Making Patient Data More Secure
Strategies for navigating compliance with the Health Insurance Portability and Accountability Act of 1996 and mitigating breach risks.
This course was published in the April/May 2024 issue and expires May 2027. The authors have no commercial conflicts of interest to disclose. This 2 credit hour self-study activity is electronically mediated.
AGD Subject Code: 566
EDUCATIONAL OBJECTIVES
After reading this course, the participant should be able to:
- Identify Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations, including recent updates, enforcement mechanisms, and penalties for noncompliance.
- Recognize internal and external threats to patient data security in dental practices and implement effective risk mitigation strategies.
- Discuss how to report suspected HIPAA violations, the investigative process, and appropriate response measures within dental settings.
Organizations with limited resources, such as dental offices, are likely targets of data breaches and ransomware attacks. Recently, one breach in dentistry compromised approximately 9 million individuals’ protected health information (PHI).3,4 Sources used by cybercriminals to access patient data include but are not limited to laptops, desktop computers, email, network servers, and portable electronic devices.
Additionally, the manner in which breaches occur has changed. The loss/theft of healthcare records and PHI were the main causes of data breaches between 2009 and 2015.1,2 Today, hacking/information technology (IT) thefts and unauthorized access/disclosure incidents are the main culprits behind patient data breaches.1,2 Two of the largest reported healthcare data breaches between 2009-2021 were dental practices.5,6
Oral health professionals must identify risks and employ methods to mitigate susceptibility. In addition, dental organizations should invest in annual security awareness training for team members to learn how to prevent information security breaches in the future.
Regulatory Oversight
The Office of Civil Rights (OCR), within the United States Department of Health and Human Services (HHS), is the regulatory body for the Health Insurance Portability and Accountability Act of 1996 (HIPAA). It issues guidance and interpretations on HIPAA privacy and security rules, including how these rules apply to electronic health records, personal health records, and health IT.
The OCR also ensures compliance with the HIPAA privacy and security rules through investigation and the ability to impose civil monetary penalties. The Health Information Technology for Economic and Clinical Health Act of 2009 enhanced many of the HIPAA privacy rule provisions, including extending certain requirements to business associates; limiting the uses and disclosure of PHI for marketing; prohibiting the sale of PHI without patient authorization; expanding individuals’ rights to access their information; restricting certain PHI disclosures to health plans; and providing greater enforcement authority to the OCR.7
The Office of the National Coordinator for Health Information Technology (ONC) develops nationwide health information technology infrastructure that allows for the electronic use and exchange of health information. This includes examining and recommending policies, technology, and practices that protect privacy and promote security. In addition, the ONC develops regulations for the certification of electronic medical records, engages public input, and implements grant programs.7
The OCR defines a breach as an “impermissible use or disclosure under the privacy rule that compromises the security or privacy of protected health information.”8 Data breaches are typically classified into two categories: internal and external. Internal data breaches comprise incidents that occur inside of an organization and may include privilege abuse, unauthentic access/disclosure, improper disposal of unnecessary but sensitive data, loss or theft, or the unintentional sharing of confidential data to an unauthorized party. External data breaches include hacking/IT incidents such as malware attacks, ransomware attacks, phishing, spyware, or fraud.9 Table 1 defines different types of malicious activity.10
Breaches of dental patient information are reported to the ONC along with all healthcare services. A 15-year analysis (2005-2019) showed that the healthcare sector faced the highest number of data breaches out of all sectors.9 Moreover, between 2015 and 2019, the healthcare industry comprised 76.59% of reported data breaches.1,9
Covered Entities
Covered entities are defined in the HIPAA rules as health plans, healthcare clearinghouses (companies that securely process electronic claims between providers and insurers), and healthcare providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.11 Dental practices are considered covered entities. Dentists and dental hygienists may be considered covered if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.
While dental practices are considered covered entities, business associates have outpaced health plans in terms of the number of HIPAA breaches reported to the OCR. If a covered entity engages a business associate to help carry out any healthcare activity or function, a written business associate contract must be employed. The contract must establish specifically what the business associate has been engaged to do and requires the business associate to comply with HIPAA. Visit cms.gov to determine who is a covered entity.
