Be Cybersecure: Protect Patient Records, Avoid Fines and Safeguard Your Reputation

By David McHale, Senior Vice President and Chief Legal Officer, The Doctors Company

Cybercrime costs the U.S. economy billions of dollars each year and forces organizations to devote substantial time and resources to keeping their information secure. This is even more important for health care organizations, the most frequently attacked industry.1 Cybercriminals target health care for two main reasons: health care organizations have been slower than other businesses to upgrade their cybersecurity, and personal patient information is particularly valuable to exploit.

Recent cyberattacks on large health insurers further demonstrate these risks. On Jan. 29, 2015, Anthem, the second largest health insurer in the United States, discovered it was the victim of a sophisticated cyberattack, which it initially believed had begun in December 2014 and continued over several weeks; Anthem announced the breach publicly on Feb. 4, 2015.2 Reported as one of the largest attacks to date, the Anthem breach exposed the information of up to 80 million current and former members, including names, birth dates, Social Security numbers, health care IDs and addresses.3 That same day, Premera Blue Cross discovered it also had been attacked, with the initial intrusion taking place in May 2014. Cybercriminals gained unauthorized access to the information of up to 11 million Premera customers dating back to 2002, ranging from birth dates and Social Security numbers to addresses and bank account information, making it the second largest breach in the health care industry after Anthem.4

The repercussions of a security breach can be daunting. A business that suffers a breach of unsecured (for example, unencrypted) protected health information (PHI) affecting 500 or more individuals must report the breach to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) without unreasonable delay and no later than 60 days after discovering it; smaller breaches must still be logged and reported to the OCR annually. The OCR is the federal body that enforces the Health Insurance Portability and Accountability Act (HIPAA) and issues fines. To date, the OCR has levied more than $25 million in fines, with the largest single fine totaling $4.8 million.5 In 2014, U.S. health care data breaches cost companies an average of $314 per record, the highest of any industry.6

A health care organization’s brand and reputation also are at stake. The OCR maintains a searchable public database (informally known as a “wall of shame”) that lists every reported breach affecting 500 or more individuals, whether or not a fine was issued.7

To help safeguard your systems, know the most common ways a breach occurs. Theft of unencrypted electronic devices or physical records is the most common method, accounting for 29 percent of breaches across all industries in the United States.1 Also common are hacking (23 percent) and public distribution of personal records (20 percent). A breach in the latter category led to the largest OCR fine to date, when two affiliated hospitals accidentally made patient records public on the Internet.5

If you think you may not be fully compliant with HIPAA privacy and security rules, consider taking the following steps:

  • Identify all areas of potential vulnerability by conducting the risk analysis the HIPAA Security Rule requires: inventory every place PHI is created, received, stored or transmitted, including paper records, workstations, portable devices and backups. Then develop secure office processes, such as:
    • sign-in sheets that ask for only minimal information.
    • procedures for the handling and destruction of paper records.
    • policies detailing which devices are allowed to contain PHI and under what circumstances those devices may leave the office.
  • Encrypt all devices that contain PHI (laptops, desktops, thumb drives, backup media and centralized storage devices). Under HHS guidance, PHI that is encrypted consistent with that guidance is not considered “unsecured,” so the loss or theft of a properly encrypted device is generally not a reportable breach; that safe harbor is lost if the encryption key or passphrase is compromised along with the device. Make sure that thumb drives are encrypted and that the passphrase is never inscribed on or carried with the drive. Encryption is the best way to prevent a reportable breach.
  • Train your staff on how to protect PHI. This includes not only making sure policies and procedures are HIPAA-compliant, but also instructing staff not to discuss patient PHI where others can overhear and to report lost devices or suspected breaches immediately.
  • Audit and test your physical and electronic security policies and procedures regularly, including the steps to take in case of a breach. The OCR audits entities that have had a breach as well as those that have not, and it will check whether you have breach response procedures in place. Taking the proper steps promptly in the event of a breach may help you avoid a fine.
  • Insure. Make sure that your practice has insurance to assist with certain costs in case of a breach.


References

1Visser S, Osinoff G, Hardin B, et al. Information security & data breach report—March 2014 update. Navigant. March 31, 2014. http://www.navigant.com/~/media/WWW/Site/Insights/Disputes%20Investigations/Data%20Breach%20Annual%202013_Final%20Version_March%202014%20issue%202.ashx. Accessed June 17, 2014.

