Why Dentists Should Be Concerned about HIPAA Laws and the Security of Their Patient Records

Back in 1996, HIPAA (Health Insurance Portability and Accountability Act) became federal law. The United States government acknowledged the need for people and businesses in healthcare fields to better protect patients’ healthcare records because they are sensitive documents and every patient has a right to privacy and security.

The healthcare community, health insurance plans and subcontractors were not taking measures to ensure basic security controls and privacy protocols were in place. Much like the payment card industry established the PCI Security Council to oversee that credit card account numbers were protected, the federal government established governance and protocols as a baseline to oversee patients’ rights to their records, disclosures and the securing of the personal identities contained in health and dental records.

The Office of Civil Rights (OCR) is a division of Health and Human Services. The OCR was placed in charge of enforcing HIPAA Security and Privacy laws starting in 2009 as part of the HITECH Act to ensure those storing health records are taking basic care to ensure confidentiality, authorization, availability and appropriate disclosures of personal health information (PHI). The OCR is incentivized to enforce HIPAA through Civil Money Penalties (CMP) and publishing investigations and resulting settlements under the Freedom of Information Act.

Dentists can come onto the radar of a Security and Privacy audit in the following ways:

  1. A patient complains their data isn’t secured or reports a suspected violation of their privacy rights on the HHS website (i.e. whistleblower complaints). The OCR is required to investigate each complaint.
  2. OCR’s continuing random audit program into 2014-2015.
  3. A dental office could be randomly selected for Meaningful Use audits.

HIPAA has four rules outlined below:

HIPAA Privacy Rule

Every patient has the right to control their personal health records, and each business and its employees are responsible for keeping any unauthorized person from viewing patient files. These health files are now written, stored and shared orally, electronically and on paper, so a lot has to be done to keep these records out of the wrong hands.

HIPAA Security Rule

This rule relates directly to electronic patient files and states each covered entity—which includes Dentists—must keep them safe from any unauthorized access during transit and storage.

HIPAA Breach Notification Rule

The breach notification rule requires all covered entities and business associates to give notification when a breach has occurred in relation to unsecured protected patient health information.

Patient Safety Rule

The final rule protects identifiable patient health information from being used to analyze and improve patient safety and events relating to patient safety.

If dentists don’t comply with HIPAA rules and are then audited, they are penalized.

Dental records, in paper or electronic format, are considered Protected Health Information and are subject to the same Federal scrutiny for privacy and security as full medical records.

Dental records contain minimal medical information, but they do contain demographic information and numerical identifiers tied to dental care. These include name, address, birth date, phone numbers, insurance status, patient ID number, SSN, etc.

Penalties vary and are determined by the seriousness of the security or privacy breach. Also taken into consideration are whether you knowingly or accidentally released patient records and private information. Either way, you’re held accountable. Penalties range from fines to being fired from your job to closing an office to potential jail time (in the event of knowingly losing 500+ PHI records and failing to report to HHS within 60 days).

So how can you and your dental office steer clear of these penalties?

First, you must understand and keep up-to-date with all HIPAA rules and regulations. You can also set up a HIPAA program in your office, perform consistent employee trainings, and conduct and document regular HIPAA risk analyses to evaluate and fix any potential problems.

Second, you must make sure that your dental practice management software is HIPAA compliant. Since this is where your patients’ dental records are stored, a breach can be detrimental to your office and can bring several fines.

If your practice is currently running on a practice management system, penetration testing can help you identify threats and openings that attackers could use to gain access to your system. If you’re currently shopping for software, make sure you choose a platform that is guaranteed to be HIPAA secure.

Complying with HIPAA laws and regulations is crucial so you and your dental practice don’t have to face penalties and to keep the trust and satisfaction of your patients by keeping their healthcare records safe and secure.

About the Authors

This post was co-authored by Steven Marco, the President of HIPAA One® and Modern Compliance Solutions as well as Trevor James, the marketing manager for Viive, a Mac-based dental practice management system, and Dentrix Ascend, a cloud-based dental practice management system.

Comments

  1. Do you have any video of that? I’d like to find out some additional information.

  2. If a dental office is recording phone calls and not telling patients they are being recorded by a third party, and their treatment and billing information is being discussed, is that a HIPAA violation?

    • Steven Marco says:

      HIPAA Privacy disclosures would be more of a disclosure of a patient’s information without their permission outside of treatment, payment or health care operations. We always recommend notifying the parties on a phone call their call is being recorded. Recording phone conversations may violate other state or consumer protection laws but in itself does not appear to violate HIPAA Privacy rule in this example provided.

      Also consider that the voice-recording system now contains Protected Health Information, so it should be secured to reduce the risk of unauthorized disclosures (like the dental EHR software, imaging, email communications, etc.).

      Disclaimer: We are not attorneys, so we always recommend sound legal advice from an attorney; however, we are auditors, so we must understand HIPAA!

  3. derek caldwell says:

    If a dental office has an http website with a contact form on it, where a patient can unknowingly enter PHI on that contact form via a website that is unsecured (http), is that considered a HIPAA violation?

    • Hi Derek!

      The following response was provided by our VP of Data Security, John Lazo.

      A web site must at a minimum ensure that all protected health information (ePHI/PII):

      Transport Encryption: Is always encrypted as it is transmitted over the Internet
      Backup: Is never lost, i.e. should be backed up and can be recovered
      Authorization: Is only accessible by authorized personnel using unique, audited access controls
      Integrity: Is not tampered with or altered
      Storage Encryption: Should be encrypted when it is being stored or archived
      Disposal: Can be permanently disposed of when no longer needed
      Omnibus/HITECH: Is located on the web servers of a company with whom you have a HIPAA Business Associate Agreement (or it is hosted in house and those servers are properly secured per the HIPAA security rule requirements).
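
      As an added illustration of the transport-encryption item in the list above (not code from the original post, from HIPAA One or from the commenter), the following Python function audits a contact-form page on constructed sample headers and HTML rather than a live site: it flags a page served over http, a missing Strict-Transport-Security header, and any form whose action posts back over http. The host names and header values are made up for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormFinder(HTMLParser):
    """Collect the action attribute of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # A missing or empty action posts back to the page URL itself.
            self.actions.append(dict(attrs).get("action") or "")

def audit_contact_form(page_url, headers, html):
    """Return a list of findings; an empty list means the page passes."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if urlsplit(page_url).scheme != "https":
        findings.append("page served over http: anything typed into the form, "
                        "including PHI, travels in the clear")
    if "strict-transport-security" not in hdrs:
        findings.append("no Strict-Transport-Security header: a browser can still be "
                        "steered to the http version of the page")
    finder = _FormFinder()
    finder.feed(html)
    for action in finder.actions:
        target = urljoin(page_url, action)  # resolve relative actions against the page
        if urlsplit(target).scheme != "https":
            findings.append(f"form posts to {target}: the submission itself is unencrypted")
    return findings

# Constructed sample input for a hypothetical practice site, not a real one.
SAMPLE_HTML = ('<html><body><form action="/contact" method="post">'
               '<input name="message"></form></body></html>')
MIXED_HTML = SAMPLE_HTML.replace('"/contact"', '"http://forms.example-dental.test/contact"')
INSECURE_URL = "http://www.example-dental.test/contact.html"
SECURE_URL = "https://www.example-dental.test/contact.html"
INSECURE_HEADERS = {"Content-Type": "text/html"}
SECURE_HEADERS = {"Content-Type": "text/html",
                  "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    for url, resp_headers, body in [(INSECURE_URL, INSECURE_HEADERS, SAMPLE_HTML),
                                    (SECURE_URL, SECURE_HEADERS, SAMPLE_HTML),
                                    (SECURE_URL, SECURE_HEADERS, MIXED_HTML)]:
        print(url, audit_contact_form(url, resp_headers, body) or ["passes"])
```

      The third case shows the mixed-content trap: an https page whose form still posts to an http endpoint fails the "always encrypted in transit" requirement even though the address bar shows a padlock.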

  4. Karen Sizemore Fuller says:

    Hi there I’ve been reading through compliance information and I have read a couple of conflicting things about emails. Can anyone tell me whether emails can be deleted if they’ve been sent to a patient or do they need to be kept for a certain period of time like dental records?

  5. Tracy Johnson says:

    Taking my daughter to an orthodontist, while filling out my information as her mother, it also requested information regarding the spouse. I listed my spouse, who is the stepfather to my daughter.
    Someone at the Dr. office told her father that I had listed the stepfather on my paperwork and not the father.
    The paperwork asked about the spouse, and I completed the requested information. Is this a violation?

  6. Is it a HIPAA violation for a clinical dental assistant to access insurance information on a patient they are with to find out hx/eligibility?

    • Steven Marco says:

      Hi Cassie. That does not appear to be a violation. Be sure to do your HIPAA training, have Policies and Procedures to ensure they have gone through the appropriate training, background checks, etc. before being granted access to your patient’s PHI.

  7. Lisa Vaughn says:

    We utilize a paper hard patient record as well as a computer. Staff recently stated that we are not to place patient labels on the front or inside of the patient record. Is this correct? If so, how do we identify the patient besides their name on the spine of the record?

    • Steven Marco says:

      Hi Lisa,

      If the paper charts are out of sight (e.g. in a back room under lock and key, or physically separated from the patient waiting areas) you can put the regular indexing (e.g. first 3 letters of last name). The paper chart needs to be treated with concern for unauthorized disclosure to people who are not authorized to see the chart unless for Treatment, Payment or healthcare Operations. The charts should not be accessible by anyone other than staff, and the HIPAA training should include specifics on handling both paper charts and computer safeguards (e.g. Windows+L to lock the screen when leaving any computer).

  8. Rhonda Solis says:

    Hello,
    Recently a dental office was closed by a sole owner dentist and he became an independent contractor and works at another facility. He didn’t sell his practice, charts or database. He is now accessing the patient information from the charts to bring patients into the new facility. I thought patient information was the property of the practice and not just the individual dentist. Once the patient comes in, the facility is paying the dentist a commission. Is this an ok practice for HIPAA? It feels like he’s sharing personal information with fellow employees without patient permission. HIPAA forms were signed for the dental practice for use at the dental practice and not to be used at another facility.
