Does My Dental Practice Need to be HIPAA Compliant?
After speaking to many IT providers and a few dental practices, the consensus is that dentists believe they do not need to comply with HIPAA regulations.
I thought it was time to discuss this and put an end to the debate.
Why Discuss Dentists and HIPAA Now?
2019 has seen a lot of dental practices victimized by ransomware attacks. In each attack, the dental practice was not the origin of the initial breach, but due to a lack of phishing and ransomware mitigation, the dentists were ultimately severely impacted.
In the most recent incident, a Colorado-based MSP was compromised by attackers. The attackers then utilized the MSP’s remote support software to connect to more than 100 dentists and launch a ransomware attack.
Many of these dentists are still closed weeks after the attack.
One of the software companies involved also provided backup services for the dentists, which meant the dentists had no ability to restore from backup.
PM Consultants, an Oregon-based MSP that provided IT consulting services to dental practices, including software updates and backups, was a victim of ransomware in July. It was reported that dental practice customers in Oregon and Washington were unable to access patient files. The company owners announced in late July, in an email to their customers, that they were shutting down their business, partially due to the ransomware incident. As of October 28, three months after the attack, PM Consultants’ website continues to be offline, and their phone is disconnected.
One common theme in all these attacks was the lack of security controls put in place by the MSP, most notably the absence of MFA.
Why Are These Dentist Cyber Attacks So Important?
I bring up these three incidents to highlight that dental practices are being attacked and could conceivably be held liable under HIPAA regulations, especially if there is no Business Associate Agreement in place.
Many dentists will argue that they are not held to HIPAA standards for patient privacy.
I have personally spoken to dentists in my area who show signs of weak security and a lack of HIPAA best practices, without even a Security Risk Assessment having been completed.
Things I have seen in just the last 2 months include:
- Using free email accounts like Gmail, Yahoo, Hotmail and in one case AOL
- Not having a secured website
- Leaving workstations unlocked and unattended
Dentists will insist they don’t need to follow HIPAA best practices.
I even had one dentist tell me flat out they don’t fall under HIPAA guidelines and they have no intention of doing anything about it.
How Do You Know Dentists Are Required to be HIPAA Compliant?
It’s simple really. The easiest way to figure out HIPAA is to look at past fines and settlements. One such settlement involved a dental practice that was fined for the way it responded to a Yelp review.
Yes, you read that right. They responded to a review on Yelp, and that response included PHI. The original reviewer filed a complaint with HHS, and the result was a $10,000 fine.
Now, if you’re a busy dental practice, $10,000 is not a big deal to you. What’s more important here is that the OCR determined the dental practice did, in fact, violate HIPAA regulations.
This means that Dentists are required to have a HIPAA compliance program. This means that dentists can be fined for HIPAA violations.
This means that a complaint to the Office for Civil Rights (OCR) for anything can result in an investigation by the OCR, and a significant fine if there is negligence.
Negligence can include things such as flat-out ignoring HIPAA or using a Hotmail account to communicate Protected Health Information (PHI) to clients. Negligence can cost you $50,000 per record.
Let’s Put It All Together
Hospitals and healthcare providers have been, and continue to be, fined when there are ransomware attacks and/or data breaches. They are also fined for not encrypting devices that are later stolen, or for having paper healthcare records disappear.
If the OCR can fine a dental practice for responding to a Yelp review with PHI, then it’s logical that dental practices should be concerned about being fined for much more serious breaches.
What Does That Mean for Dentists and HIPAA?
To put it bluntly, dentists are required to be HIPAA compliant.
What it really means is that dentists need to start looking at their HIPAA compliance program. There is a big difference between ignoring HIPAA and at least trying to address it.
Look around at your practice.
- Are you using a free email account for communication with patients?
- Are computers unlocked and unattended?
- Do you have a Security Risk Assessment (and action plan) on file?
- Do you have Business Associate Agreements for your vendors?
- Is your staff trained on phishing? Are you?
These are just some of the questions you should be asking.
If, even after reading this blog, you decide that HIPAA is not a requirement for your practice (it is), then consider this.
HIPAA is not about fines and guidelines. It’s about patient care and rights.