It could be worse…

About this time every year, I update my HIPAA research, including evaluating all of the large breaches that have occurred in the past year.  OCR (the HHS Office for Civil Rights) is responsible for enforcing HIPAA regulations, and their website has a list of all breaches that involve the private health information (PHI) of 500 or more patients in a single geographic area (HIPAA’s wall of shame).  I then check out HIPAA’s enforcement proceedings to see specific cases and what penalties were actually levied (HIPAA resolution agreements), and I also consider those incidents that I have personally encountered in the past year.

Since the 2013 changes, there are definite trends emerging.  First, I have noticed that the size of the entity does appear to affect the amount of the fine; in other words, hospitals and other large entities are generally fined more than individual offices for similar offenses.  That doesn’t mean that the fines for smaller organizations are insignificant.  (Well, they may be insignificant to the federal government, but I don’t find a $125,000 fine to be “insignificant” for any small business.  However, no one cares about my opinion on this, so, whatever.)

Secondly, it appears that the largest penalties are reserved for those entities who aren’t making a reasonable effort to comply with the regulations.  For example, although the HIPAA regulations do not absolutely require that encryption be used for all computers and electronic devices that contain patient PHI, they do make it clear that encryption must be considered as a reasonable precaution.  The resulting penalties to those who do not choose encryption also make it clear that, if there’s a chance that your computers and devices could be lost or stolen, then encryption is the proper choice. Those small entities that have not chosen encryption and have then been breached have received penalties ranging from $50,000 to $150,000 per incident.

It is also clear that all computer systems must be current, properly maintained, and adequately secured, and all software must be up to date, especially security software.  Firewalls must be sufficient for the size of the system, and security updates should be installed as they become available.  Software that can no longer be supported and updated, such as Windows XP, should not be used because it allows hackers easy access to PHI.  (I know it sucks to have to upgrade computers and software, but that’s just a cost of doing business.  If you want to use computers in your dental office, they have to be adequate, or patient information can be exposed.)

Programs must be regularly maintained and updated, blah, blah, blah.  Check out previous blog posts, my website, and my articles to see information on how to get your office in compliance.

The point of all this is that it appears that making an effort can make a difference.  I have a friend whose office was burglarized and 1600+ paper records were stolen.  Because he had properly trained his people, regularly maintained his HIPAA program, and because he had properly secured the facility (the burglary didn’t result from any negligence on the doctor’s part) and properly reported the breach, he was neither fined nor penalized.  In other words, he did what he was supposed to do and the HIPAA folks didn’t punish him.

That’s huge.  It means that we may have some level of control over our own destiny.  We can do the best we can to regularly maintain our programs, document training, and properly secure our computers, and if something bad happens, we may be able to avoid a large fine or penalty.  That’s good to know.  (Now, let’s not go crazy here…I will still be renewing my HIPAA data breach insurance policy next year, and I still realize that I could get some freak HIPAA inspector that is totally unreasonable, but the bottom line is that the trend is positive).

Anyway, hope this info makes you feel a little better and a little less overwhelmed!  Have a great week!

The future of regulations in dentistry…


I’ve been teaching regulatory compliance in dentistry since 1989 and have noticed a disturbing new trend.  For the first time, I’m doubting our ability to comply with government regulations in our own offices.

Here’s the deal.  When the OSHA regulations became a reality in the early 1990s, dentistry had to undergo many changes, but, with effort, it was accomplished. When the original HIPAA Privacy Rules were passed, the regulations were pretty reasonable and compliance was mostly within our control.  The regulations were time consuming, sometimes excessive, often did nothing to promote patient safety, but were manageable to achieve and not too intrusive.

That’s not necessarily the case with the HIPAA Security Rules.  Since the new final rule was passed in January 2013, along with its possibility of a $1.5 million penalty for a single violation, the game has changed.  The security rules deal with securing our patients’ private health information against theft or loss and, for the first time, compliance is not necessarily within our control.

For example, I deal with an office whose email was hacked.  Because of many expensive and extensive precautions they have already taken, the only information that was accessed was patient email lists, but the newest rules state that if the information can be linked to private health information to a degree that the patient could possibly be identified, then it could be a full-blown breach.  At that point, it becomes reportable to the patients involved, the HIPAA folks, and if it involves more than 500 people in a single geographic area, to the local media.  Experts estimate that a large computer breach can cost about $200 per patient in your computer.  Do that math…it’s horrifying.

