How to properly store physical HIPAA documents

From Medical Economics:

ME: If physical copies are converted to electronic records, can the physical copies then be destroyed?

Rangel: Yes, you can destroy the paper records after they’re scanned. Usually, after they’ve been reviewed for a certain amount of time, generally speaking, 30 to 60 days, once you can actually qualify that all of the material is properly scanned, that the quality is there and that it is the natural representative of what was scanned. Once you have that, you can destroy those records.

Source: How to properly store physical HIPAA documents

An interesting article worth the click.

The article brings up the old worry that exposing an open file in the office is a HIPAA violation. This is true and we should always strive to keep all patient information confidential. However, what the HIPAA privacy rules are really concerned with is digital data and the possibility of major data breaches. The occasional exposed chart is not what the law is all about.

Nevertheless, there are important issues regarding paper files and we do need to be aware of them, practice good stewardship and respect our patients.

Health Care Politics Management Security

ADA comments on HIPAA Privacy Rule

From ADA News:

The ADA is asking the U.S. Department of Health and Human Services Office for Civil Rights to consider the burdens changes to the HIPAA privacy rule will impose on covered providers, including dentists.

Source: ADA comments on HIPAA Privacy Rule

Some of the changes OCR is proposing include:

These proposed changes include a 15-day timeframe for responding to requests for access; a proposal to permit patients to access, copy and photograph their protected health information at the time of their appointments; and a proposed requirement that covered providers develop fee schedules for providing copies of protected health information. Covered entities with websites would be required to post such schedules on their websites.


Management Security

Ohio Medical Center Pays OCR $65K for HIPAA Right of Access Failure

From Health IT Security:

OCR reached a $65,000 settlement with the University of Cincinnati Medical Center, after failing to respond to a patient’s request for access to her medical records, as required by HIPAA.

Source: Ohio Medical Center Pays OCR $65K for HIPAA Right of Access Failure

Many dentists and dental team members are not aware that HIPAA rules are not just about privacy and security. They also require us to provide records upon request. A dentist could face a HIPAA violation if he/she simply loses the records due to ransomware or a catastrophic computer failure.

Hat tip to Danielle McKinley.

Health Care Politics Security

Explaining the HIPAA Safe Harbor Act

Thank you to Danielle McKinley of PCI HIPAA

The HIPAA Safe Harbor Act amends Subtitle D of the Health Information Technology for Economic and Clinical Health (HITECH) Act to require the Department of Health and Human Services (HHS) to consider whether organizations have “recognized cybersecurity practices” in place when investigating a data breach, and to be lenient with their fines or other enforcement actions if the practice has met all basic technical safeguard requirements.

This means that if a health care provider is following the basic HIPAA Privacy Rule provisions and safeguards to mitigate threats, the fine for a data breach should be lower.

Source: Explaining the HIPAA Safe Harbor Act


Data breach lawsuit against pediatric dental center dropped, judge cites lack of evidence

From Becker’s:

The lawsuit, dismissed July 16, alleged that the more than 391,000 patients whose data was affected are facing distress and financial losses due to their personal data being in insecure hands. However, U.S. District Judge Austin Huffaker dropped the case because the plaintiffs could not prove their data had been misused.

Source: Data breach lawsuit against pediatric dental center dropped, judge cites lack of evidence

A bit of sanity. If patients are not actually damaged in any way by a data breach they have no right to compensation. No harm no foul.

HIPAA rules assume the opposite. If data is breached, even though no patients are harmed the dentist is at fault and subject to punitive fines and other administrative penalties.


Delta Dental of Arizona Reports July 2019 Phishing Attack-Related Breach

Hmmm. Most significant data breaches in medicine and dentistry are not individual dentists but medical and dental plans.

From Health IT Security:

Delta Dental of Arizona is notifying an undisclosed number of individuals that their personal and medical data was potentially breached by a phishing attack in July. On July 8, the dental insurer discovered suspicious activity on an employee email account and launched an investigation with help from third-party forensic investigators. They determined an employee fell victim to a phishing scam giving a hacker access to the email account…

…The notification did not explain the delay in reporting the incident. Under HIPAA, covered entities and business associates are required to provide breach notifications within 60 days of discovery.

Source: Delta Dental of Arizona Reports July 2019 Phishing Attack-Related Breach


HHS Collected Record $28M For HIPAA Violations Last Year.

From ADA News:

Modern Healthcare reported HHS said last week that it “collected a record $28.7 million from healthcare providers and insurers in 2018 for inadequate responses to data breaches.” This figure exceeds the total of $23.5 million for 2017. Office for Civil Rights Director Roger Severino said, “Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action.”

HHS has aggressively moved from warning violators to punishing them. Punishing them severely. A typical fine is $200 per exposed record. If you have 3000 patient records on your server and it is compromised you could face a fine of $600,000. None of which will be paid by insurance.

The largest area of reported data breaches is theft. Not theft of data, theft of hardware. The number one safeguard you need to implement is encryption of all your patient data.


