To be or not to be: HIPAA compliant
By: Melissa Moore Sanchez, Manager, Sales and Marketing
Northwest Dentists Insurance Company
Last summer Jocelyn Samuels assumed the role of Director when Leon Rodriguez resigned his position with the Department of Health and Human Services, Office for Civil Rights. Ms. Samuels wasted no time putting her own stamp on the office’s already tough stance on enforcing HIPAA compliance, stating “We continue to see a lack of comprehensive and enterprise-wide risk analysis and risk management that leads to major breaches and other compliance problems. That is why enforcement is a critical part of our arsenal of tools to ensure compliance.” Samuels goes on to say “Resolution agreements that include a monetary settlement are only a small fraction of complaint and compliance reviews we undertake. These enforcements send out an important message about compliance issues and the need for covered entities and business associates to take their obligations seriously.”
So, how seriously are you taking your HIPAA compliance obligations? Cyber attacks continue to increase, particularly in the medical and dental industries - up over 40 percent in 2013, significantly higher than the business sector. The words “cyber risk” immediately conjure up images of a practice’s computer system being hacked into, and this is often the case. But cyber risk also includes an employee mistake in which patient data is unintentionally shared with an unauthorized party. It can mean the theft or loss of mobile devices (laptops, smart phones, memory sticks) that contain patient Protected Health Information (PHI). It can be improperly destroying (or not destroying) patient records, including information stored on equipment with built-in memory, such as photocopiers.
Cyber risk can also be malicious intent on the part of an employee to either sell or fraudulently use patient information. Don Jackson, Director of Threat Intelligence at PhishLabs, a cybercrime protection company, says stolen health information can go for $10 per record, about 10 or 20 times the value of a U.S. credit card number. That figure was obtained by monitoring underground exchanges where the information was being sold by hackers.
To add insult to injury, HIPAA requires that you self-report breaches to the Office for Civil Rights (OCR): breaches involving fewer than 500 people must be reported on an annual basis, and breaches of 500 or more must be reported to the OCR within 60 days of the event.
Penalties can range from $100 to $50,000 per violation, capped at $1.5 million. Expect that the OCR will want copies of your policies and procedures including but not limited to: your Notice of Privacy Practices, your policies and procedures for protecting PHI, employee training, copies of your complete risk analysis before and after a breach, a detailed description of the breach, disciplinary measures (if it involved an employee), and remedial measures taken following the breach.
You should be conducting staff training at least annually, documenting when the training took place, what was discussed and who attended. Any change to your policies, whether made by you or mandated by the government, and any new staff hire will require additional training.
HIPAA breaches are not only time-consuming but also expensive. Costs associated with a breach, not including fines, can easily balloon into six figures. The Experian Data Breach Industry Forecast for 2015 predicts the health care industry will be “plagued” with data breaches, stating that “the potential cost of breaches for the healthcare industry could be as much as $5.6 billion annually.”
Some of the expenses include: printing and postage for patient notification letters, establishing a call center to handle patients’ phone inquiries, ID theft or credit monitoring services, forensic investigation, and legal costs including defense and judgments.
To be HIPAA compliant, you are required to assess your practice’s vulnerabilities concerning the safekeeping of PHI. Identify where PHI is received, maintained, stored or transmitted; identify and assess the risks for each of those areas; rank and prioritize the risks; and then create and implement policies and procedures to safeguard the PHI. Document each step. Create policies and procedures for responding to a breach, and document them. Regularly review your policies and procedures, update them when necessary, and document that as well. Make sure computers are encrypted and security patches are current. Every step should be thoroughly documented, both for your own reference and in case you need to produce it to the OCR. Did I say document?!
To be HIPAA compliant is, without a doubt, a time-consuming undertaking. But not to be could eventually create larger headaches and expenses further down the road.
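As an added illustration (not from the article or from NORDIC's compliance packet), the following Python sketch walks through the risk analysis steps above for a small practice: inventory where PHI lives, score each location, rank the risks, flag the two safeguards the article names (encryption and current patches), and emit a dated record to keep on file. The inventory, the 1-to-5 scoring scale and the assessment date are constructed assumptions, not HIPAA requirements.

```python
# Added example: a minimal PHI risk analysis register following the steps in
# the text (inventory, assess, rank, safeguard, document). Scale and sample
# data are assumptions made for this example.
from dataclasses import dataclass

@dataclass
class PhiLocation:
    name: str              # where PHI is received, maintained, stored or transmitted
    handling: str          # "received" | "maintained" | "stored" | "transmitted"
    likelihood: int        # 1 (rare) .. 5 (likely) that PHI is exposed here
    impact: int            # 1 (minor) .. 5 (severe) if it is
    encrypted: bool        # PHI at rest is encrypted on this device or medium
    patches_current: bool  # security patches applied (True for paper, not applicable)

def risk_score(loc: PhiLocation) -> int:
    """Likelihood x impact (1..25); an assumed scale, not a HIPAA mandate."""
    if not (1 <= loc.likelihood <= 5 and 1 <= loc.impact <= 5):
        raise ValueError(f"{loc.name}: likelihood and impact must be 1..5")
    return loc.likelihood * loc.impact

def safeguard_gaps(loc: PhiLocation) -> list[str]:
    """Safeguards the article calls out that this location is missing."""
    gaps = []
    if not loc.encrypted:
        gaps.append("encrypt stored PHI")
    if not loc.patches_current:
        gaps.append("apply current security patches")
    return gaps

def rank_risks(locations: list[PhiLocation]) -> list[PhiLocation]:
    """Highest score first; ties broken by the number of missing safeguards."""
    return sorted(locations, key=lambda l: (risk_score(l), len(safeguard_gaps(l))), reverse=True)

def risk_analysis_record(locations: list[PhiLocation], assessed_on: str) -> list[str]:
    """The documentation step: one dated line per location, in priority order."""
    record = [f"PHI risk analysis dated {assessed_on}"]
    for rank, loc in enumerate(rank_risks(locations), start=1):
        gaps = "; ".join(safeguard_gaps(loc)) or "none"
        record.append(f"{rank}. {loc.name} [{loc.handling}] score={risk_score(loc)} gaps={gaps}")
    return record

# Constructed sample inventory, using the kinds of locations the article mentions.
SAMPLE_INVENTORY = [
    PhiLocation("front-desk workstation", "stored", 3, 4, encrypted=True, patches_current=False),
    PhiLocation("hygienist laptop", "transmitted", 4, 5, encrypted=False, patches_current=True),
    PhiLocation("copier hard drive", "maintained", 2, 4, encrypted=False, patches_current=True),
    PhiLocation("paper charts (locked cabinet)", "stored", 1, 3, encrypted=True, patches_current=True),
]

if __name__ == "__main__":
    print("\n".join(risk_analysis_record(SAMPLE_INVENTORY, "2015-06-01")))
```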
NORDIC is pleased to offer our insureds, at no charge, a HIPAA Compliance Packet complete with HIPAA forms and step-by-step tools to complete a practice assessment. We also offer cyber insurance designed specifically for dentists; and you don’t have to have your malpractice policy with NORDIC to be eligible. For more information, please contact us at (800) 662-4075.