Do careless ‘low tech’ HIPAA breaches threaten patient privacy?
What your dental office can do to reduce risk
That casual conversation between front office staff and a patient can actually be a HIPAA breach. But does everyone in the office know what's considered a breach? Only training will guarantee everyone's in the know.
Dental health-care providers who work in small practices might read headlines about huge data breaches and million-dollar fines and believe HIPAA breaches are a concern only for large health plans and medical centers.[1] But many small breaches that don’t make headlines occur daily in small medical and dental practices. Even though the civil fines and penalties might be smaller, the costs of compliance can be daunting. In addition to potential lawsuits, reputational harm, and damage to staff morale, there are the costs of mitigation, sanctions, patient notification, and reporting. These are HIPAA requirements that apply to all covered entities, regardless of the entity’s size. Added up, these expenses can cause serious problems for your pocketbook and your practice.[2]
If you use electronic health records (EHRs), you no doubt have protections in place to keep the records secure and safe from cyber criminals intent on ID theft. But what sort of training are you providing to your front desk staff, billing clerk, and chairside assistants to prevent “low-tech” privacy breaches? Does your training meet the “reasonableness” standard applied by federal investigators after a breach? This is an area where you might be the most vulnerable, and unless you train every member of your staff when they’re hired, and on a regular basis thereafter, you’re not only at risk for a breach but also for fines and penalties related to your failure to take reasonable measures to prevent the breach from happening at all.
Here are five examples of “low tech” breaches that occur far too frequently in health care:
1. Your front office manager has been with you for years and knows your patients well. Clearly patients love her. But have you ever heard her casually greet someone and note that she saw his mom at the office earlier in the week? Or have a patient tell her, “Today must be teeth cleaning day for Oak Street” after seeing a neighbor in the parking lot, and she responds, “Well, maybe a little more than teeth cleaning.” Little comments like this violate HIPAA, even if they don’t communicate details such as a patient’s birth date or social security number. Whether it’s an offhand remark made to a neighbor implying more serious dental problems, or the simple sharing of contact information with someone’s probation officer, a privacy breach has occurred.
Solution: Instruct your staff that under no circumstances should they discuss patient information with others unless the law requires or permits it, and your policy allows it. HIPAA regulations provide that the mere fact someone is your patient and receives services from you is confidential.
2. You have been meaning to get a new copier because the “three-in-one” (copy, fax, and scan) in the front office is getting old. Staff have been told that anything with patient information on it should be shredded, but the shredder is noisy. So instead, staff occasionally toss an imperfect copy into the wastebasket. A skewed copy that includes even a tiny glimpse of patient information is “protected health information” (PHI) according to HIPAA. That PHI might journey to the dumpster when cleaning staff comes in, followed by an early morning ride in a bag atop a garbage truck, with a final drop into the city’s landfill. Scavengers looking for copper wire who come across PHI now have something else of value they can sell on the black market. Something that started with a blurred copy innocently tossed in the wastebasket is now a reportable HIPAA security breach.
Solution: Instruct your staff to scrupulously separate PHI from other materials and shred it promptly when needed. Never leave it out overnight if others have access to your office. Patient information that makes its way to your trash out back is most definitely not secure from “dumpster divers” who specifically look to steal patient information in order to commit ID theft.
3. That same copy machine has a collection tray that catches incoming faxes as well as copies. You ask your chairside assistant to walk your implant patient to the waiting room and to make her a copy of her discharge instructions. Unbeknownst to your assistant, a fax came in a few minutes earlier from another patient’s cardiologist with recommendations for prophylactic antibiotic care prior to his procedure next week. Everything in the tray is accidentally handed to your implant patient, who now goes home with her instructions plus the cardiologist’s report about another patient’s heart problem. This careless error resulted in a privacy breach.
Solution: Train your staff to carefully look at every single page of information they hand to patients. Although it’s tedious, if it saves you from even one HIPAA breach it’s well worth the extra minute or two. A related problem can happen when “boiler plate” documents accidentally include a former patient’s ID number or name when a new document is created. Tell staff that some things should be done slowly, and you want them to double check all documents they create in order to avoid oversights of any kind.
4. Have you ever sent out a mass email to your patients? You may think your administrative assistant knows what she’s doing, but this recent breach may give you pause. Over 500 patients received a notice from a small specialty clinic informing them they could now sign up to access the patient portal of the clinic’s EHR system. This would allow them to make or change appointments, access their records, and leave messages for their provider. When the phone started ringing the next day, the clinic staff learned to their horror that the person who hit “send” did not make sure that blind carbon copy was properly activated. Now each patient had 500 other patients’ email addresses and knew they were receiving specialty care, and each patient now also knew that 500 other people had the same information about them. Clearly this was not a sinister or deliberate breach, but it required costly mitigation in the form of ID theft protection, reporting, and notification. That was just the cost of compliance; fines, penalties, and privacy lawsuits could still be in their future.
Solution: Ensure that all of your staff members are trained on your office’s communication tools. Always send a test email prior to actually sending a large multiple-recipient communication to make sure that other actions have not accidentally disabled the blind carbon copy function.
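The blind-carbon-copy failure in example 4 is one of the few “low tech” breaches that a small technical control can catch before it happens. The script below is an added example, not code from the article or from any product the author describes: it builds the portal-signup notice with the patient addresses kept out of every visible header (they travel only as SMTP envelope recipients, which is what Bcc means on the wire), builds the mistaken version with everyone in To, and runs a pre-send check that refuses to send if any patient address is visible. The recipient list and the mail-server hostname are constructed placeholders.

```python
"""Added example: keep bulk-notice recipients out of visible headers and check
the message for exposed addresses before it leaves the office."""
from email.message import EmailMessage
import smtplib

# Constructed sample recipient list (placeholder addresses, not real patients).
PATIENTS = [
    "patient.one@example.com",
    "patient.two@example.com",
    "patient.three@example.com",
]
PRACTICE = "frontdesk@dental-practice.example"


def build_bulk_notice(sender, recipients, subject, body):
    """Build the notice the correct way.

    Recipients are NOT written into any header. They are returned separately
    and handed to the SMTP server as envelope recipients, so each patient sees
    only the practice's own address in To.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # the visible To is the practice itself
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def build_bulk_notice_wrong(sender, recipients, subject, body):
    """The mistake from the article: every patient listed in the visible To header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def exposed_recipients(msg, recipients):
    """Return the recipients whose address appears in a header other patients will see.

    To and Cc are always delivered. A Bcc header is counted too, because some
    tools leave it in place; the safe rule is that recipients belong in the
    envelope only.
    """
    visible = set()
    for field in ("To", "Cc", "Bcc"):
        header = msg[field]
        if header is not None:
            visible.update(a.addr_spec.lower() for a in header.addresses)
    return sorted(r for r in recipients if r.lower() in visible)


def send_bulk_notice(smtp_host, msg, recipients):
    """Send only if the pre-send check finds no exposed address.

    smtp_host is a placeholder for the practice's own mail server (assumption).
    """
    leaked = exposed_recipients(msg, recipients)
    if leaked:
        raise ValueError(
            f"refusing to send: {len(leaked)} recipient address(es) are visible to everyone"
        )
    with smtplib.SMTP(smtp_host) as smtp:
        # send_message strips any Bcc header and uses to_addrs as the envelope.
        smtp.send_message(msg, to_addrs=recipients)


if __name__ == "__main__":
    subject = "Patient portal now open"
    body = "You can now sign up for the patient portal; details are in your next statement."
    good, rcpts = build_bulk_notice(PRACTICE, PATIENTS, subject, body)
    bad, _ = build_bulk_notice_wrong(PRACTICE, PATIENTS, subject, body)
    print("correct message exposes:", exposed_recipients(good, rcpts))
    print("wrong message exposes:", exposed_recipients(bad, rcpts))
```

The check is deliberately strict: it treats a Bcc header as exposed as well, because whether that header is stripped depends on the sending tool, and the staff member clicking “send” cannot see which path the tool takes. Keeping recipients purely in the envelope removes that dependency.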
5. Do all of your staff members understand when it’s acceptable to provide records to third parties? Do they know to check with you before they send off dental records to the coroner? How would they respond to a subpoena? Does every member of your staff know what your state laws say about permissive or mandatory disclosures of PHI, and which law they must follow? It is very likely that most of your new hires will not be HIPAA experts. A very common “low tech” error involves disclosing PHI to third parties, for example, to friends, family, or neighbors who just want to help. Only when it’s too late comes the realization that there was no legal pathway that would have permitted the disclosure. Prevent this through training.
Solution: The HIPAA Privacy Rule is complicated, and if your state law has stringent privacy provisions, it’s not easy to know what to do. It is therefore essential that staff members be trained to know when they must or cannot disclose PHI. Perhaps even more importantly, they need to be reminded to always check with you if they are not sure.
Conclusion
You’ve no doubt told your staff to keep paper records securely locked at night, and to never open suspicious emails that might shut down your system. But the more likely cause of a breach in a small dental practice is an inadvertent, careless, or unknowing wrongful disclosure by your own staff. This is why it’s essential to provide thorough privacy training to new staff, with ongoing training for all staff on a regular basis. If you do experience a breach event, part of your mitigation will involve retraining.
Taking the time to provide staff training will reduce the risk of low tech breaches, help you demonstrate that you have engaged in reasonable measures to protect patient privacy, and save countless hours and dollars in the long run.
Linda Garrett, JD, is a former medical/dental malpractice defense attorney who provides risk management consultation and training on HIPAA and related privacy regulations to numerous public entity and private sector clients. She has extensive experience helping clients investigate and respond to breach incidents. Ms. Garrett recently worked with Kantola Training Solutions to develop three HIPAA video training kits that include checklists, sample forms, and other materials designed to support HIPAA compliance for professional practices. Kantola offers free trials of these and other courses.
REFERENCES
[1] A case in point is the recent $5.5 million Advocate Health System settlement of three data breaches affecting over 4 million patients in 2013, which is now the largest HIPAA settlement ever.
[2] HIPAA breach compliance requires mitigation, sanctions, patient notification, and reporting to DHHS if patient information has been used, accessed, or disclosed in violation of the HIPAA Privacy Rule and the violation results in a compromise of that information.