
Page 1

SECOND QUARTER 2017 Vol.19, No.2

dds4dds.com

Also in this issue: Managing Cyber Threats

The healthcare sector is not immune to cybercrimes which, in today’s world, seem to be running rampant. Dentists must be diligent in securing their patient information, and understand that fines and penalties may be levied for non-compliance with HIPAA.

A Risk Management Newsletter from Fortress Insurance Company

• Earn A 10% Premium Credit on Your Policy
• DDS Guardian To Be Published Quarterly
• Live Seminar Calendar
• e-Learning Center Courses

Practice Safety
HIPAA - Managing Cyber Threats (page 2)
What proactive steps can your office take to prevent cybercrimes and what are the HIPAA HITECH implications of these threats? By: Joshua Larman, JD

Practice Considerations
Ransomware: We’ve Been Attacked, Now What? (page 4)
A reference guide for managing a ransomware data breach. Learn valuable steps to follow after an attack.

Patient Management
PDMP: A Tool for Improved Prescribing and Enhanced Patient Safety (page 5)
Routine use of the Prescription Drug Monitoring Program (PDMP) has the potential to curtail the opioid epidemic. By: Colin S. Bell, DDS, MSD

Closed Claim Summary
Incidental Post-Operative Infection (page 6)
Read this analysis of a closed claim involving an incidental post-operative infection and discover which factors led to a successful verdict for the insured. By: David Balzer, JD

Staff Corner
Preventing Opioid Abuse and Utilizing the PDMP (page 8)
Staff members are often the first to take patient health histories and to document any specific complaints from patients. This places staff in an excellent position to identify patients with the potential to abuse opioid medications. By: Julie Goldberg, DDS

Page 2

HIPAA - Managing Cyber Threats

Joshua Larman, JD - Fortress Corporate Counsel

The healthcare sector is not immune to cybercrimes which, in today’s world, seem to be running rampant. In fact, according to a report published by the Department of Health & Human Services’ Office of Civil Rights (“OCR”), more than 100 million health care records were compromised in 2015, making healthcare the most targeted industry for cybercrime. These attacks can come in many shapes and sizes, including malware and viruses, phishing scams, ransomware, and even botnets. There is logic behind this trend. Provider healthcare information includes numerous fields of data stretching over a patient’s full lifetime. The value of these records far outweighs that of credit card or bank information. Your healthcare record is also inherently permanent, creating more value and demand on the black market. For example, a health record can include the patient’s name, birth date, social security number, as well as additional treatment information that would not necessarily be part of that patient’s credit card or bank file. Also, the protected health information does not change over a patient’s lifetime, whereas a credit card number or bank account can be revised with relative ease.

Given this ever-growing threat, healthcare providers, including dentists, must be diligent in securing their patient information, and must also understand that they can be subject to fines and penalties for non-compliance with HIPAA, even without a data breach or other incident occurring. In the past, the Office of Civil Rights, the oversight agency which enforces HIPAA, would impose fines and penalties on covered entities following a breach incident or an investigation showing lack of HIPAA compliance. However, as a result of the HITECH Act, the OCR is now mandated with carrying out HIPAA Compliance Audits. Any dentist can be subject to a potential audit, and if selected, he or she will be required to demonstrate compliance regarding privacy, security, and breach notification processes and procedures. If one is discovered to be out of compliance, a HIPAA violation can be very costly. Civil fines have ranged from $50,000 to $1.5 million per violation. Also, if a serious security incident were to occur, one faces losing the trust and goodwill of one’s patients, which can be crippling to a practice.

It is important to not allow cyber risks to deter you from taking advantage of the evolution of digital technologies, which can add value to your practice and improve patient care. Remember, you can manage this risk by taking the steps necessary to prepare for it. Like any other risk, you must measure and assess your vulnerability to a potential breach and implement appropriate safeguards to counter the risk. Begin by conducting a security risk analysis of your practice. Specifically, review the flow of electronic protected health information (“ePHI”) throughout your office. Do you utilize mobile devices such as tablets or smart phones? Also, where are computer workstations located and who has access to patient information? Are the devices password protected and encrypted, and do they ever leave the office after business hours? These are just a handful of questions you need to ask to properly evaluate your risk of a potential cyber-attack.

continued next page

Dentists must be diligent in securing their patient information, as well as understand that they can be subject to fines and penalties for non-compliance with HIPAA, even without a data breach.

Page 3

HIPAA - Managing Cyber Threats (continued from previous page)

Once the security risk analysis is complete, policies and procedures should be refined to align them with the practice’s security philosophy and priorities. Policies should take into account “addressable” vs. “required” vulnerabilities and base implementation strategies around your office’s highest priorities and available resources. The HIPAA Security Rule requires you to implement physical, technical, and administrative safeguards to secure patient healthcare information.