Here’s my problem with the entire situation.  Regardless of how many precautions you take, every office can be hacked.  Hackers have accessed the CIA and NSA’s databases; ironically, Health and Human Services’ own website has been a frequent victim of hacking attacks.  With all the taxpayer money they have available to protect their databases and websites, they are still unable to completely protect private information, so what are our chances of being able to avoid a focused data breach attempt?

When I’ve discussed this situation with various HIPAA people over the years, they’ve assured me that by demonstrating that you’ve made a consistent, concerted effort, you avoid the largest fines.  They also say that they recognize that smaller businesses cannot afford a $1.5 million fine and would adjust penalties accordingly.  That being said, their idea of a small fine and mine are not the same.  Plus, I never trust the government when their message is “we’re the government…we’re here to help”. When a Massachusetts dermatologist’s office lost an unencrypted flash drive, they were given a $150,000 fine, despite the fact that there was no evidence the information had been accessed or compromised.  I know $150,000 isn’t a lot to a government employee playing with taxpayers’ money, but that’s a lot of money to us.

SO, how can we protect ourselves if we’re uncomfortable handling it completely on our own?  One option is to hire a company to take over HIPAA compliance in your office.  They will train, document, test your computer system to ensure it’s as safe as possible from hackers, and, from what I understand, they have coverage to help indemnify you in the event of a breach or violation.  Personally, I wouldn’t pay for someone else to handle my OSHA compliance, but I’d consider paying for that for HIPAA.  There is too much out of our control, and too much risk of exposure.  Experts are now saying that dental and medical offices are the number one targets for identity theft hackers, so we know we have a decent risk of having an issue, and the penalties are potentially huge.

Another option is to get an extra cyber liability policy that helps you protect yourself in the event you suffer a data breach.  The one we have gives you $1,000,000 security and privacy liability, plus it covers notification and regulatory compliance services.  It costs us about $450 a year, which is a total bargain, I think.  There are plenty of policies out there, so do your research and see if that extra bit of coverage might give you a little peace of mind.

Bottom line, do the best you can, protect yourself as much as possible and move on.  Freaky stuff can always happen, and you can only do the best you can do.  I hope giving y’all some information might be helpful.  Happy Holidays, y’all!!!!

Flu vaccinations save lives. I’m just sayin’…



Please do your own research on medical topics from reputable sources…don’t believe everything you see on Facebook or other internet sources.

For example, this article looks totally reputable and is all over Facebook: click here for article. It is supposedly from a Johns Hopkins scientist who states that the flu shot is ineffective and dangerous. Without getting into the whole vaccine debate, here are a few points of interest to consider in this specific article…

Peter Doshi is not a Johns Hopkins expert on the flu. In fact, he is neither an epidemiologist nor a virologist, and has never personally conducted any medical research on infectious diseases, including the flu. His degree is in anthropology and he completed a fellowship in comparative effectiveness research at Johns Hopkins. He is not employed by Johns Hopkins, and his view is not supported by the university. In fact, Johns Hopkins requires that all health care employees get a flu vaccine in order to prevent flu transmission among patients and employees. Click here to see Johns Hopkins employee flu policies.

Also, there’s no doubt that Big Pharma profits from disease; however, keep in mind that vaccines are not particularly profitable products. Vaccines have short shelf lives and do not generate long-term profits, plus the required research to get a vaccine to market is incredibly expensive. In fact, we have faced several vaccine shortages in the past because many pharmaceutical companies have stopped making them because of the relatively small profits and the risk of potential liability following individual adverse reactions. The real money is in treating chronic diseases and conditions; they could make more money if they’d let people get the flu and treat the resulting chronic conditions and complications.

Bottom line, if you sort through all the posturing in this article, Doshi’s position is that the flu vaccine is not 100% effective and doesn’t work for everyone. That is totally correct. However, many studies have confirmed that it is generally very effective, safe, and it significantly reduces hospitalizations and severe illness in the most vulnerable populations, including children and the elderly.

Finally, I don’t know how anyone can argue that influenza is not a serious public health threat. Every year, more than 200,000 Americans are hospitalized, and 36,000 die from complications of the flu. Sounds pretty serious to me.

Check it out for yourself and do the kind of research that will allow you to make an educated, informed, reality-based decision.

Good luck.

Laney Kay, JD, MPH
(talking about liability, safety, and disease transmission is what I do!)

