• Best Practices New Normal
  • Digital Dentistry
  • Data Security
  • Implants
  • Catapult Education
  • COVID-19
  • Digital Imaging
  • Laser Dentistry
  • Restorative Dentistry
  • Cosmetic Dentistry
  • Periodontics
  • Oral Care
  • Evaluating Dental Materials
  • Cement and Adhesives
  • Equipment & Supplies
  • Ergonomics
  • Products
  • Dentures
  • Infection Control
  • Orthodontics
  • Technology
  • Techniques
  • Materials
  • Emerging Research
  • Pediatric Dentistry
  • Endodontics
  • Oral-Systemic Health

4 steps to take after suffering a data breach

Article

What to do if someone gets hold of valuable patient information.

A data breach in the dental industry isn’t just nerve racking -it’s also expensive and it can potentially shut a practice down. The bad news is that nearly every practice will experience a data breach of some magnitude during the life of the practice. This guide helps you to identify the type and severity of a data breach.

There’s a lot of confusion on what constitutes a breach in the healthcare industry. Under HIPAA, it’s presumed that an impermissible use or disclosure of protected health information (PHI) is a breach unless the covered entity or business associate demonstrates that there’s a low probability that the PHI was compromised.

Related article: Is your website a HIPAA violation?

To make that determination, HIPAA mandates that those organizations perform a risk assessment on at least the following four factors.

1. Assess the nature and extent of involved PHI and likelihood of re-identification

When determining the risk of harm to an individual, it’s important to determine what information was exposed and the likelihood of re-identification. Take a closer look at the PHI that was inappropriately disclosed or used. Is it more sensitive in nature? Do they include financial records? What was the level of detail in the record? Assessing this information will help to mandate the urgency with which you deal with the issue.

For example, you’ll feel far more pressed to deal with a breach in financial records than you will to deal with a breach in outdated information. Also, as we’ve discussed in previous articles, if you’ve encrypted the data and have evidence of this, then you can reasonably determine that there’s a very low risk of re-identification. On the flip side, HHS made a determination back in 2016 that suffering a ransomware attack is, by definition, a breach.

This information is one step that will assist an office in determining if there’s a low risk that the PHI was compromised. However, all four factors must be considered before a determination is made.

2. Determine the unauthorized person who used the PHI or to whom the disclosure was made

The next step involves tracing the breach back to the source and identifying the perpetrator and/or the person to whom the information was disclosed. This often occurs as a mistake on the part of the employee.

For example, an employee who meant to send an encrypted email file to a referring office may have mistakenly sent it to a different party or included unauthorized personnel in the email correspondence. If this is the case, then it’s fairly simple to trace it back to the source. From there, steps can be taken to reinforce policies to rectify the situation.

Other times the impermissible use or disclosure involves a third party. Determining who received the PHI is an important factor, as it may weigh heavily toward a decision that the data had a low probability of being compromised. An email sent to another dentist is far better than one sent to the wrong patient!

Related article: How to ensure your email is HIPAA compliant

3. Establish whether the PHI was actually acquired or viewed

The best-case scenario is that breached data is never viewed or acquired. This may happen, for example, if a laptop that was stolen or lost is returned but an unauthorized person never opened it. This is going to be a factor in determining if the PHI was compromised.

Continue to page 2 to read more...

 

At times, a forensic data analysis can determine whether or not the information was accessed, viewed, acquired, altered, transferred or otherwise compromised. This step, combined with the other three, can help you determine whether a breach actually occurred.

4. Evaluate the extent to which the risk to the PHI has been mitigated

All risks to the PHI should be mitigated in order to reduce legal implications and protect the information. In the previous example of the “incorrect email” to another covered entity, the responsible covered entity could request a letter of attestation that the PHI was destroyed.

Related article: The terrifying threat ransomware poses to your dental practice

This step depends a lot on the third party’s actions following the data breach and their willingness to cooperate with efforts to mend the situation.

After all four steps have been considered and documented, the covered entity or business associate must, in good faith, make the determination whether there was a low probability that the PHI was compromised. If the covered entity or third party can’t make that determination, then breach notification is required. 

Related Videos
Mastermind Episode 33 – Charting the Course for the Future of Dentistry
CDS 2024: What's New at TAG University? with Andrew De la Rosa, DMD
CDS 2024: Breaking Down Barriers to Care with Eric Kukucka, DD
Greater New York Dental Meeting 2023 – Interview with Len Tau, DMD
Greater New York Dental Meeting 2023 – Interview with Hope Slowik
Greater New York Dental Meeting 2023 – Interview with Branden Neish, MBA
Greater New York Dental Meeting 2023 — Interview with Shannon Carroll, RDH
Greater New York Dental Meeting 2023 – Interview with Edward Goldin, DDS
Related Content
RevenueWell Launches Insurance Verification Tool. Image credit: © RevenueWell

RevenueWell Launches Insurance Verification Tool

April 11th 2024
Article

This new tool from RevenueWell pulls accurate data to streamline dental insurance verification processes.

Product Bites – December 8, 2023

Product Bites – December 8, 2023

December 8th 2023
Podcast

Product Bites makes sure you don't miss the next innovation for your practice. This week's Product Bites podcast features new launches from Paperplane Therapeutics, Zolar Technology, and Carestream Dental.

Figure 1. Labial vestibular injections just under the nostrils are often the most painful injections. With nearly 100% consistency, the Calaject computerized anesthetic technique resulted in zero pain for this otherwise stressful and uncomfortable procedure.

Innovative Technology Takes the Guesswork Out of Injections

April 1st 2024
Article

Ronvig’s Calaject, brought to you by Directa USA: Catapult’s Vote of Confidence is awarded for everyday use in computer-assisted local anesthesia delivery.

Product Bites – October 13, 2023

Product Bites — October 13, 2023

October 13th 2023
Podcast

This week's Product Bites podcast features the latest from Dentsply Sirona, Yapi, DEXIS, DentXcel.ai, Tops, Burst Oral Care, and NSK America. [6 Minutes]

Taking Chances and How Those Chances Shape Our Future. Image credit: © rh2010 - stock.adobe.com

Taking Chances and How Those Chances Shape Our Future

April 1st 2024
Article

Sometimes improving your dental practice is all about stepping outside your comfort zone. Here are a few techniques and products that may enable that.

Kazunari Matoba Former General Manager of Research and Development, J MORITA MFG CORP – Pictured with (from left to right) Root ZX II, Root ZX, Root ZX3, Root ZX mini | Image Credit: © J MORITA MFG CORP

Living Up to the Name of an Endodontic Technology Icon

April 1st 2024
Article

Built on the same reliable, accurate technology as the original Root ZX apex locator, the new Root ZX3 from J MORITA aims to be equally innovative with the integration of high-frequency conduction therapy.

© 2024 MJH Life Sciences

All rights reserved.