Having to declare a data breach can be devastating for a practice, so it’s critical to take the appropriate preventative measures in advance.
In our previous articles, we talked about Dr. L and her experience with hacking and identity theft. There’s no doubt that her experience was horrible, but it could have been much worse, because in my mind there is nothing more devastating to a practice than having to declare a data breach.
Data breaches have become common; there are reports in the news almost weekly about breaches at large corporations such as Target and Neiman Marcus. While these breaches can be upsetting to consumers, they don’t fall under the HIPAA rules because they don’t involve protected health information. A breach at a dental practice, unfortunately, would definitely be a HIPAA violation and requires a set of steps that must be taken.
Breaches can take many different forms. One of the most famous was a dentist in California whose server was stolen; that is an obvious data breach. Other breaches include someone hacking into the network, a former employee copying patient records before leaving the practice, emailing patient records to the wrong patient, and so on.
So, what are the steps that must be taken in the event of a data breach? There are currently three things you must do by law:
1. You must notify the local media, such as local newspapers and TV stations.
2. You must have your practice listed on the Health and Human Services website. This site is affectionately called the Wall of Shame. There are currently around 1,700 practices listed on this site.
3. Worst of all, you must notify all patients in writing, and not only inform them of the breach but tell them which data was breached. This often includes social security numbers and credit card information. To me, this is the most devastating part of the law; our clients who have reported a breach have claimed a loss of 15-30 percent of their patients on average. It’s also considered proper protocol to offer credit monitoring to all affected patients to ensure no identity theft occurs.
The thing I find most frustrating about the Breach Notification rule is that most dentists are unaware they have a “get out of jail free card” for it, which we discussed in last month’s article: encryption. If you have encrypted your data at rest and encrypt your data in motion, then you are exempt from the rule. The most common breach is the loss or theft of a mobile device, such as a laptop or external backup hard drive, and encrypting these devices is relatively easy. Free programs like BitLocker and VeraCrypt can encrypt the data. You’ll want to work with an IT professional to set it up properly, but since the software is free you only pay for the labor. Compared to the fines you face (up to $50k at the lowest level and $1.5 million at the highest), encrypting your data makes sense for every dental practice.
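As an added illustration (not code from the article), the following PowerShell script audits a Windows machine's BitLocker status and flags any volume that is not fully encrypted with protection turned on, which is the state the "encrypted at rest" safe harbor depends on. It relies on the built-in Get-BitLockerVolume cmdlet run from an elevated prompt; the report path and the fields in the output are my choices.

```powershell
# Added example (not from the article): audit BitLocker on every volume and
# flag anything that would not count as "encrypted at rest": unencrypted
# volumes, volumes still encrypting, and volumes with protection suspended.
# Requires the built-in BitLocker module (Windows Pro/Enterprise) and an
# elevated prompt. The report path and output fields are my own choices.

function Get-BitLockerAuditReport {
    param(
        # Hypothetical parameter: where the CSV audit report is written.
        [string]$ReportPath = "$env:USERPROFILE\Desktop\bitlocker-audit.csv"
    )

    $findings = foreach ($vol in Get-BitLockerVolume) {
        # Only FullyEncrypted AND ProtectionStatus = On counts. A suspended
        # volume (ProtectionStatus = Off) keeps its key readable on disk.
        $compliant = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                     ($vol.ProtectionStatus -eq 'On')

        # A recovery password protector lets you recover data if the TPM or
        # PIN fails; note whether one exists so it can be escrowed safely.
        $hasRecovery = $vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeType          = $vol.VolumeType
            VolumeStatus        = $vol.VolumeStatus
            ProtectionStatus    = $vol.ProtectionStatus
            EncryptionPercent   = $vol.EncryptionPercentage
            HasRecoveryPassword = [bool]$hasRecovery
            Compliant           = $compliant
        }
    }

    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    return $findings
}

$report = Get-BitLockerAuditReport
$report | Format-Table -AutoSize

# Anything not compliant is a device that would NOT qualify for the safe
# harbor if lost or stolen, so it needs attention before that happens.
$gaps = @($report | Where-Object { -not $_.Compliant })
if ($gaps.Count -gt 0) {
    Write-Warning ("{0} volume(s) are not fully protected: {1}" -f
        $gaps.Count, (($gaps | ForEach-Object MountPoint) -join ', '))
} else {
    Write-Host "All volumes are fully encrypted with protection on."
}
```

Run it on each laptop and backup drive before an incident, and keep the CSV with your other HIPAA documentation so you can show the device was encrypted at the time of any loss.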
While the Breach Notification rule can be devastating for a dental practice, properly planning to protect your critical data can ensure that you never have to go through this process. This is one of those situations where an ounce of prevention is definitely worth more than a pound of cure.