In 2015, Dr. Joseph Beck became the first dentist ever to receive a HIPAA breach penalty, which sent a warning to dental clinics about HIPAA compliance. Until then, dental offices had avoided fines for non-compliance with HIPAA Rules.
The penalty was not applied by the Department of Health and Human Services’ Office for Civil Rights (OCR), but by the Office of the Indiana attorney general. The penalty of $12,000 was for the alleged mismanagement of the protected health information of 5,600 clients.
Since then, many settlements have been agreed with covered groups for HIPAA violations. No further penalties have been issued to dental offices, although there is nothing to prevent OCR or state attorneys general from fining dental offices for failing to adhere to HIPAA Rules, and settlements for alleged HIPAA violations are now being agreed much more frequently than in 2015. Last year was a record year for settlements, and 2017 has continued in line with this trend.
The chances of HIPAA violations being discovered have also risen. OCR has already begun the much-delayed second phase of its HIPAA compliance audit program, and dental offices may still be chosen for an audit.
During the initial phase of compliance audits in 2011/2012, at least one dental office was audited. That round of audits showed many areas of noncompliance with HIPAA Rules, although OCR chose not to issue any fines. Instead, non-compliance was addressed by issuing technical guidance. Now, five years on, covered entities have had plenty of time to implement their compliance programs. Financial settlements can be expected if HIPAA breaches are identified by OCR auditors.
Last year, the risk of HIPAA compliance audits for dental offices led Dr. Andrew Brown, chair of the ADA Council on Dental Practice, to issue a stern warning to dental offices on HIPAA compliance, urging them to take HIPAA compliance seriously. Brown commented, “There are steep consequences for health care providers that don’t comply with the law and we don’t want to see any dentists having to pay tens of thousands of dollars in a penalty.”
If your dental clinic has not yet been selected to demonstrate compliance with HIPAA Rules, that does not mean an investigation will not happen. OCR has only completed the first round of its phase 2 HIPAA audit program. The second round will include on-site visits, which are expected to begin in early 2018.
OCR also investigates all covered entities that suffer a breach of more than 500 records. There has been a rise in cyberattacks on healthcare groups in recent years, and dental offices could all too easily come under attack.
Laptop computers storing ePHI can easily be lost or stolen, staff may snoop on records or steal sensitive information, mistakes can be made when configuring software, and unaddressed flaws can be exploited. This year, the hacking group TheDarkOverlord exploited a flaw to gain access to the records of Aesthetic Dentistry of New York City and stole data – a reportable breach under HIPAA Rules.
If a data breach is suffered, OCR will need to be given evidence that HIPAA Rules have been followed. Complaints about privacy violations and other possible HIPAA failures can be submitted via the HHS website, and can easily result in HIPAA investigations.
It would be a serious mistake to think that OCR will not look into small practices. OCR has made it clear that all covered groups, regardless of their size, must adhere to HIPAA Rules. It is not only large healthcare groups that may have to pay a financial penalty for non-compliance with HIPAA Rules, as Dr. Beck could confirm.
The danger of data breaches is greater than it was previously, and OCR is taking a harder line on healthcare groups that fail to adhere to HIPAA Rules and keep electronic protected health information safe. Dental offices should therefore take HIPAA compliance seriously and ensure that HIPAA Rules are being complied with.