By Matt DiBlasi
From the Winter 2021 Journal of the Colorado Dental Association
After a record-breaking year of HIPAA enforcement, the following is a recap of what happened in 2020 and how you can best protect your practice in the year to come.
In addition to the historic toilet paper shortages and the skyrocketing prices of Purell and Lysol, 2020 will be remembered for setting an all-time high in HIPAA enforcement by the Office for Civil Rights (OCR). Before December 2020 even began, the OCR had settled 18 violations, nearly doubling 2019’s total and raking in more than $13 million in fines from covered entities and business associates alike.
While we’re sure no one wants to relive 2020, there are some key takeaways when it comes to HIPAA compliance that can help your practice avoid ending up on the OCR’s enforcement list.
Patient Right of Access
Featured heavily in 2020 enforcement efforts was the patient right of access initiative. This hot topic accounted for over 50% of the total fines levied, ranging from $3,500 (the smallest HIPAA fine to date) to $160,000. Each practice affected failed to provide patients or their authorized personal representatives with access to requested medical records within the HIPAA-mandated time frame. In fact, two instances were only resolved after the individuals involved complained a second time to the OCR, and one covered entity didn’t provide the requested records until almost three years after the initial request was submitted. To put that in perspective, Colorado and federal regulations require records to be provided within 30 days of the patient request. This enforcement trend will only continue, especially as the Department of Health and Human Services looks to update the HIPAA Privacy Rule provisions with great emphasis on patient access in 2021.
The takeaways? Make sure you have proper patient data request policies, staff are trained on how to process requests, and you document any requests to best track and meet required timeframes for access.
Cyberattacks
In addition to pandemic worries, cyberthreats rose significantly in 2020, and will only continue to grow. Healthcare data is 10 times more valuable on the black market than credit card information, and that makes your practice a prime target for hackers. Many of 2020’s fines were the result of data breaches, most of which revealed a “systemic lack of [HIPAA] compliance” (as the OCR put it), and one of which resulted in the second largest HIPAA fine to date of $6.85 million. While a cyberattack may be impossible to prevent as threats continue to evolve, having a complete HIPAA program and reasonable safeguards in place is still expected. In short, if your practice doesn’t have basic HIPAA requirements like a Security Risk Analysis (SRA) in place, the OCR will show no mercy in using a breach incident to slap your practice with a HIPAA fine.
In addition, many business associates (vendors who work with, create, or transmit protected health information on behalf of your practice) were hit heavily with cyberattacks, ransomware and breaches in 2020. Having proper Business Associate Agreements, a HIPAA requirement, is essential to protect your practice from liability if a cyberthreat impacts one of your vendors. A missing agreement could leave your practice with a fine, even if the breach was completely beyond your control.
The takeaways? Review or complete business associate agreements with any vendor that may fall in this category as soon as possible, and make sure your HIPAA program basics (including training, your SRA, and proper documentation) are all up to speed.
2021 and Beyond
With increased enforcement, the likelihood of a HIPAA investigation has become a matter of “when” instead of “if.” If your practice is a smaller one, the OCR has emphasized that you’re not immune. In fact, OCR Director Roger Severino recently urged the importance of compliance for “doctor’s offices, large and small” as part of the OCR’s patient right of access initiatives.
The most important thing you can do for your practice is to get a complete HIPAA program in place now, before an incident occurs, to prove your compliance and avoid any costly HIPAA fines.
Matt DiBlasi is the president of Abyde, a new CDA-endorsed company that provides HIPAA compliance software and tools for dental practices.
Worried you might be missing something in your HIPAA lineup? Don’t stress! Start the new year off on the right foot and register for an exclusive CDA webinar at abyde.com/webinar/cda to learn what your practice must have in place when it comes to HIPAA compliance.