Taking care of business…

If you’ve been watching the news, there have been a huge number of HIPAA breaches this fall.  Making sure our computers are protected sufficiently is the best way to protect our patients’ information and to keep HIPAA out of our businesses.

Check this out.  This is what HIPAA refers to as its “Wall of Shame” and lists all of the breaches that involve more than 500 patients in a single geographic area.  If you look through the list and pay close attention to individual doctors and dentists, you’ll see that most of the breaches are due to computers and devices that weren’t encrypted properly and were either lost or stolen.

Encrypting your hard drive and devices prevents breaches.  Yes, it costs some money up front, but in the event you lose, or someone steals, your computer, iPad, smartphone, backup flash drive, or hard drive, if they are encrypted it’s not a breach.  That’s a pretty huge deal.  Here’s documentation directly from the HIPAA folks that specifies that encrypted items prevent breaches: HIPAA Encryption Guidance.

Otherwise, you need to make sure your computer security is current and is sufficient for the type of system utilized by your office.  You need the proper security software, passwords, firewalls, and systems in place to ensure that your system is protected during use.  Discuss this with your computer dude to make sure you have the proper level of security so that information is protected as much as possible.  Here are some really helpful FAQs about security, directly from HIPAA: Click here.

Hope this info helps!


Staying on top of HIPAA…

Sometimes a picture’s worth a thousand words!! (One of my favorite gifts from a doc!)

Most of us admit that HIPAA scares the crap out of us!  It’s arbitrary, the program is often difficult to understand and can take a huge amount of time to maintain, and if we violate the rules, we can go to prison or get a fine of up to $1.5 million per incident.  No wonder we’re all freaked out!

My experience is that the best way to get your office in shape with HIPAA is to hold your nose and dive in!  Truthfully, our perceptions about what we have to do are often worse than the reality.  HIPAA in dentistry is often just common sense…always disclose the minimum amount necessary, never talk about patients outside the office, regularly maintain and upgrade your HIPAA program by doing regular risk assessments, make sure that patients’ information is as safe as possible, have business associate agreements in place, send people a copy of their charts when they request it (even if they owe you money), have a manual and have your HIPAA officer keep it current, and make sure your computer hard drives are encrypted and adequate security measures are in place for your system.

Here is a great website you can sign up for and they will keep you up to date on potential HIPAA issues: (click here for the website).  It’s not specifically dental, so don’t let it freak you out, but it’s good to see what kind of issues are arising in the areas of HIPAA privacy and security.

Another great source of info is HIPAA’s question and answer website: (click here to go to HIPAA’s website).  On this website, you can type in a search term (like sign-in sheets, for example) and it will show you all of the questions people have asked on that topic and tell you how the HIPAA folks answered it.  You can also browse by category on the drop-down menu. By poking around on this website, you’ll start to see that a lot of the issues we encounter are best handled by simply using common sense!  It’s also a great source because you can often find the answer to questions you may be concerned about.

Hope y’all find this useful.  Have a great weekend!

(And GO DAWGS!!!)



The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was originally enacted to ensure portability of health insurance, simplify the administration of health insurance coverage, and standardize electronic transactions between healthcare providers and insurance companies. The section of HIPAA that concerns dentistry is the Privacy Rule, which addresses patient privacy issues and regulates how private health information can be used and disclosed. Your mission will be to determine what level of security must be undertaken in your office to ensure the highest level of patient privacy without compromising patient care.


When healthcare facilities began to use electronic means to access and disseminate private health information, it became obvious that uniform laws were needed to ensure the protection of patients’ privacy. The Privacy Rule ensures that private health information is disclosed only when necessary, only to the extent necessary, and only to those who need the information in order to provide healthcare to the patient.


The Privacy Rule will go into effect April 14, 2003.


Essentially, the Privacy Rule deals with all personal medical records and any other individually identifiable health information, either written or oral, that is created or received by a healthcare provider. This includes information about the patient’s past, present, or future health, as well as any payment information.


It applies to your office only if you submit or receive claims electronically or through a clearinghouse, if you check patients’ eligibility or claim status through electronic means, or if you send paper claims to a service to be converted into electronic claims.  (From a risk management perspective, posting privacy policies and having patients sign a consent form is probably a good idea. It is very likely that this eventually will become the standard of care in dentistry, so you probably will have to make these changes anyway.)


There are severe civil penalties (up to $100 for each offense) and criminal penalties (up to $250,000 and/or 10 years in prison) for violations of the standard. Obviously, it is important to make a “good faith” effort to get your office into compliance.

