The future of regulations in dentistry…


I’ve been teaching regulatory compliance in dentistry since 1989 and have noticed a disturbing new trend. For the first time, I’m doubting our ability to comply with government regulations in our own offices.

Here’s the deal. When the OSHA regulations became a reality in the early 1990s, dentistry had to undergo many changes, but, with effort, it was accomplished. When the original HIPAA Privacy Rules were passed, the regulations were pretty reasonable and compliance was mostly within our control. The regulations were time-consuming, sometimes excessive, and often did nothing to promote patient safety, but they were manageable to achieve and not too intrusive.

That’s not necessarily the case with the HIPAA Security Rules. Since the new final rule was passed in January 2013, along with its possibility of a $1.5 million penalty for a single violation, the game has changed. The security rules deal with securing our patients’ private health information against theft or loss and, for the first time, compliance is not necessarily within our control.

For example, I deal with an office whose email was hacked. Because of many expensive and extensive precautions they had already taken, the only information that was accessed was patient email lists, but the newest rules state that if the information can be linked to private health information to a degree that the patient could possibly be identified, then it could be a full-blown breach. At that point, it becomes reportable to the patients involved, to the HIPAA folks, and, if it involves more than 500 people in a single geographic area, to the local media. Experts estimate that a large computer breach can cost about $200 per patient in your computer system. Do that math…it’s horrifying.

Here’s my problem with the entire situation. Regardless of how many precautions you take, every office can be hacked. Hackers have accessed the CIA’s and NSA’s databases; ironically, Health and Human Services’ own website has been a frequent victim of hacking attacks. With all the taxpayer money they have available to protect their databases and websites, they are still unable to completely protect private information, so what are our chances of being able to avoid a focused data breach attempt?

When I’ve discussed this situation with various HIPAA people over the years, they’ve assured me that by demonstrating that you’ve made a consistent, concerted effort, you avoid the largest fines. They also say that they recognize that smaller businesses cannot afford a $1.5 million fine and would adjust penalties accordingly. That being said, their idea of a small fine and mine are not the same. Plus, I never trust the government when their message is “we’re the government…we’re here to help.” When a Massachusetts dermatologist’s office lost an unencrypted flash drive, they were given a $150,000 fine, despite the fact that there was no evidence the information had been accessed or compromised. I know $150,000 isn’t a lot to a government employee playing with taxpayers’ money, but that’s a lot of money to us.

So, how can we protect ourselves if we’re uncomfortable handling it completely on our own? One option is to hire a company to take over HIPAA compliance in your office. They will train, document, and test your computer system to ensure it’s as safe as possible from hackers, and, from what I understand, they have coverage to help indemnify you in the event of a breach or violation. Personally, I wouldn’t pay for someone else to handle my OSHA compliance, but I’d consider paying for that for HIPAA. There is too much out of our control, and too much risk of exposure. Experts are now saying that dental and medical offices are the number one targets for identity theft hackers, so we know we have a decent risk of having an issue, and the penalties are potentially huge.

Another option is to get an extra cyber liability policy that helps you protect yourself in the event you suffer a data breach. The one we have gives you $1,000,000 in security and privacy liability coverage, plus it covers notification and regulatory compliance services. It costs us about $450 a year, which is a total bargain, I think. There are plenty of policies out there, so do your research and see if that extra bit of coverage might give you a little peace of mind.

Bottom line, do the best you can, protect yourself as much as possible, and move on. Freaky stuff can always happen, and you can only do the best you can do. I hope giving y’all some information might be helpful. Happy Holidays, y’all!!!!

Flu vaccinations save lives. I’m just sayin’…



Please do your own research on medical topics from reputable sources…don’t believe everything you see on Facebook or other internet sources.

For example, this article looks totally reputable and is all over Facebook. It is supposedly from a Johns Hopkins scientist who states that the flu shot is ineffective and dangerous. Without getting into the whole vaccine debate, here are a few points of interest to consider in this specific article…

Peter Doshi is not a Johns Hopkins expert on the flu. In fact, he is neither an epidemiologist nor a virologist, and he has never personally conducted any medical research on infectious diseases, including the flu. His degree is in anthropology, and he completed a fellowship in comparative effectiveness research at Johns Hopkins. He is not employed by Johns Hopkins, and his view is not supported by the university. In fact, Johns Hopkins requires that all health care employees get a flu vaccine in order to prevent flu transmission among patients and employees. Click here to see Johns Hopkins employee flu policies.

