HIPAA has been around for 20 years now, yet many dental practices have barely started their HIPAA compliance journey. Despite two decades of regulation, I see multiple violations before even passing the front desk in many offices. As a HIPAA Risk Assessor, I’m trained to look for these things. But have you considered how many of your patients also see these risks?
An office manager at the office of one of my clients had just completed the annual HIPAA class a few days before taking her mother to her primary care physician. The front desk person in that office printed her mother’s information on the wrong form and instead of shredding it, she crumpled it up and tossed it in the garbage. “Wait, you’re going to shred that, right?” she asked. “Of course I am,” the front desk person said with a meek laugh as she smoothed the paper and put it in the shredder. Her mother’s information might have been compromised had my client’s office manager not known what to look for.
Being told that you’re doing something wrong is never fun, but what about the people who notice your violations and don’t say anything to you? A friend of mine moved, and a few months later she asked me about a few things she’d noticed that “weren’t quite right” at her new dentist. Instead of telling the office about her concerns, she simply left the practice. That practice still does not handle patient information securely.
Another example comes from one of my employees. Shortly after starting with us, she visited the dentist her family had been seeing for years. While she sat in the waiting area, the front desk person shouted across the waiting room, asking waiting patients about family members’ treatment, payments, insurance information, and medical issues. Our employee told us she was afraid to go back to that office, knowing how blatantly it was ignoring the basics.
Unfortunately, these stories are not uncommon. Your patients are watching. In states like California that have Private Right of Action laws, patients can sue if their information is compromised in your care.
What things are not compliant that patients are seeing?
Any time I walk into an office, these are the top violations I see in almost every practice:
• Conversations, especially within earshot of other people. You never know who is listening.
• Outdated notice of privacy practices (NPP). Many practices still hand out NPPs from 2003, or use something they found on the internet and never adapted to their office, even though the 2013 Omnibus Rule required notices to be revised. One time I saw a notice that was supposed to be for a dental practice, but it contained an optometrist’s contact information. The Department of Health and Human Services publishes colorful, easy-to-read model NPPs for download on its website because it wants compliance to be easy.
• Printed schedule or computer screen. Most current practice management systems have settings to limit what information appears on the schedule: no name, first name only, last name only, or initials. It may be convenient for staff to see who is coming in next, but a patient standing at the front desk should not be able to read other patients’ names or procedures.
• Open Wi-Fi. I know more about 90% of the offices I walk into by accessing their Wi-Fi before I even speak with the doctor. I have a free app on my phone that runs a quick scan once I have access to the practice’s wireless. I can see all devices: cell phones of patients and staff, office computers, printers, tablets, laptops, and the server. If I can do that with a free app, a thief, or even a bored 14-year-old with a laptop, can siphon patient information and the office would never know. “But I have a password” is the response I hear. “The password you just gave me and the last four patients?” A password that is handed to every patient is not access control; patient Wi-Fi belongs on a separate network that is isolated from the practice’s computers and server. A colleague recently did a Twitter search for “Hacked Dentist Wifi” and came up with a list of patients who had publicly posted on Twitter that they had accessed their dentist’s network and could see everything.
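Here is one way to turn the Wi-Fi scenario above into a repeatable check. This is an added example, not code from the article or its author: run it from a laptop joined to the patient/guest Wi-Fi. It lists every device the laptop can see on that wireless segment and then tries to reach the practice server on the ports a thief would go for. On a properly isolated guest network the neighbor list should be empty (client isolation) and every port test should fail. The server name `dental-server`, the port list and the output file name are assumptions; substitute your own.

```powershell
# Added example (not from the article). Run from a laptop on the guest Wi-Fi.
# Assumed values: the server hostname and the list of ports to probe.
$Server = 'dental-server'   # assumed hostname (or IP) of the practice management server
$Ports  = @{ 'SMB' = 445; 'RDP' = 3389; 'SQL Server' = 1433; 'HTTP' = 80 }

Write-Host "== Devices visible from this Wi-Fi segment (neighbor cache) =="
# Anything that shows up here is on the same segment as the guest laptop.
# With client isolation in place this list should contain only the gateway.
Get-NetNeighbor -AddressFamily IPv4 |
    Where-Object { $_.State -in 'Reachable', 'Stale' -and $_.LinkLayerAddress -ne 'FF-FF-FF-FF-FF-FF' } |
    Select-Object IPAddress, LinkLayerAddress, State, InterfaceAlias |
    Format-Table -AutoSize

Write-Host "== Can the practice server be reached from the guest network? =="
$findings = foreach ($name in $Ports.Keys) {
    # Test-NetConnection -Port does a TCP connect; TcpTestSucceeded is the verdict.
    $t = Test-NetConnection -ComputerName $Server -Port $Ports[$name] -WarningAction SilentlyContinue
    [pscustomobject]@{
        Checked   = Get-Date -Format 's'
        Service   = $name
        Port      = $Ports[$name]
        Reachable = $t.TcpTestSucceeded
        Verdict   = if ($t.TcpTestSucceeded) { 'FAIL - guest Wi-Fi is not isolated from the practice network' } else { 'ok' }
    }
}
$findings | Format-Table -AutoSize

# Keep the result with the risk assessment file as evidence that the test was done.
$findings | Export-Csv -Path ("guest-wifi-check-{0}.csv" -f (Get-Date -Format 'yyyyMMdd')) -NoTypeInformation
```

If the guest network’s DNS does not resolve the server name, that is a good sign, but repeat the test with the server’s IP address, since a thief on the same network will find it with the same free scanner the article describes. A clean result today is not permanent: re-run the check whenever the router, access point or IT vendor changes.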
These are the easily identifiable vulnerabilities patients can see within a few minutes of visiting your practice. When you dig a little deeper, there are all kinds of risks that haven’t been considered. A thorough risk assessment will identify your vulnerabilities and allow you to address them. The government doesn’t expect you to be Fort Knox, but it does expect you to have the basics in place. In fact, there is a lot of leniency if you are up front about your risks and can mitigate them until a permanent solution is implemented.
Technology and HIPAA: Where are the risks?
The risks on the tech side of your business are ever evolving. Five years ago the biggest threat was backup failure from a portable backup drive. Now we’re dealing with encryption, cybersecurity, ransomware, hacking, and IT people who don’t support your needs. The threat landscape certainly has changed since HIPAA was enacted 20 years ago.
Shadow IT/Multi IT
Verizon’s annual breach study repeatedly shows that Shadow IT, meaning multiple people making IT choices and decisions, is a top cause of data breaches. My own panoramic films were involved in a data breach due to Shadow IT. An employee thought she was “helping” by making an unauthorized backup of data to a thumb drive, and lost it. The IT staff had a secure protocol for backups; by going around it, the employee breached thousands of records that contained my name, birthdate, the last four digits of my Social Security number, and my entire medical record number. In other words, enough to steal my identity.
When it comes to IT, it’s not about cleaning up messes; it’s about proactive security. The only way to get there is to have one vendor that is ultimately responsible for making technology decisions. Multiple vendors with unattended access, each making their own changes, increases the chance of a data breach.
Inadequate/Incomplete risk assessment
A lot of practices want HIPAA to be quick and cheap. It isn’t. A thorough risk assessment and risk management plan is the single most important thing you can do for your practice with regard to HIPAA. I tell people that if it’s not intrusive and uncomfortable, they aren’t doing it right. Not only is it required under HIPAA (the Security Rule’s risk analysis standard, 45 CFR 164.308(a)(1)(ii)(A)), but it allows you to identify risks and do something about them. Inadequate or incomplete risk assessments are the top reason for penalties in breach investigations.
There are a lot of options out there when it comes to risk assessments, but I advise practices to look for one of two types of risk assessor: a privacy and security expert, or a privacy expert who works with your IT provider (if that provider is doing what it’s supposed to do for your practice).
Secure your server
Think about the information in a single patient record: name, birthdate, Social Security number, insurance information. It is a treasure trove for an identity thief. With full medical records fetching around $500 per record on the black market, you have a very large asset in your office. The average American dentist has roughly 2,500 active charts in addition to 10 years of stored inactive charts. Using a conservative figure of 4,000 charts, a dentist is holding around $2 million in value to a thief. What would you reasonably do to protect $2 million?
Fortunately, there are easy and affordable solutions for dental practices. With servers, the main risks are physical theft or loss, and these are addressed by locking the server up and encrypting its drives. Encryption matters for a second reason: under the HIPAA breach notification rule, PHI that was encrypted according to HHS guidance is not “unsecured PHI,” so losing an encrypted drive is not a reportable breach. That is why having encryption is not the end of the story. You have to prove it was in place at the time of the loss, document its configuration, and show evidence that you tested it. There are other considerations with encryption as well; disk encryption only protects data while the volume is locked, so a server that runs around the clock with its drives unlocked is not protected by it against a remote attacker. The safest place to encrypt data is where the data is created.
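The paragraph above says you must prove encryption was in place, document its configuration and show evidence of testing. The script below is an added example, not code from the article or its author, of collecting exactly that evidence on a Windows server that uses BitLocker: it records, for every volume, whether protection is on, whether the drive is fully encrypted, which cipher is used and which key protectors exist, then writes a dated report. It assumes the BitLocker PowerShell module is available (it ships with the BitLocker feature), that the script runs elevated, and that `C:\HIPAA\Evidence` is where you keep compliance evidence; that path is an assumption.

```powershell
# Added example (not from the article). Run elevated on the server being assessed.
# Assumed value: the evidence folder used for the risk assessment file.
$ReportDir = 'C:\HIPAA\Evidence'
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

$report = foreach ($v in Get-BitLockerVolume) {
    # KeyProtectorType values include Tpm, TpmPin, RecoveryPassword, ExternalKey, Password.
    $protectors = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '

    # Encryption that is "turned on" but not fully applied, or that has protection
    # suspended, would not qualify the data as secured if the drive walked out the door.
    $finding =
        if ($v.ProtectionStatus -ne 'On')             { 'FAIL - protection is off or suspended' }
        elseif ($v.VolumeStatus -ne 'FullyEncrypted') { "FAIL - volume status is $($v.VolumeStatus)" }
        elseif ($v.VolumeType -eq 'OperatingSystem' -and $protectors -notmatch 'Tpm') {
            'WARN - OS drive is not bound to the TPM; document how the key is protected' }
        else                                          { 'ok' }

    [pscustomobject]@{
        Checked    = Get-Date -Format 's'
        Computer   = $env:COMPUTERNAME
        Drive      = $v.MountPoint
        Type       = $v.VolumeType
        Status     = $v.VolumeStatus
        Protection = $v.ProtectionStatus
        Method     = $v.EncryptionMethod      # e.g. XtsAes256
        Protectors = $protectors
        Finding    = $finding
    }
}

$report | Format-Table -AutoSize

# Dated, per-machine report: this is the evidence the paragraph above asks for.
$csv = Join-Path $ReportDir ("bitlocker-{0}-{1}.csv" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd'))
$report | Export-Csv -Path $csv -NoTypeInformation
Write-Host "Evidence written to $csv"
```

Schedule this to run periodically and keep the reports with the risk assessment. A report dated before a theft is what lets you show an investigator that the drive was encrypted when it was lost; a screenshot taken afterwards is not. Where the recovery password is escrowed (Active Directory, a password manager, a sealed envelope) is not something the server can report, so record it by hand in the same file.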
Properly vet business associates
Are your business associates insured? Do they accept responsibility in their Business Associate Agreement? Is there documented evidence of risky behavior on their part? I see more business associates in the dental vertical doing risky things to their customers than in any other health-care space. It’s worth asking them difficult questions or, better yet, having an experienced risk assessor ask.
Choose a good IT partner
Everyone has an IT “guy” they love, but is that person doing all that is legally required for your dental practice? The Omnibus Final Rule of 2013 made business associates, including IT providers that handle your patient data, directly liable for complying with HIPAA’s Security Rule. Under Omnibus, an IT provider is expected to know and identify security deficiencies in your practice and offer you solutions, paid where necessary. If they don’t, they can share liability for a breach. If you have to ask for something security related, such as backups, updates, secure email, or a firewall, then chances are the IT person isn’t doing the things you and the federal government expect of an IT professional in the health-care space.
It can take years to establish a trust relationship with an IT company. Regardless of your current relationship, you have to ask yourself whether your current IT provider is doing what’s best for your practice and your patient information. If not, you should seriously consider switching.
Source: Amy Wood is President and HIPAA Compliance Officer of ACS Technologies, a firm based in Northern California specializing in data breach investigations, breach mitigation and comprehensive HIPAA compliance, and works closely with Arevtech, LLC.
Author: Amy Wood