HIPAA Security Rule Compliance and the High Stakes for Dentists
HIPAA compliance is a vital part of managing your dental practice. Compliance not only helps protect your patients’ information but also your reputation as a dentist. Cyberattacks in the healthcare sector are on the rise, which means it’s even more important for dentists to stay informed and compliant. This article will cover the HIPAA Security Rule and why it matters for your dental practice.
Recently, a Texas dentist was the victim of a ransomware attack: he was locked out of his own data unless he paid a large ransom. Fortunately, the practice did not have to pay because it had a backup of its records. Keep in mind that backups only help if the attackers cannot reach and encrypt them as well, so keep at least one copy offline or otherwise isolated from the office network, and test that you can actually restore from it. This case is just one example of how cybercriminals have begun to target dental offices.
Whether you have a solo practice or you belong to a group practice, you or your DSO are likely defined as a “covered entity” under HIPAA (the Health Insurance Portability and Accountability Act), and you are likely required to comply with HIPAA.
There are several different laws and rules within HIPAA, but this article will focus on the Security Rule and how compliance can help you protect your patients’ information and your practice.
HIPAA: What’s at Stake for Your Practice
You’ve probably heard the expression, “There’s no such thing as bad publicity.” But as it turns out, there is such a thing as bad publicity if you make the news for a major data breach.
Whether you own a solo practice or a mobile practice, or you belong to a DSO, there's a lot at stake when it comes to HIPAA compliance. Even if you're looking to sell your practice, your reputation and compliance record matter.
The importance of safeguarding your patients’ private information can’t be overstated. Not only can you lose patient trust, but HIPAA violations can also lead to hefty fines and penalties. The costs can be extremely high from a financial standpoint and it can be a long process to repair the damage to your reputation.
A cyberattack is also likely to cause a major disruption to your practice and a drop in productivity for your employees. Some estimates put the cost of a healthcare data breach at around $400 per compromised patient record. For some dental practices, a breach may be so costly to clean up that the practice is forced to shut down. That's why investing time in HIPAA and security compliance is time well spent.
You’ve worked hard to gain patient trust and build your practice, so you don’t want to put those things at risk. Staying up to date and compliant with HIPAA is a good practice for safeguarding your patients’ information and your practice. In the end, it’s not just about compliance; you’re investing in your own peace of mind.
Why Would Cybercriminals Target Dental Offices?
As the dental industry has evolved, so too have cybercriminals. Cyberattacks are becoming more sophisticated and targeted.
Angelina Hendricks, Chief Technology Officer of Planet DDS, says, “Targeted attacks in the healthcare sector are on the rise. With dental offices housing and sending larger amounts of sensitive information, they have become a more attractive target to cybercriminals. Dentists need to stay compliant and vigilant.”
Just last month, the FBI co-authored a joint advisory warning the healthcare sector about the tactics cybercriminals are using to infect systems with ransomware. The FBI and the other agencies urge healthcare providers to take steps now to protect their practices and networks from these imminent threats.
Could it Happen to Me?
Just because your practice hasn't experienced a breach doesn't mean you're in compliance, and it doesn't mean there won't be a first time. HIPAA breaches have become all too common: in 2019 alone, 418 HIPAA breaches were reported in the United States, and a staggering 35 million Americans had their protected health information compromised.
That's roughly 1 in 10 Americans.
This sobering statistic is a reminder that a breach can happen to anyone's practice. HIPAA compliance doesn't guarantee that a breach will never happen, but it helps prevent breaches and helps your practice detect, respond to, and mitigate one when it does occur.
HIPAA Security Rule
Although it's not easy to tell from its name, when HIPAA was first enacted, Congress intended to protect workers' health insurance coverage when they changed or lost jobs and to prevent fraud and abuse in the health insurance and healthcare industry. HIPAA also encouraged the move to electronic patient records and transactions, which in turn made it necessary for the healthcare industry to safeguard the security of that data.
The HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI) by covered entities, which includes many dental practices. The Security Rule under HIPAA goes a step further to safeguard electronic protected health information (ePHI).
Any protected health information that is stored, transmitted, or received in any electronic format or media is considered ePHI. Under the Security Rule, practices must implement three types of safeguards to protect ePHI: Administrative Safeguards, Physical Safeguards, and Technical Safeguards.
Why Are Safeguards So Important for My Dental Practice?
Under the HIPAA Security Rule, covered entities are required to implement safeguards that protect the confidentiality, integrity, and availability of ePHI, guard against reasonably anticipated threats, and keep the practice running during emergencies. These safeguards are also designed to help entities detect and respond swiftly to breaches.
“In the event of a breach, the faster a dental practice can respond, the quicker and more efficient their recovery. Longer recovery times tend to translate to less efficiency and higher costs,” noted Hendricks.
The Three Safeguards Under the HIPAA Security Rule
The HIPAA Security Rule requires three categories of safeguards. The following examples of each category are not exhaustive.
Administrative Safeguards: policies and procedures on how the entity will comply with HIPAA, including how it identifies and manages risk.
Examples include:
- a risk analysis that identifies where ePHI is stored and transmitted and what could threaten it,
- a risk management program that reduces those risks to a reasonable level,
- ongoing training of employees on how to handle ePHI,
- a contingency plan on how the entity will respond to emergencies, including backups and disaster recovery,
- identifying classes of employees who will have access to ePHI,
- and internal audits for identifying potential violations.
Physical Safeguards: physical control of access to the facilities, workstations, and devices that hold ePHI.
Examples include:
- monitoring and controlling equipment containing health information,
- limiting physical access to health information to properly authorized individuals,
- requiring visitor sign-in and escorts,
- and controls on the removal of hardware and electronic media from the practice, including secure disposal.
Technical Safeguards: the technology, and the policies for using it, that control access to ePHI and protect it in storage and in transit.
Examples include:
- unique user IDs and access controls so that each person sees only the ePHI they need,
- audit logs that record who accessed ePHI and when,
- protecting information systems from intrusion,
- encryption when information is sent over open networks, and on laptops and portable media that can be lost or stolen,
- and verifying that a person or system seeking access to ePHI is who it claims to be.
HIPAA compliance was never intended to be a one-time deal; it's an ongoing process. By staying compliant, you ensure that you have procedures in place to respond and mitigate promptly in the event of a breach.
Make sure your practice has implemented the three types of safeguards required under the HIPAA Security Rule. Managing your risk proactively not only protects your patients, but also gives you more peace of mind.
Try our free demo to find out how Denticon can help enhance security for your practice.