Business associates are vendors (to a covered entity) that “create, receive, maintain, or transmit” PHI, while performing a service involving the PHI.17 Business associates include collection agencies, billing or coding companies, IT consultants and vendors, practice management services, medical transcriptionists, answering services, e-prescribing services, law offices or accounting firms, and subcontractors providing remote backup services of patient information for an IT contractor. An employee or member of the covered entity’s workforce is not a business associate; however, one covered entity can be a business associate of another covered entity. For example, a health insurance plan can be a business associate of a dental practice.12,13
The OCR and state attorney generals can issue penalties for HIPAA violations. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards required by HIPAA. The four categories used for the penalty structure violations are:
Tier 1. Covered entity was unaware of and could not have realistically avoided violation and a reasonable amount of care had been taken to abide by HIPAA rules. Fine of $100 to $50,000 per violation (maximum $25,000 per year).
Tier 2. Covered entity should have been aware of but could not have avoided violation even with a reasonable amount of care (but falling short of willful neglect of HIPAA rules). Fine of $1,000 to $50,000 per violation (maximum $100,000 per year).
Tier 3. Violation due to a direct result of willful neglect of HIPAA rules in cases where an attempt has been made to correct the violation. Fine of $10,000 to $50,000 per violation (maximum $250,000 per year).
Tier 4. Violation of HIPAA rules constituting willful neglect where no attempt has been made to correct the violation. Fine of $50,000 per violation (maximum $1.5 million per year).
OCR reported that penalties for specific dental practices ranged from $5,000 to $62,500 between 2008 and 2022.14
Steps to Ensure a Safer Dental Practice
The American Dental Association (ADA) recommends the development of policies and procedures that outline the administrative, physical, and technical safeguards to ensure compliance and protect patients’ health information.15
Administrative safeguards establish standards and specifications for the health information security program. These may include risk management protocols, written policies and procedures, office training, a designated practice security and privacy officer, documentation of security incidents, and establishing business associate agreements.14
Physical safeguards control physical access to office and computer systems. Such safeguards restrict physical access to electronic PHI and limit facility access by ensuring the physical environment of the workstation sufficiently protects any data that might be visible on screens; establishing device and media controls, such as safeguards, to ensure the secure storage of data; and the secure transportation and disposal of data any devices used to store them.14
Technical safeguard technologies that limit access to electronic PHI protect data and control access. Employing practices, such as requiring access control and validation processes to restrict access to PHI, including removing terminated employees; using authentication methods that verify the person signing onto a computer is who he or she claims to be; encrypti/g/decrypting data during storage and transmittal of information; and implementing audit controls to examine activity in information systems, are key to preventing data breaches.14
Every state has laws regarding retaining patient records and all practitioners should understand which laws apply to their state. In addition, the ADA offers record retention and destruction guidelines for managing professional risk. Retention guidelines highlight the following: retention times may vary for adult vs pediatric records, additional recordkeeping requirements apply to HIPAA-covered entities, and record-retention policies are necessary.16 According to HIPAA, the destruction of paper, films, or other hard-copy records must either be shredded or destroyed where PHI cannot be identified or reconstructed.17 Employing the help of professional disposal contract agencies is useful but they should be vetted for reputability and compliance with privacy and security laws. Clinicians should refer to their state guidelines to identify the duration for record retention.18 Table 2 lists some additional dos and don’ts.
When a Data Breach Is Suspected
All employees in healthcare settings must understand what constitutes a HIPAA violation and how to report such a violation. This information, as well as the correct person to report it to, should be included in annual training. This individual is responsible for determining whether the HIPAA violation should be reported to the OCR.
Accidental HIPAA violations can happen even when employees are careful. If a patient’s PHI is accidentally viewed by an unauthorized person within your organization, it is best to report the violation immediately to your organization’s delegated practice security and privacy officer. This may be the office manager in a small practice.
The complaint should be investigated internally, and a decision made about whether it is a reportable breach under the HIPAA breach notification rule. Usually, minor incidents do not require notification, including negligible errors made in good faith or if PHI is disclosed with little chance of it being stored.19
Employees and patients do not have to wait on the covered entity to report a concern. Individuals can make a HIPAA complaint directly to the OCR if it is believed that a covered entity has violated the HIPAA privacy, security, or breach notification rules. HIPAA complaints can be submitted via the OCR’s online complaint portal: hhs.g/v/hipaa/filing-a-complaint/complaint-process. The OCR will also accept complaints via fax, mail, or email.
All complaints are assessed and further investigated if violation of HIPAA rules is suspected and the complaint is submitted within 180 days. Most often, reported issues are resolved through voluntary compliance, technical guidance, or corrective action.20 Table 3 lists the key information that needs to be reported.8
Conclusion
With the growing trend of healthcare data breaches and ransomware attacks, dental professionals need to be acquainted with the necessary safeguards to keep patient dental records secure. In addition, the dental industry should rely on the ONC for support to ensure a secure infrastructure is in place to mitigate attacks. Dental practices need to implement annual security awareness trainings for all team members and remain up-to-date on how to prevent future breaches and security attacks. Dental team members do not need to decide if a situation is a security breach, they just have to report a concern to the appropriate person in the practice (designated security privacy officer). The OCR will provide the next steps.
