SECOND QUARTER 2017 Vol.19, No.2
dds4dds.com
Also in this issue: Managing Cyber Threats
The healthcare sector is not immune
to cybercrimes which, in today’s world
seem to be running rampant. Dentists
must be diligent in securing their patient
information, and understand that fines and
penalties may be levied for non-compliance
with HIPAA.
A Risk Management Newsletter from Fortress Insurance Company
• Earn A 10% Premium Credit on Your Policy
• DDS Guardian To Be Published Quarterly
• Live Seminar Calendar
• e-Learning Center Courses
Practice Safety
2 HIPAA - Managing Cyber Threats: What proactive steps can your office take to prevent cybercrimes and what are the HIPAA HITECH implications of these threats? By: Joshua Larman, JD
Practice Considerations
4 Ransomware: We’ve Been Attacked, Now What? A reference guide for managing a ransomware data breach. Learn valuable steps to follow after an attack.
Patient Management
5 PDMP: A Tool for Improved Prescribing and Enhanced Patient Safety: Routine use of the Prescription Drug Monitoring Program (PDMP) has the potential to curtail the opioid epidemic. By: Colin S. Bell, DDS, MSD
Closed Claim Summary
6 Incidental Post-Operative Infection: Read this analysis of a closed claim involving an incidental post-operative infection and discover which factors led to a successful verdict for the insured. By: David Balzer, JD
Staff Corner
8 Preventing Opioid Abuse and Utilizing the PDMP: Staff members are often the first to take patient health histories and to document any specific complaints from patients. This places staff in an excellent position to identify patients with the potential to abuse opioid medications. By: Julie Goldberg, DDS
HIPAA - Managing Cyber Threats
Joshua Larman, JD - Fortress Corporate Counsel
The healthcare sector is not immune to cybercrimes which, in today’s world, seem to be running
rampant. In fact, according to a report published by the Department of Health & Human Services’
Office of Civil Rights (“OCR”), more than 100 million health care records were compromised in
2015, making healthcare the most targeted industry for cybercrime. These attacks can come in
many shapes and sizes, including: malware and viruses, phishing scams, ransomware, and even
botnets. There is logic behind this trend. Provider healthcare information includes numerous
fields of data stretching over a patient’s full lifetime. The value of these records far outweighs
that of credit card or bank information. Your healthcare record is also inherently permanent,
creating more value and demand on the black market. For example, a health record can include
the patient’s name, birth date, social security number, as well as additional treatment information
that would not necessarily be part of that patient’s credit card or bank file. Also, the protected
health information does not change over a patient’s lifetime; whereas, a credit card number or
bank account can be revised with relative ease.
Given this ever-growing threat, healthcare providers, including dentists, must be diligent in
securing their patient information, and must also understand that they can be subject to fines
and penalties for non-compliance with HIPAA, even without a data breach or other incident
occurring. In the past, the Office of Civil Rights, the oversight agency which enforces HIPAA,
would impose fines and penalties on covered entities, following a breach incident or investigation
showing lack of HIPAA compliance. However, as a result of the HITECH Act, the OCR is now
mandated with carrying out HIPAA Compliance Audits. Any dentist can be subject to a potential
audit, and if selected, he or she will be required to demonstrate compliance regarding their
privacy, security, and breach notification processes and procedures. If one is discovered to be
out of compliance, a HIPAA violation can be very costly.
Civil fines have ranged from $50,000 to $1.5 million per violation. Also, if a serious security incident were to occur, one faces losing the trust and goodwill of one’s patients, which can be crippling to a practice.
It is important to not allow cyber risks to deter you from
taking advantage of the evolution of digital technologies, which can add value to your practice
and improve patient care. Remember, you can manage this risk by taking the steps necessary to
prepare for it. Like any other risks, you must measure and assess your vulnerability to a potential
breach and implement appropriate safeguards to counter the risk. Begin by conducting a
security risk analysis of your practice. Specifically, review the flow of electronic protected health
information (“ePHI”) throughout your office. Do you utilize mobile devices such as tablets or
smart phones? Also, where are computer workstations located and who has access to patient
information? Are the devices password protected and encrypted and do they ever leave the office
after business hours? These are just a handful of questions you need to ask to properly evaluate
your risk of a potential cyber-attack.
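The questions above (are devices password protected, are they encrypted, can they leave the office) have factual answers that can be measured rather than assumed. The following script is an added example, not code from the DDS Guardian article or from Fortress: run on one Windows workstation, it collects the screen-lock, local password policy, BitLocker and portable-chassis facts that belong in the written risk analysis. It assumes Windows 10/11 Pro or Enterprise (the BitLocker cmdlets are not present on Home editions), an elevated PowerShell session, and that Group Policy is not overriding the per-user screen-lock values it reads from the registry; the function and property names are this example's own.

```powershell
# Added example (not from the DDS Guardian article): gather the device facts the HIPAA
# security risk analysis asks about from one Windows workstation.
# Assumes Windows 10/11 Pro/Enterprise (BitLocker module) and an elevated session.
#Requires -RunAsAdministrator

function Get-EncryptionStatus {
    # One entry per BitLocker-capable volume. Encryption only counts when it is complete
    # and protection is actually switched on (a suspended volume reads as "Off").
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{ Volume = 'all'; Encrypted = $false
                                  Detail = 'BitLocker cmdlets not available (Windows Home edition?)' }
    }
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Volume    = $_.MountPoint
            Encrypted = ($_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'On')
            Detail    = "$($_.VolumeType): $($_.VolumeStatus), protection $($_.ProtectionStatus)"
        }
    }
}

function Get-ScreenLockStatus {
    # A password-protected screen saver with a short timeout is what makes an unattended
    # workstation lock itself. These registry values are strings, hence the string compares.
    $d = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
    $timeout = if ($d.ScreenSaveTimeOut) { [int]$d.ScreenSaveTimeOut } else { 0 }
    [pscustomobject]@{
        ScreenSaverOn    = ($d.ScreenSaveActive -eq '1')
        RequiresPassword = ($d.ScreenSaverIsSecure -eq '1')
        TimeoutSeconds   = $timeout
        # 15 minutes is used here as the example's own threshold for "locks unattended".
        LocksUnattended  = ($d.ScreenSaveActive -eq '1' -and $d.ScreenSaverIsSecure -eq '1' -and
                            $timeout -gt 0 -and $timeout -le 900)
    }
}

function Get-PasswordPolicy {
    # Local account policy as reported by 'net accounts'. A minimum length of 0 means
    # blank passwords are permitted on local accounts.
    $text = (net accounts) -join "`n"
    $minLength = if ($text -match 'Minimum password length:\s*(\d+)') { [int]$Matches[1] } else { -1 }
    $lockout   = if ($text -match 'Lockout threshold:\s*(\S+)') { $Matches[1] } else { 'unknown' }
    [pscustomobject]@{ MinimumPasswordLength = $minLength; LockoutThreshold = $lockout }
}

function Test-PortableDevice {
    # SMBIOS chassis types 8-10 and 14 are laptops/notebooks, 30-32 tablets and
    # convertibles: devices that can leave the office after hours.
    $types    = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
    $portable = @(8, 9, 10, 14, 30, 31, 32)
    [bool]($types | Where-Object { $portable -contains $_ })
}

# One record per workstation; keep the output with the documented risk analysis.
$report = [pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    User           = $env:USERNAME
    Checked        = (Get-Date -Format s)
    Portable       = (Test-PortableDevice)
    PasswordPolicy = (Get-PasswordPolicy)
    ScreenLock     = (Get-ScreenLockStatus)
    Volumes        = @(Get-EncryptionStatus)
}
$report | ConvertTo-Json -Depth 3
```

Because the session is elevated, the HKCU values are those of the administrator account running the script; to record the settings of the front-desk account that normally uses the workstation, run the screen-lock check while signed in as that user. A volume that reports FullyEncrypted with protection Off is an easy finding to miss: the data is encrypted, but the key is exposed, so the device does not meet the "encrypted" answer in the analysis.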
Once the security risk analysis is complete, policies and procedures should be refined to align
them with the practice’s security philosophy and priorities. Policies should take into account
“addressable” vs “required” vulnerabilities and base implementation strategies around your
office’s highest priorities and available resources. The HIPAA Security Rule requires you to
implement physical, technical, and administrative safeguards to secure
patient healthcare information.
• A physical safeguard can be as simple as maintaining all mobile devices
in a locked storage area during non-business hours. This basic safeguard
can prevent the office cleaning crew member from wrongfully stealing
the device and trying to access ePHI.
• A technical safeguard can range anywhere from the number of
characters required for your office device password to a full encryption
package of your complete data network.
• Administrative safeguards can include your office policy for training
staff on how to avoid a phishing scam.
These various safeguards, both large and small, can be crucial for
preventing data breaches. In many instances, cyber threats and attacks
are prevented by knowing what to look for and what to avoid. More
often than not, cyber intrusions are a result of human error and a lack
of appropriate training. However, you should remember that HIPAA is
flexible and the safeguards can align with the needs of your office environment. That being said,
it is crucial to document your analysis as well as your rationale for making decisions.
Lastly, you need to know what to do if and when a cyber breach occurs. Your incident response
plan should be documented and established well before any incident occurs. This will allow you
and your staff to manage the incident, causing as little disruption to your practice and patients as
possible. Also remember, the Breach Notification Rule within HIPAA requires different steps to be
taken depending on the scope of the incident. Notifications to affected patients, Health & Human
Services, and even the media may be required.
Ransomware: We’ve Been Attacked, Now What?
Act:
In the event of a ransomware attack…
1. Disconnect the computer from the network.
2. Disable all shared drives.
3. Alert the rest of your users.
4. Contact your IT company.
5. Report the matter to your insurance agent.
Assess:
Next, ask yourself the following questions to assess the damage…
1. Are there backups for all the machines affected?
2. How often were backups running?
3. Were measures taken to ensure that backups were separated from local machines to reduce the risk of them getting encrypted as well?
Analyze:
If restoring isn’t an option, things to consider when contemplating paying a ransom…
1. Had you conducted any kind of assessment to determine the value of your data prior to the attack?
2. Can you calculate the value of the data that was lost so you can weigh that against the ransom demand?
3. Can you quickly calculate the cost of any downtime associated with the attack?
By running through a mock scenario and answering these questions ahead of time, you will be much more prepared to make the tough call of whether to pay or not.
Additional Resources
• If you have experienced a ransomware attack:
https://www.fbi.gov/contact-us/field-offices
https://www.ic3.gov/default.aspx
• Security training tips for employees:
https://www.hhs.gov/ocio/securityprivacy/awarenesstraining/awarenesstraining.html
• Comprehensive view on privacy & security in healthcare:
https://www.healthit.gov/providers-professionals/ehr-privacy-security/resources
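The first two "Act" steps (disconnect the computer, disable shared drives) are the ones that have to happen in the first minute, and the later steps (IT company, insurance agent) all ask for a timeline of what was done when. The script below is an added example, not code from the DDS Guardian article or from Fortress: run at the console of the one Windows workstation showing ransomware symptoms, it performs steps 1 and 2 and writes a timestamped incident log that records the remaining people steps. It assumes Windows 10/11 with the NetAdapter and SmbShare modules (present by default) and an elevated PowerShell session; $ITContact and $IncidentLog are placeholders to replace with your own values, and -DryRun exists so the script can be exercised during the mock scenario the article recommends.

```powershell
# Added example (not from the DDS Guardian article): ransomware first response for one
# Windows workstation. Steps 1-2 are performed; steps 3-5 are recorded for the operator.
# Assumes an elevated session at the machine's own console (it disables the network).
#Requires -RunAsAdministrator
param(
    [string]$ITContact   = 'IT-COMPANY-PHONE-PLACEHOLDER',
    [string]$IncidentLog = "$env:SystemDrive\ransomware-incident-$env:COMPUTERNAME.txt",
    [switch]$DryRun      # report what would be done without changing anything (for drills)
)

function Write-IncidentNote {
    param([string]$Message)
    # Timestamped line to screen and to the log; the log is the timeline the IT company,
    # the insurer and the HIPAA breach assessment will all ask for.
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Write-Host $line
    Add-Content -Path $IncidentLog -Value $line
}

# Step 1: disconnect the computer from the network (every adapter that is currently up).
function Disconnect-Network {
    foreach ($adapter in (Get-NetAdapter | Where-Object { $_.Status -eq 'Up' })) {
        Write-IncidentNote "Disabling network adapter '$($adapter.Name)'"
        if (-not $DryRun) { Disable-NetAdapter -Name $adapter.Name -Confirm:$false }
    }
}

# Step 2: disable all shared drives in both directions: shares this machine offers to
# others, and network drives this machine has mapped (the paths encryption spreads along).
function Disable-SharedDrives {
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        Write-IncidentNote "Removing SMB share '$($share.Name)' ($($share.Path))"
        if (-not $DryRun) { Remove-SmbShare -Name $share.Name -Force }
    }
    foreach ($map in (Get-SmbMapping)) {
        Write-IncidentNote "Disconnecting mapped drive $($map.LocalPath) -> $($map.RemotePath)"
        if (-not $DryRun) { Remove-SmbMapping -LocalPath $map.LocalPath -Force }
    }
    # Stop the file-sharing service so nothing is re-shared until IT clears the machine.
    Write-IncidentNote 'Stopping the Server service (LanmanServer)'
    if (-not $DryRun) { Stop-Service -Name LanmanServer -Force }
}

Write-IncidentNote "Ransomware first response started on $env:COMPUTERNAME by $env:USERNAME (DryRun=$DryRun)"
Disconnect-Network
Disable-SharedDrives
# Steps 3-5 are people steps; they are logged so that none is forgotten under pressure.
Write-IncidentNote 'Step 3: warn every other user in person or by phone not to open files or shared drives'
Write-IncidentNote "Step 4: call the IT company now: $ITContact. Leave this machine powered on for them to examine"
Write-IncidentNote "Step 5: report the incident to your insurance agent; keep $IncidentLog with the claim"
```

Run it at the keyboard of the affected machine, not over a remote session, since disabling the adapters ends any remote connection before the shares are handled. The machine is deliberately left running: powering it off destroys evidence that the IT company needs to judge how far the infection spread, which in turn feeds the backup questions under "Assess" and the breach-notification decision under HIPAA.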
PDMP: A Tool for Improved Prescribing & Patient Safety
Colin S. Bell, DDS, MSD - Fortress Director and Member, Patient Safety & Risk Management
In the United States, over a sixteen year span (1999-2015), 183,000 people have died from opioid overdoses related to prescription opioids;1 a number that now exceeds that of individuals annually perishing in motor vehicle collisions.2 It is estimated that over 30% of legally prescribed opioids are used non-medically with an economic impact exceeding 72 billion dollars a year.3 Opioid abuse contributes to increased numbers of emergency department visits, rising substance abuse admission and treatment rates, and transition to IV drug abuse. When more opioid analgesic drugs are prescribed than are required for adequate pain relief, the chance for diversion and non-medical use of these drugs increases.
Risks for diversion and abuse include the following:
1) Family or personal history of alcohol, illegal or prescription drug abuse or addiction;
2) Depression;
3) Psychiatric conditions of ADHD, OCD, Bipolar Disorder, and Schizophrenia; and
4) Legal history of DUI or incarceration.
The PDMP Defined
Prescription Drug Monitoring Programs (PDMPs) are state-run electronic databases used to track the prescribing and dispensing of controlled prescription drugs (e.g. opioids) to patients even in the event of cash payments. They are designed to monitor this information for suspected abuse or diversion (i.e. channeling drugs into illegal use), and can provide a prescriber or pharmacist critical information regarding a patient’s controlled substance prescription history. This information can assist both prescribers and pharmacists in the identification of high-risk patients. Such patients would possibly benefit from early interventions.
The Future of the PDMP
According to the CDC, PDMPs are among the most promising state-level interventions to improve opioid prescription patterns, inform clinical practice, and protect patients at risk. Information related to the use of and registration for PDMPs can be obtained by an electronic query to a practitioner’s state board of pharmacy/dentistry, or medicine. After registration, information about an individual’s past prescription history can be obtained from a secure, password-protected website.
Conclusion
Armed with this data, it is possible to improve the way drugs are prescribed (possibly by more widely utilizing NSAID or other non-narcotic drugs), reducing the number of people that misuse, abuse, or overdose from these powerful and addictive drugs, while making sure patients have access to safe, effective pain management.
References
1. https://www.cdc.gov/drugoverdose/data/overdose.html
2. http://www.cnsnews.com/news/article/susan-jones/dea-drug-overdoses-kill-more-americans-car-crashes-or-firearms
3. https://www.cdc.gov/drugoverdose/pdf/hhs_prescription_drug_abuse_report_09.2013.pdf
Closed Claim Summary: Incidental Post-Operative Infection
David Balzer, JD - Senior Claims Analyst
The Background
The patient presented to the insured for the evaluation of tooth #13, which had extensive decay and an existing filling. The insured planned a root canal treatment, but explained to the patient that the tooth’s prognosis was guarded and that it might not be restorable. The patient had an unremarkable health history, and no pre-medications were given. During the treatment, the insured determined that the decay was too extensive to restore. A temporary filling was placed, and the extraction of the tooth was planned for a later date. Written and verbal post-operative instructions were provided to the patient and his escort. No post-operative antibiotics were prescribed. The patient never returned for the planned extraction. Several months later the insured was contacted by an attorney representing the patient, informing the office of a lawsuit that had been filed on the patient’s behalf against the insured dentist.
Here is What Happened
The insured’s office followed up multiple times with the patient to schedule a date for the extraction of tooth #13, but the patient failed to schedule the appointment. These attempts were documented in the patient’s record. Several months later the patient contacted the office to request a copy of his record. Unbeknownst to the insured, the patient had been hospitalized five days following the attempted root canal with symptoms of what was thought to be early appendicitis. Post appendectomy, he continued to have issues and was found to have strep viridans in his bloodstream. This led to bacterial endocarditis, and ultimately the patient underwent an aortic valve replacement procedure.
The patient believed his medical issues were a sequela of the attempted root canal and filed a lawsuit. He alleged that the insured departed from the standard of care by failing to prescribe prophylactic and post-operative antibiotics.
The Outcome
Fortress defended the case through trial. An endodontist was retained as an expert witness
and testified that the insured complied with the standard of care. A cardiology expert witness
was retained and testified that there was no causal relationship between the patient’s injuries
and the insured’s treatment. The insured’s defense was strengthened as a result of the detailed
documentation of care provided, which included the patient’s diagnosis, planned treatment, and
many attempts to follow up. The trial lasted four days. During closing arguments the plaintiff’s
attorney asked the jury to award the patient a substantial dollar amount. Following forty-five
minutes of deliberation, the jury returned a verdict in favor of the insured.
The Analysis
In the event of a lawsuit, a provider’s documentation of the care provided can have a significant
impact on the defensibility of a claim. Ensure that documentation of patient care includes details
such as:
• Conversations about the nature of any proposed treatment, the potential benefits and risks
associated with the treatment, any alternative to the treatment proposed, and the potential
risks and benefits of alternative treatment, including no treatment;
• Patient noncompliance and missed appointment notes; and
• Postoperative or home instructions (or reference to pamphlets given).
Preventing Opioid Abuse and Utilizing the PDMP
Julie Goldberg, DDS, Dental Education Coordinator
Staff members are often the first to take health histories and to document complaints from patients. This places staff in a unique position to identify behavior which could be connected with opioid medication abuse. While it may be difficult at times to know whether a suspicion is valid, your state’s PDMP (Prescription Drug Monitoring Program) can be a valuable resource to support your efforts.
The majority of states have their own PDMP - you can access your state’s website by visiting http://www.pdmpassist.org/content/state-pdmp-websites. The PDMP database is a tool which can be used to detect and prevent “drug shopping.”
Once your doctor’s registration is approved, you can log in and view the last six months of controlled substance activity for any patient. If you see a pattern of excessive use of controlled substances, you can bring it to the attention of the doctor, who can consider alternate prescription choices for that patient. The PDMP is updated daily and is populated by information sent from pharmacies.
Many people wonder how the PDMP is a permissible database when we hear so much about HIPAA in our workplace.
Because the disclosures of information to the PDMP by pharmacies are mandated and not discretionary, the patient does not need to be informed of the disclosure, and is not required to consent to it. Only licensed prescribers and dispensers of controlled substances can view the PDMP data for current and prospective patients.
Another use of the PDMP database is to detect pharmacy errors or fraudulent use of DEA numbers. A prescriber can log in and generate a report displaying all scheduled drugs reported with their DEA number.
Identifying drug seeking behavior starts with careful observation and taking a complete health history. The PDMP can be an asset in this process.
Earn A 10% Premium Credit in One Hour
Fortress Patient Safety and Risk Management Team
Since the Company’s inception, risk management education has been a fundamental service available for Fortress policyholders. We now offer two ways in which you can earn a 10% premium credit on your policy for participation in risk management courses:
1. One Year 10% Risk Management Premium Credit
Effective January 1, 2017, you can take advantage of an alternative option to earn a risk management premium credit on your policy. Complete any of the One Year 10% Premium Credit Courses in the Fortress e-Learning Center to earn a 10% premium credit on your Fortress policy for one policy period*. Complete a different course each year to renew your credit. You will also earn CE credit upon completion of each course.
2. Three Year 10% Risk Management Premium Credit
You will continue to have the option to earn a 10% risk management credit for three consecutive policy periods* upon completion of RMC 315 in the e-Learning Center, or by attending a live, three-hour risk management seminar. You will also earn 3 CEs for completing this course.
Details Applicable to Both Credit Options:
• Credits are renewable, but cannot be stacked. A single 10% risk management premium credit is allowed per policy term.
• Completion of the three-hour program (live or online) will take precedence over a credit earned for completion of a one-credit-hour risk management course.
• Available to current and new-to-practice policies*
*Not applicable to the 1st year of new-to-practice in states with the $50 claims made/$100 occurrence policies.
Reminder: The DDS Guardian Will Be Published Quarterly
As announced via email, this is the second of our new quarterly schedule for the DDS Guardian, with the next issue scheduled to arrive in your inbox in July.
The DDS Guardian will continue as a comprehensive newsletter, focused on contemporary
topics specific to the dental practice. In the periods between, we will send brief Risk
Management related emails that focus on a single topic in an easily consumable format.
We believe regular communication with our insureds helps improve patient safety and
mitigate the risk of litigation.
Our goal is not to reduce the information we share with you, but to improve the way in
which we do, so you can most effectively learn and apply changes to your practice as
needed.
Fortress Insurance Company
6133 North River Road, Suite 650
Rosemont, IL 60018-5173
800-522-6675
dds4dds.com
DDS Guardian Editor: Patricia A. Pigoni
The DDS Guardian is published by Fortress Insurance Company to provide insureds with up-to-date information on issues relevant to dentists. The DDS Guardian is dedicated to the education and scholarship of the dental community. It is meant to provide you with information regarding risk management topics. Fortress makes no representations or warranties, expressed or implied, as to the quality, accuracy, or completeness of information provided herein. Because federal, state and local law varies by location and situation and changes over time, nothing in this publication is intended to serve as legal advice or to establish any standard of care. Legal advice, if desired, should be sought from competent counsel in your state. This publication is not intended as a modification of the terms, conditions or coverage of your Fortress Professional Liability Insurance Policy. Please refer to your Fortress Professional Liability Insurance Policy for the specific terms, conditions and coverage. Copyright © 2016 Fortress Insurance Company
Fortress Board of Directors
James Q. Swift, DDS Chair
Colin Bell, DDS, MSD
Nicholas Bournias, DDS
Robert F. Guyette, DMD, MD
Michael J. Stronczek, DDS, MS
Anthony M. Spina, DDS, MD
William Passolt, CPA - President & CEO
Patricia Pigoni - Sr. Vice President & COO
Katherine A. Ehmann, CPA - Sr. Vice President & CFO
Visit the e-Learning Center for Complimentary Online CE Courses
Fortress offers over 10 hours of complimentary, online continuing education credit courses in the
e-Learning Center at dds4dds.com. Courses are designed for dentists and staff, and are available
on demand to be completed at your own convenience. Curriculum covers basic risk management
as well as emerging issues in dentistry.
Get CE Credit: Earn CE credit upon successful completion of any e-Learning Center course.
Fortress Insurance Company is a wholly owned subsidiary of OMS National Insurance Company (OMSNIC). Fortress Risk Management Seminars are produced and sponsored by OMSNIC. OMSNIC is an ADA CERP Recognized Provider. ADA CERP is a service of the American Dental Association to assist dental professionals in identifying quality providers of continuing dental education. ADA CERP does not approve or endorse individual courses or instructors, nor does it imply acceptance of credit hours by boards of dentistry. Upon successfully completing any live or online seminar, OMSNIC provides CE credit verification to each participant.
Fortress Patient Safety and Risk Management Program
Earn a 10% Premium Credit
Live Risk Management Seminars
The live Fortress three-hour seminar, Improving Patient Safety: An Analysis of Dental Risks and
Liability, discusses several risk management scenarios including extractions, implants, failure
to diagnose oral cancer and periodontal disease, and informed consent. For more information
about the live seminars, visit our online calendar for an upcoming seminar in your area or email
Can’t Attend a Live Seminar?
RMC 315 is available in the e-Learning Center on demand. Complete RMC 315 to earn three CEs
and qualify for the renewable 10% risk management credit off your base rate which is applicable
for three policy periods.