It was a week before Christmas last year when the practice of Robert Meaglia, DDS, in Rocklin was broken into through the back door. The burglars took everything they could get their hands on, from toothbrushes to a Gameboy. But the most important thing they stole was the main unencrypted computer that had all of Meaglia’s patients’ information on it.
Instead of holiday shopping, the startled dentist had to spend time on the long process of reporting the incident to the California Attorney General and the U.S. Department of Health and Human Services (HHS).
The theft triggered notification requirements under the Health Insurance Portability and Accountability Act (HIPAA) and state law.
“It weighs on you; knowing the potential fines and potential complications that could be coming,” Meaglia said. “I was worried about my patients’ privacy and identity theft and I felt a personal and moral obligation to protect them.”
Meaglia, who wanted to share his experience to help warn other dentists to protect themselves and their patients from such a break-in, called CDA Practice Support Analyst Teresa Pichay after the incident occurred for guidance.
“She explained to me what the new regulations were, sent me information on the HIPAA requirements, including the ADA Practical Guide to HIPAA Compliance, and talked me through completing all of the necessary paperwork that I needed to turn in,” Meaglia said.
Because more than 500 people were affected, Meaglia had to, under the law, notify the media as well as all his patients about the breach.
The Health Information Technology for Economic and Clinical Health Act (HITECH) amended HIPAA in 2009 and expanded patient rights with regard to their health information and added a breach notification rule for covered entities, such as dentists, to follow.
HITECH also significantly increased the maximum fines and penalties for violations. A dentist who is a HIPAA-covered entity, has not taken the necessary steps to put a plan in place to protect patient data, and then experiences a breach could face significant fines and penalties depending on the situation, not to mention the damage to the dentist’s professional reputation.
Within a few days of Meaglia filing a report, the HHS contacted him to confirm the incident and to have a brief conversation about it. Everything then sat in limbo until mid-January when he got a letter from the Office for Civil Rights (OCR).
“Their letter was pretty intimidating, especially some of the dollar amounts included for fines,” Meaglia said.
The OCR’s letter let Meaglia know that an investigation would take place to determine if he had been in compliance with the HIPAA Privacy Rule and that investigators would be visiting the practice and needed access to records and “other information during normal business hours or at any time, without notice.”
The letter went on:
“...if OCR’s investigation results in a finding that Rob Meaglia, DDS, is not complying with the Privacy Rule, HHS may initiate formal enforcement action, which may result in the imposition of civil money penalties.”
Those penalties, as set out in the letter, were as follows:

For violations occurring prior to 2/18/2009: up to $100 per violation, subject to a calendar-year cap.
For violations occurring on or after 2/18/2009: $100 to $50,000 or more per violation, subject to a calendar-year cap.
“I went into a little bit of a funk because it increased my stress levels. It was hard to focus when I came in for work,” said Meaglia, who also mentioned there have been no office visitations to date.
One of the main things the OCR wants to see from dentists in these investigations is that they have conducted a Security Rule risk analysis as required by HIPAA to protect their patients’ information and minimize liability risk. A recent review of HIPAA enforcement actions reveals that entities were penalized for not having a documented risk analysis or for having an incomplete analysis.
There is no single method of conducting a risk analysis that is a surefire path to compliance with the HIPAA Security Rule, but HHS has laid out the common steps. The following are provided as examples of steps that covered entities can apply to their own environment.
1. Identify the scope of the analysis.
2. Gather data.
3. Identify and document potential threats and vulnerabilities.
4. Assess current security measures.
5. Determine the likelihood of threat occurrence.
6. Determine the potential impact of threat occurrence.
7. Determine the level of risk.
8. Identify security measures and finalize documentation.
For more details on these steps, visit HHS’s website.
The ADA HIPAA Compliance Kit also is a source for obtaining a risk analysis assessment form. CDA has the HIPAA Security Rule: A Summary resource available at cda.org.
The OCR also wants to know whether the practice had encrypted its patient data. Meaglia thought his software company had safeguarded his patient information, but what the vendor had installed turned out to be “data masking,” not true encryption, and masking does not meet the encryption standard the regulations now require.
“My software company initially performed and installed an encryption program which is now considered ‘unsupported’ and is now being replaced by a Microsoft-supported full disk encryption software program,” Meaglia said.
As far as Meaglia’s investigation with the OCR goes, there may not be a final ruling until next year. Coincidentally, the police department later recovered his computer and hard drive in a drug bust, but it was too late, as the patient information had already been compromised, and the fact that the computer was found doesn’t change things in the eyes of the OCR, he said.
In the meantime, Meaglia encourages other dentists to make sure they protect themselves.
“Get educated on this, either get the information through CDA, ADA or contact one of the licensed companies for implanting the privacy procedures and get compliant. It is just as important as any of the OSHA standards. Also, enact a HIPAA policy and procedures manual pertinent to your practice as soon as possible, train your staff and be sure your encryption meets the new standards,” Meaglia said. “CDA has a wealth of resources and it was very comforting to know that they were behind me and spent time researching this and how hard they work to protect us as dentists.”
CDA would like to offer members the following recommendations so they can avoid a similar situation.
Encrypt data at rest.
Encryption is an “addressable” technical standard under the HIPAA Security Rule. That does not mean it is optional: a covered entity must assess whether encryption is reasonable and appropriate for its environment and, if it decides not to implement it, document why and adopt an equivalent alternative measure. Encryption is also worth doing for its own sake, because properly encrypted data (encryption that follows HHS guidance, with the keys kept separate from the data) provides a safe harbor from the notification provisions of state and federal data protection laws. If a dentist’s system is capable of encryption, he or she should use it. Dentists can check with their practice management software vendors about the ability to encrypt data.
Strengthen the physical security of the server and hard drives if encrypting the data is not an option.
Look into ways to secure the server and drives to something that is difficult to move, or add further barriers that impede access to the office, the patient files or the computers themselves.
Encrypt devices used for backups, such as laptop computers and flash drives.
A dermatology practice lost an unencrypted thumb drive and recently reached a resolution agreement with HHS that called for the practice to pay $150,000 and to comply with a corrective action plan. If dentists cannot encrypt these devices, they should consider using cloud back-up services. If using a cloud backup service, have a business associate agreement with the company.
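The two encryption recommendations above (data at rest on the practice server and on removable backup devices) both come down to a verifiable state on the machine, and the Meaglia case shows why a dentist should not take a vendor’s word for it. The following PowerShell script is an added example, not code from the article, CDA or any vendor: it audits every volume on a Windows computer that uses Microsoft’s built-in full disk encryption (BitLocker), including USB drives, and writes a dated record that can be kept with the risk-analysis documentation. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later), an elevated prompt, and a hypothetical report path.

```powershell
# Added example (not from the article or CDA): audit BitLocker status on every
# volume of a Windows practice computer, including removable backup drives.
# Requires the BitLocker PowerShell module and an elevated prompt.
# Usage: .\Audit-BitLocker.ps1 -ReportPath C:\HIPAA\bitlocker-audit.csv

[CmdletBinding()]
param(
    # Hypothetical path for the audit record; keep it with the risk-analysis file.
    [string]$ReportPath = "$env:ProgramData\HIPAA\bitlocker-audit.csv"
)

$hostName = $env:COMPUTERNAME
$now = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

$results = foreach ($vol in Get-BitLockerVolume) {
    # Three conditions must all hold before a volume counts as encrypted at rest:
    #  1. the encryption pass has finished (VolumeStatus FullyEncrypted),
    #  2. protection is actually on (a suspended volume stores its key in the clear),
    #  3. a recovery password protector exists, so a failed TPM does not mean lost data.
    $fullyEncrypted = $vol.VolumeStatus -eq 'FullyEncrypted'
    $protectionOn   = $vol.ProtectionStatus -eq 'On'
    $hasRecovery    = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    $finding = if (-not $fullyEncrypted) { 'NOT ENCRYPTED (or encryption still in progress)' }
               elseif (-not $protectionOn) { 'ENCRYPTED BUT PROTECTION SUSPENDED' }
               elseif (-not $hasRecovery)  { 'NO RECOVERY PASSWORD ESCROWED' }
               else                        { 'OK' }

    [pscustomobject]@{
        Host             = $hostName
        Checked          = $now
        MountPoint       = $vol.MountPoint
        VolumeType       = $vol.VolumeType          # OperatingSystem, or Data (includes USB drives)
        Status           = $vol.VolumeStatus
        PercentEncrypted = $vol.EncryptionPercentage
        Protection       = $vol.ProtectionStatus
        Method           = $vol.EncryptionMethod
        Finding          = $finding
    }
}

# Show a readable summary and append a dated CSV row per volume as evidence.
$results | Format-Table MountPoint, VolumeType, Status, Protection, Method, Finding -AutoSize
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
$results | Export-Csv -Path $ReportPath -NoTypeInformation -Append

# Non-zero exit so the script can be scheduled and alert on any volume that would
# not qualify for the breach-notification encryption safe harbor.
$bad = @($results | Where-Object Finding -ne 'OK')
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) volume(s) on $hostName are not fully protected."
    exit 1
}
```

A removable drive that appears with VolumeType Data and Status FullyDecrypted is exactly the unencrypted thumb drive in the dermatology case above; plug in each backup device before running the audit so it is included. Note also that a volume showing FullyEncrypted with Protection Off (for example, suspended for a firmware update and never resumed) is not protected at all, which is why the script checks protection status and not just the encryption state.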
Purchase a data compromise policy.
TDIC offers this policy, with $50,000, $100,000 and $250,000 limits, as an addendum to property coverage. Such a policy can pay for mailing notification letters to patients, providing affected individuals with credit monitoring and more.
For more information on TDIC’s offerings, visit thedentists.com. View the CDA Practice Support resource HIPAA Security Rule — A Summary or Data Breach Notification Requirements at cda.org/privacy-HIPAA.