New resource helps dentists stay HIPAA-compliant

An average dental practice data breach can cost a dentist anywhere from $100,000 to more than $1 million. According to the Office for Civil Rights, an average of 4,707 individuals are affected by a breach in a dental practice.

Dentists who are Health Insurance Portability and Accountability Act (HIPAA)-covered entities and haven't taken the necessary steps to put a plan in place to protect patient data and experience a breach could face these significant fines and penalties depending on the situation — not to mention the impact it would have on the dentist's professional reputation.

To help dentists, CDA has released a new, members-only, HIPAA Compliance CD Bundle. ADA sells its Practical Guide to HIPAA Compliance for $250 alone, but CDA has negotiated a price of $125 for its members that includes an additional CD, the CDA Practice Support Template and Forms for Privacy, Security and Breach Notification Policies and Procedures. The bundle helps dentists design and implement a comprehensive compliance program using a step-by-step approach.

For the Template and Forms for Privacy, Security and Breach Notification Policies and Procedures, CDA made the material easy to use for staff training and made the additions and revisions necessary to ensure the policies and procedures comply with California law. The template is simple to complete and to update as needed. HIPAA compliance also requires covered entities to conduct a risk analysis of how patient information is used, stored, communicated and disposed of. The ADA Practical Guide to HIPAA Compliance includes a sample risk assessment worksheet that dental practices can use. The ADA guide also includes additional forms and a thorough explanation of HIPAA requirements.


CDA offers members the following recommendations to protect their data.

Encrypt data at rest.

Encryption is an "addressable" technical standard under the HIPAA Security Rule, which means it is not strictly required: a covered entity must assess whether encryption is reasonable and appropriate for its environment and, if it decides not to encrypt, document why and implement an equivalent alternative measure. However, data encryption provides a safe harbor from the notification provisions of state and federal data protection laws, because a lost or stolen encrypted device generally does not count as a reportable breach. If a dentist's system is capable of encryption, he or she should use it. Dentists can check with their practice management software vendors about the ability to encrypt data.

Strengthen the physical security of the server and hard drives if encrypting the data is not an option.

Look into ways to secure the drives to something difficult to move, or add barriers that impede access to the system as well as access to the office, patient files or computers.

Encrypt portable devices, such as laptop computers and flash drives.

A dermatology practice lost an unencrypted thumb drive and recently reached a resolution agreement with the Department of Health and Human Services that called for the practice to pay $150,000 and comply with a corrective action plan. If dentists cannot encrypt these devices, they should consider using cloud backup services instead of carrying data on portable media. If using a cloud backup service, have a business associate agreement with the company.

Purchase a data compromise policy.

TDIC offers this policy, with $50,000, $100,000 and $250,000 limits, as an addendum to property coverage. Such a policy can pay for mailing notification letters to patients, providing affected individuals with credit monitoring and more.

For more information on TDIC's offerings, visit thedentists.com. View the CDA Practice Support resources HIPAA Security Rule — A Summary or Data Breach Notification Requirements at cda.org/privacy-HIPAA.

Updated: 09/24/15