• A physical safeguard can be as simple as maintaining all mobile devices in a locked storage area during non-business hours. This basic safeguard can prevent a member of the office cleaning crew from stealing the device and trying to access ePHI.
• A technical safeguard can range anywhere from the number of characters required for your office device password to a full encryption package for your complete data network.
• Administrative safeguards can include your office policy for training staff on how to avoid a phishing scam.

These various safeguards, both large and small, can be crucial for preventing data breaches. In many instances, cyber threats and attacks are prevented by knowing what to look for and what to avoid. More often than not, cyber intrusions are a result of human error and a lack of appropriate training. However, you should remember that HIPAA is flexible and the safeguards can align with the needs of your office environment. That being said, it is crucial to document your analysis as well as your rationale for making decisions.

Lastly, you need to know what to do if and when a cyber breach occurs. Your incident response plan should be documented and established well before any incident occurs. This will allow you and your staff to manage the incident, causing as little disruption to your practice and patients as possible. Also remember, the Breach Notification Rule within HIPAA requires different steps to be taken depending on the scope of the incident. Notifications to affected patients, Health & Human Services, and even the media may be required.

________________________________________________________________

1. http://www-03.ibm.com/security/data-breach/cyber-security-index.html

Page 4

Ransomware: We’ve Been Attacked, Now What?

Act: In the event of a ransomware attack…

1. Disconnect the computer from the network.
2. Disable all shared drives.
3. Alert the rest of your users.
4. Contact your IT company.
5. Report the matter to your insurance agent.

Assess: Next, ask yourself the following questions to assess the damage…

1. Are there backups for all the machines affected?
2. How often were backups running?
3. Were measures taken to ensure that backups were separated from local machines to reduce the risk of them getting encrypted as well?

Analyze: If restoring isn’t an option, things to consider when contemplating paying a ransom…

1. Had you conducted any kind of assessment to determine the value of your data prior to the attack?
2. Can you calculate the value of the data that was lost so you can weigh that against the ransom demand?
3. Can you quickly calculate the cost of any downtime associated with the attack?

By running through a mock scenario and answering these questions ahead of time, you will be much more prepared to make the tough call of whether to pay or not.

Additional Resources

• If you have experienced a ransomware attack:
https://www.fbi.gov/contact-us/field-offices
https://www.ic3.gov/default.aspx
• Security training tips for employees:
https://www.hhs.gov/ocio/securityprivacy/awarenesstraining/awarenesstraining.html
• Comprehensive view on privacy & security in healthcare:
https://www.healthit.gov/providers-professionals/ehr-privacy-security/resources

Page 5

PDMP: A Tool for Improved Prescribing & Patient Safety

Colin S. Bell, DDS, MSD - Fortress Director and Member, Patient Safety & Risk Management

In the United States, over a sixteen year span (1999-2015), 183,000 people have died from opioid overdoses related to prescription opioids,[1] a number that now exceeds that of individuals annually perishing in motor vehicle collisions.[2] It is estimated that over 30% of legally prescribed opioids are used non-medically, with an economic impact exceeding 72 billion dollars a year.[3] Opioid abuse contributes to increased numbers of emergency department visits, rising substance abuse admission and treatment rates, and transition to IV drug abuse. When more opioid analgesic drugs are prescribed than are required for adequate pain relief, the chance for diversion and non-medical use of these drugs increases.

Risks for diversion and abuse include the following:

1) Family or personal history of alcohol, illegal or prescription drug abuse or addiction;
2) Depression;
3) Psychiatric conditions of ADHD, OCD, Bipolar Disorder, and Schizophrenia; and
4) Legal history of DUI or incarceration.

The PDMP Defined

Prescription Drug Monitoring Programs (PDMPs) are state-run electronic databases used to track the prescribing and dispensing of controlled prescription drugs (e.g. opioids) to patients, even in the event of cash payments. They are designed to monitor this information for suspected abuse or diversion (i.e. channeling drugs into illegal use), and can provide a prescriber or pharmacist critical information regarding a patient’s controlled substance prescription history. This information can assist both prescribers and pharmacists in the identification of patients at high risk. Such patients would possibly benefit from early interventions.

The Future of the PDMP

According to the CDC, PDMPs are among the most promising state-level interventions to improve opioid prescription patterns, inform clinical practice, and protect patients at risk. Information related to the use of and registration for PDMPs can be obtained by an electronic query to a practitioner’s state board of pharmacy, dentistry, or medicine. After registration, information about an individual’s past prescription history can be obtained from a secure, password-protected website.

Conclusion

Armed with this data, it is possible to improve the way drugs are prescribed (possibly by more widely utilizing NSAID or other non-narcotic drugs), reducing the number of people that misuse, abuse, or overdose from these powerful and addictive drugs, while making sure patients have access to safe, effective pain management.

