The "Carrots and Sticks" of HIPAA Compliance

I’m not going to lie: implementing a HIPAA compliance program can be time-consuming and expensive. But if you accurately weigh the costs and benefits, I am confident you will discover that it simply makes good business sense to make the investment and take HIPAA seriously.

We’re all familiar with the idea of using “carrot and stick” techniques when you’re looking to nudge people toward a desired outcome. The analogy comes from trying to get a stubborn donkey to go where you want. You start by rewarding good behavior (feeding it carrots), and if that doesn't give the desired result, you start dishing out some punishment (hitting it with sticks). HIPAA compliance has its own share of rewards and punishments intended to guide practices toward beneficial privacy and security standards. Personally, I am not a big fan of using the fear of punishment as a primary motivator, especially when there are so many positive things that happen when your practice is HIPAA compliant. When you commit to implementing a continual improvement process for HIPAA, it can’t help but spill over into the other areas of your practice. Better-trained staff, protected patient data, improved business procedures, and peace of mind are all natural rewards - or carrots - your practice will see in exchange for this effort.

I also don’t want to trivialize the real threats to your practice - the sticks, if you will. There are very real consequences when HIPAA is violated. The practice could face civil lawsuits, sanctions by professional boards, and even criminal penalties for willful HIPAA violations. There are also stiff potential government fines (both state and federal). Additionally, not following HIPAA security practices puts you at greater risk of ransomware attacks, which, in my opinion, are the largest risk dental practices face.

Breaches are more common than most people think, but the vast majority are ignored. How many practices do you think have never had patient data viewed by the wrong person, or never sent an email or bill to the wrong person, or never had an employee discuss a patient with somebody they shouldn’t have, or never gave a business associate access to more data than they needed, or never had a virus or ransomware attack? Zero! But just because they are common occurrences, or only affected one patient’s data, doesn’t mean they aren’t violations and potential breaches. All it takes is one disgruntled patient to report your practice to HHS and you suddenly have a bureaucratic nightmare on your hands, if you aren’t prepared. While any one of these “minor” violations may not have large consequences on their own, if HHS discovers you have not been taking HIPAA seriously, the hammer can really come down.

Now, all this talk about HHS, ransomware, and breaches may have created some anxiety. It doesn’t need to be that way. If you implement a comprehensive privacy and security program that is designed to address the real risks you face, you can have peace of mind knowing you are doing the right things. And while implementing a HIPAA compliance program is an investment, it doesn’t need to be overwhelming. 

If you haven’t made HIPAA a priority yet, start today. Join our online HIPAA community for dentists at bitesizehipaa.com. Explore and learn for 60 days on us! Please watch every training course (we call them bites) and explore the tools we’ve created to help ease HIPAA implementation and compliance. There is no risk. Give us a little bit of your time and we'll teach you about the HIPAA law, why it exists, and how - if done right - you can protect your patients and your practice from a variety of very real threats that inherently exist in today’s dentistry.


Todd Baker, JD, CIPP

HIPAA & Privacy Attorney

Todd Baker is a uniquely qualified attorney with extensive experience regarding the intersection of HIPAA and technology. Todd earned his undergraduate degree in business at Boise State University and completed his law degree at the University of Virginia School of Law.
