Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

NueMD’s Startling HIPAA Compliance Survey Results

Posted on December 12, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

In a recent HIPAA compliance survey of 1,000 medical practices and 150 medical billing companies, NueMD found some really startling results about medical practices’ understanding and compliance with HIPAA. You can see their research methodology here and the full HIPAA Compliance survey results.

This is the most in depth HIPAA survey I’ve ever seen. NueMD and their partners Porter Research and The Daniel Brown Law Group did an amazing job putting together this survey and asking some very important questions. The full results take a while to consume, but here’s some summary findings from the survey:

  • Only 32 percent of medical practices knew the HIPAA audits were taking place
  • 35 percent of respondents said their business had conducted a HIPAA risk analysis
  • 34 percent of owners, managers, and administrators reported they were “very confident” their electronic devices containing PHI were HIPAA compliant
  • 24 percent of owners, managers, and administrators at medical practices reported they’ve evaluated all of their Business Associate Agreements
  • 56 percent of office staff and non-owner care providers at practices said they have received HIPAA training within the last year

The most shocking number for me is that only 35% of respondents had conducted a HIPAA risk analysis. That means that 65% of practices are in violation of HIPAA. Yes, a HIPAA risk analysis isn’t just a requirement for meaningful use, but was and always has been a part of HIPAA as well. Putting the HIPAA risk assessment in meaningful use was just a way for HHS to try and get more medical practices to comply with HIPAA. I can’t imagine what the above number would have been before meaningful use.

These numbers explain why our post yesterday about HIPAA penalties for unpatched and unsupported software is likely just a preview of coming attractions. I wonder how many more penalties it will take for practices to finally start taking the HIPAA risk assessment seriously.

Thanks NueMD for doing this HIPAA survey. I’m sure I’ll be digging through your full survey results as part of future posts. You’ve created a real treasure trove of HIPAA compliance data.

Firewall & Windows XP HIPAA Penalties

Posted on December 11, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Anchorage Community Mental Health Services, Inc, has just been assessed a $150,000 penalty for a HIPAA data breach. The title of the OCR bulletin for the HIPAA settlement is telling: “HIPAA Settlement Underscores the Vulnerability of Unpatched and Unsupported Software.” It seems that OCR wanted to communicate clearly that unpatched and unsupported software is a HIPAA violation.

If you’re a regular reader of EMR and HIPAA, then you might remember that we warned you that continued use of Windows XP would be a HIPAA violation since Windows stopped providing updates to it on April 8, 2014. Thankfully, it was one of our most read posts with ~35,000 people viewing it. However, I’m sure many others missed the post or didn’t listen. The above example is proof that using unsupported software will result in a HIPAA violation.

Mike Semel has a great post up about this ruling and he also points out that Microsoft Office 2003 and Microsft Exchange Server 2003 should also be on the list of unsupported software alongside Windows XP. He also noted that Windows Server 2003 will stop being supported on July 14, 2015.

Along with unsuppported and unpatched software, Mike Semel offers some great advice for Firewalls and HIPAA:

A firewall connects your network to the Internet and has features to prevent threats such as unauthorized network intrusions (hacking) and malware from breaching patient information. When you subscribe to an Internet service they often will provide a router to connect you to their service. These devices typically are not firewalls and do not have the security features and update subscriptions necessary to protect your network from sophisticated and ever-changing threats.

You won’t find the word ‘firewall’ anywhere in HIPAA, but the $ 150,000 Anchorage Community Mental Health Services HIPAA penalty and a $ 400,000 penalty at Idaho State University have referred to the lack of network firewall protection.

Anyone who has to protect health information should replace their routers with business-class firewalls that offer intrusion prevention and other security features. It is also wise to work with an IT vendor who can monitor your firewalls to ensure they continue to protect you against expensive and embarrassing data breaches.

Be sure to read Mike Semel’s full article for other great insights on this settlement and what it means.

As Mike aptly points out, many organizations don’t want to incur the cost of updating Windows XP or implementing a firewall. It turns out, it’s much cheaper to do these upgrades than to pay the HIPAA fines for non-compliance. Let alone the hit to your reputation.

