HIPAA-compliance Solution Provides Much-needed Peace of Mind

How Abyde’s simplified solution gave Comprehensive Dental Care “one less thing to worry about” and much-needed “peace of mind” in their complete HIPAA-compliance program.

“Solved a Problem We Didn’t Even Know We Had”

For many practice owners and managers, HIPAA compliance easily becomes a “secondary thought” when added to an already extensive list of roles and responsibilities. While many independent providers find it infeasible to dedicate a full-time position solely to HIPAA privacy and security, the recent rise in data breaches and government enforcement has made prioritizing compliance a must. So when Florida Dental Association (FDA) member Dr. Oscar Menendez and Denise Menendez, owner and manager of Comprehensive Dental Care, went looking for much-needed “peace of mind,” Abyde “solved the problem they didn’t even know they had” with a simplified approach to achieving HIPAA compliance.

As a successful dental practice for more than 35 years, Comprehensive Dental had always assumed that completing its annual HIPAA-training courses and maintaining a culture of compliance within the organization was enough to avoid the so-called “HIPAA police.” The practice kept a strong focus on patient care and on protecting sensitive health data, but lacked the documentation to prove its efforts to meet these important HIPAA standards. However, with the many legislative changes, HIPAA violations and cyberattacks that have swept the health care industry over the past year, they saw the increasing importance of filling in the small gaps that might previously have been missed.

Easy-to-Manage Compliance, Easy-to-Use Software

As most practice managers could attest, Denise simply “didn’t want to manage another thing” and was looking for a solution that not only made HIPAA easy but was itself easy to use. As an FDA member, she was familiar with the FDA’s preferred HIPAA-compliance vendor, Abyde, and “after seeing the presentation and learning a few statistics on HIPAA laws/lawsuits,” she became “very interested in the product.” Immediately after signing up, Denise was “pleasantly surprised that Abyde did everything that they said they would do in the initial contact with the sales representative.” She was “extremely impressed with the program itself and its ease of use” and happy to find that the “setup process wasn’t very hard or time consuming” to work into her already busy schedule.

Beyond onboarding, Denise has found the maintenance involved in using Abyde to be a no-brainer. As new laws and patient needs continue to evolve, “practice managers get busy and don’t necessarily have the time to manage the complexities of HIPAA.” And while years ago a lock on the cabinet that held patient records might have seemed enough to keep data protected, technology and social media have “blurred the lines” between patient confidentiality and HIPAA best practices. So for Denise, “receiving emails and notifications has made keeping up with any necessary updates simple and provides assurance that nothing is being missed.”

“One Less Thing to Worry About”

In addition to taking some of the HIPAA weight off Denise’s shoulders, Abyde also gave practice owner Dr. Oscar Menendez “one less thing to worry about.” With industry-leading features, including automated and engaging HIPAA training videos, he gained confidence that each of his staff members had received the education needed to handle patient information properly. Since there is no telling when an organization may come face-to-face with a HIPAA incident, whether from the rising risk of health care data breaches or the growing number of patient complaints, Dr. Menendez notes that “if you do experience some type of incident, having documented proof of compliance and knowing how to address it is essential.”

While Denise emphasizes that the Abyde software itself is one of the “easiest I’ve ever seen or worked with,” the value goes beyond the interface to include a support team of HIPAA experts that Dr. Menendez is thankful are always available “to guide us through” any questions. Between the automated notifications, comprehensive Security Risk Analysis, HIPAA training videos and other industry-leading features, Abyde provides endless benefits for health care organizations all across the country.

When looking at the time and resources required to manage a complete HIPAA program in-house, having a solution that “for a small fee, keeps us up to date, compliant and more aware” has been a huge help for Comprehensive Dental Care. And the peace of mind that comes with knowing that your practice is not only compliant but also has the documentation to prove its compliance efforts is truly priceless. So whether you’re a small independent dental provider or a large multi-location organization, in Dr. Menendez’s own words, “Every provider should have Abyde — they’re crazy not to!”


Abyde is an FDA Crown Savings Endorsed Partner and the Abyde software solution is the easiest way for any sized dental practice to implement and sustain comprehensive HIPAA compliance programs. FDA members save 20% on Abyde services that help their practices meet government-mandated HIPAA standards that protect patient health information by identifying and correcting key security safeguards. For more information, visit fdaservices.com/abyde or call 800.594.0883.

Be Cybersecure: Protect Patient Records, Avoid Fines and Safeguard Your Reputation

By David McHale, Senior Vice President and Chief Legal Officer, The Doctors Company

Cybercrime costs the U.S. economy billions of dollars each year and causes organizations to devote substantial time and resources to keeping their information secure. This is even more important for health care organizations, the most frequently attacked form of business.1 Cybercriminals target health care for two main reasons: health care organizations fail to upgrade their cybersecurity as quickly as other businesses, and criminals find personal patient information particularly valuable to exploit.

