Tag: HIPAA

From Becker’s:

The lawsuit, dismissed July 16, alleged that the more than 391,000 patients whose data was affected are facing distress and financial losses due to their personal data being in insecure hands. However, U.S. District Judge Austin Huffaker dropped the case because the plaintiffs could not prove their data had been misused.

Source: Data breach lawsuit against pediatric dental center dropped, judge cites lack of evidence

A bit of sanity. If patients are not actually damaged in any way by a data breach they have no right to compensation. No harm no foul.

HIPAA rules assume the opposite. If data is breached, even though no patients are harmed the dentist is at fault and subject to punitive fines and other administrative penalties.

Hmmm. Most significant data breaches in medicine and dentistry are not individual dentists but medical and dental plans.

From Health IT Security:

Delta Dental of Arizona is notifying an undisclosed number of individuals that their personal and medical data was potentially breached by a phishing attack in July.On July 8, the dental insurer discovered suspicious activity on an employee email account and launched an investigation with help from third-party forensic investigators. They determined an employee fell victim to a phishing scam giving a hacker access to the email account…

…The notification did not explain the delay in reporting the incident. Under HIPAA, covered entities and business associates are required to provide breach notifications within 60 days of discovery.

Source: Delta Dental of Arizona Reports July 2019 Phishing Attack-Related Breach

From ADA News:

Modern Healthcare reported HHS said last week that it “collected a record $28.7 million from healthcare providers and insurers in 2018 for inadequate responses to data breaches.” This figure exceeds the total of $23.5 million for 2017. Office for Civil Rights Director Roger Severino said, “Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action.”

HHS has aggressively moved from warning violators to punishing them. Punishing them severely. A typical fine is $200 per exposed record. If you have 3000 patient records on your server and it is compromised you could face a fine of $600,000. None of which will be paid by insurance.

The largest area of reported data breaches is theft. Not theft of data theft of hardware. The number one safeguard you need to implement is encryption of all your patient data.

From Reuters:

But the top cause of data breaches, accounting for 42 percent of cases and 472 incidents, was theft of equipment or information by unknown outsiders or by current or former employees, the study found.

Source: Hackers are not main cause of health data breaches | Reuters

This confirms my research. We worry about mysterious hackers lurking in cyberspace just waiting to pounce on our data. However most reported data breaches are NOT hackers. The largest category, by far, is stolen hardware. Which – by the way – hardly ever results in actual patients data being exploited.

From ADA News:

Anthem has agreed to pay the Office of Civil Rights $16 million dollars to settle potential HIPAA violations after cyberattacks on the company allegedly exposed the electronic protected health information of 79 million people. This is the largest HIPAA settlement in U.S. history, according to a press release from the Department of Health and Human Services.

Source: Anthem to pay $16 million to OCR in HIPAA settlement

Interesting. Largest fine ever for the largest breach ever. Still the fine amounts to just 20 cents per exposed record. That is VERY low. Most of the reported fines from other cases are for at least $100 per record. At that rate Anthem should have paid 7.9 Billion dollars.

A nice resource:

 Health Insurance Portability and Accountability Act Collaborative of Wisconsin (HIPAA COW)Established in 2001, HIPAA COW is a non-profit organization open to entities considered to be Covered Entities, Business Associates, and/or Trading Partners under HIPAA, as well as any other organization impacted by HIPAA regulations.Learn more about our upcoming conferences and events HIPAA COW offers

Source: HIPAA COW – Hipaa of Wisconsin

Manhattan District Attorney Cyrus R. Vance, Jr., today announced the sentencing of ANNIE VUONG, 31, to 2-to-6 years in state prison for stealing personal identifying information from more than 650 patients at the dentist’s office where she worked. Three previously convicted co-defendants then used that information to fraudulently purchase more than $700,000 in Apple products.

Source: NYC: Former Receptionist Who Stole Identities of More Than 650 Dental Patients Sentenced to 2-to-6 Years in Prison

No mention of the dental practice or if the practice faces HIPAA violations. Having the data of 650 patients stolen is clearly a HIPAA violation and the practice is libel under current rules even when the practice was the victim of theft.

From NJ.com:

Virtua Medical Group, a South Jersey firm with dozens of medical and surgical practices, has agreed to pay $417,816 to settle a complaint that it exposed medical records of more than 1,650 patients on the internet

Source: N.J. medical firm to pay $418K after patient records were exposed online | NJ.com

Another HIPAA fine. This one involves 1,650 patients. That is about the same as a small dental practice. Could you withstand a $417,816 fine to your practice? Remember this will not be covered by insurance you will pay out of pocket. Do the math and the fine amounts to $253 per patient. Most dental offices easily have 3000 patients records, that is every patient in your computer not every active patient. 3000 x $253 = $759,000.

The data was not exposed by the practice but by a service the practice had contracted with to transcribe records.

From HHS.gov

Since the compliance date of the Privacy Rule in April 2003, OCR has received over 173,426 HIPAA complaints and has initiated over 871 compliance reviews. We have resolved ninety-seven percent of these cases (168,780).

…To date, OCR has settled or imposed a civil money penalty in 53 cases resulting in a total dollar amount of $75,229,182.00. OCR has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.

Source: Enforcement Highlights – Current | HHS.gov

Read that second bit; 53 cases resulting in over 75 million in fines. If you do the math the average fine is  $1,419,418. The fines are intended to be punitive – and they are.

The chances of being investigated and fined are low, however if you are, your liability insurance will not cover you, the cost can be devastating. What would happen to you and your practice if you are fined $700,000, just 1/2 the average.

The article also states that 105,971 or 61% of the complaints were dismissed. Having a complaint dismissed with no fine is nice but the cost of compliance can still be considerable, about $40,000 on average.

To protect yourself start with basic compliance. Encrypt all your practice data or PHI. Do not engage in small non compliance practices such as e-mailing x-rays that could trigger an investigation.

Mysterious Internet hackers from China or Russia are frightening but account for only a small percentage of reported data breaches. The office of Health and Human Services maintains an online listing of all reported medical dental data breaches in the US.  This web page often referred to as “The Wall of Shame” lists every reported breach affecting 500 or more individuals broken down to the following six types of breach:

Theft                                                     50%

Unauthorized Disclosure                  16%

Loss                                                       12%

Hacking                                                  8%

Improper Disposal                              4%

Unknown                                              2%

(The percentages are approximate and some incidences have multiple breach types listed.)

Of course this means that 92% of reported data breaches are not hacks. In fact almost two thirds 62% are either lost or stolen computers. For the most part the data in these stolen computers is never used nevertheless OCR considers it a breach.