Hackers are not main cause of health data breaches

From Reuters:

But the top cause of data breaches, accounting for 42 percent of cases and 472 incidents, was theft of equipment or information by unknown outsiders or by current or former employees, the study found.

Source: Hackers are not main cause of health data breaches | Reuters

This confirms my research. We worry about mysterious hackers lurking in cyberspace just waiting to pounce on our data. However, most reported data breaches are NOT hackers. The largest category, by far, is stolen hardware. Which – by the way – hardly ever results in actual patient data being exploited.


Anthem to pay $16 million to OCR in HIPAA settlement

From ADA News:

Anthem has agreed to pay the Office of Civil Rights $16 million dollars to settle potential HIPAA violations after cyberattacks on the company allegedly exposed the electronic protected health information of 79 million people. This is the largest HIPAA settlement in U.S. history, according to a press release from the Department of Health and Human Services.

Source: Anthem to pay $16 million to OCR in HIPAA settlement

Interesting. Largest fine ever for the largest breach ever. Still, the fine amounts to just 20 cents per exposed record. That is VERY low. Most of the reported fines from other cases are for at least $100 per record. At that rate Anthem should have paid $7.9 billion.



A nice resource:

Health Insurance Portability and Accountability Act Collaborative of Wisconsin (HIPAA COW). Established in 2001, HIPAA COW is a non-profit organization open to entities considered to be Covered Entities, Business Associates, and/or Trading Partners under HIPAA, as well as any other organization impacted by HIPAA regulations. Learn more about our upcoming conferences and events HIPAA COW offers

Source: HIPAA COW – Hipaa of Wisconsin

Dental Speaker Security

HIPAA Hackers and Hype Webinar July 12

Overview: HIPAA compliance consists largely of having the right forms and signatures. Learn what PHI, CE, NPP, BA and Exempt mean and why it matters. Understand the critical elements of risk assessment, the six basic steps to compliance and four critically important real-world measures dentists should be taking beyond the paperwork that can make an actual difference in patient data security.

Source: HIPAA Hackers and Hype an Overview of Data Safety and HIPAA Compliance

Management Security

Computer Use Policy

PPP (Professional Protector Plan) the dental liability insurance plan offers a sample computer use policy for their liability policy holders. You can see it here: Computer Use Policy

Here is a short sample:

Misuse of Clinic computers, networks, and Internet access may result in disciplinary action, up to and including termination of employment.
Examples of Misuse
The following list contains examples of misuse. This list is not exhaustive.

• Logging onto computer by using someone else’s password.
• Revealing your password to others, or allowing use of your password by others, including other employees, family members, or other household members.
• Attempting to circumvent data protection, security restrictions, or usage/history logs.
• Engaging in private or personal business activities.
• Attempting to change computer date or time.
• Sending, receiving, or otherwise accessing personal email.
• Accessing social network sites.
• Participating in chat rooms, instant messaging, blogs, or forums for non-business use.
• Use of social media to post, discuss, or otherwise reveal any information related to patients in any manner.
• Making unauthorized copies of Clinic files or other Clinic data.

There is more including use of social media and expectations of privacy.

It is a sad fact that dentists need to consider having some sort of computer use policy in place. First, it can help as an educational device. Staff members need to be aware that using the Internet and answering suspicious e-mails could put the practice in jeopardy. Second, it is an indication to regulators that the office has made attempts to train the team. Training is a HIPAA requirement. Finally, it protects the dentist from possible adverse employee actions in the case of termination for cause.


Former Receptionist Who Stole Identities of More Than 650 Dental Patients Sentenced to 2-to-6 Years in Prison

Manhattan District Attorney Cyrus R. Vance, Jr., today announced the sentencing of ANNIE VUONG, 31, to 2-to-6 years in state prison for stealing personal identifying information from more than 650 patients at the dentist’s office where she worked. Three previously convicted co-defendants then used that information to fraudulently purchase more than $700,000 in Apple products.

Source: NYC: Former Receptionist Who Stole Identities of More Than 650 Dental Patients Sentenced to 2-to-6 Years in Prison

No mention of the dental practice or whether the practice faces HIPAA violations. Having the data of 650 patients stolen is clearly a HIPAA violation and the practice is liable under current rules even when the practice was the victim of theft.


N.J. medical firm to pay $418K after patient records were exposed online


Virtua Medical Group, a South Jersey firm with dozens of medical and surgical practices, has agreed to pay $417,816 to settle a complaint that it exposed medical records of more than 1,650 patients on the internet

Source: N.J. medical firm to pay $418K after patient records were exposed online |

Another HIPAA fine. This one involves 1,650 patients. That is about the same as a small dental practice. Could you withstand a $417,816 fine to your practice? Remember, this will not be covered by insurance; you will pay out of pocket. Do the math and the fine amounts to $253 per patient. Most dental offices easily have 3000 patient records, that is every patient in your computer, not every active patient. 3000 x $253 = $759,000.

