Under HIPAA, healthcare providers include hospitals, clinics, physicians, pharmacies, psychotherapists, and also dentists and dental offices that conduct healthcare transactions electronically. As a HIPAA covered entity, it is essential for dental offices and dentists to comply with all the requirements of the HIPAA Administrative Simplification, Privacy, Security, and Breach Notification Rules.
If a dental office or dentist is discovered to have violated HIPAA, they may be subject to fines and sanctions. The first HIPAA violation penalty for a dental office was issued in 2015.
Fines for HIPAA violations are usually issued by the Office for Civil Rights (OCR), part of the Department of Health and Human Services. However, in this case, it was Indiana’s Office of the Attorney General that issued the penalty. Under the HITECH Act, state attorneys general have the authority to file civil suits against HIPAA covered entities over HIPAA violations. In this case, the $12,000 financial penalty was levied against Dr. Joseph Beck for the improper disposal of patient records. Sixty boxes of files were discarded in a dumpster after the dentist lost his license to practice. The files in those boxes contained the protected health information (PHI) of over 56,000 patients.
In the years since, no other dental practices have been fined for violating HIPAA legislation. This may yet change: OCR and state attorneys general have increased their enforcement of HIPAA Rules in recent years. The number of financial penalties issued by OCR and the penalty amounts have significantly increased, and more state attorneys general are exercising their rights and are pursuing legal action over HIPAA violations. 2016, 2017, and 2018 were all record-breaking years for HIPAA settlements and civil monetary penalties.
OCR has also launched the second phase of its HIPAA compliance audit program. The audits assess compliance with the HIPAA Privacy, Security, and Breach Notification Rules. If noncompliance is discovered during a ‘desk audit’, OCR may perform a full compliance review.
In light of the new phase of audits, Dr Andrew Brown – Chair of the ADA Council on Dental Practice – warned the council’s members of the dangers and consequences of HIPAA non-compliance. In his statement, Dr Brown said that “there are steep consequences for health care providers that don’t comply with the law and we don’t want to see any dentists having to pay tens of thousands of dollars in a penalty.”
If any PHI breach involves 500 or more records, OCR must investigate. This includes any breaches that were the result of cyberattacks as well as insider breaches. In 2017, TheDarkOverlord, a hacking group, hacked into the patient records of Aesthetic Dentistry in New York City. Though this was not the fault of the covered entity, it still needed to be reported and due to the number of records that were compromised, an OCR investigation took place.
Steps can be taken to minimize the probability that a database will be hacked or network access will be gained by unauthorized individuals; however, the healthcare industry is targeted by highly skilled and well-funded hackers and cybercriminal gangs. Even with robust cybersecurity defenses, it is not possible to totally eliminate the risk of a data breach. All it takes is a single response to a phishing email to expose patient data.
If a PHI breach occurs – whether it is because of a misplaced laptop or a cyberattack – OCR will investigate. Thus, it is important for covered entities (CEs) and their business associates to ensure they are compliant with HIPAA and to document their compliance efforts so they can show that they were not at fault. It is a mistake to think that OCR will not investigate smaller practices. OCR has made it clear that no covered entity or business associate is exempt from its enforcement actions.