You know that feeling when you watch your Jenga tower start to wobble and lean, and you know it’s going down? Imagine your dental practice is like a tower of Jenga blocks. It’s rarely the top block that causes the tower to come crashing down, often it’s a block toward the bottom that causes a whole lot of HIPAA trouble.
Obviously, your practice is more than a game of Jenga, and a slip up with HIPAA compliance can be a lot more serious than losing a game. In 2018 alone, the Office of Civil Rights (OCR) doled out a record $28.7 million in HIPAA penalties over just 10 case settlements! More often than not, it’s a simple mistake, rather than malicious intent, that leaks electronic Protected Health Information (ePHI) and ends up costing a chunk of change in penalties.
HIPAA violations can involve something as commonplace as texting, social media, or record-keeping blunders.
Your medical data is some of the most coveted information around. Electronic Health Records (EHRs) are in place to keep your practice thorough, detailed and organized. They also contain the most personal of patient information like:
- Phone numbers
- Social Security Numbers
Each EHR can fetch thousands of dollars on the black market, to be used for making fake IDs and committing medical fraud. If you’re not careful, your data can end up in the wrong hands, possibly leading to the destruction of the practice you’ve worked so hard to build.
In 2017 a heart monitor salesman had his laptop stolen, containing hundreds of patient medical records. When it comes to HIPAA violations concerning third-parties and unsecured portable devices, the government is very strict. Accidental or not, this HIPAA violation was costly. Eventually, this case was settled for $2.5 million.
In 2015 an employee at Iowa University’s Student Health Center was overheard talking to herself about a pregnancy test of a well-known athlete on campus. Not only is talking to yourself a little weird socially, in this case, it was a big deal legally. While she claims she was only wishing the young couple happiness, other employees overheard her comments and recognized her HIPAA violation. She was reported and fired. Luckily the employee’s negligence didn’t cost the University some serious dough, but it did cost the employee her job.
A clear understanding of HIPAA guidelines is important for your practice because what might initially sound like a great idea can eventually land you in a world of hurt.
For example, in 2013 an ABC reality show called NY Med filmed two real hospital patients without their consent. When one of the patients actually died during filming, the OCR determined the film crew was wrongfully given complete access to the hospital, creating an environment where protecting personal health information was impossible. The hospital was forced to pay a $2.2 million settlement for not following HIPAA guidelines.
Just last year, The University of Texas MD Anderson Cancer Center faced a $4.3 million penalty for HIPAA violations. One employee had an unencrypted laptop stolen from their house, and two unencrypted USB thumb drives containing the ePHI of over 33,500 patients also went missing. Things get lost, but when it comes to medical data, it’s not as simple as just going out and buying a new device. If your ePHI isn’t encrypted and gets misplaced, you’re violating HIPAA. You’ll need to report the breach and may be held liable.
Something as innocent as replying to an email resulted in the biggest HIPAA penalty of all time. In 2018, Anthem Inc. discovered cyber-attackers had stolen the ePHI of almost 79 million people. The attackers gained access when at least one Anthem employee responded to a spear-phishing email. If you’re a healthcare provider, simply replying to an email from a computer containing patient information could unknowingly be inviting cyber-attackers into your practice.
Sometimes it’s personal.
While most violations that cause your business a whole lot of HIPAA trouble are accidental, there have been far too many instances where disgruntled employees knowingly violate privacy rules consequently devastating a business.
Often, what starts as a hasty decision out of jealousy or revenge, results in much larger and graver consequences that can topple a business.
In 2014 a Walgreens pharmacist shared prescription records of her husband’s ex (and mother of his child) with him. He then turned around and shared the information, including his ex’s social security number, with three other people. The Walgreens employee’s plan was to use the medical information as blackmail in a paternity lawsuit.
This case was special. It set the precedent that businesses can be held accountable for the HIPAA violations of their employees. Using private medical data as blackmail in a lawsuit is just a bad idea. Far too often employees use their access to private data in ways they shouldn’t.
In 2008 a nurse at a medium-sized clinic scrounged up a patient’s file that had been involved in a car wreck with her husband and was suing him. The plan was for the nurse to give her husband the patient’s medical data, for him to then use as blackmail to persuade the patient to drop the case. Instead, the patient called the authorities. The nurse was fired and faced a $250,000 fine and a 10-year jail sentence.