Are You A Sitting Duck for HIPAA Data Breaches? – Infographic

Posted on November 18, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The people at DataMotion, cloud based HISP providers, sent me the following infographic covering the HIPAA data breaches. It’s a good reminder of the potential for data breaches in healthcare. As Marc Probst recently suggested, we should be focusing as much attention on things like security as we are on meaningful use since the penalties for a HIPAA violation are more than the meaningful use penalties.

Are You A Sitting Duck for HIPAA Data Breaches Infographic

HIPAA Privacy Infographic

Posted on November 4, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Caradigm, a population health company, recently sent me this HIPAA Privacy infographic. As a sucker for infographics, I had to share. While related to HIPAA, the BYOD data at the top of the infographic certainly paints an important picture for healthcare IT administrators. What data stands out to you?

Privacy Breaches

Data Sources:

http://www.arubanetworks.com/pdf/solutions/HIMSSSurvey_2012.pdf

http://www.pcworld.com/article/250642/85_of_hospitals_embrace_byod_survey_shows.html

http://apps.himss.org/content/files/FINALThirdAnnualMobileTechnologySurvey.pdf

“Fourth Annual Benchmark Study on Patient Privacy and Data Security.” Ponemon Institute. 12 March 2014.

http://www.redspin.com/docs/Redspin-2013-Breach-Report-Protected-Health-Information-PHI.pdf

http://www.fiercehealthit.com/story/ocr-levies-2-million-hipaa-fines-stolen-laptops/2014-04-23

http://www.fiercehealthit.com/story/boston-teaching-hospital-fined-15m-ephi-data-breach/2012-09-18

http://blogs.wsj.com/cio/2014/05/09/patient-data-leak-leads-to-largest-health-privacy-law-settlement/

http://www.nytimes.com/2011/09/09/us/09breach.html?pagewanted=all&_r=0

Are You HIPAA Secure?

Posted on October 14, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I was recently asked to provide some tips on health IT and data security for a healthcare lawyer’s website. You can see the final blog post here, but I thought I’d share the 3 suggestions and tips I sent to them.

1. Encrypt all of your computers that store PHI (Protected Health Information) – If your hard drive is lost or stolen and it’s not encrypted, you’ll pay the price big time. However, if it’s encrypted you won’t have to worry nearly as much.

2. Avoid Sending SMS Messages with PHI – SMS is not HIPAA secure and there are plenty of high quality secure, HIPAA compliant text message options out there. Find one you like and use it. While being secure it also has other features like the ability to see if the recipient has read the message or not.

3. Do a HIPAA Risk Assessment – Not only is this required by HIPAA and meaningful use, it’s a good thing to do for your patients. Don’t fake your way through the assessment. Really dig into the privacy and security risks of your organization and make reasonable choices to make sure that you’re protecting your health data.

No doubt there’s a lot more that could be said about this topic, but I think these three areas are a good place to start. A huge portion of the HIPAA breaches that have occurred could have been prevented by doing these three things.

If you have other suggestions for people, I’d love to hear them in the comments. I’m sure there are some more obvious ones that I’ve missed.

Confusing HIPAA Compliance With Security

Posted on October 2, 2014 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Most people  who read this publication know that while HIPAA compliance is necessary, it’s not sufficient to protect your data. Too many healthcare leaders, especially in hospitals, seem satisfied with the song and dance their cloud vendor gave them, or the business associate that promises on a stack of Bibles that it’s in compliance.

I was reminded of this just the other day when Reuters came out with some shocking statistics. One particularly discomforting stat it reported was the fact that medical data is now worth 10 times more than your credit card number on the black market (even if John has argued otherwise). Why? Well, among other things, because medical identity theft isn’t tracked well by providers and payers, which means that a stolen identity can last for months or years before it’s closed down.

Healthcare is not only lagging behind other industries in terms of its hardware and software infrastructure, but the extent to which its executives give a care as to how exposed they are to a breach. Security experts note that senior executives in hospitals see security as a tactical, not a strategic problem, and they don’t spend much time or money on it.

But this could be a deadly mistake. As Jeff Horne, vice president at cybersecurity firm Accuvant, noted to Reuters, “healthcare providers and hospitals are just some of the easiest networks to break into. When I’ve looked at hospitals, and when I’ve talked to other people inside of a breach, they are using very old legacy systems – Windows systems that are 10+ years old that have not seen a patch.”

