To date, fewer than 500 healthcare offices nationwide have been subjected to these inspections, leading us to conclude that practitioners are more likely to be struck by lightning than subjected to a HIPAA audit by the OCR. As one of my East Texas dentist clients said, “The HIPAA dog won’t hunt anymore.”
But that doesn’t mean dentists are off the hook. Far from it!
The real danger remains data breaches. Even small breaches can generate penalties of serious consequence. Some years ago, we saw a practice fined $50,000 for a breach involving fewer than 500 patient records. Most of us thought $50,000 was a pretty hefty deterrent; but it seems small today, in comparison to the threat dental practices now face.
Social media has made it possible for patients to connect the dots following exposure of their personal information. If your office sustains a data breach, it won’t take patients too long to determine that your practice was the source of their data.
The new dog that will hunt: class action attorneys. While HIPAA isn’t individually actionable—meaning that patients cannot sue you for breaching their privacy or violating their rights under the law—class action suits against careless practitioners are rising in popularity. Whereas the OCR might have been an object of fear over much of the past decade, governmental inaction has made patient privacy a paper tiger.
The real threat now comes from attorneys who have both the time and information necessary to put together breach class action suits that will devastate practices that sustained data breaches.
That makes preventing data breaches a top priority. While practices don’t necessarily have to follow every letter of the law to prevent breaches, good PHI hygiene certainly helps.
Here are five steps to preventing a data breach:
Train your team members.
Of course, HIPAA training is a State and Federal requirement, but it’s the effectiveness of the training that counts. Give your employees patient privacy training that requires them to demonstrate comprehension and retention of the content. Otherwise, you’ve just provided the employee with a nice mini-break in the middle of the day, and no one benefits.
Have correct paperwork in place.
How does HIPAA paperwork matter with respect to data breaches? Quite simply, provision of correct paperwork helps employees understand that patient privacy is serious business. More importantly, if you do sustain a breach, the fine for a HIPAA violation will be substantially decreased if you can demonstrate ‘good faith effort,’ and correct paperwork is the first step.
Your practice should have at least six documents in regular use, including a:
- Visitor Privacy Policy
- Employee Privacy Policy
- Notice of Electronic Disclosure (a Texas-specific requirement)
- PHI Release forms
- Notice of Privacy Practices (a lengthy document)
- Acknowledgement showing patients have received the NPP from your staff
Conduct a HIPAA risk assessment.
To demonstrate any degree of ‘good faith effort,’ your office should have completed a HIPAA Risk Assessment within a year of any reported data breach. This is perhaps the hardest step to complete for the average practice—and for good reason. Most companies offering HIPAA Risk Assessments charge several thousand dollars for the process.
Make sure Business Associate Agreements are up-to-date.
There’s a 25% chance that any data breach you sustain will be committed by a Business Associate—another entity who has been allowed to access your practice patient information.
Business Associate Agreements (BAA) have been around for a long time, but the newest iterations have real teeth. Double-check existing BAAs to be sure they were rewritten after the implementation of the Omnibus Rule in late 2013. If your BAAs predate the Omnibus Rule, then you’ll need new BAAs. Take a hard look at who can access your data and be sure you’ve thought of everyone.
Offer breach prevention education.
If your team members aren’t aware of the dangers of ‘phishing attacks,’ the ramifications of ransomware or the reasons why data harvesting is so profitable, they can hardly be expected to stop breaches before they happen. Steer your employees to some of the readily available breach prevention material on the internet.
Finally, be certain your team members understand that a data breach is only a social media post away. One central Texas client found this out the hard way when he was investigated by the OCR for using a patient’s name in a reply to a social media website review.
Even if you’ve already concluded that the HIPAA dog isn’t hunting anymore, that’s no assurance a data breach won’t devastate your practice. Thanks to social media, patients will need only a few posts on various outlets to discover how their information was used for phony tax returns, illegal prescriptions and even healthcare insurance fraud. When they find out who’s to blame, patients—and their class action lawyers—will be the new dogs on the hunt. By comparison, the ensuing legal battle will make OCR fines seem like a walk in the park.