3 things you must do if a data breach occurs in your dental practice

August 3, 2015

Data breaches have become common. There are reports in the news almost weekly about breaches in large corporations such as Target and Neiman Marcus. While these breaches can be upsetting to consumers, they don’t fall into the HIPAA rules as they don’t involve protected health information.

 

There are numerous HIPAA rules and regulations that must be followed. Noncompliance can often lead to fines and penalties that can be quite substantial. However, in my mind, there is nothing more devastating to a practice than declaring a breach.

Data breaches have become common. There are reports in the news almost weekly about breaches in large corporations such as Target and Neiman Marcus. While these breaches can be upsetting to consumers, they don’t fall into the HIPAA rules as they don’t involve protected health information. A breach at a dental practice, unfortunately, would definitely be a HIPAA violation and requires a set of steps that must be taken.

Breaches can take many different forms. One of the most famous was a dentist in California whose server was stolen.This is an obvious breach of data. Other breaches would include someone hacking into the network, a former employee copying patient records before leaving the practice, emailing patient records to the wrong patient, etc.

Related reading: Is your dental practice completely HIPAA compliant?

So, what are the steps that must be taken? There are currently three things you must do by law:

1. You must notify all patients in writing and not only inform them of the breach but also what data was breached. This often includes Social Security numbers and credit card info. To me, this is the most devastating part of the law; our clients who have reported a breach have claimed a loss of 25 to 40 percent of their patients on average. It’s also considered proper protocol to offer credit checks for all affected patients to ensure no identity theft.

2. You must notify the local media, such as local newspapers and TV stations.

3. You must have your practice listed on the Health and Human Services website. This site is affectionately called the Wall of Shame. There are currently about 1,300 practices listed on this site.

The thing I find most frustrating about the breach notification is that most dentists are unaware that they have a “get-out-of-jail-free card” when it comes to this rule. That card is encryption. If you have encrypted the data, both at rest and in motion, then you are exempt from the rule. The most common breach is loss or theft of a mobile device, such as a laptop or backup external hard drive, and encrypting these devices is relatively easy. There are free programs like Bitlocker and Veracrypt that can encrypt data. You’ll want to work with an IT professional to set it up properly, but you just need to pay for the labor. Compared to the fines you face (up to $50k for the lowest level and $1.5 million for the highest level), encrypting your data makes sense for evert dental practice.

While the breach notification rule can be devastating for a dental practice, properly planning to protect your critical data can ensure that you never have to go through this process. This is one of those situations where an ounce of prevention is definitely worth more than a pound of the cure!

More from Dr. Lavine: The 5 crucial components of a HIPAA contingency plan