To get in touch with Debi:

Debi Carr
DK Carr & Associates
(844) 352-2771


Chris Pistorius (00:04):

Hello everybody. This is Chris Pistorius, the CEO and Founder of KickStart Dental Marketing. Thanks for joining us today. We have the distinguished Debi Carr of DK Carr and Associates with us today. And Debi is a consultant really in technology and security. Debi has over 22 years of private practice management experience, and she’s got over 30 years of experience in technology and security.

Chris Pistorius (00:34):

Now, she helps dentists in obtaining and maintaining a HIPAA HITECH compliance, which I know is top of the page to a lot of you guys out there listening. That includes performing risk analysis and team security training. And a lot of my interview today with Debi will be around that. Debi holds several certifications which is too many for me to list. And we’ll ask her about that in just a minute. But Debi, I want to thank you for being on our show today.

Debi Carr (01:04):

Thank you for having me.

Chris Pistorius (01:06):

Did I mess up the intro at all? Is that just pretty much cover what-

Debi Carr (01:08):


Chris Pistorius (01:10):

Okay, good.

Debi Carr (01:10):

That’s pretty much summed up.

Chris Pistorius (01:12):

Well, that’s good. So, Debi it’s obviously you’ve got tons of experience with this stuff and you’re consulting in an area that I know that a lot of my clients ask about with HIPAA and security and website security, and all kinds of stuff. And why don’t you just tell us a little bit more about how you got started in this business?

Debi Carr (01:33):

Well, I 30 years ago married a wonderful man who was very involved with technology. He would rebuild computers at our home and he also was a computer programmer, and he still is a computer programmer and he doesn’t build computers anymore, but he is a computer programmer for a defense contractor. I went into the dental industry as a practice manager, but we always had our doctor to be state-of-the-art with technology, because I was a techie. So, anything new that came out, I wanted my doctor to have it.

Debi Carr (02:11):

When you have technology, there comes security. And because my husband works for department of defense, I was always having to adhere to that standards. In 2013, I realized that the law had changed. I was consulting, helping dentists go paperless and implement a paperless office, and realized that the law changed in September of 2013, which gave the office of civil rights, more bite in levy penalties and fines against them. And with technology you need security, and the way the law is structured, it can assist dentist and in implementing a security office, a secure office, while meeting compliance.

Chris Pistorius (03:06):

That totally makes sense. And it’s an interesting way to get a start in this crazy HIPAA security world. So that’s very interesting. Why don’t you tell me a little bit more about your business as it exists today and really what you’re specializing in and what really your passion is?

Debi Carr (03:26):

Well, one of the first things that my passion is, is to help dentists to become compliant. And we want them to secure their practice against the data breach. Because if they implement good security protocols, they will be compliant. Compliance doesn’t always bring security, but security will bring compliance.

Debi Carr (03:49):

So, the first thing that we do, is we do a random objective review of their current status, their current situation, we call it a risk analysis. It is the first letter the law mandates. And it’s the first protocol that you should always do in any security management program.

Debi Carr (04:16):

So, we’re going to do a risk analysis and we’re going to see what they have in place, and what they need to have in place. And what we’re looking at is, what is the likelihood of an event happening? What can we do to maybe stop or mitigate that? And most importantly, what is the financial impact that will have on that practice if this risk comes to fruition?

Chris Pistorius (04:42):

I think it’s certainly not over simplifying it, but I think you put it in a way that everybody understands. And I think with anything, I know with marketing on my side of it, it’s the same kind of thing. We put things into kind of an action plan step by step, and that’s how you overcome a lot of stuff that’s going on with the practice. So, I think that’s a great way to put that.

Chris Pistorius (05:05):

Now, obviously you’re not the only consultant that talks about things like this, and there’s several choices that dentists have. And that’s the other problem that I see, is that dentists don’t really know who to trust. Especially with consulting and especially with HIPAA related stuff when it comes to dentistry. There’s a lot of information out there from a lot of different sources, and who knows sometimes if it’s accurate or not.