2How to Access & Sign Up for Identity Theft Repair & Credit Monitoring Services. Anthem, Inc. February 13, 2015. https://www.anthemfacts.com. Accessed March 19, 2015.

3McCann E. Hackers swipe Anthem data in massive cyberattack. Healthcare IT News. February 5, 2015. http://www.healthcareitnews.com/news/hackers-swipe-anthem-data-huge-breach-attack. Accessed March 19, 2015.

4Miliard M. Premera Blue Cross hack exposes 11M. Healthcare IT News. March 18, 2015. http://www.healthcareitnews.com/news/premera-blue-cross-hack-exposes-data-11m. Accessed March 19, 2015.

5McCann E. Hospitals fined $4.8M for HIPAA violation. Government Health IT. May 9, 2014. http://www.govhealthit.com/news/hospitals-fined-48m-hipaa-violation. Accessed June 24, 2014.

6Ponemon Institute LLC. 2014 cost of data breach study: United States. May 2014. Study sponsored by IBM. http://www.accudatasystems.com/assets/2014-cost-of-a-data-breach-study.pdf. Accessed March 20, 2015.

7Breaches affecting 500 or more individuals. U.S. Department of Health & Human Services. http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html. Accessed June 23, 2014.


David McHale is The Doctors Company’s Chief Legal Officer. He holds a law degree from the University of the Pacific’s McGeorge School of Law and an MBA from the University of Illinois. He is a Certified HIPAA Compliance Officer (AIHC) and a regular presenter before insurance trade organizations and the National Association of Insurance Commissioners (NAIC).

Contributed by The Doctors Company. For more patient safety articles and practice tips, visit www.thedoctors.com/patientsafety.

The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each health care provider in light of all circumstances prevailing in the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.


An Early Bite with Dr. John Paul: “I’m Gonna Pierce My Tongue!”

By Dr. John Paul, FDA Editor

Having had more than my share of stitches and staples, I really can’t imagine electively poking holes in my person. You can imagine my dismay and confusion when someone comes in with a new piece of tongue jewelry or a glitter booger (that thing stuck through their nose, cheek, lip).

I’d love to get my two cents worth in before the assault takes place.

“Now, Ms. Gruntbuns, let me get this straight — you want to get your tongue pierced?

“Aren’t you the one who cringes while sitting in my chair and nearly faints when you get an injection? You do realize they are going to use a much bigger needle and you will not be numb? They will hold your tongue still with a big pair of pliers — remember your delicate gag reflex? — and then jam the needle right through. Then, they’ll put in the barbell, pat you on your head and send you home. Remember all those cavities we keep filling, and the bugs that cause them? They are gonna make a beeline for this new hole in your tongue and unless you are very lucky, you will have a swollen tongue from the injury and the infection that follows.

“If you are still set on adorning yourself with tongue jewelry, there is one more thing you must know. I have never seen a patient with tongue jewelry who doesn’t play with it. You flick it in and out against your teeth and bite on it, and eventually you break teeth, or fillings or crowns. There’s no warranty on restorations if you have tongue jewelry. There’s also no warranty if you have a glitter booger that wears out tooth surface or gum. Now would be a great time to let this fad pass you by.”

Have a question you have a tough time answering? Send it to Dr. Paul at jpaul@bot.floridadental.org.

Are You Renewal Ready?

By Brooke Martin, FDC Meeting Coordinator

As an FDA member, you have access to exclusive benefits to help you through the license renewal process for the upcoming 2014-2016 biennium. Membership has its perks, and we want to make your renewal process as seamless as possible! Below are some of the benefits the Florida Dental Association (FDA) offers to assist you in the renewal process.

CE Broker
The Florida Department of Health (DOH) now automatically reviews your continuing education (CE) records in the DOH’s electronic tracking system — powered by CE Broker — at the time of license renewal. It is mandatory for all Florida-licensed dentists to renew their license through CE Broker for the 2014-2016 biennium by midnight on Feb. 28, 2016. The FDA provides an exclusive members-only discount for CE Broker accounts.

  • Basic Account: FREE
  • Professional Account: $24 (non-members $29)
  • Concierge Account: $90 (non-members $99)

Click here to learn more about your account options. Contact Brooke Martin at bmartin@floridadental.org or 850.350.7103 for the discount code. Did you know you can update your CE credits on the go? Click here to download the FREE iPhone CE Broker app today.