The data was not exposed by the practice but by a service the practice had contracted with to transcribe records.


HIPAA Enforcement Highlights


Since the compliance date of the Privacy Rule in April 2003, OCR has received over 173,426 HIPAA complaints and has initiated over 871 compliance reviews. We have resolved ninety-seven percent of these cases (168,780).

…To date, OCR has settled or imposed a civil money penalty in 53 cases resulting in a total dollar amount of $75,229,182.00. OCR has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.

Source: Enforcement Highlights – Current |

Read that second bit: 53 cases resulting in over $75 million in fines. If you do the math the average fine is $1,419,418. The fines are intended to be punitive – and they are.

The chances of being investigated and fined are low; however, if you are, your liability insurance will not cover you and the cost can be devastating. What would happen to you and your practice if you were fined $700,000, just half the average?

The article also states that 105,971, or 61%, of the complaints were dismissed. Having a complaint dismissed with no fine is nice, but the cost of compliance can still be considerable, about $40,000 on average.

To protect yourself, start with basic compliance. Encrypt all your practice data or PHI. Do not engage in small non-compliance practices, such as e-mailing x-rays, that could trigger an investigation.


Ransomware Defense Every Dental Practice Needs

From Dental Product Shopper:

…according to this report, healthcare is the single most targeted industry because victims are most likely to pay ransoms. This is a disturbing revelation for a couple of reasons. On one hand, it indicates that healthcare businesses, dental practices included, have outdated or compromised security protections. In addition, and perhaps more egregiously, the staff is so desperate to regain their patient data that they feel compelled to pay the ransom. At that point, it’s game over and these criminals have won.

Source: The 3-Part Ransomware Defense Every Dental Practice Needs | Practice Management, Practice Management Services | Dental Product Shopper Blog

As a reminder, ransomware is an insidious cyber crime in which the criminal tricks the victim into opening malware that encrypts the victim’s data. In our case that includes all our patient charts and information. In order to get the key to unlock the data the dentist must pay a ransom within a few days or lose all their data forever.

Good offsite backup and state-of-the-art malware protection are important; however, with ransomware the critical element is often staff training.

Team members need to be educated on the latest cyber threats and aware of the kinds of e-mails and such that may contain ransomware. For example, an office attending one of my recent data security sessions told us they were tricked into a ransomware situation by a bogus e-mail, supposedly from UPS, regarding some undelivered packages. Fortunately they recognized the problem quickly and were able to stop the process before any real damage was done.

Dentists have an additional ransomware concern. Losing our data is a HIPAA violation. The rules not only require us to protect the data from unauthorized use but to keep it available as needed for the patient and future practitioners.

For help contact your professional IT vendor or Tech Central from Henry Schein.

Security Social Media

Get Stellar Reviews and Not Violate HIPAA

From Frontier Marketing:

For most business owners, responding to negative reviews left online by irate customers is simply a matter of replying directly to the reviews themselves. For medical practitioners, this process is complicated by the Health Insurance Portability and Accountability Act (HIPAA).

Source: Get Stellar Medical Reviews & Not Violate HIPAA – Medical Reputation Management

A nice overview of online reviews and dentistry. Three important issues:

Be very careful responding to a review. It is easy to violate HIPAA. Even acknowledging that the reviewer is a patient may be a violation.

Encourage satisfied patients to write positive reviews. The best way to overcome a negative review is to overwhelm it with positive ones.

Be on the lookout for bad reviews, especially on the big three: Google, Yelp and Healthgrades.

Management Security

A Breakdown of the Second Largest HIPAA Fine to Date – $5.5 Million

On February 16, 2017, the Office of Civil Rights announced that it had entered into a settlement agreement with Memorial Healthcare System (“MHS”) to settle potential violations of HIPAA. The settlement agreement included a robust corrective action plan and the second largest fine levied against a covered entity to date: $5.5 million. For those keeping track, the largest fine ever levied was $5.55 million in August of 2016.

Source: A Breakdown of the Second Largest HIPAA Fine to Date – $5.5 Million

105,646 patient records were exposed when employees failed to follow protocol. The fine amounts to “only” $52 per record. That is a lot less than some other fines, which usually run closer to $300 per record. If this were your private practice and you had 3,000 records, your fine would be $156,000.



Hacking is only 8%

Mysterious Internet hackers from China or Russia are frightening but account for only a small percentage of reported data breaches. The office of Health and Human Services maintains an online listing of all reported medical and dental data breaches in the US. This web page, often referred to as “The Wall of Shame”, lists every reported breach affecting 500 or more individuals, broken down into the following six types of breach:

Theft: 50%
Unauthorized Disclosure: 16%
Loss: 12%
Hacking: 8%
Improper Disposal: 4%
Unknown: 2%

(The percentages are approximate and some incidences have multiple breach types listed.)

Of course this means that 92% of reported data breaches are not hacks. In fact, almost two thirds (62%) are either lost or stolen computers. For the most part the data in these stolen computers is never used; nevertheless, OCR considers it a breach.