The Journal of Practical Hygiene, Jan/Feb 2003


It’s not as bad as we once feared. You don’t have to soundproof your offices, put doors on each operatory, or reconfigure the walls so that they reach to the ceiling. You don’t have to remove computers from your operatories or have special shields for your monitors, although passwords and screen savers should be used. Provided that your charts are located in an area that is inaccessible to non-employees, they don’t need to be kept in a locked cabinet. Yes, you can still call in a prescription for a new patient; you can mail appointment reminders; you can give out imprinted toothbrushes and magnets; and you can call patients by name in your reception area. You can also fax personal health information to another doctor if you are disclosing it for treatment purposes.


Here are some basic steps to get started with HIPAA compliance:

  • Buy and read a HIPAA compliance manual that offers samples of policies and forms.
  • Designate one person in the office as the Privacy Officer who will ensure that the established privacy policies are enforced.
  • Develop written privacy policies and post them in a conspicuous place.
  • Inform your patients that you have adopted these privacy policies and provide information as to how it affects their rights. Have your patients sign forms acknowledging that they were informed of these rights and give permission for treatment under those parameters.
  • Evaluate your relationships with business associates (eg, attorneys, dental labs, collection services, answering services, consultants) and determine which ones have access to your patients’ private health information. Have those associates sign a Business Associate Contract.

 Well, at least now you have an understanding of HIPAA so you can get started on your quest for compliance. Good luck!

HIPAA: Facts, fiction, and how to do it

HIPAA. Okay, you’ve heard of it, you understand a little of it, you’ve ignored it as long as possible, and now you have to do something about it before April 14, 2003. The good news is that HIPAA is truly not a big deal. It’s confusing, it’s boring, but it’s not really difficult, so settle in, get some coffee so you’ll stay awake, and let’s get this over with.

Let me introduce you to HIPAA, the Health Insurance Portability and Accountability Act. It is a huge piece of legislation that was intended to fix many aspects of health care and health insurance, and includes sections that ensure portability of health insurance, simplify the administration of health insurance coverage, and standardize electronic transactions between health care providers and insurance companies. This is also the law that sets up Medical Savings Accounts and requires insurers to cover patients with pre-existing conditions. The section of HIPAA that concerns dentistry is the Privacy Rule; it addresses patient privacy issues and regulates how private health information can be used and disclosed. This private health information includes all personal medical records and any other individually identifiable health information, either written or oral, that is created or received by a health care provider. This includes information about the patient’s past, present, or future health or physical condition, as well as any payment information.

Some dental offices are not affected by HIPAA at all. If you submit electronic claims, if you verify insurance eligibility or coverage electronically, and/or if you submit paper claims to a billing service that converts them to electronic claims, then you are covered by HIPAA and must comply with its requirements. If you do not do any of these things, you are not covered by HIPAA and you don’t have to do anything, at least not at this time.

Okay, on to some basics. Why was HIPAA enacted? Why are we having to take all these precautions to protect patients’ privacy?

Why Was HIPAA Enacted?

As with most legislation, the lawmakers had good intent. When Congress held hearings about patient privacy, hundreds of individuals came forward with horror stories about their private medical information being released without authorization. In Tampa, Florida, a disgruntled public health worker sent the names of more than 4,000 people who tested positive for HIV to two newspapers. Many large companies self-insure their employees; employees of some of these companies had been fired without cause when their employers discovered that these employees had a potentially expensive medical condition. Medical doctors had sold their patient lists to marketing and pharmaceutical companies without patient permission, thereby making this information easily accessible to the general public. Pharmacists and hospitals had disclosed personal information to friends and family members without first obtaining permission; one patient’s children found out that he had AIDS when they were informed by a pharmacy clerk.

No one would argue that medical information should be protected. We are all patients as well as health care professionals, so we have a vested interest in making sure that patients’ personal information remains private. Our goal is to determine what level of security must be undertaken to ensure the highest level of patient privacy without compromising patient care.

The good news is that the Privacy Rule considers the size and type of the facility when determining what level of security is needed to provide adequate privacy protection. For example, a hospital with a huge staff and thousands of records will have different security concerns than a small dental facility. As a result, because of the size and nature of our facilities, there is very little we have to do to satisfy the HIPAA requirements.

Compliance: Rumors and Truth

There were all kinds of rumors about the horrible things we would have to do to comply with HIPAA.