Renewal by Mail
Your license should be renewed online through CE Broker. However, certain situations require you to renew by mail:

  • You need to change the status of your license.
  • You do NOT have a credit card or debit card to complete the transaction online and need to pay using a cashier’s check or money order.
  • Your license is in an Active Military status.
  • Your license is in a Volunteer status.
  • You need to request a name change.

To renew by mail, you must properly log into www.FLHealthsource.gov and print your renewal notice by selecting the Renew License link, then click on the Renew by Mail option.

Online CE
The FDA offers a variety of FREE 1-, 2- and 3-hour online CE courses to help you get the CE hours you need to renew your license. Course topics include: aesthetics, communication, treatment planning, sleep apnea, restorative dentistry, practice management and much more. Along with these courses, the FDA offers two legal CE guides and bimonthly “Diagnostic Discussion” articles in Today’s FDA.

Click here to learn more about the FREE FDA online CE courses.

FDA CE Courses
All CE-eligible courses taken at the 2014 or 2015 Florida Dental Convention have been automatically reported to CE Broker on your behalf. FDA online CE credits are reported to CE Broker the first Friday of each month. Courses taken from a national CE provider must be self-reported to CE Broker.

CE@RENEWAL
The Florida DOH is a great source for renewal information! Click here to access a helpful 30-minute webinar to learn more about how to report your CE credits through CE Broker as well as other useful information. Don’t have time to join the webinar? Click here to learn more about the renewal process, how to report CE credits, the benefits CE Broker has to offer and much more!

Questions?
For the FDA CE Broker discount code, information on the biennium, the renewal process, CE Broker or your FDA-earned CE credits, contact Brooke Martin at bmartin@floridadental.org or 850.350.7103.

It’s Not OK to Call Someone a Deadbeat and 18 Other Things Dentists Need to Know About Debt Collection

By Graham Nicol, Esq., Health Care Risk Manager, Florida Bar Board Certified Specialist (Health Law)

Q: In Florida, what is the definition of debt collection? If I have a patient who owes me $100 can we call that patient and ask for payment?

A: Chapter 559, Florida Statutes (the Florida Consumer Collection Practices Act), regulates consumer debt collection. There is a difference between a “consumer collection agency” and a “creditor.” Consumer collection agencies must register with the state, but the registration requirement does not apply to “an original creditor.”

As a dentist extending credit for dental care either yourself or through your practice (i.e., not through a bank, credit card or financial services company like CareCredit), you are an original creditor, not a consumer collection agency. So, if a patient owes you a debt of $100 for services rendered or as a deductible, then you can, in general, call and ask for the money as a creditor.

However, no person — it doesn’t matter whether you are the original creditor or not — may do any of the following 19 prohibited acts when collecting consumer debt:

  1. Pretend to be law enforcement.
  2. Threaten force or violence.
  3. Disclose the existence of a disputed debt to another so as to affect credit worthiness.
  4. Threaten to tell the debtor’s employer that you are owed money by one of their employees.
  5. Provide information that you know is false.
  6. Disclose information about the debt without also disclosing that the debtor disputes owing it if you know that they do.
  7. Communicate with the debtor or his family with such frequency as to harass them.
  8. Use profane, obscene, vulgar or willfully abusive language.
  9. Attempt to collect a debt that you know is not legitimate, or assert a legal right that you know you don’t have (such as a lien on their property).
  10. Simulate the judicial process.
  11. Simulate that you are an attorney at law by using law firm stationery or instruments that only attorneys are authorized to prepare.
  12. Orally communicate with a debtor in a manner that gives the false impression that you are an attorney or work for one.
  13. Advertise, or threaten to advertise, for sale a debt as a means to enforce payment unless you have legal authority to do so.
  14. Refuse to identify yourself when asked to by the debtor.
  15. Mail a bill in an envelope or postcard with words on the outside calculated to embarrass the debtor.
  16. Communicate with the debtor between the hours of 9 p.m. and 8 a.m. in the debtor’s time zone without the prior consent of the debtor.
  17. Communicate with a debtor if you know they are represented by an attorney.
  18. Cause a debtor to be charged for communications by collect telephone calls or telegram fees.
  19. Publish, or threaten to publish, individual names or any list of names of debtors, commonly known as a “deadbeat list,” to the public.

This blog is for informational purposes only and is not intended to be a substitute for professional legal advice. If you have a specific concern or need legal advice regarding your dental practice, you should contact a qualified attorney.