An Expert's View of HIPAA

Dental Products Report, Dental Products Report July 2021, Volume 55, Issue 7

Learning the importance of understanding what HIPAA is and why practices should be knowledgeable about compliance.

HIPAA: Those 5 little letters can cause sweaty palms for almost anyone in the health care sector. That probably stems from the fact that, although we all know about the Health Insurance Portability and Accountability Act, most of us do not understand it.

As many of you know, I am a big fan of DDS Rescue. The company has an amazing solution for backup and recovery as well as providing a full HIPAA compliance program including proper risk assessment and staff training. They also act as the office’s IT advocate. As part of the effort to help client offices better understand HIPAA, DDS Rescue has retained an expert. Kezia Josenberger, JD, was working for the federal government when the law was created and was part of the team that wrote the law. This gives her an incredible amount of insight that can help offices make informed decisions on ensuring compliance. I had a chance to speak with Ms Josenberger recently and get her thoughts on some of the current questions the profession has. Here’s what she had to say:

Q: Many doctors do not understand just how financially serious a HIPAA violation can be. Can you explain the structure of the law regarding fines?

In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA. The US Department of Health & Human Services (HHS) may assess civil penalties when it discovers a HIPAA violation. Each year, HHS increases the penalty due to inflation. Here are the civil monetary penalty amounts for 2020. The penalty amount enforced by the Office for Civil Rights (OCR) depends on the facts involved. The 4 categories for the penalty structure are:

Tier 1: A violation that the covered entity was unaware of and could not realistically have avoided, had a reasonable amount of care been taken to abide by HIPAA rules—the penalty amount is between $119 and $59,522 for each violation;

Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA rules)—the penalty amount is between $11,912 and $59,522 for each violation;

Tier 3: A violation suffered as a direct result of willful neglect of HIPAA rules, for example, sharing protected health information (PHI) through office gossip, in cases where an attempt has been made to correct the violation—the penalty amount is between $11,904 and $59,522 for each violation; and

Tier 4: A violation of HIPAA rules constituting willful neglect, for example, an unauthorized release of information, where no attempt has been made to correct the violation—the amount is $59,522 per violation, with an annual cap of $1,785,651 for all violations of an identical requirement.

Q: Should we expect the number of dental offices audited this year to increase?

When looking at recent enforcement trends by HHS and OCR, smaller practices and solo practitioners are coming under enforcement scrutiny by OCR.

One potential reason is that OCR focused on larger organizations that suffered breaches, because larger fines could be imposed. This would prompt attention by other organizations to prioritize HIPAA compliance as an enterprise risk, meaning that was a financial and reputational risk for the organizations. However, applying hefty fines to larger organizations has not had the punitive effect that OCR thought it would have to encourage all entities, including smaller organizations, to prioritize HIPAA compliance.

HIPAA has been around for over 20 years, and the health care industry is still perplexed on what it takes to achieve compliance. This may be the result of not uniformly enforcing HIPAA across organizations. However, recent enforcement action by OCR shows that OCR is enforcing HIPAA requirements across all covered entity types, and not just focusing on larger organizations. This could be to trigger enforcement awareness across all types of organizations to protect the security of patients’ data. Dental practices are covered entities, and considering recent OCR enforcement action against smaller organizations, they should be vigilant about complying with HIPAA.

Q: Has there been a lessening of HIPAA rules because of COVID-19?

No. At the onset of the pandemic, OCR issued notifications of enforcement discretion, because the United States declared the pandemic a public health emergency. The notifications of enforcement discretion should be narrowly applied, because their issuances are to enable covered entities and their business associates to continue their treatment and health care operation efforts during this public health emergency.

Q: What are the top items that dental offices are not addressing as far as HIPAA regulations?

The top issues that dental offices are not addressing under HIPAA are:

  • Not implementing a security management process, including performing a comprehensive and/or enterprise-wide HIPAA risk analysis and having a risk management plan;
  • Not having access or identity management access controls to ensure that only those employees who need access to PHI for their responsibilities have access, especially for their electronic health or medical records systems;
  • Not having processes for ongoing monitoring and auditing of these electronic health records/electronic medical record systems;
  • Not having technical controls for their desktops, laptops, and mobile devices, including encryption and password management processes;
  • Not having policies and processes for individuals to exercise their rights to their data, and especially the right of access; and
  • Vendor management (ie, not ensuring that they have subcontractor business associate agreements [BAAs] with their vendors or ensuring that vendors are reporting their privacy and security incidents).

Q: Do you believe a dental office can do a risk assessment on their own (without a third party with tech experience) that will meet the standards of HHS?

A dental office could perform a risk analysis/risk assessment on its own, but I would advise against it for several reasons:

OCR requests evidence of a thorough, comprehensive, and enterprise-wide risk analysis/assessment that inventories all e-PHI created, received, maintained, or transmitted by the organization as a measure to assess compliance with HIPAA and specifically, the security rule. This can be a time-consuming task for most organizations that are operating under lean resources. Because the HIPAA risk analysis/assessment is a foundational requirement for complying with HIPAA, it is important that organizations try to retain assistance from third parties that have the resources to help with at least the initial risk analysis or assessment.

The risk analysis/assessment requires entities to evaluate risks and vulnerabilities in their environments and to implement appropriate security measures to protect against reasonably anticipated threats to the security or integrity of e-PHI. Retaining a resource that has industry and organization-based experience—for example, a third party with tech experience in the dental industry—assures the organization that it is complying with the security rule requirements and that application of these requirements are specific to its environment. When OCR reviews an organization’s HIPAA risk analysis/assessment, it is looking to see that the risk analysis /assessment is not general but specifically evaluates vulnerabilities in the organization’s environment.

The HIPAA risk analysis/assessment helps the organization determine what controls, including policies and procedures, are necessary to meet all requirements of the security rule. The risk analysis /assessment evaluates whether an addressable implementation specification is reasonable. Retaining resources to ensure that the organization is applying the appropriate controls to address the requirements of the HIPAA security rule and documenting it are also important, especially if OCR initiates a complaint, compliance review, or an audit against the organization.

Q: What advice would you give for a dental office to be compliant with HIPAA?

HIPAA compliance is an ongoing activity that takes money, time, and resources, but the benefits of complying with HIPAA outweigh the risks. The initial steps in achieving HIPAA compliance are performing the risk analysis/risk assessment; conducting an inventory of third parties contracted to perform health care operations and the data and e-PHI they receive, create, maintain, or transmit; making sure that the dental office has BAAs with their vendors or third parties, as well as reviewing their third parties’ subcontractor agreements with subcontractor BAAs; and ensuring that the dental practice develops and implements appropriate policies and procedures relating to minimum necessary requests, uses, disclosures, and transfers of PHI, verification, permitted uses and disclosures, and individual rights.