If you’re a dental care provider practicing in the United States, you know the importance of complying with the Health Insurance Portability and Accountability Act (HIPAA).
The act requires covered entities, dental practices included, to put safeguards in place for their patients’ health information. An impermissible disclosure of that information, whatever the cause, is a reportable HIPAA violation and can lead to substantial fines and penalties.
According to one research report, 418 HIPAA breaches were reported in 2019 alone, and close to 34.9 million Americans had their PHI compromised that year.
Sometimes these violations are the result of human error; sometimes a workforce member shares protected health information (PHI) with the wrong person. More often than not, though, breaches occur when attackers find and exploit security weaknesses.
Healthcare leaders need to stay proactive and put adequate measures in place to avoid violations and the penalties that follow. The HIPAA Privacy and Security Rules apply to the data collected by dental practitioners just as they do to any other covered entity.
In this piece, we will look at a few common HIPAA violations and what dental care providers can do to avoid them.
1) Releasing Protected Health Information to an Unauthorized Individual or Group
Any disclosure of PHI that is not permitted or authorized under the HIPAA Privacy Rule can lead to a heavy financial penalty.
Typical examples include careless handling of the information, disclosures following the theft or loss of unencrypted laptops, disclosing PHI without a legitimate need, disclosing PHI to a patient’s employer, failing to follow the ‘minimum necessary’ standard, and disclosing PHI after its retention period has expired.
Your staff may also disclose PHI unintentionally: phishing attacks are becoming more common by the day, and a convincing email is often enough to get credentials or records sent to an attacker.
One best practice for dental care providers is to obtain a signed authorization form from the patient before any of their PHI is released or disclosed to a third party, including a vendor, for any purpose other than one expressly permitted by the HIPAA Privacy Rule.
Not long ago, a patient filed a complaint with the Office for Civil Rights (OCR) against Elite Dental Associates, a dental practice based in Dallas, after an incident on the business review platform Yelp.
The practice had responded to a public review on the platform by posting the reviewer’s last name and details of their health condition.
OCR’s investigation found that this was not an isolated incident: the practice had disclosed the PHI of other patients in responses to reviews on its Yelp page as well. Elite paid $10,000 to settle the impermissible disclosures of PHI.
This is only one of many incidents in which a dental practice has paid a fine for disclosing PHI to an unauthorized audience on a public platform; similar stories surface regularly.
Dentists must therefore ensure that patient details are never disclosed to any individual or group not named on the patient’s authorization form, and remember that an authorization is only valid once it has been signed by the patient or their personal representative.
2) Improper Disposal of Protected Health Information
Once retention periods have expired and PHI (whether stored on paper in files and folders, or electronically on computer systems or remote storage) is no longer required, the HIPAA Rules require that it be destroyed securely and permanently.
That doesn’t always happen. Whether a disposal failure originates inside the practice or with an outside party, it remains the dental care provider’s responsibility to ensure that its employees and its business associates comply with the HIPAA Rules.
Take for example the case of Florida-based Key Dental Group.
When the practice switched providers, it asked its previous vendor to return its electronic medical record (EMR) database. Even though the end-user license agreement (EULA) required the vendor to return all patient information when the agreement ended, the vendor refused.
This was a clear HIPAA violation on the vendor’s part, since it was a business associate. Because the vendor’s unauthorized retention of PHI could also damage Key Dental’s reputation, notifying the affected patients became essential.
To avoid ending up in such a situation, dental care providers can follow a few best practices:
- Identify and apply extra safeguards to the patient information that needs them most, such as Social Security numbers, diagnosis reports, and credit or debit card details.
- Carry out unannounced inspections to confirm that everyone inside the organization, and partners outside it, is adhering to the compliance requirements.
- Make sure that information disposal and return clauses are written into the contract whenever a third-party vendor is involved.
- If you run dedicated practice-management software, host it with a HIPAA-compliant hosting provider (one that will sign a business associate agreement) so that sensitive information is stored remotely in a compliant manner.
- Use clearing hardware or software to overwrite ePHI on storage media before the media is reused.
- For devices being retired, use purging (for magnetic media, degaussing with a strong magnetic field; note that degaussing does not erase solid-state drives, which need the drive’s own secure-erase or crypto-erase function) or physical destruction by incineration, shredding, or melting.
Beyond the measures listed above, there are many other effective ways for dental care providers to keep sensitive patient information out of the wrong hands and to dispose of it safely.
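The overwrite-and-verify step that “clearing” refers to, as an added example written for this page rather than code from the article or from any vendor: it overwrites a single file holding ePHI in place, checks that the contents actually changed, unlinks it, and returns a record that can be filed as evidence of destruction. The file, the operator name and the three-pass scheme are assumptions; the caveat in the comments about solid-state and copy-on-write storage is the important part.

```python
"""Added example (not from the original article): a NIST SP 800-88 style
'Clear' of one file that holds ePHI, with verification and a disposal record.

Caveat: in-place overwrite only sanitizes magnetic disks on a filesystem that
writes data back to the same blocks. SSDs (wear levelling), copy-on-write or
journaling filesystems and cloud block storage keep old copies, so there the
right tool is the device's secure-erase / crypto-erase command or physical
destruction. This code cannot detect which kind of storage it is on.
"""
import hashlib
import os
import secrets
import tempfile
from datetime import datetime, timezone
from typing import Optional

CHUNK = 1024 * 1024  # overwrite in 1 MiB chunks so large files never load into memory


def _file_digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _overwrite_pass(path: str, pattern: Optional[bytes]) -> None:
    """One pass over the whole file: a fixed byte pattern, or random data if pattern is None."""
    remaining = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:  # unbuffered: every write() goes to the OS
        while remaining > 0:
            n = min(CHUNK, remaining)
            buf = secrets.token_bytes(n) if pattern is None else pattern * n
            while buf:  # FileIO.write may write fewer bytes than asked
                buf = buf[f.write(buf):]
            remaining -= n
        os.fsync(f.fileno())  # push the data to the device, not just the page cache


def clear_file(path: str, operator: str, passes: int = 3) -> dict:
    """Overwrite `path`, verify the overwrite, unlink it, and return a disposal record."""
    if passes < 1:
        raise ValueError("at least one overwrite pass is required")
    size = os.path.getsize(path)
    before = _file_digest(path)
    for i in range(passes):
        # Alternate zeros and random data; the final pass is always random so a
        # silently failed write is caught by the digest comparison below.
        _overwrite_pass(path, None if i == passes - 1 or i % 2 else b"\x00")
    after = _file_digest(path)
    if size > 0 and after == before:
        raise RuntimeError(f"overwrite verification failed for {path}")
    os.unlink(path)
    return {
        "path": path,
        "bytes": size,
        "passes": passes,
        "method": "clear (in-place overwrite, verified by digest)",
        "operator": operator,  # who performed the disposal; goes in the audit file
        "completed_utc": datetime.now(timezone.utc).isoformat(),
        "verified": True,
    }


def demo() -> tuple:
    """Constructed sample: a throwaway chart export in a temp directory (no real patients)."""
    workdir = tempfile.mkdtemp()
    chart = os.path.join(workdir, "chart_export.csv")
    sample = b"patient_id,name,dob,dx\n1001,Jane Doe,1980-01-01,caries\n" * 500
    with open(chart, "wb") as f:
        f.write(sample)
    record = clear_file(chart, operator="tech01")
    return record, os.path.exists(chart), len(sample)
```

Keep the returned record with the practice’s disposal log: a regulator asking what happened to a retired export wants the path, the method, who did it and when, not a verbal assurance. For a whole drive, run the vendor’s secure-erase tool instead and record that the same way.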
3) Downloading or Accessing ePHI through Unauthorized Devices or Accounts
The HIPAA Security Rule requires covered entities and their business associates to limit ePHI access to individuals who have been authorized to access it.
Even so, inadequate ePHI access controls are a common HIPAA violation, and one that has resulted in heavy financial penalties for healthcare organizations in recent years.
Dental care providers need to make sure that access to patient health information and medical records is granted only to authorized individuals using registered devices. The basic building block is a unique login for every individual, with permissions tied to that login and to the person’s role.
Authorized staff also need to understand that sharing login credentials not only risks an impermissible disclosure of ePHI; every action taken by the person who borrows the login is attributed to the employee whose credentials were used.
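How unique logins, device registration and the minimum-necessary standard fit together, as an added example written for this page (not code from the article or from any practice-management product). The roles, device names and the single sample patient record are constructed; the point is the audit trail: each access, allowed or denied, is recorded against the login that made it, which is exactly why a lent password lands on its owner.

```python
"""Added example (not from the original article or any product): per-person
logins, device registration, role-scoped record access and an audit trail.
Roles, field names, device IDs and patient data below are constructed
assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set

# "Minimum necessary": each role may read only the fields its job requires.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "dentist":    {"name", "dob", "chart", "xrays", "treatment_plan"},
    "hygienist":  {"name", "dob", "chart", "xrays"},
    "front_desk": {"name", "dob", "next_appointment", "insurance"},
}

# Devices enrolled by the practice; anything else cannot open a session.
REGISTERED_DEVICES: Set[str] = {"op1-workstation", "op2-workstation", "frontdesk-pc"}

# Constructed sample record (no real patients).
PATIENTS: Dict[str, Dict[str, str]] = {
    "P-1001": {"name": "Jane Doe", "dob": "1980-01-01", "chart": "#18 MOD composite",
               "xrays": "BWX 2019-05", "treatment_plan": "crown #19",
               "next_appointment": "2019-08-02", "insurance": "Plan A 123456"},
}


@dataclass
class Session:
    user_id: str    # one login per person; a shared "frontdesk" account breaks attribution
    role: str
    device_id: str


@dataclass
class AuditEvent:
    when: str
    user_id: str
    device_id: str
    patient_id: str
    fields: List[str]
    outcome: str    # "allowed" or "denied:<reason>"


AUDIT: List[AuditEvent] = []  # in production: append-only storage the app cannot rewrite


def open_session(user_id: str, role: str, device_id: str) -> Session:
    """Sessions exist only for known roles on devices the practice has registered."""
    if role not in ROLE_FIELDS:
        raise PermissionError(f"unknown role {role!r}")
    if device_id not in REGISTERED_DEVICES:
        raise PermissionError(f"device {device_id!r} is not registered with the practice")
    return Session(user_id, role, device_id)


def _log(session: Session, patient_id: str, fields: List[str], outcome: str) -> None:
    AUDIT.append(AuditEvent(datetime.now(timezone.utc).isoformat(), session.user_id,
                            session.device_id, patient_id, sorted(fields), outcome))


def read_record(session: Session, patient_id: str, fields: List[str]) -> Dict[str, str]:
    """Return only the requested fields the caller's role may see.
    Every attempt, allowed or denied, is recorded against the login that made it."""
    if patient_id not in PATIENTS:
        _log(session, patient_id, fields, "denied:no such patient")
        raise PermissionError("access denied")  # same message as a real denial: no enumeration
    not_allowed = sorted(set(fields) - ROLE_FIELDS[session.role])
    if not_allowed:
        _log(session, patient_id, fields, "denied:fields " + ",".join(not_allowed))
        raise PermissionError("access denied")
    _log(session, patient_id, fields, "allowed")
    return {f: PATIENTS[patient_id][f] for f in fields}


def events_for(user_id: str) -> List[AuditEvent]:
    """What an investigator pulls after an incident: everything done under one login."""
    return [e for e in AUDIT if e.user_id == user_id]
```

The Security Rule expects this kind of log to be reviewed, not just kept: a hygienist login pulling insurance fields, or a dentist login active from an unregistered device, is the signal that a credential has been shared or stolen, and the log only tells you who to ask if every person has their own login.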
Delta Dental Arizona is one organization that faced a similar situation in 2019.
In July of that year the practice noticed suspicious activity in an employee’s email account. On investigating, it found that the employee had fallen for a phishing email and that an unauthorized individual had gained access to the account through it.
Delta Dental Arizona found no evidence that data in the account had been misused, but could not rule it out either. The practice took steps to identify all the data within the compromised account so that it could notify the affected individuals.
Staff members also need to be aware of the privacy and security risks of downloading sensitive information onto portable electronic devices that have not been approved by the practice.
All in all, regular and effective staff training is a crucial step for providers who want to avoid HIPAA violations. Teach your staff to handle PHI carefully and to share it only with authorized individuals who need to know it. And stay observant yourself.
It doesn’t matter whether a violation results from gossip, carelessness, a simple human error, or an insider or outside attacker: healthcare organizations need robust data security controls in place to support compliance.