As if that wasn’t enough, it’s been increasingly demonstrated that medical devices — from infusion pumps to MRIs — are also frighteningly vulnerable to cyber attacks. The vulnerabilities might not be found for months, and when they are, the hapless provider has to wait for the vendor to do the patching to stay in FDA compliance.

So far, even the biggest HIPAA breaches — notably the 4.5 million patient records stolen from hospital giant Community Health Systems — don’t seem to have generated much change. But the sad truth is that unless hospitals get their act together, focused senior executive attention on the issue, and spend enough money to fix the many vulnerabilities that exist, we’re likely to be at the forefront of a very ugly time indeed.

The Just Enough Culture of HIPAA Compliance

Posted on September 10, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Today I was lucky to finally have a long lunch with Mike Semel from Semel Consulting. Ironically, Mike has a home in Las Vegas, but with all of his travel, we’d never had a chance to meet until today. However, we’ve exchanged a lot of emails over the years as he regularly responds to my blog posts. As Mike told me, “It feels like I’ve known you for a long time.” That’s the power of social media in action.

At lunch we covered a lot of ground. Mostly related to HIPAA security and compliance. As I try to process everything we discussed, the thing that stands out most to me is the just enough culture of HIPAA compliance that exists in healthcare. I’ve seen this over and over again and many of the stories Mike shared with me confirm this as well. Many healthcare organizations are doing just enough to get by when it comes to HIPAA compliance.

You might frame this as the “ignorance is bliss” mentality. In fact, I’m not sure if it’s even fair to say that healthcare organizations are doing just enough to comply with HIPAA. Most healthcare organizations are doing just enough to make their conscience feel good about their HIPAA compliance. People like to talk about Steve Jobs “reality distortion field” where he would distort reality in order to accomplish something. I think many in healthcare try and distort the realities of HIPAA compliance so they can sleep good at night and not worry about the consequences that could come upon them.

Ever since HIPAA ombnibus, business associates have to be HIPAA compliant as well. Unfortunately, many of these business associates have their own “reality distortion field” where they tell themselves that their organization doesn’t have to be HIPAA compliant. I don’t see this ending well for many business associates who have a breach.

The solution is not that difficult, but does take some effort and commitment on the part of the organization. The key question shouldn’t be if you’re HIPAA compliant or not. Instead you should focus on creating a culture of security and privacy. Once you do that, the compliance part is so much easier. Those organizations that continue this “just enough” culture of HIPAA compliance are walking a very thin rope. Don’t be surprised when it snaps.

OCR Fines Are the Least of Your Worries in a HIPAA Related Breach

Posted on August 27, 2014 I Written By

The following is a guest blog post by Art Gross, Founder of HIPAA Secure Now!.
Art Gross Headshot
Ask any medical professional about their biggest concern for protecting patient information and they will probably tell you about the threat of a random audit conducted by the Office of Civil Rights (OCR). OCR is tasked with enforcing HIPAA regulations and has the ability to hand out fines up to $1.5 million per violation for a HIPAA breach and failing to comply with HIPAA regulations.

With recent fines of $4.8 million handed out to New York and Presbyterian Hospital and $1.7 million fine to Concentra Health Services, physicians have good reason to worry.  These massive fines were levied not as the result of a random audit, but for the mandatory reporting of patient data breaches to the Department of Health and Human Services (HHS), and the investigation that followed.  So physicians need to reconsider where their real concerns should lie.

Ponemon Study

The 2013 Cost of a Data Breach Study by the Ponemon Institute calculated lost or stolen patient records at $233 per record. Let’s take a look at how quickly the cost of a HIPAA breach can add up:

# of Records Breached Cost
1 $233
10 $2,330
100 $23,300
1,000 $233,000
10,000

100,000

$2,330,000

$23,330,000

The cost of the recent Community Health Systems 4.5 million patient records breach could cost more than $1 billion!

Whether a medical provider loses 1,000 or 10,000 patient records the financial impact could easily set back the organization or even put it out of business.  But the “hidden cost” of a HIPAA breach that shouldn’t be overlooked is the damage to the provider’s reputation, lost trust from patients and the resulting sharp decline in revenues.

