Are You Prepared for a HIPAA Dental Audit?

Why – or Why Not?

By D. Kellus Pruitt; DDS

If you are a dentist and pay ADA dues year after year to be kept better informed about protecting your patients as well as your practice, your ignorance of HIPAA is not entirely your fault. The ADA clearly dropped the ball. Nevertheless, you could still suffer fines as high as $1.5 million for what our leaders failed to emphasize.

It’s time members accept the shameful truth about the ADA Department of Dental Informatics, headed by Ms. Jean Narcisi. Narcisi, working under the direction of ADA Sr. Vice President Dr. John Luther, has been abysmally negligent in preparing members for HITECH HIPAA, and now the compliance deadline is only days away. It’s been months since any information about HIPAA has been published in any ADA publications. Why?

HIPAA Avoidance 

Why do ADA leaders avoid discussing HIPAA? They are ashamed, not unlike embarrassed scam victims. About six years ago, Newt Gingrich visited ADA Headquarters and “lied” to ADA Delegates about the future of eHRs in the US. Then he bribed the ambitious career bureaucrats in the crowd with millions of dollars in federal grants to play along with the scam. I can only imagine that the Delegates must have been star-struck by the former Speaker of the House, because nobody dared ask the tough questions.

Newt’s Slick

So here I am, Ms. Jean Narcisi. I’m again doing your job because your mistakes I pointed out years ago now have you frozen in shame. If you disagree, and consider self-respect as something worth defending, let’s discuss your innocence in front of everyone – including the ADA members who pay your salary. Or, you can continue to hide from your responsibilities. This crap will catch up with you soon enough, Ms. Narcisi, and Dr. Luther no longer has the courage to stick his neck out to protect you. He’s also scared of me. You are alone.


Dom Nicastro, senior managing editor at HCPro, edits the Briefings on HIPAA and Health Information Compliance Insider newsletters. He posted an informative article today titled “HIPAA Compliance Questions to Ask as HITECH Date Nears.”

The article features Chris Apgar, CISSP, president, Apgar & Associates, LLC, in Portland, Oregon. Mr. Apgar notes that “many covered entities and business associates have consistently failed to comply with the HIPAA Security Rule.” Apgar adds, “I find this over and over when conducting compliance audits.”

The lack of compliance described by Apgar is consistent with the results from my study in 2008, “HIPAA Rules and Dentistry.”

Study Abstract

A survey of 18 dentists was performed using the Internet as a platform. The volunteer dentists’ anonymity was guaranteed. The dentists were presented with ten HIPAA compliancy requirements followed by a series of questions concerning their compliancy as well as the importance of the requirements in dental practices.

The range of compliancy was found to be from 0% for the requirement of a written workstation policy to 88% for that of password security. The average was 49%, meaning that less than half of the requirements are being respected by the dentists in this sample.

Frustrated at Mandates

Frustration with the tenets of the mandate, as well as open defiance, is evident in the written responses. In addition, it appears that a dentist’s likelihood of satisfying a requirement is related to the dentist’s perceived importance of the requirement. Even though this is a limited pilot study, there is convincing evidence that a more thorough investigation of the costs and benefits of the requirements needs to be performed before enforcement of the HIPAA mandate is considered for the nation’s dental practices.


Questions to Consider

Apgar says that the security rule requires covered entities to consider these questions:

  • Has a risk analysis been conducted lately? Was it properly documented? Were damages mitigated and were the risks acceptable?
  • Is privacy/security training current? Have new workforce members who will have access to personal health information (PHI) been adequately trained? Has refresher training for all staff been accomplished? Have security reminders been provided?
  • Are the office policies and procedures complete, current and enforceable? Are workforce members trained on the policies and procedures they are required to respect?
  • Has a comprehensive audit program been implemented? (The security rule requires three periodic audits and an “evaluation” or compliance audit). Are evaluations current? Have audit findings been addressed and documented?
  • Have up to date disaster recovery and emergency mode operations plans been communicated and recently tested?
  • Are CMS’ remote access guidelines being followed? (These are not part of the rule, but CMS earlier indicated remote access management would be included as audit criteria).
  • Are data in transit and data at rest encrypted? Is non-electronic PHI being protected?

Office for Civil Rights

Mr. Apgar adds that even though the Office for Civil Rights (OCR) isn’t saying when audits will start, if a complaint is filed with OCR alleging “willful neglect,” OCR is mandated by statute to investigate. The fines for “willful neglect” are much more devastating than fines for simple carelessness. And “willful neglect” is a subjective judgment call made by inspectors … who work on commission.


Unfortunately for the nation’s dentists, the statute invites disgruntled patients and employees to celebrate revenge via federal inspectors. And, the more dentists are fined, the more the inspectors make. That can’t end well. Where are you hiding, Jean Narcisi? You’ve been silent far too long. Let’s talk. Don’t make me come get you.

Editor’s Note: The applicability of this post to all medical specialties is obvious.



14 Responses

  1. Hey – ADA
    HHS announced five more breaches

    “Much of our work will be seamless and below the radar screen for our members.” – ADA President-elect Dr. Ron Tankersley, in Judy Jakush’s September 2009 interview for ADA News.

    Do you yet understand why I get so frustrated with President Dr. Tankersley’s less than transparent leadership? As a common ADA member who pays dues to the non-profit professional organization, the ADA’s perpetually elected committee-approved leaders, as well as ADA employees, hide stuff from me as a matter of stated policy.

    I wonder how Dr. Tankersley’s seamless, hidden strategy is working out for the ADA Department of Dental Informatics. Jean Narcisi, who heads the department, has evaded at least one member’s questions about data breaches since February 2006. How much longer do you think she will be able to keep hidden the practice-ending liability of notifying patients of a breach? Yesterday, HHS posted information about 5 more that occurred in February.

    “As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. The following breaches have been reported to the Secretary.” – Department of Health and Human Services.

    Montefiore Medical Center
    State: New York; Approx. # of Individuals Affected: 625; Date of Breach: 2/20/10; Type of Breach: Theft; Location of Breached Information: Laptop

    Private Practice
    City and State: San Antonio, Texas; Approx. # of Individuals Affected: 21,000; Date of Breach: 2/20/10; Type of Breach: Theft; Location of Breached Information: Portable Electronic Device

    North Carolina Baptist Hospital
    State: North Carolina; Approx. # of Individuals Affected: 554; Date of Breach: 2/15/10; Type of Breach: Theft; Location of Breached Information: Paper Records

    University of New Mexico Health Sciences Center
    State: New Mexico; Approx. # of Individuals Affected: 1,900; Date of Breach: 2/08/10; Type of Breach: Other; Location of Breached Information: Desktop Computer

    PMC Medicare Choice
    State: New York; Business Associate Involved: MSO of Puerto Rico; Approx. # of Individuals Affected: 605; Date of Breach: 2/04/10; Type of Breach: Other; Location of Breached Information: Paper Records


    Just this week, a point was raised that the names of those responsible for breaches are being intentionally left off of HHS lists. It has been argued by privacy advocates that without personal accountability for the breaches, the entire purpose of public notification is defeated, and more Americans will needlessly suffer identity thefts because they will not be adequately warned that they are at risk.

    Do you know what’s big, hairy and is holding HHS back from posting names of providers and Business Associates? (If you haven’t heard the punch line, you are sure to find this catch-22 darkly clever in a traditional bureaucratic way). HHS evidently only recently discovered that in compliance with the federal Privacy Act, it is not permitted to publish the names of those responsible for the loss of data without their permission. No kidding! And get this: So far, not a single business owner has granted HHS permission to use them and their families as an example to prove to voters that Secretary Sebelius is effective at enforcing HITECH/HIPAA. Is that not the smoothest piece of screwed-up, rushed, stakeholder-designed ARRA legislation you have yet to see? Hey, it’s still early, friends. You haven’t missed anything. We are bound to see a lot more evidence of politically-correct-stupid soon enough.

    For example, I hear HHS is at this moment working furiously to permit the naming of providers and BAs even without their permission. Now consider this piece of common sense: If HHS could have named names, they would have already done so. At worst, gaining permission from thinking citizens in a democratic country promises to be only as tough as taking away one or more of their Constitutional rights.

    My bet is that Secretary Sebelius will carry out her duty to protect society and November incumbents by circumventing providing the actual names of providers and BAs. I think she will resort to the original bi-partisan HIPAA plan to use voluntary NPI numbers for publishing “quality” information on an NPPES Website – which is already planned to conveniently include state and federal infractions. That should work out swell.

    Here’s something I found intriguing: HHS reported that over 1100 paper records were stolen from a hospital and a BA. I do hope someone in HHS will share those stories with us. Just how does one slip quietly past the front desk carrying a file cabinet?

    Please don’t tell me employees are still tossing unshredded documents into the dumpster. How can Washington possibly protect us from ubiquitous idiots? They’re everywhere! They’re everywhere!

    D. Kellus Pruitt; DDS


  2. HHS Disclosure Rules

    Did you know that today is the end of public comment period concerning the new HHS disclosure rule that will go into effect soon?

    The ADA didn’t mention it, but according to the new regulation that was hidden in 2000+ pages of healthcare reform, if a dentist files insurance electronically, each transmission of patient information will have to be reported to HHS – whether it is to BCBSTX etc, an oral surgeon or the patient.

    Editor’s Note: Transmission by US mail and faxes are unaffected.

    D. Kellus Pruitt; DDS


  3. Moving paper – a hard way to make a dishonest living

    For those who might be wondering, the paper value of 33,000 medical records is about $40 – or 0.12 cents each (less the gas it takes to haul them to the recycler).

    The more I hear about the following, mysterious California data breach, the more entertaining it becomes. And I’m not alone. This morning, Dom Nicastro, writing for HealthLeadersMedia, posted “Janitor Sells Patient Records for $40”. He quotes Frank Ruelas, a compliance and risk management expert and principal of HIPAA College in Casa Grande, AZ, who says, “This incident is a bit of a head scratcher…”

    The privacy breach was first noticed in late July when an official discovered files were missing from a Los Angeles County medical facility, according to an LA Times article that was posted on Friday in response to an official press release.

    To me, stealing paper medical records to sell to a recycler just doesn’t seem profitable enough for the amount of work compared to stripping A/C units for copper or even stealing hubcaps.

    Here’s my take on a story that still hasn’t been adequately revealed if you ask me: I think a janitor named Robert Sanders who was employed by Martin Luther King, Jr. Multi-Service Ambulatory Care Center in Willowbrook, California was told by his supervisor to clean a bunch of junk out of a cluttered storage closet and that’s exactly what the hard-working man did.

    But instead of moving the 14 boxes to the dumpster a few yards away, it sounds like the 55 year old county employee might have backed his pickup up to the delivery entrance and piled all 14 boxes in the back. Then, instead of chucking them to the dumpster where the paper wouldn’t have been recycled for hundreds of years, he unloaded all 14 boxes at the recycler and picked up some beer money for the same amount of effort. So far, so good, right? Nope. I bet the janitor didn’t know the difference between a HIPAA and a hippo until a few months ago.

    According to the LA Times story (no byline): “An investigation into the missing files led authorities to Sanders, who was among the custodians questioned about where the files had gone.” It’s not like someone could “sneak” 14 heavy boxes without being noticed. And according to the press release, “One such employee confessed that he had personally taken the files to a recycling company for its paper value.” That would be Robert Sanders.

    Now the janitor is facing felony charges. Think about it: 14 boxes, $40 and a felony.

    “So what are you in prison for, old man?”

    “I moved a lot of paper in my time, son.”

    Carol Meyer, head of operations for the Department of Health said “We take patient privacy in this department very seriously.”

    I know what you’re thinking, and nope – this isn’t out of the “Onion.” This is the LA Times… wait, I see your point. But nevertheless, even Dom Nicastro offers: “One HIPAA privacy and security expert said hospitals can avoid records falling in the wrong hands by having an officer account for [14 boxes in a closet] at all times.”

    Thanks, HIPAA. I couldn’t make this stuff up.

    Darrell K. Pruitt DDS


  4. Dentrix is all over HIPAA 5010

    Dentrix, the nation’s largest dental software vendor, posted the following warning for its clients today. The HIPAA 5010 update makes me oh so happy I’m not a covered entity.


    It’s Not Too Early to Think About 5010

    By now you may have heard about the upcoming change in HIPAA transaction standards. As part of the HIPAA EDI rules, healthcare providers must be fully compliant with the new requirements by January 1, 2012. While that deadline may seem far away, it’s not too early to start preparing.

    The HIPAA 5010 update, which replaces the 4010/4010A requirements, involves many changes in how data is transmitted and will be unnoticeable to Dentrix users. The most obvious impact of the 5010 requirements will be in how you submit electronic claims, which will now require information that was not included previously. The 5010 update also accommodates the introduction of the ICD-10 code set, the new mandatory standard for medical diagnosis and in-patient procedures beginning October 1, 2013.

    It’s important for Dentrix users to know that the 5010 changes that impact Dentrix and its related services will be thoroughly tested and implemented by the required deadlines. As the developer of your practice management software and a large aggregator of dental claims in the industry, we are well-equipped to implement the changes.

    Keeping your Dentrix software up to date is one of the best ways to prepare for the HIPAA 5010 and ICD-10 updates. If you’re on a Dentrix Customer Service Plan, you will receive regular updates to ensure your Dentrix software is ready for the new regulations.

    Henry Schein Practice Solutions is committed to helping you meet the latest industry regulations. We will continue to provide you with information and software updates for the HIPAA 5010 changes. Please visit for more information. We’ll update this page as new information becomes available.

    Author: Damon Graves and Erin Brisk


  5. Sorry. Using Henry Schein’s own press release to illustrate why Dentrix is a bad idea was a bit of Schadenfreude as well as a cheap shot at a defenseless EDR vendor.

    Seriously, if American dentists don’t start educating themselves about the absurd, tedious requirements for safely maintaining PHI – and start complaining loudly about HITECH as well as HIPAA – EDRs will never be a good business decision for dentists because justifiably, NOBODY WILL TRUST THEM. That’s a fact.

    D. Kellus Pruitt DDS


  6. Shopping for a Dentist?

    You feeling as ornery as I am on this otherwise boring Monday evening?

    From what I understand, over 90% of US dentists are HIPAA-covered entities. Please sit back and watch me aggravate 9 out of 10 modern dentists just for grins.

    As patients’ data breaches from dental offices become increasingly well known, I’m counting on my honest, if blunt sales pitches to become increasingly more effective at attracting new patients – especially identity theft victims who avoid electronic dental records for natural reasons. I’m expecting the growing niche market to be funneled my way by the worst bi-partisan blunder in dental history and justified consumer fear.

    “Are you searching for a safe dental office to park your family’s Protected Health Information (PHI) while you get your teeth cleaned? You’ve found him.”

    – Darrell K. Pruitt DDS
    Fort Worth, Texas

    Here’s another: “Do you want to safeguard your family’s identities by visiting a dentist with traditional paper records? Or would you prefer to take your chances on internet benevolence with the digital records of a HIPAA-covered dentist?”

    Then I’d add, just for orneriness, “One can identify HIPAA-covered dentists because they have permanent National Provider Identification (NPI) numbers they were forced to volunteer for.”

    As if the challenge of protecting patients’ identities wasn’t already stressful enough for dentists who increasingly live under the threat of data breaches and HIPAA inspections – now from state attorneys general – I learned today from an article written by John Commins, editor with HealthLeaders, that just about anyone can hack dentists’ computers – and they will. Count on it.

    “Spying Technology Creates a HIPAA Nightmare” describes a losing battle against hackers in the healthcare industry.

    “A browser plug-in named ‘Firesheep’ allows snoops to monitor anyone using the wireless networks in their immediate area. The plug-in will display the name and show pictures of other surfers nearby – perhaps someone using Facebook — and allow the snoop to log in as that person. According to Marketplace, a hacker could post photos, send messages, pretty much do whatever he wants, all in someone else’s name. Firesheep has been downloaded more than 1.3 million times, and its creator told NPR he did it to show how vulnerable we all are.” Do you have a wireless router in your office? Will you have one tomorrow?

    “Whatever patient identity protections your healthcare organization has installed, it’s hard not to have a sneaking suspicion that the snoops will always be one step ahead in the game.” Commins adds, “It’s easy to see that many of these new snooping technologies could be used to monitor the conversations and other data of healthcare professionals, or tap into patient healthcare files. Now, with the advent of electronic medical records, that prospect is even more frightening.”

    So once again: For those who are concerned about identity theft from your dentist’s computer, and want to eliminate unnecessary risks, my paper records that are stored in large, heavy and loud metal filing cabinets are millions of times safer than the most secure electronic dental records on the market – guaranteed.

    Wait! There’s more! Because of the tremendous HIPAA costs incurred by dentists who store and transmit digital PHI, paper records are cheaper as well. And Darrell K. Pruitt DDS in Fort Worth passes on these savings to his patients without sacrificing his own modest profit. Besides, EDRs offer nothing to dental care that cannot be accomplished safely and cheaply via fax, telephone or the US Mail – none of which require dentists to have NPI numbers to operate.

    So for all those out there with dental needs who fear increasingly common data breaches from dental offices, Darrell K. Pruitt DDS in Fort Worth Texas, NEVER stores patients’ information on slippery, dangerous digital records.

    “Give us a call today and let us help prevent you from grinding your teeth over an avoidable identity theft.”

    D. Kellus Pruitt DDS
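The Firesheep mechanism quoted in the comment above is easy to state precisely: the plug-in never broke any encryption, it simply read session cookies that sites were sending over plain HTTP on an open wireless network and replayed them. What follows is an added example, not code from the post, from Firesheep, or from any vendor mentioned on this page. It reproduces the check a defender would run over captured HTTP exchanges and reports the cookies a passive listener could copy; the two exchanges, the host name and the function names are constructed for illustration. The "weak" exchange is the Firesheep case; the "hardened" exchange carries the same cookie inside TLS with the Secure and HttpOnly attributes and an HSTS header, and produces no findings.

```python
"""Why Firesheep worked, and what stops it (added example, constructed input)."""
import re
from dataclasses import dataclass

# Heuristic for "this cookie is probably a session credential".
SESSION_NAME_HINT = re.compile(r"sess|sid|auth|token|login", re.IGNORECASE)


@dataclass
class HttpMessage:
    start_line: str
    headers: list  # (lowercase name, value) pairs; repeats such as Set-Cookie are kept


def parse_http_message(raw: str) -> HttpMessage:
    """Split a raw HTTP/1.x message into its start line and header pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return HttpMessage(lines[0], headers)


def cookie_attributes(set_cookie: str):
    """Return (cookie name, {attribute: value}) for one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_exchange(scheme: str, request_raw: str, response_raw: str) -> list:
    """Findings for cookies a passive sniffer on the same network could read.

    `scheme` is what was actually on the wire for this exchange: "http" or "https".
    """
    findings = []
    req = parse_http_message(request_raw)
    resp = parse_http_message(response_raw)
    plaintext = scheme.lower() == "http"

    # 1. Session-looking cookies the client transmitted in the clear: this is
    #    exactly what Firesheep captured and replayed.
    for name, value in req.headers:
        if name != "cookie":
            continue
        for pair in value.split(";"):
            cname = pair.strip().split("=", 1)[0]
            if plaintext and SESSION_NAME_HINT.search(cname):
                findings.append(f"cookie '{cname}' sent over plaintext HTTP; a sniffer can replay it")

    # 2. Session-looking cookies the server issued without the attributes that
    #    keep a browser from sending them over http:// or exposing them to script.
    for name, value in resp.headers:
        if name != "set-cookie":
            continue
        cname, attrs = cookie_attributes(value)
        if not SESSION_NAME_HINT.search(cname):
            continue
        if "secure" not in attrs:
            findings.append(f"cookie '{cname}' set without Secure; the browser will send it over http://")
        if "httponly" not in attrs:
            findings.append(f"cookie '{cname}' set without HttpOnly")

    # 3. HTTPS without HSTS: the user's next typed-in http:// visit is still
    #    unprotected, so the missing header is reported as a weakness.
    if not plaintext and not any(n == "strict-transport-security" for n, _ in resp.headers):
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    return findings


# Constructed sample exchanges (not real captures; example.test is a reserved name).
WEAK_REQUEST = ("GET /inbox HTTP/1.1\r\nHost: example.test\r\n"
                "Cookie: sessionid=7f3a9c; theme=dark\r\n\r\n")
WEAK_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                 "Set-Cookie: sessionid=7f3a9c; Path=/\r\n\r\n")
HARDENED_REQUEST = WEAK_REQUEST  # same cookie, but carried inside TLS
HARDENED_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                     "Set-Cookie: sessionid=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
                     "Strict-Transport-Security: max-age=31536000\r\n\r\n")

if __name__ == "__main__":
    for label, scheme, rq, rs in [("weak", "http", WEAK_REQUEST, WEAK_RESPONSE),
                                  ("hardened", "https", HARDENED_REQUEST, HARDENED_RESPONSE)]:
        print(label, audit_exchange(scheme, rq, rs) or ["no exposure found"])
```

The office-side lesson is the same as the article's: an open or WPA-less wireless network in a practice puts every plaintext HTTP session on it within reach of anyone in the parking lot, and no amount of HIPAA paperwork changes that. The web application has to refuse to issue the session over HTTP at all (TLS everywhere, Secure cookies, HSTS), and the office network should not be open in the first place.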


  7. Skin in the Game

    If you have skin in the game, raise your hand … Not so fast, David Harlow.

    Today I dropped another incendiary comment on fellow LinkedIn HIT group members – most of whom wish this dentist would just leave them alone to enjoy each other’s happy press releases.

    This time, my unpopular but sincere challenge follows Tom Gomez’s link to a HIPAA consultant David Harlow’s press release warning that the cost of data breaches can be as high as $1000 per patient.


    Healthcare stakeholders: Participants in the healthcare industry who cannot be held directly accountable to doctors’ patients.

    Attorney David Harlow’s article that you chose to highlight, “Data Breach: How Much Will One Cost You?” speaks directly to the concerns of doctors – HIT customers who are held accountable to class action lawsuits for data breaches, in addition to HIPAA fines. Thanks, Tom. It hardly makes one popular around here, but I too value transparency.

    Addressing the uncontrolled cost of data breaches can no longer be avoided just because such discussions make stakeholders increasingly uncomfortable. I recently read that Ponemon’s latest estimate of the cost per fumbled health record had actually dropped to under $200. But that was before papers filed in the eleven class action lawsuits against Sutter Health revealed that attorneys are asking for $1000 per record, as described in Harlow’s article.

    If Sutter Health plaintiffs and their lawyers are awarded even half that amount, the precedent would mean if a dentist’s computer containing 5000 patients’ identities is breached, bankruptcy will be declared long before any multi-million dollar judgments are paid. It goes without saying that such a catastrophe will also destroy the dentist’s practice as well as reputation. Recovery from the cost of a single careless mistake, or even a dishonest employee, will be difficult if not impossible. It won’t take many publicized breaches before dentists will be seen returning to paper. As most know, HIPAA/HITECH demands that such breaches be publicized in local media.

    Stakeholders who cannot be held accountable seem to assume that by increasing providers’ liability beyond the already obscene levels, the increased fear of financial ruin will eliminate carelessness. Harlow writes: “The takeaway for other covered entities and business associates out there: If the OCR HIPAA audits aren’t enough of a motivation to get cracking with beefed-up data privacy and security protections, the potential exposure of Sutter Health in this class action suit should be reason enough to get started on this work as soon as possible, and to make it a high priority. Suits like these may be grounded both in state law and in indirect theories flowing from HIPAA/HITECH breaches (since there is no private right of action under HIPAA). The exposure is there, and a number’s been put out there to quantify it.”

    Mr. David Harlow, Principal of The Harlow Group, a healthcare law and HIPAA consulting firm, then unwittingly reveals the dysfunctional part of healthcare very few dare admit – stakeholders like the Harlow Group are far too insensitive to providers’ costs in maintaining HIPAA compliancy, and the increasing threat of audits isn’t helping anyone: “However expensive and inconvenient data encryption and other privacy and security measures may be, they are surely worth avoiding $1,000-a-head lawsuits and months of negative publicity.” “HOWEVER EXPENSIVE AND INCONVENIENT,” the consultant says.

    Perhaps it is because nobody has yet “quantified” the cost of HIPAA that makes David Harlow feel so comfortable using fear to persuade providers to spend even more healthcare dollars on compliance consultants. If nobody in the nation is tracking how much compliance adds to doctors’ bills, that means the non-negotiable cost to clueless patients is open-ended. Is it any wonder that healthcare costs in the US keep increasing?

    The audacity of “however expensive and inconvenient” reveals that there is nothing holding down the cost of HIPAA/HITECH compliancy even though EHRs in dentistry already cost more than they save – making them an expensive and dangerous hobby. As sure as gravity, without de-identification, unrestrained costs will eventually make EDRs increasingly less competitive than cheaper, safer paper dental records. Consumers will figure this out soon enough.

    D. Kellus Pruitt DDS

    NOTE: In fairness to David Harlow, I intended to post my opinion following his article until I read his rules: “Please note: Your first comment as a registered user will be held for moderation up to 24 hours (usually less). For more information about comments on our site, please read our FAQ and terms of use.”

    Even following such disrespect of customers, I still try to do the right thing, but I’m only human. Sorry, David Harlow. No heads-up.


  8. Are you sure you want electronic dental records, Doc?
    [HB 300 is even more costly for Texas dentists than HIPAA]

    “The new law (TEXAS HB 300) contains severe civil penalties for violations of the law. Penalties can range from $5,000 up to $1.5 million per year for unlawful disclosure of a patient’s PHI. In determining an appropriate penalty, the statute allows a court to consider five factors: the seriousness of the violation; the entity’s compliance history; the risk of financial, reputational, or other harm to the affected patient(s) caused by the violation; the amount necessary to deter future violations; and any efforts taken by the covered entity to correct the violation.

    If a violation is found to be negligent, it can cost up to $5,000 per violation each year the violation persists. Knowingly or intentionally violating disclosure laws can cost $25,000 per violation each year it persists. If the violation is known or intentional and produces financial gain, the penalty can reach $250,000 per violation each year that it persists. If the court finds that the violations are a “frequent pattern of practice,” a covered entity can face up to $1.5 million dollars in fines as well as license revocation, civil action from the AG, and the AG can request an audit by HHS. These penalties are in addition to the similar penalties that can be assessed by HHS under HITECH, so a covered entity could be facing fines up to $3 million per year for the same violations under state and federal law.”

    D. Kellus Pruitt DDS


  9. HIPAA – No more fun and games

    “Get set: New HIPAA has teeth – New HIPAA rule will bring more enforcement action, expert says,” by Diana Manos, Senior Editor for Healthcare IT News, was posted yesterday.

    “According to Jorge Rey, an associate principal and the director of information security and compliance for Kaufman, Rossin, the biggest difference in the new rule is a change in breach notification. Under the old rule, providers were presumed innocent of harming patients when a breach occurred – until they proved otherwise. Under the new rule, providers are presumed guilty of harming patients when data is breached. They will have to prove their innocence.”

    Jorge Rey: “I think they are putting out the message that they are serious about enforcement. They are going after small and large cases.”

    D. Kellus Pruitt DDS


  10. HIPAA Audits Resume in October
    [HIPAA audits will resume in less than six months]

    Are you prepared, Doc?

    In an interview, Verne Rinker, an OCR health information privacy specialist from HHS, discusses:

    – Key audit findings regarding non-compliance with the HIPAA privacy and security rules;

    – How non-existent or poorly conducted risk assessments by covered entities led to other HIPAA non-compliance audit findings;

    – Plans for a new HIPAA audit protocol that takes into account the release of the HIPAA Omnibus Rule.

    Darrell K. Pruitt DDS


  11. BEWARE: Monday, September 23rd 2013?

    Have dentists (other than my readers) been warned to prepare for Monday, September 23, 2013? I say probably not.

    In spite of EDR stakeholders’ notorious unresponsiveness – a manifestation of unaccountability which stoic dentists have inadvertently nurtured for years – I am confident that HIPAA compliance information I openly share has already helped at least a few dentists avoid findings of “willful neglect” by HIPAA auditors only months from now. My pleasure.

    Here is more news others are likely to miss:

    “[Even dentists] need to be in a position to demonstrate due diligence and show you have not been ignoring HIPAA and other related privacy and security statutes for years.”

    – Chris Apgar, CISSP, CEO and President of Apgar & Associates
    [Privacy, Information Security, Compliance Experts, HCCA, ISSA]

    I admit that between the brackets sits abject editorial liberty. But seriously, if I don’t warn HIPAA-covered dentists about the liabilities of maintaining ePHI, who will? Nobody. The downsides to identity-laden EDRs continue to be hidden from consumers (often through censorship): A sign that stakeholders with too much power have unhealthy interests in dentists’ purchase of dental software – which in turn causes the dental media to employ anonymous censorship to protect revenue from questionable ads. Virtually all popular media in dentistry have abandoned journalistic ethics. That’s my opinion. Am I wrong?

    With permission from Chris Apgar, may I present his recent Linkedin post titled, “Don’t panic – just plan very quickly because September 23rd is all too close.” Apgar’s sensitive, realistic approach to compliance is fresh air:

    “The world won’t end on September 23rd but it could become very uncomfortable if you’re not prepared and OCR comes to call. My advice – make a compliance plan, identify your high risks/what you need to do first (risk analysis, training, etc.), document your time line and make sure it’s reasonable, assign resources and get busy.

    Many won’t be in a position to meet all of the compliance requirements by next month. If you’re doing what you need to do to comply, have a reasonable plan and have assigned resources to make sure you do comply shortly, I believe OCR will at least cut you a little slack. You need to be in a position to demonstrate due diligence and show you have not been ignoring HIPAA and other related privacy and security statutes for years.

    Demonstrating due diligence and that you’re serious about compliance has import. That import, though, will not go very far if you’re a covered entity who has ignored HIPAA for now a decade. It likely also won’t go very far if you’re a business associate and have been ignoring compliance for that same ten year span (you were supposed to comply with HIPAA by contract way back in 2003). Good luck!”


    As the chances of a HIPAA audit increase exponentially in a few weeks, do you think de-identification of dentists’ primary records through tokenization is a feasible solution worth investigating? I and others sincerely want to know.

    D. Kellus Pruitt DDS


  12. Handy information for HIPAA-covered dentists – for when the time comes

    “United States: How To Analyze A HIPAA Breach” by Tabatha L. George for Fisher & Phillips LLP, was published today on

    This time last year, dentists were provided wide latitude in determining whether data breaches were bad enough to warrant reporting them to HHS and the patients involved. Just about any rationalization was as good as the next. That loophole closed in September when the far-stricter final Omnibus Rule went into effect. Since then, all breaches of dental patients’ identities are considered reportable unless they can be proven otherwise by tedious standards which leave little wriggle room. Tabatha L. George explains:

    – The nature and extent of the PHI involved

    Based on HHS guidance, covered entities should consider whether the disclosure involved PHI that is of a sensitive nature, including the types of identifiers and the likelihood of re-identification. Social security numbers would be considered sensitive items, whereas a city or state identifier would not be as sensitive. Entities should consider the likelihood that someone could suffer financial or reputational harm based on the information to determine its level of sensitivity.

    – The unauthorized person who used, accessed, or received the PHI

    Consider whether the unauthorized person is trained in HIPAA compliance, has obligations to protect the privacy and security of the information, has a track record of protecting similar information, and can be obligated to return it. HHS emphasizes that this factor should be considered in combination with the first factor regarding the risk of re-identification.

    – Whether the PHI was actually acquired or viewed

    Analyze whether the PHI was actually acquired or viewed or, alternatively, if only the opportunity existed for the information to be acquired or viewed. Entities may have the technology to confirm that information was unviewed, or they may be able to lock a lost cell phone or destroy files remotely in order to protect themselves under this factor.

    – The extent to which the risk to the PHI has been mitigated

    She adds, “Finally, covered entities must evaluate the extent to which the risk to the PHI has been mitigated. If the PHI is no longer in the entity’s possession, consider factors such as how easily it can be duplicated.”

    It is my sincere hope that none of you will experience the anguish of deciding that your (soon-to-be former) patients must be informed that their identities have been fumbled. Nevertheless, in case nobody has yet had the courage to point it out, hiding a reportable breach can be considered a felony offense – even as the odds of experiencing a breach are increasingly unfavorable for HIPAA-covered dentists.

    On the other hand, de-identification through tokenization is a HIPAA-compliant safe harbor – meaning nobody has to be notified if an office computer is stolen or hacked.

    D. Kellus Pruitt DDS


  13. Are you prepared for HIPAA?
    [Have you conducted your risk assessment yet, Doc?]

    “Mental Health Service Fined $150K for Ignoring HIPAA – Anchorage Community Mental Health Services will pay a $150,000 settlement fine and adopt a corrective action program for failure to substantially comply with the HIPAA security rule since its compliance date in 2005.” By Joseph Goedert for HealthData Management, December 9, 2014.

    Have you noticed that I am apparently the only person in the dental industry who dares to mention HIPAA these days? For example, have you noticed the absence of HIPAA consultants in dentistry? And where is the ADA? It’s been months since our dental leaders have mentioned HIPAA. In fact, my local ADA component dental society hides news of data breaches – not from patients who read about them in the local news, but from vulnerable ADA members.

    My profession harbors deceit concerning the liabilities of EHRs. I think anyone can see that this won’t end well.

    D. Kellus Pruitt DDS


  14. Are you prepared for an FTC audit?

    Is Your HIPAA Compliance Program Ready for the FTC?

    “Everyone in healthcare knows that the next round of HIPAA audits is coming. Covered entities and business associates have long been advised to review and update their HIPAA security risk analyses, have business associate agreements close at hand, and review and update HIPAA policies and procedures.

    At a recent conference, representatives from the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) provided more insight into the status of the HIPAA audits.

    In addition, that conference reinforced the need for covered entities, business associates, and all others in the healthcare industry to be prepared for increasing enforcement activity by the Federal Trade Commission (“FTC”).”

    Jill Girardeau for Womble Carlyle
    [October 9, 2015]

    DK Pruitt DDS

