A peer-reviewed journal that offers evidence-based clinical information and continuing education for dentists.

Safeguarding Your Patient Data

Tips for navigating compliance and mitigating breach risks.


Over the past decade, the number of security breaches across the healthcare industry has skyrocketed, with 2021 seeing more data breaches than any other year since records have been published.1,2 This trend is expected to continue.

Recently, one dental breach compromised approximately 9 million individuals’ protected health information (PHI).3,4 The locations from which patient data are breached include, but are not limited to, laptops, desktop computers, email, network servers, and portable electronic devices.

Oral health professionals must identify risks and employ methods to mitigate susceptibility. In addition, dental organizations should invest in annual security awareness training for team members to learn how to prevent information security breaches in the future.

Regulatory Oversight

The Office for Civil Rights (OCR) is the regulatory body for the Health Insurance Portability and Accountability Act of 1996 (HIPAA). It issues guidance on the HIPAA privacy and security rules, including how these rules apply to electronic health records, personal health records, and health IT. The OCR also enforces compliance with the HIPAA privacy and security rules through investigation and the ability to impose civil monetary penalties.5

The Office of the National Coordinator for Health Information Technology (ONC) develops nationwide health information technology infrastructure that allows for the electronic use and exchange of health information. This includes examining and recommending policies, technology, and practices that protect privacy and promote security.5

The OCR defines a breach as an “impermissible use or disclosure under the privacy rule that compromises the security or privacy of protected health information.”6 Data breaches are typically classified into two categories: internal and external. Internal data breaches comprise incidents that originate inside an organization and may include privilege abuse, unauthorized access/disclosure, improper disposal of unnecessary but sensitive data, loss or theft of devices or records, or the unintentional sharing of confidential data with an unauthorized party. External data breaches include malware attacks, ransomware attacks, phishing, spyware, and fraud.7

Breaches of dental patient information are reported to the OCR, as are breaches from all other healthcare services. A 15-year analysis showed that the healthcare sector faced the highest number of data breaches of any sector.9 Moreover, between 2015 and 2019, the healthcare industry accounted for 76.59% of reported data breaches.1,7

Covered entities are defined in the HIPAA rules as health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with transactions for which the Department of Health and Human Services (HHS) has adopted standards.8 Dental practices are therefore covered entities, and individual dentists and dental hygienists are covered if they transmit any health information in electronic form in connection with a transaction for which HHS has adopted a standard.

Although dental practices themselves are covered entities, much of the risk sits with their vendors: business associates have outpaced health plans in the number of HIPAA breaches reported to the OCR. If a covered entity engages a business associate to help carry out any healthcare activity or function, a written business associate contract must be in place. The contract must establish specifically what the business associate has been engaged to do and must require the business associate to comply with HIPAA.

Business associates are vendors (to a covered entity) that “create, receive, maintain, or transmit” PHI, while performing a service involving the PHI.17 Business associates include collection agencies, billing or coding companies, IT consultants and vendors, practice management services, medical transcriptionists, answering services, e-prescribing services, law offices or accounting firms, and subcontractors providing remote backup services of patient information for an IT contractor. A member of the covered entity’s workforce is not a business associate; however, one covered entity can be a business associate of another covered entity. For example, a health insurance plan can be a business associate of a dental practice.9,10

The OCR and state attorneys general can issue penalties for HIPAA violations. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards required by HIPAA. The penalty structure has four tiers:

Tier 1. Covered entity was unaware of and could not have realistically avoided violation and a reasonable amount of care had been taken to abide by HIPAA rules. Fine of $100 to $50,000 per violation (maximum $25,000 per year).

Tier 2. Covered entity should have been aware of but could not have avoided violation even with a reasonable amount of care (but falling short of willful neglect of HIPAA rules). Fine of $1,000 to $50,000 per violation (maximum $100,000 per year).

Tier 3. Violation due to a direct result of willful neglect of HIPAA rules in cases where an attempt has been made to correct the violation. Fine of $10,000 to $50,000 per violation (maximum $250,000 per year).

Tier 4. Violation of HIPAA rules constituting willful neglect where no attempt has been made to correct the violation. Fine of $50,000 per violation (maximum $1.5 million per year).

Steps to Ensure a Safer Dental Practice

The American Dental Association (ADA) recommends the development of policies and procedures that outline the administrative, physical, and technical safeguards to ensure compliance and protect patients’ health information.11 Administrative safeguards establish standards for the health information security program. These may include risk management protocols, written policies and procedures, office training, a designated practice security and privacy officer, documentation of security incidents, and establishing business associate agreements.12

Physical safeguards control physical access to the office and its computer systems. Such safeguards restrict physical access to electronic PHI and limit facility access by ensuring the physical environment of each workstation protects any data that might be visible on screens; establishing device and media controls that ensure the secure storage of data; and securing the transportation and disposal of data and of any devices used to store them.12

Technical safeguards are the technologies and procedures that limit access to electronic PHI, protect the data, and control who can use it. Key practices include access control and validation processes that restrict access to PHI, including promptly removing the accounts of terminated employees; authentication methods that verify the person signing onto a computer is who he or she claims to be; encryption of data both in storage and in transit; and audit controls that record and examine activity in information systems.12
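Audit controls and account removal are only useful if someone actually reviews the records they produce. The following script is an added example, not code from the article or from the ADA, of the kind of periodic review a practice security officer (or the IT vendor acting as a business associate) could run over a chart-access log. Everything in it is an assumption made for illustration: the log format (one CSV line per chart access, "timestamp,user,patient_id,action"), the sample log lines, the workforce roster with termination dates, the clinic hours, and the bulk-access threshold. It flags the three things the paragraph above calls out: use of an account that should have been disabled at termination, logins that are not on the roster at all, and unusual activity (after-hours access and one user opening many charts in a day).

```python
"""Audit-control review of a chart-access log (added example, not from the article).

Assumptions, all constructed for illustration: the practice-management system
writes one CSV line per chart access, "timestamp,user,patient_id,action", and
HR maintains a roster mapping each login to its termination date (None = active).
"""
from collections import defaultdict
from datetime import date, datetime, time

# Constructed sample log: ten accesses over two days.
ACCESS_LOG = """\
2024-03-04T08:55:12,rjones,P1001,view
2024-03-04T09:10:40,rjones,P1002,view
2024-03-04T12:01:03,mlee,P1001,print
2024-03-04T22:47:19,kpatel,P1003,view
2024-03-05T09:02:11,tnguyen,P1004,view
2024-03-05T09:02:30,tnguyen,P1005,view
2024-03-05T09:02:48,tnguyen,P1006,view
2024-03-05T09:03:05,tnguyen,P1007,export
2024-03-05T09:03:22,tnguyen,P1008,export
2024-03-05T13:15:00,svc_backup,P1001,view
"""

# Constructed workforce roster. kpatel left on 2024-02-28; that account should
# have been disabled as part of the termination procedure.
ROSTER = {
    "rjones": None,
    "mlee": None,
    "kpatel": date(2024, 2, 28),
    "tnguyen": None,
}

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed clinic hours
BULK_THRESHOLD = 5                          # distinct charts per user per day


def parse_log(text):
    """Parse the CSV log into dicts. Malformed lines raise rather than being skipped,
    because a silently dropped line is exactly what an attacker would want."""
    events = []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        parts = line.split(",")
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        ts, user, patient, action = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action})
    return events


def review(events, roster, hours=BUSINESS_HOURS, bulk=BULK_THRESHOLD):
    """Return findings as dicts {"rule", "user", "when", "detail"}, sorted by time."""
    findings = []
    charts_per_day = defaultdict(set)  # (user, day) -> set of patient ids
    for e in events:
        user, ts = e["user"], e["ts"]
        when = ts.isoformat()
        if user not in roster:
            findings.append({"rule": "unknown_account", "user": user, "when": when,
                             "detail": "login not on workforce roster"})
        elif roster[user] is not None and ts.date() >= roster[user]:
            findings.append({"rule": "terminated_account", "user": user, "when": when,
                             "detail": f"terminated {roster[user].isoformat()}"})
        if not (hours[0] <= ts.time() <= hours[1]):
            findings.append({"rule": "after_hours", "user": user, "when": when,
                             "detail": f"{e['action']} of {e['patient']}"})
        charts_per_day[(user, ts.date())].add(e["patient"])
    for (user, day), charts in charts_per_day.items():
        if len(charts) >= bulk:
            findings.append({"rule": "bulk_access", "user": user,
                             "when": day.isoformat(), "detail": len(charts)})
    return sorted(findings, key=lambda f: (f["when"], f["rule"]))


if __name__ == "__main__":
    for f in review(parse_log(ACCESS_LOG), ROSTER):
        print(f"{f['when']}  {f['rule']:<19} {f['user']:<11} {f['detail']}")
```

On the constructed data this produces four findings: kpatel using a terminated account, that same access falling after hours, a login (svc_backup) that HR has no record of, and tnguyen opening five charts within two minutes. The thresholds are starting points; a practice should tune them to its own hours and workload, and the roster should come from the same HR process that triggers account removal so that the two cannot drift apart.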

Every state has laws regarding the retention of patient records, and all practitioners should understand which laws apply in their state. In addition, the ADA offers record retention and destruction guidelines for managing professional risk. The retention guidelines highlight the following: retention times may differ for adult and pediatric records, additional recordkeeping requirements apply to HIPAA-covered entities, and a written record-retention policy is necessary.13 Under HIPAA, paper, film, or other hard-copy records must be shredded or otherwise destroyed so that the PHI cannot be read or reconstructed.14 Professional disposal contractors are useful, but they should be vetted for reputability and compliance with privacy and security laws, and they are business associates who need a written agreement.

When a Data Breach Is Suspected

All employees in healthcare settings must understand what constitutes a HIPAA violation and how to report such a violation. This information, as well as the correct person to report it to, should be included in annual training.

Accidental HIPAA violations can happen even when employees are careful. If a patient’s PHI is accidentally viewed by an unauthorized person within your organization, it is best to report the violation immediately to your organization’s delegated practice security and privacy officer. The complaint should be investigated internally, and a decision made about whether it is a reportable breach under the HIPAA breach notification rule. Usually, minor incidents do not require notification.15

Employees and patients do not have to wait for the covered entity to report a concern. Individuals can make a HIPAA complaint directly to the OCR through its online complaint portal: hhs.gov/hipaa/filing-a-complaint/complaint-process. All complaints are assessed, and those that are submitted within 180 days of the suspected violation and that suggest a violation of the HIPAA rules are investigated further. Most often, reported issues are resolved through voluntary compliance, technical guidance, or corrective action.16

Conclusion

With the growing trend of healthcare data breaches and ransomware attacks, dental professionals need to be acquainted with the necessary safeguards to keep patient dental records secure. A policy should be in place regarding who has the authority to release patient records. All staff members should be aware that patient information should never be disseminated without the dentist’s knowledge and approval. Moreover, an attorney should be consulted to ensure the practice is legally compliant, so potential risks are minimized.

References

  1. Healthcare Data Breach Statistics. The HIPAA Journal. Available at: hipaajournal.com/healthcare-data-breach-statistics. Accessed March 24, 2024.
  2. IBM: Average Cost of a Healthcare Data Breach Increases to Almost $11 Million. The HIPAA Journal. Available at: hipaajournal.com/떗-cost-healthcare-data-breach. Accessed March 24, 2024.
  3. Managed Care of North America Hacking Incident Impacts 8.9 Million Individuals. The HIPAA Journal. Available at: hipaajournal.com/​managed-care-of-north-america-hacking-incident-impacts-8-9-million-individuals. Accessed March 24, 2024.
  4. Data Breach Notifications. Office of the Maine Attorney General. Available at: apps.web.maine.gov/​online/​aeviewer/​ME/葴/⹷b95c8-abc8-41f1-8c3f-b0415575de56.shtml. Accessed March 24, 2024.
  5. The Office of the National Coordinator for Health Information Technology. Frequently Asked Questions. Available at: healthit.gov/​faq/​what-are-respective-roles-onc-and-ocr-regarding-privacy-and-security. Accessed March 24, 2024.
  6. United States Department of Health and Human Services. Breach Notification. Available at: hhs.gov/​hipaa/​for-professionals/​breach-notification/​index.html. Accessed March 24, 2024.
  7. Seh AH, Zarour M, Alenezi M, et al. Healthcare data breaches: Insights and implications. Healthcare (Basel). 2020;8:133.
  8. Centers for Medicare and Medicaid Services. Are You a Covered Entity? Available at: cms.gov/​Regulations-and-Guidance/​Administrative-Simplification/​HIPAA-ACA/​AreYouaCoveredEntity. Accessed March 24, 2024.
  9. United States Department of Health and Human Services. Business Associates. Available at: hhs.gov/​hipaa/​for-professionals/​privacy/​guidance/​business-associates/​index.html. Accessed March 24, 2024.
  10. Hales M. The HIPAA-e tool business associates 101. Available at: thehipaaetool.com/​business-associates-101. Accessed March 24, 2024.
  11. American Dental Association. Managing the Regulatory Environment— ADA’s Guidelines for Practice Success. Available at: ada.org/​-/​media/​project/​ada-organization/​ada/​ada-org/​files/​publications/​guidelines-for-practice-success/​gps-regulatory/​hipaa-breach-notification-rule-tip-sheet.pdf. Accessed March 24, 2024.
  12. United States Department of Health and Human Services. Summary of the HIPAA Security Rule. Available at: hhs.gov/​hipaa/​for-professionals/​security/​index.html. Accessed March 24, 2024.
  13. American Dental Association. Record Retention. Available at: ada.org/​resources/​practice/​practice-management/​record-retention. Accessed March 24, 2024.
  14. American Dental Association. Record Destruction. Available at: ada.org/resources/practice/practice-management/record-destruction. Accessed March 24, 2024.
  15. How Should You Respond to an Accidental HIPAA Violation. The HIPAA Journal. Available at: hipaajournal.com/​accidental-hipaa-violation. Accessed March 24, 2024.
  16. United States Department of Health and Human Services. How to File a Health Information Privacy or Security Complaint. Available at: hhs.gov/​hipaa/​filing-a-complaint/​complaint-process/​index.html. Accessed March 24, 2024.

From Decisions in Dentistry. June/July 2024; 10(4):24-25