A policy should be in place regarding who has the authority to release patient records. All staff members should be aware that patient information should never be disseminated without the dentist’s knowledge and approval. Moreover, an attorney should be consulted to ensure the practice is legally compliant, so potential risks are minimized.
References
- Healthcare Data Breach Statistics. The HIPAA Journal. Available at: hipaajournal.c/m/healthcare-data-breach-statistics. Accessed March 24, 2024.
- IBM: Average Cost of a Healthcare Data Breach Increases to Almost $11 Million. The HIPAA Journal. Available at: hipaajournal.com/떗-cost-healthcare-data-breach. Accessed March 24, 2024.
- Managed Care of North America Hacking Incident Impacts 8.9 Million Individuals. The HIPAA Journal. Available at: hipaajournal.com/managed-care-of-north-america-hacking-incident-impacts-8-9-million-individuals. Accessed March 24, 2024.
- Data Breach Notifications. Office of the Maine Attorney General. Available at: apps.web.maine.gov/online/aeviewer/ME/葴/b95c8-abc8-41f1-8c3f-b0415575de56.shtml. Accessed March 24, 2024.
- Dominion National Proposes $2 Million Settlement to Resolve Class Action Data Breach Lawsuit. The HIPAA Journal. Available at: .hipaajournal.com/dominion-national-proposes-2-million-settlement-to-resolve-class-action-data-breach-lawsuit. Accessed March 24, 2024.
- Dental Care Alliance Data Breach Impacts More Than 1 Million Patients. The HIPAA Journal. Available at: hipaajournal.com/dental-care-alliance-data-breach-impacts-more-than-1-million-patients. Accessed March 24, 2024.
- The Office of the National Coordinator for Health Information Technology. Frequently Asked Questions. Available at: healthit.gov/faq/what-are-respective-roles-onc-and-ocr-regarding-privacy-and-security. Accessed March 24, 2024.
- United States Department of Health and Human Services. Breach Notification. Available at: hhs.gov/hipaa/for-professionals/breach-notification/index.html. Accessed March 24, 2024.
- Seh AH, Zarour M, Alenezi M, et al. Healthcare data breaches: Insights and implications. Healthcare (Basel). 2020;8:133.
- National Institute of Standards and Technology. Computer Security Resource Center Glossary. Available at: csrc.nist.gov/glossary. Accessed March 24, 2024.
- Centers for Medicare and Medicaid Services. Are You a Covered Entity? Available at: cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/AreYouaCoveredEntity. Accessed March 24, 2024.
- United States Department of Health and Human Services. Business Associates. Available at: hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html. Accessed March 24, 2024.
- Hales M. The HIPAA-e tool business associates 101. Available at: thehipaaetool.com/business-associates-101. Accessed March 24, 2024.
- United States Department of Health and Human Services. Summary of the HIPAA Security Rule. Available at: hhs.gov/hipaa/for-professionals/security/index.html. Accessed March 24, 2024.
- American Dental Association. Managing the Regulatory Environment— ADA’s Guidelines for Practice Success. Available at: ada.org/-/media/project/ada-organization/ada/ada-org/files/publications/guidelines-for-practice-success/gps-regulatory/hipaa-breach-notification-rule-tip-sheet.pdf. Accessed March 24, 2024.
- American Dental Association. Record Retention. Available at: ada.org/resources/practice/practice-management/record-retention. Accessed March 24, 2024.
- American Dental Association.Record Destruction. Available at: ada.org/resources/practice/practice-management/record-destruction. Accessed March 24, 2024.
- The Office of the National Coordinator for Health Information Technology. State Medical Record Laws: Minimum Medical Record Retention Periods for Records Held by Medical Doctors and Hospitals. Available at: healthit.gov/sites/default/files/appa7-1.pdf. Accessed March 24, 2024.
- How Should You Respond to an Accidental HIPAA Violation. The HIPAA Journal. Available at: hipaajournal.com/accidental-hipaa-violation. Accessed March 24, 2024.
- United States Department of Health and Human Services. How to File a Health Information Privacy or Security Complaint. Available at: hhs.gov/hipaa/filing-a-complaint/complaint-process/index.html. Accessed March 24, 2024.
From Dimensions of Dental Hygiene. April/May 2024; 22(3):28-31