Lost patient records sparks negative publicity.  Take Phoenix Cardiac Surgery (PCS) for example. The Arizona medical practice with five physicians got slapped with a $100,000 fine for a HIPAA breach in 2012. A current search on Google returns the practice’s website plus 28 links to negative news stories related to the HIPAA fine. The consequences? A patient searching a referred cardiac surgeon from PCS finds the negative publicity and decides to continue searching for another surgeon. Or, an existing patient of PCS decides to look for another medical practice that takes every measure to safeguard his privacy.

Other Cost Factors

Beyond revenue loss and a damaged reputation are the direct overhead costs associated with a breach. The cost of discovering and stopping a breach may involve IT services, forensic investigative services to determine which systems and patients were affected, and legal counsel if patients file a lawsuit. There are also hard costs associated with notifying patients affected by the breach, including time spent to pull together their contact information, mailing out notifications and providing toll-free inbound phone numbers to handle complaints. Most organizations also provide identity and credit monitoring services for affected patients. All of these expenses add up, not to mention the cost of lost productivity due to the diverted attention of employees tasked with managing these processes.

Today it’s not uncommon for laptops, tablets and USB drives with patient records to disappear.  Or, for crime rings to hack into EHR systems to steal patient information and commit tax fraud, and for meth dealers to steal patient identities to obtain prescriptions.  If a large hospital system can lose 4.5 million patient records think how easy it is for a hacker to grab thousands of patient records from smaller medical practices and turn them into cash. The threat of a HIPAA breach has never been greater and all organizations should take heed.

Risk Assessment as a First Step

Healthcare organizations, particularly smaller medical practices, should perform a HIPAA risk assessment to look at where patient information is stored and accessed, and how the organization protects that information. It examines the risks of a breach and recommends steps to lower them. Without performing a risk assessment an organization may be lulled into a false sense of security, mistakenly believing they won’t suffer the consequences of a HIPAA breach.  At $233 per lost or stolen record that could be a costly miscalculation.

About Art Gross

Art Gross co-founded Entegration, Inc. in 2000 and serves as President and CEO. As Entegration’s medical clients adopted EHR technology Gross recognized the need to help them protect patient data and comply with complex HIPAA security regulations. Leveraging his experience supporting medical practices, in-depth knowledge of HIPAA compliance and security, and IT technology, Gross started his second company HIPAA Secure Now! to focus on the unique IT requirements of medical practices.  Email Art at artg@hippasecurenow.com.

Full Disclosure: HIPAA Secure Now! is an advertiser on EMR and HIPAA.

Chinese Hackers Reportedly Access 4.5 Million Medical Records

Posted on August 18, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The headline of a tech startup blog I read pretty regularly caught my attention today, “Another day, another Chinese hack: 4.5M medical records reportedly accessed at national hospital operator“. The title seems to say it all. It’s almost like the journalist sees the breach as the standard affair these days. Just to be clear, I don’t think he thinks breaches are standard in healthcare, I think he thinks breaches are standard in all IT. As he says at the end of the article:

Community Health Systems joins a long list of large companies suffering from major cybersecurity breaches. Among them, Target, Sony, Global Payment Systems, eBay, Visa, Adobe, Yahoo, AOL, Zappos, Marriott/Hilton, 7-Eleven, NASDAQ, and others.

Yes, healthcare is not alone in their attempt to battle the powers of evil (and some not so evil, but possibly dangerous) forces that are hacking into systems large and small. We can certainly expect this trend to continue and likely get worse as more and more data is stored electronically.

For those interested in the specific story, Community Health Systems, a national hospital provider based in Nashville reported the HIPAA breach in their latest SEC filings. Pando Daily reported that “Chinese Hackers” used a “highly sophisticated malware” to breach Community Health Systems between April and June. What doesn’t make sense to me is this part of the Pando Daily article:

The outside investigators described the breach as dealing with “non-medical patient identification data,” adding that no financial data was stolen. The data, which includes patient names, addresses, birth dates, telephone numbers, and Social Security numbers, was, however, protected under the Health Insurance Portability and Accountability Act (HIPPA).