Chris Pistorius (05:29):

So, what would you say is the biggest difference between you and maybe other consultants, and people that are in this arena, and why should dentists, really trust what you have to say in your authority?

Debi Carr (05:44):

Well, first of all, one of my certifications that I have is a healthcare information security privacy practitioner through (ISC)2. (ISC)2 is the certification organization that is recognized on an international basis for security. So, I am (ISC)2 certified. I’m also HIMSS certified.

Debi Carr (06:12):

The other thing that I think sets me apart is that, because one, I’ve worked in the healthcare industry in the dental industry for 23 years. I know how practices work. I’ve been in the trenches and I know what it’s like to be in an operatory versus someone just coming in that’s never seen an operatory or understands.

Debi Carr (06:37):

For instance, one of the protocols in security is that, you should go to a screensaver after 90 seconds. I don’t want the dentist going to a screensaver after 90 seconds because he needs to look at that X-ray when he’s doing a surgery. So, because I’ve been there, I know how to overcome and how to do some work around while still securing.

Debi Carr (07:00):

I also have been in technology for 30 years. And so, I understand how technology and how vital and crucial technology is to dental practice, because whether it’s true or it’s not true, but this is how patient perception is. Patients perceive their doctor’s ability based on the technology in their practice.

Debi Carr (07:24):

So, the more technology that they have in the practice, the better reputation they have in the community, but the more they have to secure that technology.

Debi Carr (07:36):

So, there’s three legs to securing a practice. You want to have administrative, you want to have physical, and you also want to have technical. And because of my background, I’m able to look at all three. I work with your existing IT company. I don’t try to replace your IT company. I work with your existing IT company to make sure that they’re providing the service that you think that they’re providing for you, as well as helping you to implement policies and just securing your practice, using administrative, technical, as well as physical guidelines.

Chris Pistorius (08:22):

Yeah. I think that would be a good reason for me to use you for sure. But one thing that stood out from there is that, you make sure that IT companies are doing what they say that they’re doing, right? Or they’re doing what you think they’re doing. And I think that’s really important because the dentists that we work with, they don’t have time to check out and make sure that everybody that they’ve hired and every company that they use are really doing the things that they say. And I think having somebody in place like yourself overseeing some of that, is a very valuable service. So, I think that’s a great approach to it.

Debi Carr (08:57):

And the thing to remember is that ultimately when there’s a data breach, it’s not the IT company that’s held to the highest responsibility, it’s the doctor. It’s the doctor that’s going to be [inaudible 00:09:09] to facing the fines and penalties, not the IT company. Although now there are some fines and penalties that’s going against the business associates, but ultimately it’s still the doctor.

Chris Pistorius (09:22):

Yeah. I mean, it’s the IT company isn’t going to be one shelling out the box. It’s going to be the doc. That’s a very good point. So, just because you’re paying somebody, doesn’t necessarily mean that you’re passing on that liability as well, right?

Debi Carr (09:38):


Chris Pistorius (09:39):

Okay. I think that’s great. Now, talk to me, do you service the entire country or do you just service a specific area, or are you even international?

Debi Carr (09:50):

We try to stay on the Eastern Seaboard. I’ve gone as far West of Texas. But when you specialize in the risk assessments and incident response. Incident response is when you’ve had a data attack or you turn on computers and you’ve got ransomware, or you walk in Monday morning and your computers are gone. Because that involves over 500 patients and any time over 500 patients are involved, you have to A, notify the office of civil rights. Chances are you have to notify your state department of justice, but you also have to notify the local media, and you have to notify your patients. And you have to have an incident response investigation.

Debi Carr (10:44):

So, we’re there to guide you through and help you to know what to do when you have to make that call. But our goal is to make it so that you’re proactive, and that when that happens, you’re ready to handle it. You just go right into what we call a COOP mode or a disaster mode. And you’ve got a plan and you’re ready to deal with it. And everybody knows what to do. And they go to step one, step two, to step three.

