Patients have several expectations and assumptions when they choose your practice. They expect and assume that you will provide quality care. They expect and assume that you will provide services that they need and require. They expect and assume that you will safeguard the information that they have given to provide that quality care and the services that they need.
Since 1996, all healthcare entities have been mandated to safeguard a patient’s “Protected Health Information”. However, considering recent breaches like Equifax and Uber, forty-eight states and three territories have enacted privacy laws. Alabama introduced a bill in March 2018 which, if it goes into effect on May 1, 2018, would make it the forty-ninth state with privacy laws for any entity that does business within its borders. These laws require businesses to protect consumers’ information, “Protected Identifiable Information”. Senator Bill Nelson (D) of Florida introduced a bill in November 2017 to make it a federal law that any business must report immediately to the federal government if it has any kind of breach that involves Protected Identifiable Information.
So, what is PII? Any information that can identify or locate an individual. In most states it is either the first name or initial with the last name in combination with an address, phone number, social security number, account numbers, email address, date of birth, vehicle information, digital signature, medical records, fingerprints, an image, retina, iris, etc. See the crossover? Many of these are the same identifiable points as PHI, or Protected Health Information.
This exposes practices to a whole different level of liability. In the event of a data breach or a theft involving data, a practice must report to the Office of Civil Rights when the breach involves PHI. The fines for failing to safeguard patient information can be up to $50k per record. But now, because much of our data crosses over, it is also considered PII, or Protected Identifiable Information. This means that the state can also fine and, in some cases, impose jail time, especially when an executive (doctor) fails to safeguard the data or to report the breach in a timely manner. To complicate the issue, several states strive to protect their residents whether the breach happens in state or out of state.
For example, if your primary residence is in New York but you visit a business in Florida that has a breach involving your information, that business must notify the “resident” in accordance with both Florida and New York law. Practices that have patients who primarily reside within the European Union may be subject to the newly enacted GDPR, or General Data Protection Requirements. This requires that any entity, including healthcare providers, ensures that the practice has adequate security controls, data encryption at rest and in transit, backups, redundancy, and intrusion detection mechanisms so that patient data is not compromised in any way.
Cyber-attacks are going to continue, and small healthcare practices are a prime target because many do not take safeguarding their data seriously. In a recent study, 87% of practices felt that they were HIPAA compliant, yet two-thirds of those same doctors had questions about HIPAA. Being compliant does not make your practice secure.
Implementing a security management program (which is mandated within the HIPAA Rule) does not have to break the bank, but it does take effort. It is time to look at HIPAA as a guide to protect your data, not just another regulation.
Debi Carr is the CEO of D. K. Carr and Associates, LLC, a Security and HIPAA Consulting Firm. She has over 22 years of dental practice management experience and over 30 years of experience in technology and security. She assists dentists in obtaining and maintaining HIPAA Compliance, including performing annual risk analysis and team security awareness training. Debi holds several certifications including HealthCare Information Security and Privacy Practitioner, Certified Associate Healthcare Information and Management Systems provider, HIPAA Certified Professional, and Certified Ethical Associate-IT. She is a member of AADOM, ADMC, HIMSS, and ISC2.