Dental Strategies For Success library
Cyber Risk: The New Frontier
HIPAA, HITECH and EHR are now common acronyms in healthcare. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 significantly updated the HIPAA Privacy and Security regulations. In light of the growing use of electronic health records (EHR), regulations are stiffening when it comes to protecting electronically stored patient information.
Are your privacy and security policies up to date or will you fall victim to the threats technology brings? Prudent risk management not only applies to patient care, but also requires us to take precautions against cyber risk.
The Invisible Risk
Cyber risk refers to the potential liability associated with the electronic processes and business interactions conducted through computer networks. Cyber risk occurs as a result of human error; employee theft or fraud; or other willful destruction such as sabotage, hacking, or viruses. With the right resources, protecting your electronic data won’t be overwhelming.
Breach of Security
Understanding what constitutes a security breach is the first step to preventing it. A security breach occurs when an unauthorized person gains access to confidential business, personal or patient-related data, whether through hacking or through outright theft of laptops or storage media. Frequently, this data is used for identity theft. Costs associated with cyber risk can be very high. In 2008, the Federal Trade Commission reported that businesses lost $56.6 billion to identity theft.
The new HITECH Breach Notification Rule requires that patients be notified when unsecured protected health information is breached. In 2009, 4,500 dental patients were affected by security breaches, according to reports filed with the Department of Human Services. In 2010, the number of affected dental patients escalated over 1000% to almost 50,000.
Imagine that an employee steals patients’ identities for her own personal gain. This action not only impacts your existing patients, but tarnishes your reputation and diminishes new patient acquisition. Although she may have been authorized to use the data in the scope of her job duties, use of such data for personal gain is unauthorized and illegal. Under the new HITECH Act, this team member will face criminal sanctions. In order to prevent privacy or security breaches, all team members must understand how HIPAA/HITECH applies to their job duties.
Safeguarding Your Practice
Just as you develop a treatment plan for your patients, consider developing a data protection plan for your office. Four risk reduction strategies to help you create a plan include:
1) Develop privacy and security policies and procedures. This author conducted an informal survey to determine whether dental practices have both privacy and security policies and procedures in place. The poll revealed 50% of the respondents have both privacy and security policies while the remaining 50% admitted they either didn’t have privacy and security policies or didn’t know there was a difference. When was the last time you looked at your HIPAA manual?
2) Rely on sound employee selection and training. Experts tell us 70% of identity theft occurs in the workplace. It pays to ensure your patient data is shared only with trusted individuals. Background screening and reference checks are a must. Skipping these important steps may cost you more in the long run. In addition, the federal government expects new employees to receive HIPAA training upon hire, then annually thereafter.
3) Consider purchasing cyber risk insurance. Talk to your broker about coverage and exclusions. The Ponemon Institute, an independent privacy and information security research firm, estimates that a security breach will cost you $345 per patient record to handle what’s known as “after breach care.” After breach care includes such things as patient notification, assistance from a breach consultant and fraud resolution service for affected individuals, but most likely will not cover fines and penalties. Without adequate insurance coverage, this could easily become a significant out-of-pocket expense.
4) Back up your data regularly, and be sure all backup media and laptops are encrypted. Most data lost in security breaches is stolen from unencrypted laptops, hard drives, servers and external backups. Regular backups provide you with a starting place if your security system is breached — and encryption will keep that data secure.
Additional HITECH Requirements
The new provisions under the HITECH Act are far-reaching. Briefly, they impact business associates, authorize State Attorneys General to file suit on behalf of their residents, grant patients greater rights in the accounting of disclosures of protected health information and include stiffer fines and penalties. Some of these provisions have been finalized and others have not. This does not take into account state privacy laws.
In the end, your best defense is a strong offense. By following these four steps, you protect your biggest asset—your practice.
Linda Harvey, RDH, MS, LHRM is a healthcare risk manager and compliance expert. She teaches doctors and teams how to protect their patients, their practices and themselves by closing regulatory gaps in their policies, procedures and workflow. Linda provides remote and on-site services and works one-on-one with team members and doctors to streamline processes, reduce "busyness" and improve compliance. For additional information call 904-573-2232 or email: RiskTeam@LindaHarvey.net.