Top Seven Data Breach Considerations

From electronic theft to email security, data breaches are common and dentists must be familiar with notification requirements.

Data breach news is ongoing and 2015 closed with no shortage of information about medical and dental record breaches.

The U.S. Department of Health and Human Services’ (HHS) online listing of protected health information breaches, known as the “wall of shame,” includes nearly 1,400 incidents of major data breaches (affecting 500 or more people) since 2009 when the HIPAA Breach Notification Rule began. One incident alone last year exposed the dental records of more than 151,000 patients to unauthorized users when an internal database was hacked at an Oregon-based dental services provider.

The Dentists Insurance Company receives numerous calls to its Risk Management Advice Line regarding data security, and analysts say dentists may not be aware of data security risks and the extent of notification required if a data breach occurs.

“Dentists can be unaware of their obligation to protect patient data and are astonished at how easily patient information can fall into the hands of unauthorized parties,” said Sheila Davis, TDIC assistant vice president of claims and risk management.

A data breach is generally defined as an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of patients’ protected health information (PHI).

“The term data breach is often associated with someone hacking into your computers or website, but a data breach is when protected health information is in the possession of an unauthorized person or entity,” Davis said.

The HIPAA Privacy Rule defines PHI as individually identifiable health information that is transmitted or maintained in electronic, oral or paper form. State laws address PHI and may vary from state to state. Examples of protected information include medical and dental records, defined as “any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.”

Also protected is personal information such as a person’s first name or first initial and last name in combination with identifiers such as a Social Security number, driver’s license number, account number, credit or debit card number, in combination with any required security code, access code or password that would allow access to the person’s financial account. A username or email address, in combination with a password or security question and answer that would permit access to an online account, is also protected.

In the constantly changing digital environment, TDIC reminds dentists of the following data security considerations:

Electronic theft: Theft of computers, hard drives, portable devices and back-up drives is the leading cause of data breach. The HHS Office for Civil Rights data breach portal indicates the type of breach and location of compromised information, and theft is by far the most common type of breach listed. Back-up drives and portable devices are especially vulnerable to theft.

“Data breach occurs when there is a theft of unencrypted patient data, either in the office or of portable equipment stolen in transit,” Davis said. “There can be several thousand records involved.”

TDIC can assist with breach claims for policyholders who purchase data compromise coverage as an addition to their commercial property policy. In one recently closed case, TDIC covered the five-figure cost of determining the extent of patient data on a stolen mobile device, as well as the required patient notification and credit monitoring services.

Notification: Both federal and state laws require patient notification in the event of a data security breach. Regulations vary from state to state regarding data security breaches, but most states require notification of affected individuals. State attorneys general offices have state-specific information. For instance, in California, businesses are required to send consumers a letter if an unauthorized user has acquired their data. If letters are sent to more than 500 individuals, businesses must notify the attorney general’s office.

“Dentists can be caught off guard regarding the extent of patient notification required when they become aware of a data breach,” Davis said. “They may also believe that unless someone has attempted to access or use the information, they do not need to notify their patients.”

“The problem is that once someone has attempted to access the information, then it’s too late to try and take preventative measures,” Davis added. “What could be viewed as careless security of patients’ data compounded by a failure to notify the affected parties may have longstanding reputational damage for the practice.”

Notification expenses: The cost of data breach notification is estimated at $200 per individual, according to the Ponemon Institute, a research center focusing on data protection. This expense includes the cost of fines, mailings, published notification and credit monitoring services.

Increasing regulation: At least 32 states in 2015 introduced or considered security breach notification bills or resolutions, according to the National Conference of State Legislatures. This is in addition to laws that impose monetary penalties upon individuals and institutions that fail to protect the privacy of patient medical records. With varying degrees of success, many of the newer bills sought to amend existing security breach laws to require entities to report breaches to attorneys general or another central state agency or expand the definition of “personal information” to include medical, insurance or biometric data in the event of a security breach.

California’s data breach notification law was amended to require changes, effective this month, to breach notification notices. New requirements include formatting, such as specified headers and text no smaller than 10-point type, of the notice to call attention to the significance of the content.

Also in California, additional legislation defined “encryption” as “rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information technology.”

Hawaii looked to expand the definition of “personal information,” establish a timeline in which a business must notify individuals affected by a security breach and prohibit use of email as a means of security breach notification if login credentials for email were compromised.

In Illinois, proposed legislation aimed to amend the Personal Protection Act, expand the scope of protected information to include medical, health insurance, biometric, consumer marketing and geolocation information and require notice of security breaches to be provided to the attorney general.

Staff training: Malware infection of office computers can cause data breach, and the entire dental team must use caution in accessing unfamiliar email, using the Internet and handling protected health information.

Email security: Given that many breaches occur when data travels outside the walls of your practice, it’s important to ensure that data can’t be compromised when travelling from point A to point B. HIPAA/HITECH regulations mandate that medical patient data being sent over the network must be encrypted.

If you send unsecured email with patient information, make sure to have the patient’s signed consent on file. TDIC has a patient release form on its website at for this purpose.

Encryption: Analysts say encryption is the most effective way to minimize the damage that can occur from a breach of protected health information. Password protection of computers alone is not secure. If you are not sure if your office computers, back-up drives and portable devices are encrypted, chances are they are not. An experienced IT professional can help protect your data. Encrypting protected health information provides safe harbor under HIPAA’s data breach notification rule.
