HIPAA: Is It Still Significant?

Image Credit: © suthisak / stock.adobe.com

As any dental office owner knows, there’s a lot more to running a practice than just honing your clinical skills. Keeping up with the latest procedures and getting your continuing education credits is important, but there are so many other facets to a practice. Offices must deal with daily staffing issues, insurance, billing, scheduling, supplies—the list goes on and on. One area that is specifically very important to me is making sure you do everything you can to secure and protect your most valuable asset: your patient data.

With all the focus in recent years on cybersecurity, such as dealing with ransomware attacks, many practices may have forgotten that there is still a set of rules and laws, called the Health Insurance Portability and Accountability Act (HIPAA), that offices must follow to avoid significant fines and penalties. While it doesn’t seem to get talked about as much, there are still a number of reasons why I feel that dental practices can and should be current on staying HIPAA compliant.

1 The biggest reason I advocate for HIPAA compliance is that there’s a huge crossover between HIPAA regulations and cybersecurity best practices. The entire reason that the Health Information Technology for Economic and Clinical Health Act of 2009 was enacted was to provide guidelines for following the Security Rule of HIPAA, which deals exclusively with electronic data. It became obvious as we entered the 2000s that as more and more practices were moving toward a chartless or paperless environment, and by definition more and more patient information became electronic, it was critical that health care providers develop systems to meet the expectations of patients, that their critical and private data was being protected and secured as best as possible. Many of the best ways to accomplish this, such as encryption, firewalls, data backup, patching, and managing access, have been part of the HIPAA regulations for close to 15 years now. In other words, you’re killing 2 birds with 1 stone when you implement systems to secure the data: You’re protecting the information and meeting HIPAA guidelines at the same time.

2 HIPAA still has a lot of teeth when it comes to enforcement. There are currently 4 levels of violations, and the 1 you really want to avoid, willful neglect, can destroy a practice. Willful neglect occurs when there is evidence that the practice knew it was in violation of HIPAA laws but still elected not to rectify those violations. How would they know? Easy. If you are following HIPAA rules, then you know that you must do a risk assessment on a regular basis and develop a plan, called a HIPAA Management Plan, to address those issues. If you do your risk assessment (which I highly recommend doing annually) and don’t ever lift a finger to remedy those concerns, then by definition, that’s willful neglect. The fines start at $50,000 per violation and can go up to $1.5 million in a year…ouch!

3 Finally, of all the HIPAA violations out there, suffering a breach would, in my opinion, be the most damaging to an office. Forget the fines and penalties: If you suffer any type of data breach, the Breach Notification Rule says you must not only notify the local media but, worse, notify every single patient in writing about the breach. The question at that point wouldn’t be whether you are going to lose patients, it’s how many you will lose.

While HIPAA doesn’t get as much press as the latest ransomware news that seems to flood in daily, it is indeed something to worry about still, and I suggest that every practice do a reevaluation of its HIPAA preparedness.