As well as applying to medical professionals, HIPAA legislation applies to those who work in dentistry. However, it wasn’t until 2015 that a dental office was issued with a fine for HIPAA violations.
Fines for HIPAA violations are usually issued by the Office for Civil Rights (OCR), part of the Department of Health and Human Services. However, in this case, it was Indiana’s Office for the Attorney General. The $12,000 fine was levied against Dr Joseph Beck for the inappropriate care of protected health information (PHI) of over 56,000 patients.
In the years since, no other dental practices have been fined for violating HIPAA legislation. This may yet change: the OCR or some state attorney generals still retain the right to issue fines for HIPAA non-compliance, including against dental practices. In fact, there is an ever-increasing number of such fines being issued: both 2016 and 2017 were record-breaking years for HIPAA settlements.
This probably has something to do with OCR’s new HIPAA compliance audit program, which is entering its second phase this year. As the audits require assessing a covered entity’s risk management program and PHI protection program, among other things, it makes it much more likely that any HIPAA breaches will be discovered. Dental practices will also be investigated during these audits.
The initial audits were conducted in 2011/2012, though in that first phase only one dental practice was audited. Generally, though, those audits uncovered a staggering level of non-compliance. The OCR opted not to issue fines at that point: instead, they insisted on technical training for HIPAA employees. The second round of audits will reveal if these measures were effective.
In light of the new phase of audits, Dr Andrew Brown – Chair of the ADA Council on Dental Practice – warned the council’s members of the dangers and consequences of HIPAA non-compliance. In his statement, Dr Brown said that “there are steep consequences for health care providers that don’t comply with the law and we don’t want to see any dentists having to pay tens of thousands of dollars in a penalty.”
If any PHI breach involves over 500 records, the OCR must investigate. This includes any breaches that were the result of cyberattacks. In 2017, TheDarkOverlord, a group of cybercriminals, hacked into the patient records of Aesthetic Dentistry in New York City. Though this was not the fault of the covered entity, it still needed to be reported. Though steps can be taken to minimise the chance that a database will be hacked, the advancing prominence and capability of such groups makes it hard to completely avoid such attacks.
If a PHI breach occurs – whether it is because of a misplaced laptop or a cyberattack – the OCR will investigate. Thus, it is important for CEs and their business associates to carefully catalogue all of their safety measures to show that they were not at fault. Some would be mistaken in thinking that the OCR will not care about smaller practices; the office has made it clear that no-one is immune to their audits. Additionally, the fines reflect the size and nature of the breach, not the practice.