DENTAL & MEDICAL COUNSEL: How Data Breaches Affect Dental Practices
Ali Oromchian Esq of the Dental and Medical Counsel wrote the following piece:
As technology evolves so do the risks to a dental practice especially when it comes to HIPAA and other related security breaches of sensitive data. When you own a dental practice, a data breach occurs when there has been unauthorized access to data that is confidential which includes information such as patients’ social security numbers, names, addresses, birth dates and more. Most data breaches are sourced from several types of events: criminal attacks, system vulnerabilities or human error.
One study even shows that the average cost per compromised healthcare record is about $380. By multiplying this average number with the number of patients in a dental practice, the final result could be devastating. The costs typically consist of notifications to federal regulators, forensic investigations, credit monitoring services, and lawsuits.
The best way to avoid these potential costs is by preparing your dental practice ahead of time. A combination of data loss prevention methods and proper employee training are the key to protecting your practice from any potential data breaches. Methods such as firewall security, virus protection, server monitoring, and data encryption are several ways you can protect your confidential information. You can also practice security risk assessments on an annual basis in order to understand where you might be vulnerable.
Even though the preparation process may feel overwhelming, there are several ways that you can take extra steps to protect your dental practice. First, consider working with your information technology (IT) provider to address potential issues. You may be able to have them assist you with localizing your patient information on computers that do not have internet access. This would make it significantly more difficult for a hacker to gain access to your patients’ information. Next, you should similarly educate your staff on the way patient information should be protected. This means that you should exhibit best practices for how to keep information secure. One of the most basic ways of doing this is by creating strong passwords which are changed regularly. Remember, the education of your staff on these points and others could be the difference between the survival or failure of your dental practice.
Another way to be preemptive about your dental practice’s data is by choosing not to store credit card data. By not storing that information at your practice, you are much less likely to have a data breach of that information. However, if you do choose to use credit cards in general, be certain that you comply with the Payment Card Industry Data Security Standard rules. You will also need to be in compliance with the HIPAA Breach Notification Rule. Lastly, you should seek to obtain asset protections in order to avoid risk. While there are options to get coverage for this type of protection, it generally does not fall under traditional liability policies.
If a data breach does happen to occur, however, there are certain requirements you will need to follow to prevent fines or penalties from the Department of Health and Human Services. Firstly, a forensic investigation should be carried out in order to determine the cause of the breach and what information might be affected. Next, you must be certain to document the incident for your records. Following that, it would be prudent to sort through your patient records and categorize them by location or state, age, and whether or not they are deceased. These categories can assist in varying notification requirements.
Once you begin the notification process, you will want to be certain that you are prepared for any reactions by your patients. First, be ready to inform every single patient that may have been affected by the breach. Next, prepare your staff and/or a call center for questions that they may encounter from patients. As an added benefit for your clients, you may also wish to organize some sort of credit monitoring service as a courtesy. After embarking on the notification process for clients, you will need to draft a press release for the media; this is a requirement of HIPAA. Other things that should be done include reporting to Health and Human Services and the Office for Civil Rights.
One important consideration in light of all of the above is hiring legal counsel to assist your dental practice with a data breach. Because data breaches are a particularly narrow type of problem to resolve, finding a team that has significant experience in that area is crucial. Such a legal team will have the tools necessary to comply with all aspects of HIPAA. They will also have experience in dealing with the Department of Health and Human Services and/or the Office for Civil Rights. A legal team can assist with any notifications that will need to be made to patients, as well as developing any reports that will need to be documented or publicized. If worst came to worst, legal counsel would also be absolutely necessary for navigating any lawsuit entanglements as a result of a data breach.
As the owner or manager of a dental practice, it is clear that there are a number of actions you can take in order to protect your firm in the best and most efficient ways. By understanding where risks can be mitigated in advance, you are doing yourself and your practice a great favor. When preparing ahead of time, properly managing any breaches that may occur, and obtaining legal counsel, you can be certain that you have been the most diligent as possible regarding data breaches and your dental practice.
If you have any questions regarding a potential data breach or how you can work towards protecting sensitive data, please contact us.