
    7 ways to avoid becoming a HIPAA horror story

    You've heard the terrifying stories of HIPAA-compliance failures and the havoc they can cause for a practice... but how can you ensure it doesn't happen to you?

    Which one of the following scenarios constitutes a HIPAA violation?

    A. After work, two employees at happy hour discuss a difficult case, mentioning specific patient details. Their conversation happens to be overheard by the patient’s neighbor.

    B. You hire a vendor to shred old patient records. Instead of destroying the records as promised, the company tosses the records in a dumpster. The old files are discovered by the news media.

    C. Your front desk coordinator punches in the wrong number and faxes a patient’s detailed dental and medical history to a bank, instead of a referring doctor.

    D. You get permission to post a patient’s before-and-after photos on Facebook. In the background of the “after” shot, another patient is visible and identifiable.

    E. You take home your work laptop, which contains patient information. The next morning, you stop to get a coffee. While you’re gone, somebody breaks into your car and steals the laptop.

    If you said all of the above, you would be correct. As these situations demonstrate, a HIPAA violation doesn’t have to occur in your practice or even be committed by you or one of your employees.

    If you hire another business to perform a service, as in example B, you could still be liable.

    Just ask the Indiana dentist who was fined $12,000 for hiring a company that didn’t properly dispose of old patient records. A local TV station found them sitting in a dumpster.


    Threats, vulnerabilities, breaches

    When it comes to the Health Insurance Portability and Accountability Act (HIPAA), you want to do everything you can to protect your patients’ privacy, and to protect your practice from violations and fines. Strong practice management systems that include documented HIPAA protocols are your best first line of defense. Where is your office most vulnerable to a security breach? Are you doing everything you can to protect your patients’ data? Here are some questions to consider:

    · Has your entire team received HIPAA training?

    · Does your team regularly shut down computers at the end of the day, so patient information can’t be accessed by visitors (e.g., cleaning personnel)?

    · Do you use software that obscures patient information on computers used by team members in public areas, such as the front desk?

    · Do employees have patient information on devices that they take home with them? Are those devices stored in a secure location? What happens to the device when the employee stops on the way to or from the office? See example E above.

    · How secure is the practice’s Wi-Fi? Can it be easily hacked? Can users gain information about other patients’ identities?

    · Do you use a patient portal? What is the providing company’s reputation? How secure is the site?

    · Do you close operatory doors when treating patients to avoid conversations being heard by others?

    · Do team members double-check contact information before communicating with patients via phone, fax or email, to avoid mishaps? See example C above.

    · Does your team know what to do if there is a security breach?


    I hear some dentists grumbling about HIPAA and the burdens it places on their businesses, yet think about what happens when companies fail to safeguard customer information. A month seemingly doesn’t go by without some Fortune 500 company announcing a major security breach. Just this month, Equifax announced that 143 million (!) customer records had been compromised. That’s more than half of the US adult population. We all know someone who has dealt with identity theft, and that can take months or even years to clear up.

    As dentists, we have a duty to protect patients’ sensitive health information. HIPAA has been the law of the land since 1996, with parts of it phased in over the past two decades. My point is that it’s not going away. In fact, maybe HIPAA or something like it should be applied to other industries based on the frequency of data breaches. Sorry, that’s my non-dental rant for the day.

    Dentistry is one of the most respected professions in the country. We’ve earned that trust by doing what’s right for our patients. Our profession has a track record of quality patient care and service that extends back a century or more. In a digital world, patients also expect us to safeguard their personal information. To me, that’s not too much to ask.


    What to watch out for

    Not complying with HIPAA can be time-consuming and costly, in terms of both money and reputation. Some healthcare companies have received million-dollar fines for violations. Also, if you were a patient at a practice that failed to protect your personal information, would you remain a patient? If your office had a serious data breach, what percentage of your patient base would you lose? Would it be 10 percent, 25 percent, 50 percent or more? Such a mistake could damage your dental business for years.

    Continue to the next page to see the seven ways you can avoid becoming a HIPAA horror story.


    Dr. Roger P. Levin
    Roger P. Levin, DDS, is Executive Founder of Dental Business Study Clubs – Dentistry’s only All-Business Study Clubs, the next ...

