The Value of Your Dental Records and What Happens with Stolen PHI

HIPAA Compliance can save you millions in fines.

There’s a storm brewing, and you need to listen to this one. It’s gonna cost you.

In 2017 healthcare providers are paying through the nose for HIPAA violations. The biggest liability? Humans. Yes, people are the biggest threat to privacy and information security. You see, all it takes is one of your untrained staff to open an e-mail, click on a link, or open an attachment they shouldn’t open, and you have a reportable major breach secondary to a cyber security hack.

Bad guys are getting good at phishing healthcare providers (specifically physician practices and dental offices). Think like a criminal with me for a minute as we discuss why.

Dental offices and physician practices do not invest in I.T. security to the degree larger healthcare organizations do. Hackers know this! Your records are worth cash money on the black market. Thieves steal medical and dental records to sell. Why? Identity theft!

Patient records fetch $300 or more. Identity thieves pay hackers their cut because the identity thieves will turn around, obtain fraudulent lines of credit, and run up thousands, tens of thousands, even hundreds of thousands in debt – effectively cashing out and moving on to the next stolen identity.

You have to admit, if you could predictably (consistently) trade a few hundred dollars for thousands you would do it all day long. Heck, we all would except in this situation it is illegal. It is innocent victims (patients) who pay the price. It can take years for victims of identity theft to clear their name and repair their credit. Much of the time the thieves are never caught; no one pays for the crime.

The U.S. Health and Human Services – Office for Civil Rights (OCR) is the agency responsible for investigating HIPAA violations. OCR assesses Civil Monetary Penalties (CMPs) to settle HIPAA violations. CMPs have increased from an average of $100,000 in 2008 to $1.2 million in 2017. A portion of CMPs goes to patients and others affected by breaches of their information to help mitigate identity theft issues. Someone has to pay that bill and it’s not the patients’ fault when a healthcare provider fails to adequately safeguard their patients’ information.

Are you sure the safeguards you have in place are merely adequate? I would hope not. Crooks continually craft new schemes to trick healthcare providers into giving them the keys to their patients’ PHI. Because of that, you should continually be on the lookout for protective measures against the latest threats: it is not the old tricks that will get you, but the newer, more clever tactics. Such tricks can be very compelling. Click the wrong link, e-mail, or e-mail attachment and you can experience a cyber-attack.

The latest craze is called Ransomware. The latest version, “Philadelphia”, comes as a normal-looking e-mail that appears to be from someone you know (and probably trust). The attachment in the e-mail is a Word document (not an obviously strange document format). The sender and body of the e-mail actually look legit, so you or your staff will open it. The Word document you open, or the link you click in the body of the e-mail, even carries the name and signature of the provider (again, looks legit). Days later you are notified that your computer, and the components attached to it (goodbye cell phone), is infected (encrypted). Want the decryption key? Bet you do. That will be 2.5 bitcoins (about $500 US dollars), an untraceable currency.

The problem with a cyber-attack is that it requires you to complete a Breach Risk Assessment (BRA). A breach is any unauthorized acquisition, access, use or disclosure of PHI in a non-permitted manner that compromises the security or privacy of the PHI. Every breach (or suspected breach) is a reportable breach until you complete a BRA and can then demonstrate there is a …“low probability that the [PHI] has been compromised”.

When it comes to cyber-attacks, it can be very difficult to determine whether PHI has been compromised, even with a forensic computer analysis, so most likely a cyber-attack would be a reportable breach.

Breaches involving the PHI of 500 or more individuals require notification to OCR within 60 days of the DISCOVERY of the breach, notification of the affected individuals (patients), and notification of television and print news publications.

Stay tuned.

Dental Compliance Specialists, LLC is the Premier Dental Health Compliance and Quality Assurance provider in the country. We help Dentists develop and maintain compliance programs with the goal of keeping them out of the regulatory limelight. We have in-office and virtual programs, all catered to the Provider’s specific needs. Dental Healthcare Compliance includes: DEA, ICE/Homeland Security, OIG, OSHA, HIPAA, Infection Control, Auditing and Monitoring, Record Auditing, employee training, Radiology Compliance, Medicaid Compliance and more… It’s not just about OSHA anymore! Call 817-755-0035 for help with compliance.