7 ways to avoid becoming a HIPAA horror story

September 26, 2017
Dr. Roger P. Levin

Dr. Roger P. Levin is the CEO of Levin Group, a leading dental management consulting firm. Founded in 1985, Levin Group has worked with over 30,000 dental practices. Dr. Levin is one of the most sought-after speakers in dentistry and is a leading authority on dental practice success and sustainable growth. Through extensive research and cutting-edge innovation, Dr. Levin is a recognized expert on propelling practices into the top 10 percent. He has authored 65 books and over 4,000 articles on dental practice management and marketing. He has been featured in the Wall Street Journal, New York Times, and Time magazine and is the creator of the Levin Group Tip of the Day, which has over 30,000 subscribers. To contact Dr. Levin, visit www.levingroup.com or email rlevin@levingroup.com.

You've heard the terrifying stories of HIPAA-compliance failures and the havoc they can cause for a practice ... but how can you ensure it doesn't happen to you?

Which one of the following scenarios constitutes a HIPAA violation?

A. After work, two employees at happy hour discuss a difficult case, mentioning specific patient details. Their conversation happens to be overheard by the patient’s neighbor.

B. You hire a vendor to shred old patient records. Instead of destroying the records as promised, the company tosses the records in a dumpster. The old files are discovered by the news media.

C. Your front desk coordinator punches in the wrong number and faxes a patient’s detailed dental and medical history to a bank, instead of a referring doctor.

D. You get permission to post a patient’s before-and-after photos on Facebook. In the background of the “after” shot, another patient is visible and identifiable.

E. You take home your work laptop, which contains patient information. The next morning, you stop to get a coffee. While you’re gone, somebody breaks into your car and steals the laptop.

If you said all of the above, you would be correct. As these situations demonstrate, a HIPAA violation doesn’t have to occur in your practice or even be committed by you or one of your employees.

If you hire another business to perform a service, as in example B, you could still be liable.

Just ask the Indiana dentist who was fined $12,000 for hiring a company that didn’t properly dispose of old patient records. A local TV station found them sitting in a dumpster.


Threats, vulnerabilities, breaches

When it comes to the Health Insurance Portability and Accountability Act (HIPAA), you want to do everything you can to protect your patients’ privacy as well as your practice from fines and violations. Strong practice management systems that include documented HIPAA protocols are your best first line of defense. Where is your office most vulnerable for a security breach? Are you doing everything you can to protect your patients’ data? Here are some questions to consider:

·  Has your entire team received HIPAA training?

·  Does your team regularly shut down computers at the end of day, so patient information can’t be accessed by visitors (e.g., cleaning personnel)?

·  Do you use software that obscures patient information on computers used by team members in public areas, such as the front desk?

·  Do employees have patient information on devices that they take home with them? Are those devices stored in a secure location? What happens to the device when the employee stops on the way to or from the office? See example E above.

·  How secure is the practice’s Wi-Fi? Can it be easily hacked? Can users gain information about other patients’ identities?

·  Do you use a patient portal? What is the providing company’s reputation? How secure is the site?

·  Do you close operatory doors when treating patients to avoid conversations being heard by others?

·  Do team members double-check contact information before communicating via phone, fax or email with patients to avoid mishaps? See example C above.

·  Does your team know what to do if there is a security breach?


I hear some dentists grumbling about HIPAA and the burdens it places on their businesses, yet think about what happens when companies fail to safeguard customer information. A month seemingly doesn’t go by without some Fortune 500 company announcing a major security breach. Just this month, Equifax announced that 143 million (!) customer records had been compromised. That’s more than half of the US adult population. We all know someone who has dealt with identity theft, and that can take months or even years to clear up.

As dentists, we have a duty to protect patients’ sensitive health information. HIPAA has been the law of the land since 1996, with parts of it phased in over the past two decades. My point is that it’s not going away. In fact, maybe HIPAA or something like it should be applied to other industries based on the frequency of data breaches. Sorry, that’s my non-dental rant for the day.

Dentistry is one of the most respected professions in the country. We’ve earned that trust by doing what’s right for our patients. Our profession has a track record of quality patient care and service that extends back a century or more. In a digital world, patients also expect us to safeguard their personal information. To me, that’s not too much to ask.


What to watch out for

Not complying with HIPAA can be time consuming and costly in terms of both money and reputation. Some healthcare companies have received million-dollar fines for violations. Also, if you were a patient at a practice that failed to protect your personal information, would you remain a patient? If your office had a serious data breach, what percentage of your patient base would you lose? Would it be 10 percent, 25 percent, 50 percent or more? Such a mistake could damage your dental business for years.

Here are the seven ways you can avoid becoming a HIPAA horror story.
Make computer security a priority

Ensure that all computers and devices with access to patient information have proper and updated security mechanisms in place, including passwords, user authentication, encryption, and remote disabling of the device. Moreover, we are in a new world where hacking is commonplace. If large companies are hacked, a dental practice is certainly not immune. Enact robust internet-security measures recommended by a credible firm in this field.

Keep track of portable devices

Portable devices can easily be misplaced, lost or stolen. Except for the doctor or perhaps the office manager, no employees should be taking work home with them, which removes any need to take devices out of the office. In any case, devices should be shut down and perhaps even locked away at day’s end. Due to their size, laptops and tablets are easy targets for thieves. If your practice uses a janitorial company, or if other vendors have access to your office after hours, it’s best to secure all portable devices.

Beware of office gossip

Employees talk about work… about problem patients… about difficult cases, etc. That can be an issue if those conversations can be heard by other patients or visitors. Keep in mind it’s not just about dentistry. There are medical, psychological and other factors that could harm patients if the information were to become available. Workplace gossip is never a good thing, but it can be much worse when patient information is involved. Make it a point to stamp out gossip in your practice.


Trash it, but do it right

In addition to retaining all HIPAA-related documents for the required length of time, there are also specific regulations regarding the proper disposal of patient information. Having files shredded by a secure document-destruction company is essential. Of course, the vendor must actually follow through as advertised. Check reviews and testimonials before hiring an outside firm. There are also methods of deleting information from electronic devices to ensure that it’s non-retrievable by others.

Get it in writing

Be sure that patients sign their HIPAA compliance forms and exercise caution when sharing patient information with outside parties. Double-check email addresses, fax numbers, etc., before sending protected info to referring doctors, hospitals and other healthcare professionals.


Exercise extreme caution with social media

Always get permission before posting patient photos and testimonials on Facebook and other sites. Also, speak with employees about the danger of sharing any practice-related information on their personal social media accounts. One, they shouldn’t be doing that. Two, it could have serious repercussions for both them and you if identifiable patient information is revealed.


If there’s a breach, you must report it

Don’t ignore it or hope it goes away. By law, you must report any breach, including the nature of the incident, the unauthorized person(s) who had access to the information, whether it was actually viewed, and what has been done to remedy the situation. If the breach affected more than 500 individuals, you must notify the media serving your local area.

Technology has brought us greater convenience and efficiency, but it also can expose us to greater risks. Use these seven tips to tighten your HIPAA procedures and better protect your practice from potential violations.