The first dentist to be fined for a HIPAA violation was Dr. Joseph Beck in 2015. Until then, dental practices had avoided fines for HIPAA noncompliance, and his case served as a warning to the dental profession about the importance of HIPAA compliance.
The penalty was not issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) but by the Office of the Indiana Attorney General. The $12,000 fine was for the alleged mishandling of the protected health information of 5,600 patients.
Since then, covered entities have reached many settlements with regulators over HIPAA violations, but no further penalties have been issued to dental offices. That does not mean OCR or state attorneys general will not fine dental offices that fail to comply with HIPAA Rules in the future. HIPAA penalties have increased considerably since 2015, and any covered entity can be fined for violating HIPAA Rules.
The probability of HIPAA violations being discovered has also increased. OCR has conducted the second phase of its HIPAA compliance audit program, and some dental offices are likely to have been selected for an audit. If OCR has not yet asked your dental office to demonstrate compliance with HIPAA Rules, that does not mean you will not be investigated.
In the first round of compliance audits, conducted in 2011/2012, one dental office was audited. That round of audits uncovered several areas of noncompliance with HIPAA Rules. OCR decided not to issue financial penalties to any covered entity and instead published technical guidance to address the noncompliance. Covered entities have now had ample time to carry out their compliance plans, so if OCR auditors discover HIPAA violations today, financial penalties are more likely to be issued.
A year ago, with HIPAA compliance audits bearing down on dental offices, Dr. Andrew Brown, chair of the ADA Council on Dental Practice, issued a stern warning to dental offices on HIPAA compliance. According to Brown, dentists will suffer serious consequences for failing to comply with the law. The ADA does not want to see dentists penalized tens of thousands of dollars or more for noncompliance.
Healthcare organizations are also being targeted by cybercriminals who exploit unaddressed vulnerabilities, and OCR investigates every breach of more than 500 records. The hacking group TheDarkOverlord exploited a vulnerability to access the files of Aesthetic Dentistry of New York City. Data was stolen, which is a reportable breach under HIPAA Rules; if the investigation reveals compliance violations, a fine could be issued.
It is a serious mistake to believe that small practices will not be investigated by OCR. OCR is taking steps to enforce compliance for all covered entities, regardless of size. Large healthcare companies are not the only ones being investigated and penalized for noncompliance with HIPAA Rules, so dental offices need to take HIPAA compliance seriously and follow HIPAA Rules at all times.