This article originally appeared in the Principles of Practice Management e-newsletter. Subscribe to this informative twice monthly practice management ENL here.
The finance industry is an overrated poster child when it comes to industries at risk of experiencing privacy breaches. According to the World Policy Forum, an active credit card sells on the black market for $3. Compare this to a medical record that can sell for $50 at its peak. The black market value of stolen medical patient records has fluctuated based on the growth of the ransomware market.
The digital transformation journey that dental practices are embarking on has increased the likelihood of a privacy breach. As dental practices transition from physical to digital recordkeeping, personal information may be compromised during the transition due to lack of established protocols regarding how to manage and dispose of paper records. There are also a number of access points to medical patient data that opens up the chance for personal information to be compromised once the migration takes place. Twenty-five percent of data breaches are caused by human error, and the lack of management when it comes to adopting privacy practices in the workplace does not help.
There are regulatory compliance expectations in almost every jurisdiction and it is crucial to ensure that clear policies, procedures, and training are in place. In the US, HIPAA ensures health information is appropriately safeguarded, and in Canada, PIPA regulates privacy practices in British Columbia and Alberta. Dental practices should strive to update their privacy program in order to appropriately protect patient data or they could expose themselves to financial and reputational consequences.
The risks around privacy breaches and the expectations set forth by regulators mean that each dental practice should strive to have a privacy program commensurate to the size of their operation that will ensure the appropriate management of personal information.
The three-legged stool: the pillars of success for a privacy program
I like to use the analogy of the three-legged stool when dental consultants ask what’s required for dental practices to change their privacy culture and comply with regulators. There is a misconception that all a dental practice needs is the software technology or the services of a lawyer to mitigate the occurrence or the severity of privacy breaches. This is simply not the case. There are three key pillars that make up a successful privacy program, and all three must work together to ensure privacy risks are managed appropriately.
Ensuring that the appropriate security safeguards, such as antivirus, firewalls, and encryption, are in place in order to protect from external threats such as hackers, is a critical step to minimizing data compromising or loss.
Understanding the applicable privacy regulations that the practice needs to comply with ensures that the appropriate policies and legal framework are in place to mitigate the risk of lawsuits and penalties.
3. Operational enablement
Translating the regulatory and technical requirements into day-to-day business processes help ensure that employees understand the importance of data protection. It also teaches them how to avoid phishing scams, and how to take responsibility of the patient data they deal with. This is the glue that binds everything together to adopt good privacy practices and avoid a data breach that could bring down an entire practice.
Good privacy practices in any organization are important, but in health care and in particular in the dental industry, these practices must become the default approach to managing patient personal information.