References

1. https://www.cdc.gov/drugoverdose/data/overdose.html
2. http://www.cnsnews.com/news/article/susan-jones/dea-drug-overdoses-kill-more-americans-car-crashes-or-firearms
3. https://www.cdc.gov/drugoverdose/pdf/hhs_prescription_drug_abuse_report_09.2013.pdf

Page 6

Closed Claim Summary: Incidental Post-Operative Infection

David Balzer, JD - Senior Claims Analyst

The Background

The patient presented to the insured for the evaluation of tooth #13, which had extensive decay and an existing filling. The insured planned a root canal treatment, but explained to the patient that the tooth’s prognosis was guarded and that it might not be restorable. The patient had an unremarkable health history, and no pre-medications were given. During the treatment, the insured determined that the decay was too extensive to restore. A temporary filling was placed, and the extraction of the tooth was planned for a later date. Written and verbal post-operative instructions were provided to the patient and his escort. No post-operative antibiotics were prescribed. The patient never returned for the planned extraction. Several months later the insured was contacted by an attorney representing the patient, informing the office of a lawsuit that had been filed on the patient’s behalf against the insured dentist.

Here is What Happened

The insured’s office followed up multiple times with the patient to schedule a date for the extraction of tooth #13, but the patient failed to schedule the appointment. These attempts were documented in the patient’s record. Several months later the patient contacted the office to request a copy of his record. Unbeknownst to the insured, the patient had been hospitalized five days following the attempted root canal with symptoms of what was thought to be early appendicitis. Post appendectomy, he continued to have issues and was found to have strep viridans in his bloodstream. This led to bacterial endocarditis, and ultimately the patient underwent an aortic valve replacement procedure.

The patient believed his medical issues were a sequela of the attempted root canal and filed a lawsuit. He alleged that the insured departed from the standard of care by failing to prescribe prophylactic and post-operative antibiotics.

continued next page

Page 7

Closed Claim Summary: Incidental Post-Operative Infection (continued from previous page)

The Outcome

Fortress defended the case through trial. An endodontist was retained as an expert witness and testified that the insured complied with the standard of care. A cardiology expert witness was retained and testified that there was no causal relationship between the patient’s injuries and the insured’s treatment. The insured’s defense was strengthened as a result of the detailed documentation of care provided, which included the patient’s diagnosis, planned treatment, and many attempts to follow up. The trial lasted four days. During closing arguments the plaintiff’s attorney asked the jury to award the patient a substantial dollar amount. Following forty-five minutes of deliberation, the jury returned a verdict in favor of the insured.

The Analysis

In the event of a lawsuit, a provider’s documentation of the care provided can have a significant impact on the defensibility of a claim. Ensure that documentation of patient care includes details such as:

• Conversations about the nature of any proposed treatment, the potential benefits and risks associated with the treatment, any alternative to the treatment proposed, and the potential risks and benefits of alternative treatment, including no treatment;
• Patient noncompliance and missed appointment notes; and
• Postoperative or home instructions (or reference to pamphlets given).

Page 8

Preventing Opioid Abuse and Utilizing the PDMP

Julie Goldberg, DDS, Dental Education Coordinator

Staff members are often the first to take health histories and to document complaints from patients. This places staff in a unique position to identify behavior which could be connected with opioid medication abuse. While it may be difficult at times to know whether a suspicion is valid, your state’s PDMP (Prescription Drug Monitoring Program) can be a valuable resource to support your efforts.

The majority of states have their own PDMP - you can access your state’s website by visiting http://www.pdmpassist.org/content/state-pdmp-websites. The PDMP database is a tool which can be used to detect and prevent “drug shopping.”

Once your doctor’s registration is approved, you can log in and view the last six months of controlled substance activity for any patient. If you see a pattern of excessive use of controlled substances, you can bring it to the attention of the doctor, who can consider alternate prescription choices for that patient. The PDMP is updated daily and is populated by information sent from pharmacies.

Many people wonder how the PDMP is a permissible database when we hear so much about HIPAA in our workplace. Because the disclosures of information to the PDMP by pharmacies are mandated and not discretionary, the patient does not need to be informed of the disclosure, and is not required to consent to it. Only licensed prescribers and dispensers of controlled substances can view the PDMP data for current and prospective patients.

Another use of the PDMP database is to detect pharmacy errors or fraudulent use of DEA numbers. A prescriber can log in and generate a report displaying all scheduled drugs reported with their DEA number.

Identifying drug seeking behavior starts with careful observation and taking a complete health history. The PDMP can be an asset in this process.

