June 24, 2019
NJDA members have reported that their systems were infected with malicious software. This software takes over your hard drive when you click on an infected advertisement, email, attachment or website. It encrypts the contents of the device and of any other connected electronic devices. The hacker then demands a “bitcoin or cryptocurrency” payment to unlock them. With any luck, you will have adequate data in your backups to recover from the ransomware nightmare, but then you will have an entirely different mess to deal with – HIPAA Compliance.
The Health and Human Services Office for Civil Rights (OCR) is the federal agency responsible for enforcing the HIPAA Regulations, which include information security requirements for dental offices. Recently, OCR advised that Covered Entities who fall victim to ransomware are to treat the security incident as a HIPAA breach.
These types of breach issues usually involve more than 500 people and therefore require a breach notification to affected patients, OCR, and local television and newspaper media within 60 days of the discovery of the breach. FYI: failure to make this timely notification has cost one Covered Entity over $475,000.
Currently, the Office for Civil Rights investigates every breach that affects 500 or more persons. These types of investigations don’t stop short at why it happened, how it happened and whether you did the right thing after it happened. They typically are very comprehensive and evaluate your entire in-office HIPAA Compliance Program, including your HIPAA Compliance Employee Manual. So I have to ask: do you have a HIPAA Compliance Employee Manual? Even if you are on the ball and have a tip-top compliance manual full of employee signatures showing they completed their training, I wouldn’t recommend an encounter with this agency, which is likely ruthless in its enforcement efforts. It is my understanding that investigations can take anywhere from 1-6 years to resolve. To date, I have no information supporting that a dentist has paid a large sum to OCR in fines or settlements, but I’m sure it is on the horizon. Be proactive and prepare your office and staff to prevent or minimize the risks. Here are some small things you can do to prepare for and/or prevent a breach in your office:
- Contact your Risk Management Advisor to ensure you have enough cyber security coverage. What’s reasonable coverage you may ask? Well, I’m no expert – but I would imagine one or two million in coverage per incident seems fair. I have no idea what that costs, but a HIPAA Breach could potentially bankrupt your practice; at the very least, talk to an expert and get some quotes.
- Evaluate whether your anti-virus/anti-malware system is reputable and adequate. There are a lot of companies out there that use their anti-virus software as a gateway to your information. I would also double-check your firewall. You can also use a Virtual Private Network (VPN) for all data transmissions, which includes internet searches, electronic claim submissions and any data that’s been copied or moved from one computer to another.
- Isolate your Wi-Fi for staff and business use and offer a separate Wi-Fi network for patients. For example, I would also not use the same Wi-Fi network for streaming music that staff use for electronic claim submissions.
- Heighten the awareness of your staff; train and educate them regarding cyber security issues. Keep up with new reports about healthcare cybersecurity attacks. There is a lot of information available to educate and protect you, some free – others quite expensive; screen carefully and spend wisely.
- Ensure your office has adequate written policies and procedures related to HIPAA Privacy, HIPAA Breach Notification and the Security Rule. Most audits will want to see at least 6 years’ worth of paperwork. There is no hard-and-fast rule for getting it right, but due diligence and a faithful effort go a long way. You may ultimately decide to enlist the assistance of a HIPAA Compliance Specialist, which is a business decision, but be sure to educate yourself first so you know what to ask for, what to expect and have a ballpark of what it should cost you.
Ensure your office’s Notice of Privacy Practices (NPP) is up to date. You can get an updated version free from OCR.
How about your Business Associate Agreements (BAA)? They should be signed by you and each of your Business Associates. Who are your Business Associates? Anyone that has access to your patients’ protected health information (PHI). Need a BAA template? OCR has one you can implement.
The HIPAA Security Rule requires dental practices to complete a periodic RISK ANALYSIS (RA). This should be done (in my opinion) annually, or whenever you make any changes to your I.T. environment. So first you need to list all your vulnerabilities (areas where a breach is possible); then you need a written policy to manage and protect against them, which is RISK MANAGEMENT (RM).
Additional information on RA and RM, including the Risk Analysis process, is available from OCR.
The world and the cyber world change constantly, and there is a lot more to HIPAA Compliance than just what I have suggested, but if you can check some of these things off your list, you will be off to a good start.