Fortunately, it’s not as bad as we once feared. You don’t have to soundproof your office. You don’t have to put doors that close on each operatory or reconfigure your walls so that they reach to the ceiling. So long as your charts are located in an area that is inaccessible to patients or other non-employees, you do not have to keep your charts locked in a cabinet. Although posting a schedule is probably fine because it helps ensure that care is being provided to the correct patient, try to minimize the amount of private information that appears next to the patient’s name and try to post it where it is not easily visible to any other patients. (One method of protecting patients’ privacy would use abbreviations that are not obvious to patients who might view the schedule; instead of writing “denture” next to “Mrs. Lisa Jones,” you might write “LD” for “lower denture,” or “LCD” for “lower complete denture,” etc.) You don’t have to remove computers from your operatories or have special shields for your computers; just make sure that you take reasonable precautions to protect your patients’ information. Use passwords and set your screen savers so that personal information is visible only when in use.

You can call in a prescription for a new patient. You can send appointment reminder cards in the mail, you can give out imprinted toothbrushes and magnets, and you can call patients by name in your reception area. You can use sign in sheets, but limit the requested information to name, address, phone number, etc. You can fax personal health information to another doctor if you are disclosing it for treatment purposes.

These are not unreasonable demands. In fact, most of these precautions are sensible and good business practice. It makes sense to do things like lowering your voice when you discuss private information with a patient, or going to a more private location if you’re discussing something that could be potentially embarrassing. Health care providers are allowed to make “incidental disclosures,” which are disclosures that occur as a by-product of an otherwise permitted disclosure, but the general rule should always be to disclose the minimum amount of information necessary to accomplish your goal. (Examples of “incidental disclosures” would be a patient overhearing you talking to another patient as they walk by an open door, or other patients hearing a patient’s name when you call for him in the reception area.)

We also have to be careful when disclosing information to other business associates. Dental offices often work with dental labs, collection agencies, answering services, dental consultants, attorneys, and accountants, and all of these entities may have access to your patients’ personal health information while performing their duties related to your office. (Employees, janitorial services, repair technicians, contractors, and delivery people are not considered to be business associates.) It is necessary to analyze your relationships with these business associates and determine whether they have access to your patients’ personal information. If they do, you need to enter into a formal business associate agreement in which they state that they are aware of your privacy policies and agree to abide by them.

It is very important to make a good faith effort to protect your patients’ private information. Civil penalties can be up to $100 for each offense (with a cap of $25,000 per year for multiple offenses), and criminal penalties can be up to $250,000 and/or 10 years in prison for deliberate, wrongful misuse of personal health information. The good news is that there’s no “HIPAA police” running around looking for violators, but that doesn’t mean we shouldn’t do whatever we need to do to get our office into compliance.

What Exactly Do We Need To Do?

The good news is that whipping your office into shape is pretty easy. First, buy a HIPAA compliance manual that offers samples of policies and forms. [Editor’s Note: The American Dental Association sells a HIPAA privacy kit for $125 that contains all the necessary forms and information for meeting the Privacy Standard. The ADA also sells a videotape/DVD of the privacy seminar the Association is conducting nationwide. The videotape/DVD is $99.95, or $200 when combined with the privacy kit. Call (800) 947-4746 to purchase.] Read the manual so you have an idea of the HIPAA requirements and evaluate your office to see where your office needs to improve its privacy policies. Designate one person in your office to be the privacy officer and develop and adopt written policies. Post a copy of your privacy policies in a prominent place. Meet with your employees and explain the need for protecting patients’ private health information, then explain the specific privacy policies that your office has adopted. Have your employees sign a form acknowledging their understanding of your office’s privacy policies and put the signed forms in your HIPAA notebook. Next, inform your patients that you have adopted specific privacy policies and offer them a copy. Have them sign two forms: one acknowledging that they received copies of your privacy policies; and one “consent” form that informs them of your practice’s privacy policies and states that they consent to treatment with those procedures in place. Place both of these forms in the patients’ charts.

That’s it. See, I told you it wasn’t a big deal! HIPAA’s privacy rule is much less invasive and much less demanding than we feared, and it does serve the purpose of protecting patients’ privacy. My advice is set a date, get busy, and get it over with! Happy HIPAA!

Laney Kay, JD has taught OSHA-related and regulatory courses across the Southeast since 1989. Her husband is a general dentist in Marietta, so she has had exposure to regulations’ effects on dentistry since the beginning. She has authored several articles on regulatory issues for this publication and others.