Page 9

Earn A 10% Premium Credit in One Hour

Fortress Patient Safety and Risk Management Team

Since the Company’s inception, risk management education has been a fundamental service available for Fortress policyholders. We now offer two ways in which you can earn a 10% premium credit on your policy for participation in risk management courses:

1. One Year 10% Risk Management Premium Credit

Effective January 1, 2017, you can take advantage of an alternative option to earn a risk management premium credit on your policy. Complete any of the One Year 10% Premium Credit Courses in the Fortress e-Learning Center to earn a 10% premium credit on your Fortress policy for one policy period*. Complete a different course each year to renew your credit. You will also earn CE credit upon completion of each course.

2. Three Year 10% Risk Management Premium Credit

You will continue to have the option to earn a 10% risk management credit for three consecutive policy periods* upon completion of RMC 315 in the e-Learning Center, or by attending a live, three-hour risk management seminar. You will also earn 3 CEs for completing this course.

Details Applicable to Both Credit Options:

• Credits are renewable, but cannot be stacked. A single 10% risk management premium credit is allowed per policy term.
• Completion of the three-hour program (live or online) will take precedence over a credit earned for completion of a one-credit-hour risk management course.
• Available to current and new-to-practice policies*

*Not applicable to the 1st year of new-to-practice in states with the $50 claims made/$100 occurrence policies.

Reminder: The DDS Guardian Will Be Published Quarterly

As announced via email, this is the second of our new quarterly schedule for the DDS Guardian, with the next issue scheduled to arrive in your inbox in July.

The DDS Guardian will continue as a comprehensive newsletter, focused on contemporary topics specific to the dental practice. In the periods between, we will send brief Risk Management related emails that focus on a single topic in an easily consumable format. We believe regular communication with our insureds helps improve patient safety and mitigate the risk of litigation.

Our goal is not to reduce the information we share with you, but to improve the way in which we do, so you can most effectively learn and apply changes to your practice as needed.

Page 10

Fortress Insurance Company
6133 North River Road, Suite 650
Rosemont, IL 60018-5173
800-522-6675
dds4dds.com

DDS Guardian Editor: Patricia A. Pigoni

The DDS Guardian is published by Fortress Insurance Company to provide insureds with up-to-date information on issues relevant to dentists. The DDS Guardian is dedicated to the education and scholarship of the dental community. It is meant to provide you with information regarding risk management topics. Fortress makes no representations or warranties, expressed or implied, as to the quality, accuracy, or completeness of information provided herein. Because federal, state and local law varies by location and situation and changes over time, nothing in this publication is intended to serve as legal advice or to establish any standard of care. Legal advice, if desired, should be sought from competent counsel in your state. This publication is not intended as a modification of the terms, conditions or coverage of your Fortress Professional Liability Insurance Policy. Please refer to your Fortress Professional Liability Insurance Policy for the specific terms, conditions and coverage. Copyright © 2016 Fortress Insurance Company

Fortress Board of Directors

James Q. Swift, DDS - Chair
Colin Bell, DDS, MSD
Nicholas Bournias, DDS
Robert F. Guyette, DMD, MD
Michael J. Stronczek, DDS, MS
Anthony M. Spina, DDS, MD

William Passolt, CPA - President & CEO
Patricia Pigoni - Sr. Vice President & COO
Katherine A. Ehmann, CPA - Sr. Vice President & CFO

Visit the e-Learning Center for Complimentary Online CE Courses

Fortress offers over 10 hours of complimentary, online continuing education credit courses in the e-Learning Center at dds4dds.com. Courses are designed for dentists and staff, and are available on demand to be completed at your own convenience. Curriculum covers basic risk management as well as emerging issues in dentistry.

Get CE Credit: Earn CE credit upon successful completion of any e-Learning Center course.

Fortress Insurance Company is a wholly owned subsidiary of OMS National Insurance Company (OMSNIC). Fortress Risk Management Seminars are produced and sponsored by OMSNIC. OMSNIC is an ADA CERP Recognized Provider. ADA CERP is a service of the American Dental Association to assist dental professionals in identifying quality providers of continuing dental education. ADA CERP does not approve or endorse individual courses or instructors, nor does it imply acceptance of credit hours by boards of dentistry. Upon successfully completing any live or online seminar, OMSNIC provides CE credit verification to each participant.

Fortress Patient Safety and Risk Management Program: Earn a 10% Premium Credit

Live Risk Management Seminars 2017

The live Fortress three-hour seminar, Improving Patient Safety: An Analysis of Dental Risks and Liability, discusses several risk management scenarios including extractions, implants, failure to diagnose oral cancer and periodontal disease, and informed consent. For more information about the live seminars, visit our online calendar for an upcoming seminar in your area or email [email protected].

Can’t Attend a Live Seminar?

RMC 315 is available in the e-Learning Center on demand. Complete RMC 315 to earn three CEs and qualify for the renewable 10% risk management credit off your base rate, which is applicable for three policy periods.