Recent cyberattacks on large health insurance companies further demonstrate cybersecurity risks. On Jan. 29, 2015, Anthem, the second largest health insurer in the United States, announced it was the victim of a sophisticated cyberattack that it believed happened over several weeks starting in December 2014.2 Reported as one of the largest attacks to date, the Anthem breach exposed the information of up to 80 million current and former members, including names, birth dates, Social Security numbers, health care IDs and addresses.3 That same day, Premera Blue Cross discovered it also was a victim of a cyberattack, with an initial attack taking place in May 2014. Cybercriminals gained unauthorized access to the information of up to 11 million Premera customers dating back to 2002, ranging from birth dates and Social Security numbers to addresses and bank account information — the second largest breach, after Anthem, in the health care industry.4

The repercussions of security breaches can be daunting. A business that suffers a breach of more than 500 records of unencrypted personal health information (PHI) must report the breach to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). This is the federal body with the power to enforce the Health Insurance Portability and Accountability Act (HIPAA) and issue fines. To date, the OCR has levied more than $25 million in fines, with the largest single fine totaling $4.8 million.5 In 2014, U.S. health care data breaches cost companies an average of $314 per record — the highest of any industry.6

A health care organization’s brand and reputation also are at stake. The OCR maintains a searchable database (informally known as a “wall of shame”) that publicly lists all entities that were fined for breaches that meet the 500-record requirement.7

To help safeguard your systems, know the most common ways a breach occurs. The theft of unencrypted electronic devices or physical records is the most common method, accounting for 29 percent of breaches across all industries in the United States.2 Also common are hacking (23 percent) and public distribution of personal records (20 percent). A breach in the latter category led to the largest OCR fine to date when two affiliated hospitals accidentally made patient records public on the Internet.5

If you think you may not be fully compliant with HIPAA privacy and security rules, consider taking the following steps:

  • Identify all areas of potential vulnerability. Develop secure office processes, such as:
    • sign-in sheets that ask for only minimal information.
    • procedures for the handling and destruction of paper records.
    • policies detailing which devices are allowed to contain PHI and under what circumstances those devices may leave the office.
  • Encrypt all devices that contain PHI (laptops, desktops, thumb drives and centralized storage devices). Make sure that thumb drives are encrypted and that the encryption code is not inscribed on or included with the thumb drive. Encryption is the best way to prevent a breach.
  • Train your staff on how to protect PHI. This includes not only making sure policies and procedures are HIPAA-compliant, but also instructing staff not to openly discuss patient PHI.
  • Audit and test your physical and electronic security policies and procedures regularly, including what steps to take in case of a breach. The OCR audits entities that have had a breach, as well as those that have not. The OCR will check if you have procedures in place in case of a breach. Taking the proper steps in the event of a breach may help you avoid a fine.
  • Insure. Make sure that your practice has insurance to assist with certain costs in case of a breach.


References

1. Visser S, Osinoff G, Hardin B, et al. Information security & data breach report—March 2014 update. Navigant. March 31, 2014. http://www.navigant.com/~/media/WWW/Site/Insights/Disputes%20Investigations/Data%20Breach%20Annual%202013_Final%20Version_March%202014%20issue%202.ashx. Accessed June 17, 2014.

2. How to Access & Sign Up for Identity Theft Repair & Credit Monitoring Services. Anthem, Inc. February 13, 2015. https://www.anthemfacts.com. Accessed March 19, 2015.

3. McCann E. Hackers swipe Anthem data in massive cyberattack. Healthcare IT News. February 5, 2015. http://www.healthcareitnews.com/news/hackers-swipe-anthem-data-huge-breach-attack. Accessed March 19, 2015.

4. Miliard M. Premera Blue Cross hack exposes 11M. Healthcare IT News. March 18, 2015. http://www.healthcareitnews.com/news/premera-blue-cross-hack-exposes-data-11m. Accessed March 19, 2015.

5. McCann E. Hospitals fined $4.8M for HIPAA violation. Government Health IT. May 9, 2014. http://www.govhealthit.com/news/hospitals-fined-48m-hipaa-violation. Accessed June 24, 2014.

6. Ponemon Institute LLC. 2014 cost of data breach study: United States. May 2014. Study sponsored by IBM. http://www.accudatasystems.com/assets/2014-cost-of-a-data-breach-study.pdf. Accessed March 20, 2015.

7. Breaches affecting 500 or more individuals. U.S. Department of Health & Human Services. http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html. Accessed June 23, 2014.


David McHale is The Doctors Company’s Chief Legal Officer. He holds a law degree from the University of the Pacific’s McGeorge School of Law and an MBA from the University of Illinois. He is a Certified HIPAA Compliance Officer (AIHC) and a regular presenter before insurance trade organizations and the National Association of Insurance Commissioners (NAIC).

Contributed by The Doctors Company. For more patient safety articles and practice tips, visit www.thedoctors.com/patientsafety.

The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each health care provider in light of all circumstances prevailing in the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.


Case Studies: Health Care Data Breach Risks (video)

By The Doctors Company

The health care industry suffers more data breaches than any other business segment — a total of 51 percent of all breaches. This video presents an overview of the cybersecurity threats facing health care organizations and what they can do to mitigate their risk.