What Happens If My Dental Practice Is Not HIPAA Compliant?
What you don’t know can cost you money, put patient data at risk, and damage your reputation.
By CK Newman
Digital Technology Partners
One of the questions I’m asked most frequently by dentists and dental practice managers is, “Why do I need your service?”
In addition to keeping your technology up to date and your office running smoothly, at Digital Technology Partners we:
- Design, install, and maintain your dental office technology
- Protect your business and patient data
- Provide your practice with consistently reliable IT service and support
- Ensure your office is secured properly and compliant with HHS, HIPAA, and HITECH rules for healthcare providers
The last bullet point is especially important because an alarming number of practices don’t know what it takes to properly protect their dental office(s) in today’s digital world. In fact, almost 99% of the offices we evaluate before we begin service and setup are not configured properly to protect the practice and adhere to current healthcare provider laws and guidelines.
In this article, I’ll provide some general guidance and information to help you understand compliance requirements for dental practices and the potential consequences of non-compliance.
What are the laws/guidelines required for my dental practice?
I am also frequently asked which specific laws and rules apply and how to follow them. Over the years I developed a sort of cheat sheet that I reference when explaining to dental offices why we implement all the compliance and security protocols that we do. For the first time, in this blog, I am going to share it with our readers.
There are several rules among the HITECH security requirements. We have analyzed each of these and their impact on dental practices. Here are my top five compliance and security rules, along with a simplified breakdown of each rule and what it means to your dental practice:
My Top 5 Compliance and Security Rules
1) Rule: HIPAA Security Rule 45 C.F.R. § 164.308(a)(5)(ii)(B) specifically requires updated patches on all systems.
Breakdown: All hardware and software must be up to date, with security patches in place. This is the rule under which Windows Server 2008 and Windows 7 operating systems in a healthcare environment are not compliant, because they no longer receive security updates from Microsoft. It is also the rule under which your Dentrix, Eaglesoft, Open Dental, etc. should be running on the latest stable version.
2) Rule: HIPAA Security Rule 45 C.F.R. § 164.308(a)(7)(ii)(A) Data Backup Plan, 164.308(a)(7)(ii)(B) Disaster Recovery Plan, 164.308(a)(7)(ii)(C) Emergency Mode Operation Plan.
Breakdown: You must have backups of your data that are secure and protected, and you must have a disaster recovery plan. That way, if there is an office catastrophe or disaster, your recovery plan can be enacted and emergency operations can be set up.
3) Rule: HIPAA Security Rule 45 C.F.R. § 164.312(b) (also known as HIPAA logging requirements) requires Covered Entities and Business Associates to have audit controls in place.
Breakdown: Access controls and audit trails need to be in place to keep Protected Health Information (PHI) secure.
- NOTE: This can only be accomplished by managed firewalls, managed antivirus, activity logs, and a domain controller.
4) Rule: HIPAA Security Rule 45 C.F.R. § 164.312(c) Workstation security. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
Breakdown: Data must always be protected using best efforts.
5) Rule: HIPAA Security Rule 45 C.F.R. § 164.312(c)(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
Breakdown: Old equipment that has PHI on it must be disposed of properly and documented.
- Our Work4Eli Electronic Waste Disposal Program provides environmentally friendly, NIST- and HIPAA-compliant PHI e-waste destruction.
What are the specific violations and penalties?
Several times, someone whose practice was non-compliant has said, “Well, I just didn’t know.” Unfortunately, this is similar to when a police officer pulls someone over for holding their cell phone while driving in Georgia; “I didn’t know” is not an acceptable response, and the driver is in violation of the law.
When it comes to HIPAA requirements for healthcare providers, a lack of understanding is not an acceptable rationale, and the consequences for non-compliance can result in potentially large financial penalties and damage to a practice’s reputation.
The four tiers of HIPAA violations and penalties are as follows:
Note that “per violation” could mean each record in the event of a records breach; additionally, a breach doesn’t have to occur for the Office for Civil Rights (OCR) to find an office negligent and issue a fine.
The High Penalty of Non-compliance
In addition to the monetary penalties, there are a number of other consequences that can result from non-compliance. A breach and/or non-compliance violation can be damaging to the dental office’s reputation. It can be hard for a practice to distance itself from such a blemish once it has occurred, and the negative impact on the business can be long-lasting – in fact, for large breaches, the Office for Civil Rights maintains a publicly available list that includes the practice name and the nature of the violation.
For example, I know of a local practice that was the victim of a cyberattack in 2016 in which a hacker obtained the PHI of over 200,000 patients. The Office for Civil Rights conducted an investigation and determined negligence, resulting in a $1.5 million fine to the practice. Although the practice did not intentionally violate security protocols, their lack of understanding and compliance cost them severely.
Dental practices cannot afford to risk their financial stability and their reputation due to a lack of knowledge and compliance. To see if your dental practice is following HIPAA best practices and security standards, check out our free 20-point HIPAA compliance checklist.
How do I protect my dental practice?
As healthcare providers, dental offices are legally required to follow specific security rules and guidelines. While it can seem overwhelming to understand and comply with all of these requirements, it doesn’t have to be. We can manage this for you. Digital Technology Partners has specialized in dental office security and technology for more than 15 years, and we are dedicated to ensuring your office is safe, secure, protected, and running smoothly.
The purpose of this article is to provide you with some guidance and additional knowledge to make informed decisions regarding your practice, because what you don’t know can hurt you when it comes to security and HIPAA compliance. I hope you found this information beneficial. As always, feel free to reach out to us with any questions. We’ll also be happy to provide you with a complimentary office evaluation to find out whether your office is in compliance and running as efficiently and profitably as possible.
To your success!!