Dr. Joseph Beck became the first dentist ever to receive a HIPAA violation fine in 2014. The case alerted dental offices to HIPAA compliance and its importance. Until then, dental offices had not been subjected to fines for noncompliance with HIPAA Rules.
The penalty was not applied by the Department of Health and Human Services' Office for Civil Rights (OCR), but by the Office of the Indiana Attorney General. The $12,000 fine was for what was believed to be the mishandling of the protected health information of 5,600 people.
Since then, many settlements have been agreed with covered entities for HIPAA violations. Dental offices have not been subjected to further penalties since then, although there is nothing to stop OCR or state attorneys general from fining dental offices for failing to comply with HIPAA Rules, and settlements for alleged HIPAA breaches are now being reached much more frequently than in 2015. Last year was the busiest year on record for settlements, and 2017 has seen this trend continue.
The probability of HIPAA violations being identified has also risen. OCR has already begun the long-delayed second phase of its HIPAA compliance audit program, and dental offices may still be chosen for an audit.
During the initial phase of compliance audits in 2011/2012, at least one dental office was audited. That round of audits revealed a variety of areas of noncompliance with HIPAA Rules, although OCR chose not to apply any financial penalties. Instead, noncompliance was addressed by issuing technical assistance. Now, five years later, covered entities have had plenty of time to put their compliance programs in place. Financial settlements can be expected if HIPAA violations are found by OCR auditors.
In 2016, the threat of HIPAA compliance audits for dental offices prompted Dr. Andrew Brown, chair of the ADA Council on Dental Practice, to issue a stern warning to dental offices urging them to take HIPAA compliance seriously. Brown commented, "There are steep consequences for health care providers that don't comply with the law and we don't want to see any dentists having to pay tens of thousands of dollars in a penalty."
If your dental office has not yet been chosen to demonstrate compliance with HIPAA Rules, that does not mean a review will not be conducted. OCR has only completed the first round of its phase 2 HIPAA audit program. The second round will include on-site visits, which are expected to start in early 2018.
OCR also investigates every covered entity that experiences a breach affecting 500 or more individuals. There has been a rise in cyberattacks on healthcare organizations in recent years, and dental offices could be the victims of future attacks.
Laptop computers holding ePHI can easily be lost or stolen, employees may snoop on records or steal sensitive data, mistakes can easily be made when configuring software, and unpatched weaknesses can simply be exploited. This year, the hacking group TheDarkOverlord exploited a vulnerability to gain access to the records of Aesthetic Dentistry of New York City and stole data, a reportable breach under HIPAA Rules.
If a data breach is suffered, OCR will need to be provided with evidence that HIPAA Rules have been adhered to. Complaints about privacy breaches and other potential HIPAA failures can be filed via the HHS website, and can easily lead to HIPAA investigations.
It would be a grievous error to believe that OCR will not audit small dental practices. OCR has made it clear that all covered entities, regardless of their size, must comply with HIPAA Rules. It is not only large healthcare groups that may have to pay a financial penalty for noncompliance with HIPAA Rules, as Dr. Beck could affirm.
The risk of data breaches is greater than ever before, and OCR is taking a stricter line with healthcare organizations that fail to comply with HIPAA Rules and keep electronic protected health information secure. Dental offices should always treat HIPAA compliance seriously and ensure that HIPAA Rules are being adhered to.