Everything changes, and that is astoundingly true of HIPAA protocols in the dental office. Technology leads and speeds our communication age, but it also opens a free-for-all for identity thieves and computer hackers. If you invest the next five minutes in reading this article, it will give you valuable insight that could prevent poor judgment and common HIPAA mistakes that may unknowingly be happening in your dental office.
HIPAA is the new “canker sore” of the dental industry. It is problematic, and breaches often originate without notice, then rage with fury when the HIPAA auditor arrives to inspect the privacy and security practices within your office.
This is especially true with regard to patients' Protected Health Information (PHI). The coveted combination of a matching Social Security number and date of birth is the grand prize in the underworld of identity pirates, and dental offices can make the booty even grander with patient data that is ripe and readily accessible. Even opening an innocent-looking email can land you in scalding water.
Below are two real-life situations to remedy within your office. Whether you are already HIPAA Omnibus Rule savvy (having updated all of your HIPAA protocols since 2013) or you need a HIPAA update and overhaul to these new standards, the following incidents will help you understand how to properly prepare your dental team for current-day HIPAA success:
THE RANSOMWARE SCARE
One morning Rita the receptionist sat down at her desk to start her workday as she always did, by sorting through her email. Everyone else was settling into their operatories and beginning patient care. Her Outlook™ window started to open, but when she tried to navigate, she couldn't. Her computer had locked up. She went to reboot, but couldn't; everything was frozen. A yell came from the hygienist, then the doctor, then the assistant: “What's going on with the computers?” each clinician howled.
It was a ransomware attack. Ransomware is a type of trojan horse malware that is launched by opening a file or clicking on a link. Ransomware thieves commonly deliver it in emails that look normal but, once opened, lock you out of your own computers. It will paralyze and stop your dental practice, many times for days. The email arrives ostensibly from a company or individual that you recognize. The first ransomware campaigns used emails supposedly sent from FedEx or UPS saying they had tried to deliver a package and asking you to click a link to reschedule. The instant the link is clicked, the ransomware is launched and it is too late: your computers lock down. More recently, emails that look as if they are from a patient ask you to click a link, and again the ransomware is launched.
What's the payoff? Ransomware thieves are looking for money, in the form of bitcoins, which are a form of untraceable internet currency. In 2015, there were an estimated 5 million pieces of ransomware. The bandits are looking for $500-$1,000 in bitcoin ransom per attack. This is big business in the felonious world of internet hacking malefactors, and it can happen to anyone or any business. For the unsuspecting dental office, most computer lockdowns will paralyze and then destroy office functions for days or weeks, and many times cause irreparable damage.
What's the prevention? There needs to be a technology breakthrough that allows a defense against these viruses. In the meantime, best practice will have you using a Business Continuity System (BCS) from DDS Rescue™ that acts as a unique safeguard. The BCS protects your office functions, as it can instantly perform as a virtualized office server, something no other provider can thus far offer. When your computers lock, DDS Rescue™ can be called and the virtualized office server is activated. Your IT tech can then “scrub” your server of all corruption and repopulate your original server.
BACK UP DRIVES THAT BITE BACK
Dr. Detailed liked to keep his pulse on all the goings-on within the practice. He needed to be “in the know” and “in control” of the business at all times, and he deliberately kept important practice information within his reach.
Every day at the close of business, Dr. Detailed had the same routine. He would pick up the deposit envelope from his receptionist, reach under his desk, pop the data back-up drive out of the server tower, carry both to his car and speed off to the bank's night depository.
On Saturday morning, he took the back-up drive with him, laid it on the front seat and headed to the office. He worked in his lab all morning. Then he realized he had left the back-up drive on his front seat. The car was still locked, but now glass was smashed everywhere, and though he searched and searched, the back-up drive was gone. He called the police.
“Why would this happen?” he asked. The officer replied, “Could be kids, could be more. Recently there has been a string of attacks on healthcare offices. Identity thieves seeking patient information, especially Social Security numbers that match to birth dates. Why are you still using a take-along removable disk drive for your data?” the officer questioned. Dr. Detailed nervously stammered, “Ah—I—was going to change… but—I—ah… couldn't decide, didn't want to change over—who would want my patient data? I'm—I'm—I'm just a dentist!” he growled.
“Well, Dr. Detailed, how many patient records would you say were on that back-up drive?”
“2,431 active patients and 107 inactive,” Dr. Detailed managed to mumble.
“Have a seat, Doctor. This report is going to take a while.”
That weekend was a whirlwind of research for Dr. Detailed. He talked to police officers and HIPAA lawyers and realized that he would have to report the breach to all 2,538 patients, to the Department of Health & Human Services in a formal online report, and also announce it to the public via the media.
His legal retainer was $20,000. The HIPAA audit, he was warned, could last up to 18 months. Fines start at $10,000 and can run up to the $1M mark. He learned that 48% of HIPAA breaches come from theft of devices.
The next 12 months were life changing. Dr. Detailed's practice started to dry up; there wasn't much left to micromanage. His HIPAA fines were upwards of $300K, and his legal fees were just as much. He wished daily that he had done his homework and listened to his dentist friends who were choosing more resourceful and secure daily data back-up options that measured up to the new HIPAA Omnibus Rule protocols, which call for “offsite & encrypted” daily data back-up copies.
What's the prevention? Getting educated about these new HIPAA Omnibus Rules is key. They impact almost all of your day-to-day business functions, and every employee has to be educated to understand these new laws and then align with them. This requires employee training, updating paperwork and forms, and revising all office protocols, which includes software, internet and email activities too. Begin by aligning your dental team with HIPAA experts: you will need HIPAA educators, form and paperwork providers, IT, and software data back-up integration companies. These new HIPAA Omnibus Rules are nothing to take lightly. Enlightenment about the laws is the first step.
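As an added example (not code from the original article or from any vendor it mentions), the script below contrasts Dr. Detailed's take-along plaintext copy with an encrypted, digest-checked archive of the kind the "offsite & encrypted" requirement calls for. It assumes a POSIX shell with tar, awk and openssl; the patient records and the key file are constructed stand-ins, and the key file represents a key stored apart from the drive.

```shell
#!/bin/sh
# Added example, not code from the original article. Contrasts a plaintext
# "take-along" backup with an encrypted, integrity-checked archive.
# Assumes: POSIX sh, tar, awk, openssl. All data below is constructed.
set -eu

WORK="$(mktemp -d)"
PRACTICE_DATA="$WORK/practice_data"   # constructed stand-in for the practice database
KEY_FILE="$WORK/backup.key"           # stand-in for a key kept apart from the drive
mkdir -p "$PRACTICE_DATA"
printf 'name,dob,ssn\nJane Doe,1980-01-01,000-00-0000\n' > "$PRACTICE_DATA/patients.csv"
printf 'constructed sample chart note\n' > "$PRACTICE_DATA/notes.txt"

# One-time key generation; real deployments keep it in a password manager,
# never on the removable drive that carries the backup.
openssl rand -hex 32 > "$KEY_FILE"
chmod 600 "$KEY_FILE"

# make_plain_backup SRC_DIR OUT_FILE: the risky copy from the story, readable by anyone.
make_plain_backup() {
    tar -C "$1" -cf "$2" .
}

# make_encrypted_backup SRC_DIR OUT_FILE KEY_FILE: AES-256-CBC with a
# PBKDF2-derived key, plus a SHA-256 digest written beside the archive.
make_encrypted_backup() {
    tar -C "$1" -cf - . |
        openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$3" -out "$2"
    openssl dgst -sha256 "$2" | awk '{print $NF}' > "$2.sha256"
}

# verify_backup OUT_FILE KEY_FILE: recompute the digest, then prove the
# archive decrypts and lists cleanly. Returns 0 on success, 1 otherwise.
verify_backup() {
    [ "$(openssl dgst -sha256 "$1" | awk '{print $NF}')" = "$(cat "$1.sha256")" ] || return 1
    tmp="$(mktemp)"
    if openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$2" -in "$1" -out "$tmp" 2>/dev/null \
        && tar -tf "$tmp" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# contains_plaintext FILE NEEDLE: 0 if NEEDLE is readable in FILE (grep -a treats
# the archive as text), 1 otherwise. Used to check for exposed PHI.
contains_plaintext() {
    grep -aq "$2" "$1"
}
```

Running the plain copy through contains_plaintext shows the SSN readable by whoever picks up the drive, while the encrypted archive hides it and fails verify_backup under a wrong key or after tampering.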
For more information or to get HIPAA Omnibus Rule answers, you can reach out to:
Jill Obrochta, RDH, OSHA & HIPAA Dental Industry Educator
Steve White, 39-year industry veteran
firstname.lastname@example.org (800) 998-9048 ext. 107