Recently I attended a healthcare networking event and met a dental practice management consultant. After exchanging some opening pleasantries, we started an engaging conversation regarding HIPAA compliance for dental practices. With more offices turning to the use of electronic health records and mobile devices, I wanted to hear his thoughts on the state of HIPAA compliance efforts by smaller practices.
The consultant claimed to work with hundreds of practices and dentists, so I figured that qualified him as having his pulse on the industry. What I heard from this consultant regarding HIPAA was quite shocking. He indicated that most of his clients had no fear of the government conducting a compliance review, that the chance of a review happening was so remote that HIPAA compliance was just not on the radar. He said the government “is not coming after dentists.”
I did concur that the chances of a random audit were very low, but if a breach did occur, the chances of an investigation would rise substantially. I attempted to make the case that these practices and dentists had an obligation to their patients—more so than to the government—to protect electronic health records. He felt his clients knew this and made an effort to meet the requirements, but they did not need to be as aggressive in this area as a medical practice did. His rationale was that little or no electronic patient information left a dental practice and that it is far more routine in a medical office.
I informed the consultant that, regardless of patient information leaving the practice, if it was maintained on an in-house server or computer or transmitted from a mobile device to a server, the practice must still meet all the HIPAA Security Rule compliance requirements. I made the point that a HIPAA Risk Management Plan must be in place as the foundation for compliance. He did not see the plan as a priority.
I went on to ask what would happen if a breach of patient records did occur—what would his clients do? He said something to the effect that they were not concerned about breaches occurring. When I told him there were a number of dental practices on the HHS Breach Notification list, our conversation abruptly ended, and he walked away seemingly in a huff. It was abundantly clear this consultant did not have a thorough understanding of the requirements for HIPAA compliance.
I know his motivation is profit-driven, and I can’t fault him or his clients. Maybe the fault lies with the U.S. Department of Health and Human Services for not providing enough clear-cut guidance on HIPAA compliance for small providers. With better education comes the possibility that this consultant will make HIPAA compliance one of the critical areas he covers with his clients and that he will put it on his and their radar in the future.
Author: Jay Hodes is the President of Colington Security Consulting LLC and the former Assistant Inspector General for Investigations at the U.S. Department of Health and Human Services, Office of Inspector General. In that position he supervised over 200 Special Agents and professional support staff responsible for health care fraud and medical identity theft investigations throughout the eastern United States.
His company provides assistance with HIPAA Security Rule compliance by conducting risk assessments and writing practice-specific risk management plans. The assessments identify vulnerabilities and risks, determine the potential impact, and provide a gap analysis action plan to prevent unauthorized access, tampering, and theft.