Ask any practice that has received a call about a HIPAA investigation if the time and money they spent on compliance with the law was enough. HIPAA privacy expert Amy Wood discussed the topic of HIPAA compliance at CDA Presents 2016, focusing on why dental offices spend so little on security and information technology.
Amy Wood is the president and HIPAA privacy officer of ACS Technologies.Wood is the president and HIPAA privacy officer of ACS Technologies, a HIPAA-compliance company from Northern California that provides security and technology for dental and medical practices. She'll be speaking on Thursday, May 12, at CDA Presents in Anaheim, CA, on the topic of HIPAA compliance in the dental practice.
Wood noted that HIPAA is confusing, and compliance is daunting for many practices, especially smaller ones that may think they do not have the financial resources to invest in IT and security. She told DrBicuspid.com about how lack of insurance and security can be a practice killer should something terrible happen, such as a security breach or loss of patient data.
"People aren't sure how to do HIPAA correctly, and there are a lot of ways to get it wrong," Wood said.
She referred to a case in which a client, who did not have insurance, had to pay almost $300,000 out of pocket because a server was stolen.
"It is catastrophic in most cases," she said. "That client is still in practice, largely because of the aggressive approach to reporting and drastic changes in how the office embraced privacy, security, and technology."
Wood said that, unfortunately, she sees cases such as that one all too frequently.
"Cases like that are now trends with cybersecurity at the forefront," she said. "A practice needs to have someone watching all the time, not only for compliance, but also to stay ahead of problems before they cost time and money."
Resistance from practice owners
Dental practices often resist spending money on IT and security, Wood noted.
"General business spends anywhere from 11% to 18% per year of their budget on security and IT," she said. "In dental practices, it's between 1% and 3%."
As shocking as that figure is to dental practice owners, it has also drawn attention from law enforcement agencies.
"This disparity is getting noticed by enforcement agencies, and they don't understand why general business has better security than a dentist, because every piece of information on a patient could compromise that patient's identity," she said. "Patients are becoming aware as well and silently leaving practices because they don't feel their information is safe. Patients should feel safe giving their information to their dentist."
What Wood often experiences as she is presenting at conferences and talking with potential clients is doctors balking at the time and the expense involved in securing their practice and patient information.
She sees a lot of resistance to more expensive programs, she noted. "I see practice owners desperate to find an easy solution," she said. "They want a checklist, a yes or no program. But from the breaches we have seen, those programs, while inexpensive, don't hold up."
For the last 10 to 15 years, she said, practitioners seem to often view IT as a sort of "cleanup crew," called in only after all other possible solutions have been explored and then paid a fee for their services.
Ransomware
Wood noted that the topic of ransomware comes up often when she speaks to dentists and other practice personnel. She noted at a recent conference that this is an issue her firm ACS takes very seriously.
"I asked the group I was speaking to how many had to deal with ransomware at the office. Everyone said yes," she said.
Wood's training and years of experience have led her to understand how complicated this can be for everyone at a practice.
"Front-desk staff ask me all the time, 'Can you please take this off my desk. I'm not trained to do this,' " Wood said. "Most first responses in a breach may seem like the right thing to do, but in almost every case those choices don't give a good outcome and aren't the best way to address a data breach."
