The future of regulations in dentistry…

regulatory compliance

I’ve been teaching regulatory compliance in dentistry since 1989 and have noticed a disturbing new trend.  For the first time, I’m doubting our ability to comply with government regulations in our own offices.

Here’s the deal.  When the OSHA regulations became a reality in the early 1990s, dentistry had to undergo many changes, but, with effort, it was accomplished. When the original HIPAA Privacy Rules were passed, the regulations were pretty reasonable and compliance was mostly within our control.  The regulations were time consuming, sometimes excessive, often did nothing to promote patient safety, but were manageable to achieve and not too intrusive.

That’s not necessarily the case with the HIPAA Security Rules.  Since the new final rule was passed in January 2013, along with its possibility of a $1.5 million penalty for a single violation, the game has changed.  The security rules deal with securing our patients’ private health information against theft or loss and, for the first time, compliance is not necessarily within our control.

For example, I deal with an office whose email was hacked.  Because of many expensive and extensive precautions they have already taken, the only information that was accessed was patient email lists, but the newest rules state that if the information can be linked to private health information to a degree that the patient could possibly be identified, then it could be a full-blown breach.  At that point, it becomes reportable to the patients involved, the HIPAA folks, and if it involves more than 500 people in a single geographic area, to the local media.  Experts estimate that a large computer breach can cost about $200 per patient in your computer.  Do that math…it’s horrifying.

Here’s my problem with the entire situation.  Regardless of how many precautions you take, every office can be hacked.  Hackers have accessed the CIA and NSA’s database; ironically, Health and Human Services’ own website has been a  frequent victim of hacking attacks.  With all the taxpayer money they have available to protect their databases and websites, they are still unable to completely protect private information, so what are our chances of being able to avoid a focused data breach attempt?

When I’ve discussed this situation with various HIPAA people over the years, they’ve assured me that by demonstrating that you’ve made a consistent, concerted effort, you avoid the largest fines.  They also say that they recognize that smaller businesses cannot afford a $1.5 million fine and would adjust penalties accordingly.  That being said, their idea of a small fine and mine are not the same.  Plus, I never trust the government when their message is “we’re the government…we’re here to help”. When a Massachusettes dermatologist’s office lost an unencrypted flash drive, they were given a $150,000 fine, despite the fact that there was no evidence the information had been accessed or compromised.  I know $150,000 isn’t a lot to a government employee playing with taxpayer’s money, but that’s a lot of money to us.

SO, how can we protect ourselves if we’re uncomfortable handling it completely on our own?  One option is to hire a company to take over HIPAA compliance in your office.  They will train, document, test your computer system to ensure it’s as safe as possible from hackers, and, from what I understand, they have coverage to help indemnify you in the event of a breach or violation.  Personally, I wouldn’t pay for someone else to handle my OSHA compliance, but I’d consider paying for that for HIPAA.  There is too much out of our control, and too much risk of exposure.  Experts are now saying that dental and medical offices are the number one targets for identity theft hackers, so we know we have a decent risk of having an issue, and the penalties are potentially huge.

Another option is to get an extra cyber liability policy that helps you protect yourself in the event you suffer a data breach.  The one we have gives you $1,000,000 security and privacy liability, plus it covers notification and regulatory compliance services.  It costs us about $450 a year, which is a total bargain, I think.  There are plenty of policies out there, so do your research and see if that extra bit of coverage might give you a little peace of mind.

Bottom line, do the best you can, protect yourself as much as possible and move on.  Freaky stuff can always happen, and you can only do the best you can do.  I hope giving y’all some information might be helpful.  Happy Holidays, y’all!!!!

Laney Kay