Chris Pistorius (11:15):

Wow. I think that would be pretty important to have a resource like you, because there is no way that I would know, if I were a dentist I would have no idea where to go to first. And I can promise you that many out there don’t know that they need to do state filings, maybe national filings, contact the patients, and what’s the best way to contact the patients. And I just can’t even imagine how you would navigate through that without somebody like you.

Chris Pistorius (11:44):

Now, one thing you said in there Debi was ransomware, and that’s been on the news lately, right? I mean, that’s where somebody will hack into your computer, lock up the data that you own, encrypt it, and then try to sell you the password to your own data. Is that accurate? And then-

Debi Carr (12:02):

That is very accurate.

Chris Pistorius (12:05):

… to attach on to that, I can see some dentists out there listening to this right now, kind of shaking their heads like, “Yeah, right. That’s really going to happen to a dentist?” So, could you tell us number one, does it happen to dentists and am I accurate with my statement on-

Debi Carr (12:18):

Absolutely. It absolutely happens to dentists because they are a soft target. Because they don’t see security as a priority. Protecting their data. Their data is the most expensive piece of technology or equipment that they have in their practice, but they don’t put the emphasis on it.

Debi Carr (12:43):

And what happens is that they get a ransomware attack, and yes, it is exactly what you described. They’re holding your data ransom. And the FBI tells you not to pay the Bitcoin, because if you do there’s no guarantee that you’re going to receive your data back. These are bad actors that are holding your data. So, they may or may not give you your data back. But because you’re a small office, you are prime target because they are able to get into your network very easily if you’re not protecting and securing it correctly.

Debi Carr (13:23):

So yes, it absolutely is happening to dentists on a daily basis. And a lot of times what I’m seeing is that they will just restore their backup, which is a good thing to do. That’s part of their disaster plan. That’s what they should do. But they still have to do those other parts, and we still have to report it. It is a reportable offense. And you want to be proactive with the office of civil rights versus on the defensive, because you don’t want the FBI and the office of civil rights knocking at your door because they found your data on the dark web.

Chris Pistorius (14:02):

Well, that’s intriguing. And it’s also very scary, but you’re right. I think most, especially the smaller practices out there don’t have tons of security on their network. And it’s a scary thing that, I think potentially, and I hope I’m not overdramatizing things here, but I think that could potentially put a dentist out of business if somebody did this to them. Have you seen that in the past? I mean, is it-

Debi Carr (14:30):

It could be financially devastating. I mean, I’ve seen fines as low as 12,000. I’ve seen fines at 750,000. So, none of us want to pay the government anything. So, to have any penalties or fines coming at us, whether they’re 12,000 or 750,000, that’s a lot. And 750,000 could financially devastate a practice. Not to mention the reputation damage.

Chris Pistorius (15:05):

Yeah. And that’s a biggie with dental practices. I mean, one of the services we offer is online reputation marketing, and we talk to dentists how important their reputation is. And especially as competitive as dentistry is getting now. So that’s a biggie that you want to keep intact.

Debi Carr (15:24):

But imagine if you have to put on your website that you’ve been hacked.

Chris Pistorius (15:27):

Yeah. That wouldn’t help.

Debi Carr (15:29):

On the front page.

Chris Pistorius (15:31):

Yeah. A potential new patient would skip right over your website and go right to the next in line for sure. Debi, how would you describe your ideal client? Who would be your ideal practice that you would work with?

Debi Carr (15:44):

Private practice, usually one to five doctors in the practice. That’s pretty much who we concentrate on. There are a lot of consultants that will deal with the bigger practices, but it’s the singular practices that are the most vulnerable.

Chris Pistorius (16:03):

Okay. What’s the favorite thing about what you do?

