In the past, dental offices may have felt less concerned by the Health Insurance Portability and Accountability Act, more often known as HIPAA, but this changed in 2015 when Dr Joseph Beck, a dentist, received a fine due to an alleged HIPAA violation, the first dentist to receive such a sanction.
Who can issue HIPAA penalties to Dentists?
This fine did not come from the Department of Health and Human Services’ Office for Civil Rights, the federal authority charged with enforcing HIPAA, but instead was issued by the Office of the Attorney General of Indiana. State Attorneys General can pursue HIPAA violations and in this instance Dr Beck was fined $12,000 as a result of the alleged mishandling of protected health information (PHI) relating to 5,600 people.
While HIPAA violations continue to occur and the ensuing sanctions continue to be handed down, dentists and dental offices have been rather unscathed. However, this may change with the increased focus and attention that state attorneys general and the OCR have put on dentists. Dental offices are liable to be audited for HIPAA compliance just like any other HIPAA-covered entity if they use electronic dental claims.
In the past, the OCR restricted itself mainly to issuing technical guidance in lieu of financial sanctions. As time goes on, however, dentist offices have been given ample opportunity to implement any necessary changes and procedures, so it may be that the OCR has somewhat lost its patience.
Advice from the ADA
In 2016, the American Dental Association urged dentists to take their obligations under HIPAA seriously. Dr. Andrew Brown, chair of the ADA Council on Dental Practice at the time, said, “there are steep consequences for health care providers that don’t comply with the law and we don’t want to see any dentists having to pay tens of thousands of dollars in a penalty.”
Dentists must ensure they are in compliance with all relevant aspects of HIPAA. Even dental offices that have not already been contacted by the OCR and asked to demonstrate HIPAA compliance will likely be contacted in the future. Auditors can conduct on-site visits and may request many different types of documents, for example documents relating to procedures, standard practices, and manuals which will all need to be in order.
An aspect which many may initially overlook is the threat posed to PHI by cyber attackers and other malicious online actors. Internet and cyber security may not seem like priorities and may not be fully understood by staff in your dental practice but it is essential that they be sufficient to comply with HIPAA rules. As it is so easy for a cyber attacker to instantly gain access to hundreds, thousands or even millions of patient records electronically, and as the OCR opens investigations into data breaches that affect the PHI of over 500 people, it is easy to see how a single successful attack can lead to a large amount of trouble and put many people at risk.
Given the simplicity with which a HIPAA violation can occur via electronic means, either by phishing scams, fake email attachments, stolen laptops or smart phones and many other ways, HIPAA-covered entities must protect their patients and themselves. Smaller practices may be easier targets for attackers and are therefore a prime target for the OCR to audit. It is therefore essential for dental offices to check their requirements under HIPAA and work to bring themselves in line with these necessities as quickly as possible.