It’s not always a single employee purposely sabotaging their company’s HIPAA compliance, rather a whole group of employees using their access to ePHI for the wrong reasons.
We all get starstruck sometimes, and the opportunity to pour over an A-Lister’s medical records can be tempting. Imagine working at the hospital where Britney Spears received psychiatric treatment in 2008, where the medical records of one of the most talked-about people in the world were at your fingertips. The temptation was too much for six doctors and 13 employees, most of whom were non-medical support staff, with no real reason to be snooping through Spears’ records.
All six doctors were suspended, and the 13 employees were fired. While no charges were filed, the hospital paid the price with the initial lack of staff and loss of business that came with the negative press surrounding the case.
HIPAA is a violation war zone, where virtually any doctor or employee can sabotage their business’ life through everyday actions. While some encroachments are a result of curiosity, jealousy, or greed for personal benefit, there are many times when an employee can expose intimate information with a simple rash decision or momentary lack of concentration. These run-of-the-mill actions can lead to your practice (Jenga tower) crashing to the ground.
So what can you do about it?
There is no perfect solution for protecting your practice from HIPAA violations. Some employees are going to be unhappy, and some may use their access to ePHI to share something they shouldn’t. You can’t control it all, but you can protect yourself.
1. Educate your employees.
Invest in training. Employee carelessness is the main cause of medical data leaks. All HIPAA-happy practices should train their employees frequently on the latest data security topics because recovering from a cyber attack is likely more costly than the training!
The more aware the employee, the less likely they are to breach data security due to unsafe use of any device containing ePHI. Any organization employing the “Bring Your Own Device” strategy must ensure that their employees know the effects of a HIPAA violation and how to avoid them. Regular policy training and enforcement of organizational guidelines is key to running a HIPAA-happy practice.
2. Get Cyber Liability Insurance.
The Feds won’t come running if your practice doesn’t have Cyber Liability Insurance, but it’s critical that you’re protected in the event your patient’s sensitive information is stolen. Most general liability policies fail to cover all the risks of a data breach, including Protected Health Information (PHI) and Personally Identifiable Information (PII). HIPAA violations that don’t involve your network or computer (like accidentally losing a hard drive) are less likely to be covered.
Most HIPAA violations are an accident, like misplacing a laptop or hard drive, or absent-mindedly tossing out a confidential document. While regular staff-wide trainings aim to thwart internal data leaks, Cyber Liability Insurance is there to help cover the costs of cyber-criminal stealing ePHI.
Cyber Liability Insurance covers your practice in the event of a data breach, digital security problem, cybercrime, or hack. Cyber Liability Insurance helps mitigate external data threats, while regular training better informs employees internally.
No Cyber Liability Insurance means a higher chance of:
- Out-of-pocket costs of alerting federal and state regulatory agencies and local media of the breach
- Loss of employee time and production
- Loss of income
- Knock to your reputation
- Civil lawsuits by patients
- HIPAA and/or HITECH penalties and sentences
Ask your insurance agent if you’re covered in the event of a HIPAA violation. Use a Practice Management System (PMS) like Open Dental that is already covered by Cyber Liability Insurance.
3. Back up your data the right way.
A data disaster can happen any day, likely when you least expect it. From cyber-attackers itching to ransom your medical records to clunky hard drives that seem to love crashing, to freakish storms that flood your building, you need to have a plan in the event your data is gone. It’s more important than ever for healthcare providers to utilize cloud-based storage for backing-up their data.
That's why we offer a fully-supported and HIPAA compliant, encrypted cloud Backup + Recovery product. Our encryption (which exceed military standards) keeps your data safe during transport, from automatically backing-up off-site to recovering data back to your computer. We even help back up an unlimited number of medical devices that are connected to your server, such as x-ray machines.
With CDS, whether your practice uses Mac or Windows, you can safely and securely backup every file and ePHI you have. You’ll have peace-of-mind knowing your files will always be securely stored in a HIPAA-compliant way, and ready to be restored in the event of a data disaster.