What Do Dental Clinics, Prison & HIPAA Have In Common?
A receptionist from a New York Dental Practice was recently sentenced to a 2 – 6 year Jail Term for accessing and disclosing protected health information from the Dental Clinic where she worked.
Over a 6-month period, the dental receptionist accessed patient information from the dental practice and disclosed it to a third party via unsecured email. The third party then used the information to steal the identities of the patients.
You don’t want to think that this scenario will ever happen to your practice or that your employees will ever go rogue. Unfortunately, something like this could happen again, and if you don’t have the right processes established or safeguards implemented, your ability to detect it and respond quickly and appropriately will be delayed.
Employees snooping through patient medical records or stealing patient information is a big HIPAA risk that needs to be addressed within a practice. Workforce members causing HIPAA violations is one of the leading causes of data breaches reported to the federal government. I commonly see that Dental Practices have a very limited HIPAA Compliance Program, if any at all. In fact, it is not uncommon to see practices that have never trained employees on HIPAA or that have no written and implemented policies and procedures.
In today’s world, there is no excuse for not having a complete HIPAA Compliance Program. If a Dental Practice is investigated by the Office for Civil Rights (OCR) of the Department of Health and Human Services and there is not an established HIPAA Compliance Program, the Dental Practice may be assessed a HIPAA Fine and/or a Corrective Action Plan.
Simple steps can be taken to help prevent and mitigate an issue, such as the one above, from occurring.
Step #1 – HIPAA Policies and Procedures
I know – we are all busy and the last task anyone wants to do is sit down and write HIPAA Policies and Procedures. It can be time consuming and a challenge when a practice doesn’t know and understand the regulations; however, in the scenario above, policies and procedures could actually be a necessary safeguard in the defense against a data breach lawsuit or an OCR investigation. Dental practices must have written policies and procedures that define the appropriate use and disclosure of protected health information as well as processes for reviewing electronic access to patient information. Your foundation to a strong HIPAA compliance program is a complete set of practice-specific policies and procedures.
Step #2 – Applying Minimum Necessary
Limiting the information that a workforce member can see in an electronic system is an essential step in protecting patients’ information. Workforce members should only be given access to patient information when it is needed to do their job. For example, if an individual doesn’t have a business need to know a social security number, best practice would be to limit the display to the last 4 digits or to block access to the field altogether.
Step #3 – Conducting Information Activity Reviews on Audit Logs
Most electronic systems, especially electronic health records, produce audit logs. The audit logs record when a workforce member accessed a specific patient’s electronic information and what they did in the chart (viewed, created, deleted, etc.). The HIPAA Security Rule’s information system activity review requirement means these audit logs must be reviewed regularly to confirm that access to patient information is appropriate and meets a business need. In practice, that means comparing what the log shows against something that establishes a business need, such as the appointment schedule, and looking for access outside office hours, access to patients who were never seen, and unusually high volumes of chart views or exports by a single user. If you are unsure or unaware of the audit logs produced by your electronic systems, reach out to your vendors, as they can help you with accessing the reports.
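The following is an added example of what such a review can look like when automated; it is not code from the original article or from any EHR vendor. It assumes a simple CSV export of the audit log (timestamp, user, patient ID, action) and a list of appointment times per patient; both are constructed sample data here, and real EHR export formats differ, so the parsing would have to be adapted to what your vendor provides. The thresholds (business hours, how close to an appointment an access must be, how many distinct charts per day is normal) are assumptions to be tuned to the practice.

```python
"""Flag EHR audit-log entries that have no apparent business need.

Added example, not from the original article or any vendor's product.
The log format, schedule format and thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log export: timestamp,user,patient_id,action
AUDIT_LOG = """\
2018-03-05T08:55:12,rec01,P1001,VIEW
2018-03-05T09:02:40,rec01,P1002,VIEW
2018-03-05T09:10:03,dr01,P1001,UPDATE
2018-03-05T12:40:21,rec01,P1003,VIEW
2018-03-05T21:14:05,rec01,P1004,VIEW
2018-03-05T21:15:30,rec01,P1005,VIEW
2018-03-05T21:16:02,rec01,P1006,EXPORT
2018-03-06T10:05:00,dr01,P1007,VIEW
"""

# Constructed appointment schedule: patient_id -> appointment datetimes (ISO 8601)
SCHEDULE = {
    "P1001": ["2018-03-05T09:00"],
    "P1002": ["2018-03-05T09:30"],
    "P1003": ["2018-03-05T13:00"],
    "P1007": ["2018-03-06T10:30"],
}

# Assumed thresholds; tune these to the practice.
BUSINESS_HOURS = (7, 19)            # chart access expected between 07:00 and 19:00
APPOINTMENT_WINDOW = timedelta(days=2)  # access within 2 days of an appointment is expected
DISTINCT_PATIENT_LIMIT = 4          # more distinct charts per user per day is unusual
BULK_ACTIONS = {"EXPORT", "PRINT"}  # actions that move PHI out of the system


def parse_log(text):
    """Parse the constructed CSV export into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action})
    return events


def has_appointment_near(patient, ts, schedule, window=APPOINTMENT_WINDOW):
    """True if the patient had an appointment within `window` of the access time."""
    return any(abs(datetime.fromisoformat(a) - ts) <= window
               for a in schedule.get(patient, []))


def review(events, schedule):
    """Return findings as (when, user, patient, action, [reasons]) tuples.

    Per-event checks: no appointment establishing a business need, access
    outside business hours, bulk export/print. Per-user-per-day check:
    an unusually high number of distinct charts touched.
    """
    findings = []
    charts_per_user_day = defaultdict(set)
    for e in events:
        reasons = []
        if not has_appointment_near(e["patient"], e["ts"], schedule):
            reasons.append("no_appointment")
        if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
            reasons.append("after_hours")
        if e["action"] in BULK_ACTIONS:
            reasons.append("bulk_action")
        charts_per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
        if reasons:
            findings.append((e["ts"].isoformat(), e["user"], e["patient"],
                             e["action"], reasons))
    for (user, day), patients in charts_per_user_day.items():
        if len(patients) > DISTINCT_PATIENT_LIMIT:
            findings.append((day.isoformat(), user, "*", "VOLUME",
                             [f"{len(patients)}_distinct_patients"]))
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(AUDIT_LOG), SCHEDULE):
        print(finding)
```

Run against the sample data, the three evening accesses by `rec01` to patients with no appointment are flagged (the third one also as an export), and `rec01` is additionally flagged for touching six distinct charts in one day, which is exactly the pattern the receptionist in the news story would have produced. A finding is a prompt for a human to ask the employee why the chart was opened, not proof of wrongdoing; legitimate reasons (insurance follow-up, a walk-in) exist, and the review record of that conversation is itself part of the evidence that the practice is doing the activity review the Security Rule expects.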
Step #4 – Workforce Education
HIPAA Training is one of the least popular tasks for a practice; however, it is an essential step in setting up your workforce as well as your practice for success. Workforce members should have a high-level understanding of what the HIPAA regulations are and understand how your practice is protecting the information that is provided by your patients. Annual HIPAA Training with periodic HIPAA educational updates throughout the year will keep HIPAA in the forefront of your workforce’s mind and support the protection of patient information.
Patients come to you to get the care they need. They provide you with a lot of valuable information that they trust you are going to keep confidential and protect. Don’t let your patients down and put your practice at risk by not taking the time to comply with the HIPAA regulations. They were established to protect patients and the information they trust you with. Take the time so you don’t become the next headline.
HIPAA Journal (2018, April 11). 2 to 6 Year Jail Term for Receptionist Who Stole PHI from Dental office. Retrieved from https://www.hipaajournal.com/2-to-6-year-jail-term-for-receptionist-who-stole-phi-from-dentist-office/