In response to HIPAA enforcement, many practices have implemented policies and procedures to mitigate risk. Unfortunately, many times, dental offices are still breaking HIPAA laws without realizing it.
Here are eight of the most common mistakes dental practices are making in their everyday workflows and how to correct them.
1. Using personal devices or misplacing devices
Today's technology allows dental practices to communicate more easily and look up and share patient information or their status on personal devices.
It's a bit unrealistic to think that employees won't ever use their personal devices at work. The key is to train your employees on the importance of handling with care their devices and the data they store or access. Consider implementing a personal device policy that enforces passcodes or authentication to log on, installing encryptions, and enabling personal firewalls.
Employees should not be storing patient claims or data on a personal device. This is an easy way for a hacker to gain access to data, as personal devices rarely have the same security as office-issued devices.
Stolen and lost devices are also an issue for dental practices. It's important to have devices like USB flash drives, cellphones, and laptops stored securely to keep them from being stolen or lost.
2. Missing the trash can
How you purge patient records is just as important as how you store them. An easy way to trigger a data breach, and therefore a HIPAA violation, is if someone steals records out of your trash or recycling.
If you throw out an old computer without having a professional wipe the data, those files that you "deleted" are easy to recover. The same is true for external hard drives. All physical documents must run through a cross-cut shredder before being disposed.
3. Not using encryption
Files that contain patient data should be encrypted. Dozens of solutions can protect your data with encryption. Select the one you need based on the software environment where the data are stored or transferred.
For example, one encryption program can protect the files on your desktop, while another helps protect your email. Encryption protects personal health information (PHI) where it is extremely exposed.
Sending an email with PHI is not a violation. It's when the email is delivered to the incorrect recipient or intercepted by someone without authorized access.
4. Being a little too loud
HIPAA protection doesn't just apply to stored data. Someone's PHI could be shared by staff talking about it within earshot of other patients. Ask staff to gather in a private, designated area to talk about patient issues. Remember, even a small slipup could be reported as a HIPAA violation.
Employees speak to patients every day. Remind them that discussing a patient's information with an employee lacking authorized access or with other patients can put your whole practice at risk of being fined by HIPAA.
5. Divulging too much in a phone message
While a patient may have authorized you to call him or her to discuss a treatment plan, it doesn't mean you should leave a detailed voice message that relays PHI. You could also make the mistake of calling the wrong number. The best practice is when a patient doesn't answer, leave a message simply requesting a call back.
6. An absence of the right-to-revoke clause
Your HIPAA forms must give your patients the right to revoke the permissions they've given to disclose their information to certain parties. Not providing this means your HIPAA forms are invalid, and releasing subsequent information to another party puts you in breach of HIPAA.
7. Not being careful on social media
In one case, a dental practice responded to reviews of the practice on the internet and discussed patient information, including last names and details of individuals' health. This dental practice faced a large fine and additional monitoring for the next two years.
Social media is not the place to discuss patient information. While this instance was likely a careless mistake to negate a review, it was still a break of HIPAA laws that resulted in large penalties.
8. Not considering PHI after a practice closes
Even if a dental practice is closing, HIPAA protects the PHI from that office. For example, if someone improperly disposes of PHI, the office violates HIPAA and face fines even if it shutters.
HIPAA violations in dental offices are all too common. By keeping these eight common mistakes in mind, your practice can work to prevent future HIPAA violations that can lead to costly fines, legal action, and lost patients.
Robert Patrick is Vyne's president of dental. He has served the dental industry for more than 20 years and has authored numerous pieces for most of the sector's leading publications on a number of its most pressing practice administration topics.
The comments and observations expressed herein do not necessarily reflect the opinions of DrBicuspid.com, nor should they be construed as an endorsement or admonishment of any particular idea, vendor, or organization.
Copyright © 2020 DrBicuspid.com