Relevant Legal Standards

Much of the heightened level of risk facing a modern dental practice pertains to its patients’ Protected Health Information (PHI). PHI relates to the past, present, or future physical or mental health or condition of a patient and provides a reasonable basis to believe that it can be used to identify the patient. This includes healthcare/dental information containing any of a number of patient identifiers including name, date of birth, Social Security number, telephone number, medical record number or ZIP code. Even a patient’s name and reason for an appointment can be enough to qualify as PHI.3

Cyber criminals pay far more for PHI than credit card information or Social Security numbers alone.4 Unlike a credit card, patients can’t simply cancel and replace their life history. PHI is just the sort of information cyber criminals need to impersonate someone effectively when attempting to open fake credit card accounts or submit fraudulent tax returns. Patient information can also be used to create fake billing for Medicare or Medicaid or in conjunction with an unethical medical provider to write prescriptions for narcotics that are subsequently sold on the street at a very high profit margin.5

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) affects healthcare providers, healthcare plans and various types of vendors working with PHI. Dental offices using computers, electronic data storage, the Internet, etc. are considered “covered entities” and subject to HIPAA’s requirements. “Business associates” are also subject to HIPAA. They are non-employees that create, receive, maintain or transmit PHI. This includes vendors, consultants and sub-contractors of either who have access to patient information.

The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) was intended to stimulate use of electronic health and dental records with financial incentives for providers. It effectively strengthened HIPAA by adding direct accountability for business associates and enhancing its enforcement provisions. In addition, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) was placed in charge of enforcing HIPAA’s Privacy and Security Rules.

The HIPAA Omnibus Final Rule was enacted in early 2013. It effectively codified HITECH rules regarding security, privacy and enforcement into HIPAA directly. This included breach notification requirements, direct liability for business associates and increased fines. The Omnibus Final Rule also removed earlier statutory language requiring a “significant risk of harm” of data loss and made any use or disclosure of PHI not in accordance with HIPAA a reportable breach.

HIPAA has three primary Rules:

Privacy Rule: each covered entity and business associate subject to HIPAA has a duty to prevent unauthorized access to patient files. This relates to electronic, paper and even spoken information regarding patients.6

Security Rule: relates to electronic patient files. Covered entities (including dental offices) must take steps to prevent unauthorized access to electronic PHI. The Security Rule has administrative, physical and technical safeguards focusing on steps to improve an organization’s security practices.7

Breach Notification Rule: requires covered entities and business associates to provide notice when a data breach involving unsecured PHI has occurred. Proof of actual data theft is not required. HHS defines a data breach as an impermissible use or disclosure of PHI, unless there is a low probability the data has been compromised. There is also a publication requirement mandating a press release to the local media for any breach over 500 patient records. And, as if that’s not bad enough, knowingly failing to report a breach in excess of 500 PHI records to HHS within 60 days can actually result in jail time. But it’s not all bad news: data that is encrypted is considered secured and does not trigger the Breach Notification Rule.8

Individual state laws may also apply, as there are data breach notification laws in 47 states.9 A number of law firms practicing in this area have charts available online that summarize the provisions of the various state laws.10

A dental practice can come into OCR’s orbit through a random audit or as a result of a complaint left on the HHS website (which OCR is required to investigate).11 If that happens, you need to be ready.

In a dental office setting, there are a few points to focus upon initially. For starters, every dental practice should have a written HIPAA compliance policy clarifying everyone’s role in keeping the office HIPAA compliant and protecting PHI.

HIPAA also requires someone in your office to be responsible for compliance with the Privacy and Security Rules. In a larger organization, this is typically a designated privacy officer. In a smaller office, the office manager or one of the dentists may take on the privacy responsibility.

Staff training is critical. Employee education can save your office from avoidable HIPAA violations. Your privacy officer should organize regular trainings to clarify everyone’s role in keeping the office compliant. Be sure to document these trainings and have everyone sign a written statement that they have completed their HIPAA training. If an audit letter does arrive, documentation of your compliance actions shows the auditors that you’re taking risk seriously and makes the audit process easier.

Be sure to use detailed written business associate agreements with any organization that handles paper or electronic PHI. This will clarify how your vendors, consultants, etc. will handle PHI, which (if any) subcontractors will have access to PHI and what measures will be taken to secure it. This is a critical step. The Ponemon Institute’s Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, published in 2015, found 59% of business associates had suffered a data breach in the prior two years.12

Any organization subject to HIPAA must perform thorough and accurate Security Risk Assessments to evaluate potential risk and vulnerabilities to PHI. A corresponding Risk Management Plan is used to address the issues identified in the Security Risk Assessment. Keep in mind this is an ongoing process that must be performed regularly and documented. HHS offers helpful information and a Security Risk Assessment Tool to assist a covered entity or business associate in achieving HIPAA compliance.13

On a somewhat related note, if your office accepts credit cards for payment, it will also be required to comply with the Payment Card Industry Data Security Standard (PCI DSS).14 PCI DSS is administered by the Payment Card Industry Security Standards Council (PCI SSC), which was established in 2006 by the major card brands in America and Japan (including American Express, Discover, MasterCard and Visa). The purpose of PCI DSS is to set minimum security standards that organizations must maintain in order to protect card holder data.

Resources

In addition to information available via HHS,15 there are a number of resources available for additional assistance regarding information security standards, practices and emerging risks. The United States Computer Emergency Readiness Team (US-CERT) – which is part of the Department of Homeland Security – offers a number of security-related resources, with sections for technical and not-so-technical people.16 US-CERT’s offerings include explanations of a number of common issues, as well as regular vulnerability and threat alerts.

The National Institute of Standards and Technology (NIST) works to develop cyber security standards across a number of fields, including the standards used as reference for HIPAA compliance. NIST’s Computer Security Resource Center (CSRC)17 offers a host of security tools, guidelines and other resources, including the Special Publication (SP) 800 series covering a wide range of security topics.18 One of these is a detailed guide to implementing the Security Rule.19

In addition, there are a number of commercial alternatives tailored to the needs of dental and healthcare practices, including the Revised ADA Practical Guide to HIPAA Compliance: Privacy and Security Kit 20 and HITRUST’s Common Security Framework.21 Well-versed security professionals are a good alternative, as many specialize in HIPAA compliance.