5 Common HIPAA Violations and How to Avoid Them

Running a dental practice involves compliance with numerous regulatory requirements. These processes and their documentation can seem tedious and sometimes unproductive, but they remain unavoidable, and in truth there is good reason for them.

Regulations cover infection control, training and licensure, records management, and patient information management. Whatever you think about these processes, they are all enacted with the overarching goal of protecting patients and providers.

This is especially true of HIPAA, which covers the requirements for maintaining patient records and keeping them private. HIPAA is designed to protect information that practices keep about their patients, and a violation of HIPAA rules can become an expensive headache for any dental practice. Staying on the right side of these rules can be a challenge, and with so many ways of communicating with patients and colleagues, accidentally violating HIPAA rules can happen to anyone. With that in mind, here are 5 HIPAA violations that could happen in any practice and some strategies to mitigate the risks.

1. Inappropriate staff access to patient records—A misbehaving team member who decides to check out an old high school rival’s oral health woes could be trouble. Although stopping bad actors is a challenge, instituting document access controls through your practice software can limit access to certain records for individual team members and even track who accessed which records and when they were accessed.

2. Lost or stolen computer hardware containing patient information—If you or someone on your team accesses patient records from a laptop, tablet, smartphone, or any other device, that device needs to be locked and protected from unauthorized access. Even better, all hardware should have an initial lock, and a second login should be required to access any information from the practice.

3. Patient information stolen via phishing or ransomware attack—Online criminals see small dental practices as soft targets. They may not have the biggest cache of records, but they tend to have less security. Although being the victim of hacking and data theft is not necessarily the practice’s fault, it is seen as a failure to secure patient information. Cybercriminals continue to grow more devious and deceptive, so it’s important for all team members to use unique, strong passwords and 2-factor authorization whenever possible. In addition, practices should provide regular training to make staff aware of the latest phishing and hacking threats.

4. Improper communication of patient records—Do you use digital technologies to communicate with patients and colleagues? Email, texting, and online chat platforms can be amazing tools for connecting with patients and collaborating with colleagues, but it’s important to make sure you send and protect information via secure, encrypted channels. If you use personal email, texting, or chat client services to send this information, you could be violating HIPAA regulations. Instead, find a medical-grade digital communications platform with a service designed to meet specific requirements in HIPAA for the digital transfer of patient information.

5. Improper disposal of patient records—How often do you update your computer hardware, including that of tablets and phones? Do you properly wipe drives of equipment you no longer plan to use? Even if a hard drive or other device is headed for the electronics recycler, it needs to be properly scrubbed to remove all protected patient information. This is a service your information technology provider can likely provide. If not, be sure to find someone with expertise in HIPAA-compliant data disposal.