Debi Carr (16:10):

Oh, I think the favorite thing is just teaching and training them how important it is to be very vigilant on protecting their data. And just getting through to them that this is something that they have to take on a daily basis take seriously daily.

Chris Pistorius (16:33):

Yep. I think that’s an awesome way to look at it. And there’s no doubt that you’re providing a service that can really help dental practices. Now, one of the services that we provide are website design. And we’ll build a website from scratch, or we’ll take over an existing website and just make it better.

Chris Pistorius (16:52):

And I get lots of questions from practices about HIPAA, all kinds of HIPAA related stuff. But you and I were actually talking about this offline, and I was hoping you could maybe talk to our listeners a little bit. And you were talking about making sure that you have a notice of privacy on the website. Can you just tell our listeners a little bit more about that?

Debi Carr (17:13):

Correct. Yes. Notice of privacy practices is the contract you have with your patients. A notice of privacy practices is required by the law, and it’s how you’re going to handle the data. And when I see a lot of times is that a dentist will download one from somewhere, and they never read it. But that contract has been held up in Supreme Court, inside state as a contract between the doctor and the patient. And that has allowed these patients to sue the doctor.

Debi Carr (17:50):

So, on top of the fines, and on top of the penalties, and on top of the other expenses, now you’ve got a patient suing you because you’ve breached it. The law says that your notice of privacy practice must be conspicuously displayed in your waiting room, and on your website, and must be available to hand out to your patients.

Debi Carr (18:14):

Most dentists are really good at handing it to their patients, but they’re not really good at posting it conspicuously in their waiting room and on their website. And there’s these paid people that work for our government, the office of civil rights has them, the FBI has them, the auditors have them, they troll websites to see if you have that information posted. And if you don’t, that’s a door to allow for a random audit because you’re already in violation.

Chris Pistorius (18:52):

Wow. And there are people paying attention dentists, don’t fool yourselves.

Debi Carr (18:58):


Chris Pistorius (18:59):

There’s all kinds of trolls out there. This is one of them. We have one common in our business, where these people will actually troll dental websites and make sure that the images that they’re using on their website are not copyrighted from somebody else-

Debi Carr (19:12):


Chris Pistorius (19:12):

… and if they find one of those, they send you in the mail is a letter demanding a bill, and sometimes it’s a couple of hundred dollars and I’ve seen them, like you said earlier with the fines, several thousand dollars. So, it’s a lot to think about, but it’s very important to protect yourself.

Chris Pistorius (19:30):

So, that’s great information to have. And we’re out of time today Debi, is there anything else you would like? And actually I think it might be a good idea, could you tell people practices out there. What’s the best way to reach you if they have questions or if they want to potentially hire you, how can they get ahold of you?

Debi Carr (19:50):

They can email me at Debi and that’s D-E-B as in boy, And they can reach me at (844) 352-2771 or DK Carr1.

Chris Pistorius (20:08):

Awesome. Now, will you offer like if somebody called you say off of this program or something, would you be able to talk with them over the phone for a little bit, kind of as a free consult or do you offer anything like that?

Debi Carr (20:20):

Yes. Absolutely.

Chris Pistorius (20:22):

Well, that’s awesome.

Debi Carr (20:23):

My passion is helping them to avoid a data breach and avoid the negative connotations that come with a data breach.

Chris Pistorius (20:33):

Okay. Well, great. And is there anything else you’d like to add Debi before we wrap up?

Debi Carr (20:37):

I think that covers it.

Chris Pistorius (20:42):

Okay. All right. Well, awesome. Well, I really appreciate your time. I know how busy you are. But dentists out, if you are listening and you have more questions about this, Debi’s awesome. She’s part of our network, people that we trust and that we recommend out to our consultants. So, feel free to give her a call if you have questions regarding security, HIPAA, things like that. She’s just an awesome resource to have, and she’s very easy to work with. So, with that being said, thanks again Debi, and thanks for listening dentist.