Data breaches have become both a more serious and a more likely threat than on-site break-ins. They are especially damaging for dental and medical practices, because the theft of patient information can ruin a practice.
Making matters worse, the COVID-19 pandemic and the contracting economy have increased the frequency of digital attacks. Nearly 3,000 data breaches were reported in the first three quarters of 2020 alone.
Every dentist and doctor should be aware that more of those breaches were reported in the healthcare sector than in any other: nearly 12% of them occurred at healthcare businesses. Cyberattacks against healthcare providers have risen by roughly 150% in the months since the pandemic began.
Your practice might not suffer a breach during the pandemic, but sooner or later it will be targeted. Prepare in advance and you will be in a far better position when that happens.
You can reduce the likelihood of a devastating data breach, safeguard sensitive patient information, and keep your practice operational. Here's how.
Preparation Is Essential
Even though there is no guarantee your practice will end up in a hacker's crosshairs, it is in your interest to prepare as though it will.
Raise this uncomfortable but important subject with your IT or managed services provider as soon as possible. Ask what the most effective defenses against digital attacks are for a practice of your size, and what you and your team can do to prevent a breach. Educating your team about data breaches today may prevent one tomorrow.
Your whole team should understand that a data breach can wreak havoc on the business. Team members should be educated and trained so they can recognize cybersecurity threats and bring them to the attention of your IT provider immediately.
Everyone in your office should use the internet and office computers carefully, erring on the side of caution and checking with IT before opening unexpected emails, clicking links, providing sensitive information to anyone outside the organization, or downloading attachments from unfamiliar senders.
Communicate your preferred methods for safeguarding patient information to your staff. For example, every team member should use a strong, unique password for each practice system. A minimum of eight characters with numbers and special characters is a floor, not a target: longer passphrases are harder to guess, and current NIST guidance (SP 800-63B) puts more weight on length, uniqueness, and screening against lists of passwords exposed in previous breaches than on special-character rules. Turn on multi-factor authentication wherever your practice management, email, and remote access systems support it, so that a guessed or phished password is not enough on its own.
Keep in mind that it takes only one employee with a weak or reused password to open a door for attackers to reach your data, steal it, and sell it, damaging your practice's reputation in the process.
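As an added example (not code from the original article), the following Python script shows what screening a proposed password against this kind of policy looks like. It goes beyond the article by also rejecting passwords that appear in a breached-password list and passwords built from the practice's or user's name, which is why a password such as Password1! satisfies the composition rule yet should still be refused. The breached list, the practice name "Bright Smiles" and the sample passwords are constructed for illustration.

```python
"""Screen a proposed password for a practice account.

Added example, not code from the original article. It enforces the
article's composition rule (at least eight characters with a digit and a
special character) and adds two screens the article does not mention but
that NIST SP 800-63B recommends: rejecting passwords that appear in a list
of passwords exposed in earlier breaches, and rejecting passwords built
from context words such as the practice or user name.
"""
from __future__ import annotations

import hashlib
import re

MIN_LENGTH = 8

# Constructed stand-in for a breached-password list. A real deployment would
# check the full Have I Been Pwned corpus (offline, or via its range API by
# sending only the first five hex characters of the SHA-1) instead of this
# handful of entries.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Password1!", "Welcome1!", "Summer2020!", "Dental123!", "Qwerty1!")
}


def composition_problems(password: str) -> list[str]:
    """Return every way the password fails the article's composition rule."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", password):
        problems.append("no digit")
    # Anything that is not a letter or digit counts as a special character,
    # so the spaces in a passphrase satisfy the rule.
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 appears in the breached-password set."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


def uses_context_words(password: str, context: tuple[str, ...]) -> bool:
    """True if any context word of four or more letters appears in the password."""
    lowered = password.lower()
    return any(w.lower() in lowered for w in context if len(w) >= 4)


def evaluate(password: str, context: tuple[str, ...] = ()) -> list[str]:
    """Return all reasons to reject the password; an empty list means accept."""
    reasons = composition_problems(password)
    if is_breached(password):
        reasons.append("appears in breached-password list")
    if uses_context_words(password, context):
        reasons.append("contains a practice or user name")
    return reasons


if __name__ == "__main__":
    # Constructed practice name and user for the context screen.
    context = ("Bright", "Smiles", "Dental", "Jane")
    for candidate in ("Password1!", "abc123", "BrightSmiles2024!",
                      "correct horse battery staple 7!"):
        verdict = evaluate(candidate, context)
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

Running the script shows Password1! passing the composition rule and failing only the breach screen, which is the point: composition rules alone let through exactly the passwords attackers try first, so the breach list and context check are what make the policy worth having.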
Lean on your IT team throughout the pandemic and beyond for ongoing support; they can fortify your defenses in a number of ways. For example, your IT team can help implement the following safeguards for your practice's information:
- Endpoint protection (antivirus and anti-malware) on every workstation and server
- Firewall security, so that practice systems are not directly reachable from the internet
- Data encryption, both on disks and devices (at rest) and over the network (in transit)
- Server and log monitoring, so that suspicious activity is noticed promptly rather than discovered months later
These specialists can also help you conduct the security risk analysis HIPAA expects, at least annually and whenever your systems change materially, to give you a clearer picture of your practice's vulnerabilities.
Mind the Manner in Which Data Is Stored
Your IT specialists can also help keep the systems that hold patient data off the public internet wherever practical: no practice management server exposed directly to the web, remote access only through a VPN or similar gateway, and patient data segmented from guest Wi-Fi and other low-trust networks. Fully offline storage is rarely workable for a working practice, but limiting what is reachable from outside makes it that much harder for an attacker to get to patient information.
Though it is convenient to store credit card information in-house on your own computers and servers, doing so may be a mistake. Storing patient card data in other forms, such as on paper forms or in spreadsheets, is also risky.
The better approach is usually not to hold card numbers at all: have patients present their card for each payment, or use a payment processor that tokenizes the card on its own systems so your practice keeps only a reference token. The alternative is to store card data on your internal systems and expose it to a potential breach.
The bottom line is that attackers target dental practices, medical practices, and other businesses that store card information in-house. If your practice does not store patient card numbers, say so plainly on your website.
Such a statement tells current and prospective patients that their financial information is not sitting on your systems waiting to be stolen. Do not count on it deterring attackers, who generally probe for what is actually reachable rather than reading your policy page; the real benefit is that there is nothing for them to find.
If you determine it is better to store card information in-house, you must comply fully with the Payment Card Industry Data Security Standard (PCI DSS) and the HIPAA Breach Notification Rule. Note that PCI DSS applies to any practice that accepts cards, even one that never stores them; not storing card numbers greatly reduces the scope of what you must protect, but it does not remove the obligation.
Remember, though, that a traditional general liability policy typically will not cover losses from a hack in which cyber thieves steal your financial or patient information. This is why every dental practice should carry a dedicated cyber liability policy, and read its exclusions carefully, to transfer part of that risk.
If you are hesitant to implement these precautions, consider that more than 90% of healthcare businesses suffered a digital security breach in the past five years. In short, it is better to be safe than sorry.
How to Proceed If a Data Breach Occurs
Even if you implement these suggestions, a data breach can still occur. If your practice suffers one, you must follow specific requirements to avoid the penalties and fines levied by the Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR).
A forensic investigation must be conducted to identify the cause of the breach and the information the attacker or attackers had access to. Preserve evidence before rebuilding anything: keep logs, disk images, and affected devices rather than wiping them, since the investigation depends on them. Document every detail of the breach for your practice's records, including the risk assessment the Breach Notification Rule calls for (the nature of the PHI involved, who received it, whether it was actually acquired or viewed, and how far the risk has been mitigated), because that assessment is what determines whether notification is required.
The next step is to organize the affected patient records by information such as age, location, and whether the patient is living or deceased (notice for a deceased patient goes to the next of kin or personal representative, if known). This categorization makes notification easier in the days and weeks that follow.
The notification process can be dramatic as patients react to the news. Stay calm. Patients must be notified, without unreasonable delay and no later than 60 days after the breach is discovered, that their information may have been affected. Meet with office personnel beforehand, and consider enlisting a call center so patient questions are answered accurately and efficiently.
Patients will appreciate free credit monitoring, paid for by your practice, for the next six months or a year. HIPAA does not require it, but extending such an offer can help retain patients after an unfortunate event.
The final steps are the public and regulatory notices. HIPAA requires notice to prominent media outlets (a press release is the usual form) only when a breach affects more than 500 residents of a state or jurisdiction. The breach must also be reported to HHS through the OCR breach portal: within 60 days of discovery if 500 or more individuals are affected, or otherwise logged and reported within 60 days after the end of the calendar year in which it was discovered.
Our Legal Team Is Here to Help
The aftermath of a data breach is inherently complex, but you do not have to bear the burden alone. It is in your interest to hire legal counsel to help your practice respond in a way that complies fully with the nuances of the applicable laws.
Lean on an experienced legal team to guide you through this difficult period, and you can rest easier knowing these attorneys can provide the guidance and tools necessary for compliance with each component of HIPAA.
Your attorney will also help you deal with HHS and its Office for Civil Rights after the breach. Their assistance in notifying patients and complying with the other aspects of the law will prove invaluable.
Your attorney will also prepare the reports and notices the law requires to be published, documented, or otherwise presented. Add the fact that your legal team will help you defend against lawsuits, and you have even more reason to retain counsel.
How to Ensure Remote Employees Do Not Violate HIPAA
If some of your employees work remotely rather than in the office, they must still abide by all HIPAA rules. It is your responsibility to ensure that on-site and remote employees alike understand the nuances of those rules. This awareness supports full HIPAA compliance even as office administrators, billers, clinical staff, schedulers, and other team members work from home.
After all, there are plenty of hurdles to overcome when sending and receiving private patient information through email, instant messages, phone calls, video conferences, texts, live chat platforms, and other digital communication tools while working remotely.
It is a mistake to assume your staff will understand the detailed HIPAA rules and follow them to the letter. Be proactive, give your team the information and tools they need to comply, and you can rest easier knowing your remote employees work in a manner that keeps your practice compliant.
Relaxed HIPAA Enforcement Amidst the Pandemic
The requirements of HIPAA were relaxed somewhat during the coronavirus pandemic. The Office for Civil Rights announced this enforcement discretion for telehealth in mid-March 2020. The logic was to make it easier for workers to communicate with one another and with patients through remote communication technology while practicing social distancing, and to let providers use their own professional judgment when assessing and treating patients remotely. Note that this was an exercise of enforcement discretion tied to the public health emergency, not a change to the rules themselves, and it ended with the emergency in May 2023, so the permissions described below should be treated as historical.
Relaxing the rules was sensible because some remote communication tools characterized as "non-public facing" would not otherwise have been in full compliance with HIPAA. Public-facing platforms such as Twitch, Twitter, TikTok, and Facebook Live remained prohibited despite the relaxed rules.
By contrast, non-public facing platforms such as Skype, Facebook Messenger video chat, Apple FaceTime, and Google Hangouts are not fully HIPAA compliant, yet they were temporarily permitted for the duration of the public health emergency.
However, dental practices are still required to follow all state laws pertaining to the transmission of patient information through telecom channels. When in doubt, do not hesitate to reach out to your local state agency for details about these rules.
HIPAA and PHI
HIPAA rules and regulations are designed to prevent the unauthorized disclosure of sensitive patient information, known as protected health information (PHI). HIPAA's Privacy Rule governs how PHI may be used and disclosed, and its Security Rule sets national standards for protecting PHI that is stored or transmitted electronically (ePHI).
In short, PHI is individually identifiable information about a specific patient's past, present, or future physical or mental health, the care provided, or payment for that care. PHI encompasses:
- Documentation of visits to the dental practice
- Notes made by office personnel
- Patient charts
- Payment information
- Claim status information
- Information pertaining to patient dental benefits
Such information falls under the PHI umbrella regardless of whether it is transmitted or stored electronically, on paper or verbally. Dental practices are legally required to ensure PHI remains secure and private, even when handled, transmitted, or stored in a remote work environment during the ongoing pandemic. Furthermore, dental practices are also required to properly prepare employees for working remotely in a manner that fully complies with the detailed HIPAA rules.
How to Protect PHI When Sharing Remotely
HIPAA applies to PHI in all electronic formats, including information stored or transmitted on laptops, tablets, smartphones, and other mobile devices. These devices can be used to transmit patient information, but the proper safeguards must be in place when they are.
In plain English, electronic PHI should be transmitted only over a channel that encrypts it in transit. The Security Rule treats encryption as an "addressable" safeguard, meaning a practice must either encrypt or document why an equivalent alternative is reasonable; for anything crossing the public internet, encryption is the only defensible answer in practice. Standard SMS text messaging is not encrypted end to end and passes through carrier systems, so sending PHI by ordinary text message does not meet the standard. (A patient may ask to receive information by unencrypted email or text; document that request and the warning you gave before honoring it.)
Every dentist and dental practice employee should be aware that consumer email accounts such as AOL, Yahoo Mail, Hotmail/Outlook.com, and personal Gmail are not suitable for PHI, because the provider will not sign a business associate agreement (BAA) for them. Do not transmit PHI through email unless you are using a business service for which the provider signs a BAA, such as Google Workspace (formerly G Suite) or Microsoft 365. The BAA is the provider's commitment to the safeguards HIPAA requires of a business associate, but it covers only the services and configurations it names; the practice still has to set the service up properly (enforced multi-factor authentication, restricted sharing, and encryption or a secure message portal for mail that leaves your domain) and train staff to use it.
Transmitting PHI by fax is permitted under HIPAA. Always use a cover sheet with a confidentiality notice, and confirm the recipient's number before sending. If you fax PHI to the wrong party, contact them, ask them to destroy the transmission, and document the incident: a misdirected fax is an impermissible disclosure that must be risk-assessed under the Breach Notification Rule and may itself be a reportable breach.
Steps to Take for Remote Employee HIPAA Compliance
Attention to detail, mindfulness, and hard work are all necessary to ensure your dental practice fully complies with HIPAA rules. This challenge is complicated by the fact that some dental practice employees are working from home.
The last thing you need is a HIPAA violation that leads to a civil penalty, which can run from thousands of dollars per violation up to annual caps in the millions. This is precisely why it is so important that your remote employees do not violate HIPAA rules.
Let’s take a look at some steps that will help safeguard patient PHI and help your remote workers adhere to HIPAA rules to maintain full compliance.
Brainstorm and Implement Work Policies and Procedures
Dental practices must formulate policies and procedures for employees who work remotely, clearly defining expectations for printing PHI, destroying it, and storing and safeguarding documents that contain it.
These policies should require that PHI be encrypted before it is transmitted and wherever it is stored outside the office. This is easier than most assume: the operating systems on modern laptops include full-disk encryption (BitLocker on Windows, FileVault on macOS), and business email and file-sharing services covered by a BAA encrypt data in transit.
Employees may take mobile devices home, some of which are likely to hold PHI. Such devices must have full-disk encryption turned on, be protected with a strong password or passcode and an automatic screen lock, and ideally be enrolled in mobile device management so they can be wiped remotely if lost or stolen.
If you permit your remote employees to bring paper documents out of the office, doing so should only be permitted if there is a legitimate business reason for moving them out of the office. Make it crystal clear that such documents must be transported and stored as securely as possible.
Remote employees who use personal devices for work must run current antivirus or endpoint protection at all times, and keep the device on a supported operating system with the latest security updates installed.
The device and the PHI on it should be accessible only to the remote worker. Remote workers should also understand that PHI must not be accessed over public wireless networks, such as those in airports and cafes, unless the connection goes through the practice's VPN.
Be Careful With Non-Public Facing Platforms
As noted above, practice employees were allowed to use certain non-public facing platforms during the pandemic even though they are not fully HIPAA compliant. Where the option is available, it is better to use a platform whose vendor will sign a BAA and that can be configured for healthcare use, such as Zoom for Healthcare or Microsoft Teams under a Microsoft 365 BAA (Skype for Business, often recommended in 2020, has since been retired in favor of Teams). No platform is "HIPAA compliant" on its own; compliance comes from the BAA plus how you configure and use it.
Additional Confidentiality Requirements
It is in your interest to remind your remote workers that they should hide their screen from others while working at home and elsewhere when outside of the office. Family members, friends, strangers, and others should not be permitted to see information on the screen that relates to work.
Communicate to your employees that they are not permitted to print documents unless those documents can be secured in a manner that prevents unauthorized individuals from viewing them. Make it perfectly clear to employees that they are not to conduct a business phone call or discuss information pertaining to clients in an area where others can hear the conversation.
Employees should also be made aware that sensitive information must be shredded, never thrown in the trash. When connecting to the practice network, a VPN should be used so that traffic between the home and the office is encrypted; a VPN protects the connection, not a compromised device, so it complements rather than replaces the endpoint protections above.
Employees who work remotely also should be aware that they are not allowed to access patient medical records or other business systems on a computer used by family, roommates, or others who are not employed by the practice.
Finally, tell your remote workers to lock or log off their computer whenever they step away, and to configure an automatic screen lock after a few minutes of inactivity, so that no one else in the home or elsewhere can reach patient information.
A data breach can have a major impact on a dental practice. By putting strong policies in place, you can limit your exposure to potential fraud. If you believe a data breach occurred in your dental practice or you have some trepidation in regard to your current policies, consult with an attorney or IT professional.
Mr. Ali Oromchian, JD, LLM, is one of the nation’s leading dental lawyers on topics relevant to dentists. He is the founder of Dental and Medical Counsel PC, which is regarded as one of the preeminent dental law firms devoted to dental entrepreneurs. He is also recognized as an exceptional speaker and educator. Additionally, he is the author of The Strategic Dentist and founder of Dental B-School which serve as guides to dentists looking to purchase or start their own practice. He can be reached at firstname.lastname@example.org.