Patient Prism Blog | Dental Call Tracking Technology, Dental Software

Prioritizing HIPAA Compliance for Your Dental Practice

Written by Linda Harvey | Nov 20, 2019

November 2019--“When it comes to HIPAA, dental practices are definitely not under the radar,” says HIPAA expert Linda Harvey, who cites three examples. It's scary to see how easy it is to make mistakes.

HIPAA requires medical/dental records to be retained for six years from the date of their creation or last use, whichever comes later. The following types of Patient Health Information are protected under HIPAA privacy laws:

  • Contact information for patients and their emergency contacts: names, addresses, phone numbers, fax numbers, email addresses
  • Demographic information (race and gender)
  • Social Security numbers
  • Driver license numbers
  • Health plan beneficiary numbers
  • Dental/medical record numbers
  • Patient/financial account numbers
  • Insurance communications
  • Diagnostic and treatment records, for example, descriptions of clinical procedures provided, perio charting, x-rays, digital impressions, photo images, notes about treatment plan review, patient treatment acceptance, and prescriptions.
  • Vehicle identifiers and serial numbers, including license plates
  • Communications with and about patients containing Web URLs, Internet Protocol (IP) address numbers, device identifiers and serial numbers
  • And more . . .  basically, any recorded identifying numbers, characteristics, or codes

HIPAA Breach Example 1: Failure to Shred Disposed Dental Patient Records

My first example of a HIPAA breach is an Indiana dentist who hired a professional company to dispose of 63 boxes of patient records, and that company put them in a dumpster in a church parking lot. The dentist was fined $12,000. Before hiring someone to shred and dispose of your records, look deeply into their business history.

When it comes time for disposal, you can’t just throw patient records in the trash. According to the Department of Health and Human Services, a properly destroyed medical record or piece of Patient Health Information has to be made “unreadable, indecipherable, and otherwise unable to be reconstructed.”

 

HIPAA Breach Example 2: Failure to Notify Patients that Their Data Was Compromised

My second example of a HIPAA breach is an Arkansas oral surgery group that was attacked by ransomware on their computer. All their data was locked for a three-week period. They were unable to access their patient records, so as a result, they needed to notify all those patients that their data had possibly been compromised. This is a reminder that no matter how secure you think your systems are, you have got to keep reviewing and updating your security software on a regular basis. Plus, you need a backup of patient contact information so you can notify your patients if their data may have been compromised.

 

HIPAA Breach Example 3: Digital Records Denied Access by Software Vendor

My third example is a Florida practice whose electronic health records (EHR) vendor will not return their records after the practice terminated the vendor’s service. Not only does this violate the end user license agreement, but it also violates HIPAA. This is apt to become a visible and interesting case as the law is very specific. Even if the dental practice owed that vendor money, the vendor is not allowed to withhold the records.

If you do not have an electronic backup of your patients’ EHR information, in a situation like this one, your hands are tied while resolution is sought. You will be unable to comply with patient requests for a copy of their records and adhere to other important aspects of HIPAA compliance.

Carefully evaluate any EHR vendor under consideration. Make sure your patient records are backed up on a secure server you have access to at all times, emergency or otherwise.

 

The Consequences of HIPAA Breaches

There are many additional types of HIPAA breaches that have put dental practices in “hot water” and increased the risk of negative consequences such as the following, but at the end of the day, the patients are the real victims.

When your dental practice breaches HIPAA privacy rules, you are at risk for:

  • Rupture in the good relationships you have with patients
  • Injury to patient trust
  • Damage to the practice reputation
  • Department of Health and Human Services review and penalties
  • Disruption of smooth practice operations 
  • Litigation and recovery costs in terms of time, money, and emotions
  • Employee concerns about the stability of the practice 
  • Lowered workplace enjoyment

I recommend that dental practice owners team with their office managers and team leaders to eliminate risk by:

  • Being well informed about HIPAA compliance and common pitfalls 
  • Making sure all team members receive HIPAA training  
  • Safeguarding electronic information and paper documents 
  • Being vigilant to spot potential problems in your operations that could lead to HIPAA compliance failures 
  • Having a HIPAA expert come in to do a compliance audit and coach the team
  • Taking any needed corrective measures as fast as possible 

 

More HIPAA Related Resources

Within this Patient Prism blog, you will find more videos that focus on HIPAA compliance. And Patient Prism subscribers can access additional HIPAA compliance videos in Patient Prism Academy -- an extensive, online, video-learning library that contains over 900 videos featuring experts in dentistry.