Dental practice management software company Henry Schein Practice Solutions, which offers products such as Dentrix and Easy Dental, is about to be handed a $250,000 fine by the Federal Trade Commission (FTC).
The company falsely advertised the level of encryption applied to the transmission and storage of dental patients’ protected health information (PHI).1
While the FTC charges have little to do with Henry Schein customers who were duped by the false claims, the collateral damage could be a slew of HIPAA violation fines directed towards these practitioners.
Those unaware of the thousands of HIPAA regulations may be hard-pressed to make the connection between this sanction and possible HIPAA violations resulting in fines for those using the software who seemingly innocently transmitted their patient information. However, the potential liability is real.
Schein knew the standards that its dentists were required to meet under HIPAA security standards, it advertised and promised that it would meet those standards, and then knowingly violated them. As a chiropractor, you could just as easily be affected if you are relying on similar claims made by your software company.
Most practitioners’ efforts to stay up-to-date with HIPAA requirements are lagging or nonexistent, or they have not put the required protections in place within their practices. In this case, that means having business associate contracts with every individual or entity that stores or transmits electronic data, and assuring that those contracts do not create an agency relationship between the vendor and the physician, which protects the physician from liability for the business associate’s actions. Practitioners who skipped these steps may have become liable under HIPAA for their vendor’s improper encryption.
To the logical mind, this may be the opposite of what common sense would dictate, but unfortunately there are no requirements that laws follow the rules of logic.
Assuming that most—if not all—of the practitioners involved in the Schein case failed to read their service agreements and did not have business associate agreements in place to properly disclaim any control over Schein’s operations, then the doctors could face a ruling that their software provider is their “agent” for HIPAA liability purposes.
This could result in dire consequences for the providers. In retrospect, it’s safe to say that they could have taken steps to mitigate their potential liability, reducing any fines for which they may now be liable.
Since chiropractors use similar software programs and are held to the same HIPAA standards as the aforementioned dentists, practices should heed this as a warning to get their HIPAA procedures up to snuff and be thankful that it didn’t happen to them (this time).
In assessing fines, HIPAA states that the Secretary of Health and Human Services issues a fine of $10,000 to $50,000 per violation in instances where the doctor made a conscious, intentional failure or exhibited reckless indifference to the obligation to comply with a HIPAA requirement.2
As recently as five years ago, such fines were few and far between, but HIPAA’s enforcement has been greatly amplified, and it’s time to start paying attention to the consequences of ignoring compliance. The days of sticking your head in the sand and hoping to dodge the bullet are absolutely over.
Staying HIPAA compliant in modern times
As the value of healthcare information rises, it is increasingly being stolen and sold. In an industry report on cybersecurity challenges in healthcare, Raytheon found that healthcare records contain information that is up to 10 times more valuable on the black market than more conventionally stolen financial information.3
Because of this increase in value, the healthcare sector is now more than 200 percent more likely to encounter data theft and approximately 340 percent more likely to have a security incident than the average industry. These hackers target both large and small operations, because regardless of where the information originates, there is money to be made by stealing it.
Increased medical data theft, coupled with several large healthcare information breaches, has pushed the public to demand better government protection. And the Department of Health and Human Services (HHS) delivered.
The HHS Inspector General, speaking for the Office for Civil Rights (OCR), has stated that, “without fully implementing [a permanent] audit program, OCR cannot identify covered entities that are non-compliant.”4 The OCR director responded by asserting that random audits will begin early in 2016.
To back up the bark with a significant bite, OCR’s budget was increased by nearly $4 million to fund these audits. As if that wasn’t reason enough to jump on the HIPAA compliance bandwagon, all revenue generated from non-compliance fines must be used for additional enforcement. HHS explains, “OCR retains and expends these collections to support overall HIPAA enforcement activities.”5
What can you do?
With increased breaches and impending random audits, how can practitioners stay out of hot water?
You do have options for implementing a HIPAA compliance program in your practice. Continuing education (CE) courses are available to give you a good starting point, and these cover most of the basics.
You can also employ a reputable company offering a do-it-yourself product that will keep you from having to read the thousands of pages of law, but it will still require some heavy lifting on your part. For the busier doctor and the more sophisticated office, professionals are available to help you get a HIPAA compliance system in place.
Lindsey Olson, Esq., is an on-staff attorney with HIPAA Compliance Services, which provides comprehensive HIPAA training, compliance materials, and onsite HIPAA program installation services. She is a Certified HIPAA Onsite Consultant.
Ty Talcott, DC, is the president of HIPAA Compliance Services. He is a Certified HIPAA Privacy and Security expert (CHPSE). Each year he presents dozens of webinars and live presentations across the country to assist doctors in protecting their practices.
1 Dental Practice Provider Settles FTC Charges It Misled Customers About Encryption of Patient Data. Federal Trade Commission. www.ftc.gov/news-events/press-releases/2016/01/dental-practice-software-provider-settles-ftc-charges-it-misled. Published Jan. 5, 2016.
2 Legal Information Institute. “Amount of a civil money penalty” – 45 C.F.R. 160.404. https://www.law.cornell.edu/cfr/text/45/160.404. Published Feb. 2016. Accessed March 2016.
3 Websense. 2015 Industry Drill-Down Report. Raytheon. www.websense.com/assets/reports/report-2015-industry-drill-down-healthcare-en.pdf. Published Sept. 2015.
4 Murrin, Suzanne. OCR Should Strengthen Its Oversight of Covered Entities’ Compliance with the HIPAA Privacy Standards. U.S. Department of Health and Human Services. www.oig.hhs.gov/oei/reports/oei-09-10-00510.pdf. Published Sept. 2015.
5 HHS FY2016 Budget in Brief. U.S. Department of Health and Human Services. www.hhs.gov/about/budget/budget-in-brief/ocr/index.html. Published Feb. 2, 2015.