Also, there’s no doubt that Big Pharma profits from disease; however, keep in mind that vaccines are not particularly profitable products. Vaccines have short shelf lives and do not generate long-term profits, plus the research required to get a vaccine to market is incredibly expensive. In fact, we have faced several vaccine shortages in the past because many pharmaceutical companies have stopped making them because of the relatively small profits and the risk of potential liability following individual adverse reactions. The real money is in treating chronic diseases and conditions; they could make more money if they’d let people get the flu and treat the resulting chronic conditions and complications.

Bottom line, if you sort through all the posturing in this article, Doshi’s position is that the flu vaccine is not 100% effective and doesn’t work for everyone. That is totally correct. However, many studies have confirmed that it is generally very effective, safe, and it significantly reduces hospitalizations and severe illness in the most vulnerable populations, including children and the elderly.

Finally, I don’t know how anyone can argue that influenza is not a serious public health threat. Every year, more than 200,000 Americans are hospitalized, and 36,000 die from complications of the flu. Sounds pretty serious to me.

Check it out for yourself and do the kind of research that will allow you to make an educated, informed, reality-based decision.

Good luck.

Laney Kay, JD, MPH
(talking about liability, safety, and disease transmission is what I do!)

Taking care of business…

If you’ve been watching the news, there have been a huge number of HIPAA breaches this fall. Making sure our computers are protected sufficiently is the best way to protect our patients’ information and to keep HIPAA out of our businesses.

Check this out. This is what HIPAA refers to as its “Wall of Shame,” and it lists all of the breaches that involve more than 500 patients in a single geographic area. If you look through the list and pay close attention to individual doctors and dentists, you’ll see that most of the breaches are due to computers and devices that weren’t encrypted properly and were either lost or stolen.

Encrypting your hard drive and devices prevents breaches. It costs some money up front, but in the event you lose, or someone steals, your computer, iPad, smartphone, backup flash drive, or hard drive, if they are encrypted it’s not a breach. That’s a pretty huge deal. Here’s documentation directly from the HIPAA folks that specifies that encrypted items prevent breaches: HIPAA Encryption Guidance.

Otherwise, you need to make sure your computer security is current and is sufficient for the type of system utilized by your office. You need the proper security software, passwords, firewalls, and systems in place to ensure that your system is protected during use. Discuss this with your computer dude to make sure you have the proper level of security so that information is protected as much as possible. Here are some really helpful FAQs about security, directly from HIPAA.

Hope this info helps!


Staying on top of HIPAA…

Sometimes a picture’s worth a thousand words!! (One of my favorite gifts from a doc!)

Most of us admit that HIPAA scares the crap out of us! It’s arbitrary, the program is often difficult to understand and can take a huge amount of time to maintain, and if we violate the rules, we can go to prison or get a fine of up to $1.5 million per incident. No wonder we’re all freaked out!

My experience is that the best way to get your office in shape with HIPAA is to hold your nose and dive in! Truthfully, our perceptions about what we have to do are often worse than the reality. HIPAA in dentistry is often just common sense…always disclose the minimum amount necessary, never talk about patients outside the office, regularly maintain and upgrade your HIPAA program by doing regular risk assessments, make sure that patients’ information is as safe as possible, have business associate agreements in place, send people a copy of their charts when they request it (even if they owe you money), have a manual and have your HIPAA officer keep it current, and make sure your computer hard drives are encrypted and adequate security measures are in place for your system.

Here is a great website you can sign up for, and they will keep you up to date on potential HIPAA issues. It’s not specifically dental, so don’t let it freak you out, but it’s good to see what kind of issues are arising in the areas of HIPAA privacy and security.

Another great source of info is HIPAA’s question and answer website. On this website, you can type in a search term (like sign-in sheets, for example) and it will show you all of the questions people have asked on that topic and tell you how the HIPAA folks answered them. You can also browse by category on the drop-down menu. By poking around on this website, you’ll start to see that a lot of the issues we encounter are best handled by simply using common sense! It’s also a great source because you can often find the answer to questions you may be concerned about.

Hope y’all find this useful. Have a great weekend!

(And GO DAWGS!!!)