I’m not sure what they define as financial data, but social security numbers feel like financial data to me. Maybe they meant hospital financial data, but that’s an odd comment since a stack of social security numbers is likely a lot more valuable than some hospital financial data. The patient data they describe could be an issue for HIPAA though.

As is usually the case in major breaches like this, I can’t imagine a chinese hacker is that interested in “patient data.” In fact, from the list, I’d define the data listed as financial data. I’ve read lots of stories that pin the value of a medical record on the black market as $50 per record. A credit card is worth much less. However, I bet if I were to dig into the black market of data (which I haven’t since that’s not my thing), I bet I’d find a lot of buyers for credit card data tied to other personal data like birth date and addresses. I bet it would be hard to find a buyer for medical data. As in many parts of life, something is only as valuable as what someone else is willing to pay for it. People are willing to pay for financial data. We know that.

We shouldn’t use this idea as a reason why we don’t have to worry about the security and privacy of healthcare data. We should take every precaution available to create a culture of security and privacy in our institutions and in our healthcare IT implementations. However, I’m just as concerned with the local breach of a much smaller handful of patient data as I am the 4.5 million medical record breach to someone in China. They both need to be prevented, but the former is not 4.5 million times worse. Well, unless you’re talking about potential HIPAA penalties.

10 Ways Many Dental Offices Are Breaching HIPAA

Posted on July 28, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The following is a guest blog post by Trevor James.

If you work in the health/dental/medical space, you already know that HIPAA violations are a serious matter. Fines today for not complying with HIPAA laws and regulations are a minimum of $100-$50,000 per violation or record and a maximum of $1.5 million per year for violations of the same provision. Some violations also carry criminal charges with them, resulting in jail time for the violators.

Many dental offices are breaching HIPAA laws without realizing it or have employees doing so without their knowledge.

If you’re a dentist, office manager, or someone who’s been tasked with ensuring HIPAA security within your group, here are the 10 most common ways dental offices are breaching HIPAA regulations so your practice doesn’t make the same mistakes as others.

1. Devices with patient information being stolen

This is a common HIPAA violation for dental offices. It’s important to ensure the devices your dental office uses, like USB flash drives, mobile devices and laptops, are carefully handled and securely stored to prevent them and the patient information on them from being stolen.

2. Losing a device with patient information

Along the same lines as above, it’s also easy (and common) for an employee to lose those kinds of devices. USB flash drives and mobile devices are smaller items, so it’s easy to misplace them. When that happens, it’s easy for sensitive patient information to end up in the wrong hands.

Train your employees on the importance of properly handling these devices and set up some sort of tracking device, like downloading the Find My iPhone app or Where’s My Droid, to help you locate a device if it ends up lost.

3. Improperly disposing of papers and devices with patient information

When it comes time to get rid of papers or devices containing dental records or billing information, be sure you properly dispose of them. Crumpling paper in a ball and throwing it in the trash isn’t the correct way to do things nor is shutting down a device and then tossing it in the garbage. Use a paper shredder and wipe your devices clean of all information before disposing of them.

4. Not restricting access to patient information

Unauthorized access to a patient’s dental information will get you in serious trouble with HIPAA. Patients trust your office with this personal information, so be smart when handling such information so other patients, employees and relatives who aren’t allowed access don’t come across it.

A dental practice breached HIPAA in a case relating to this when they put a red sticker reading “AIDS” on the outside cover of patient folders and those not needing to know said information were able to read it while employees handled the folders. Don’t make simple, costly mistakes like they did.

5. Hacking/IT incidences

Most patient dental information now is stored on computers, laptops, mobile devices, and in the cloud. Today’s technology allows dental practices to more easily communicate, and look up and share patient information or their status on these devices.

The downfall of this technology is the people who are just as smart or smarter than your technology and hack into your devices or systems to get their hands on patient information. Make sure every device has some type of passcode or authentication to get on, install encryptions and enable personal firewalls and security software.

6. Sending sensitive patient information over email

While it’s not a violation to send these kinds of emails, it is a violation if the email is intercepted and/or read by someone without authorized access. Use encryptions and double check that whomever you’re sending the email to is supposed to be receiving the email.

7. Leaving too much patient information over a phone message

A patient may give you the A-Okay to call them, but be sure you don’t leave a message disclosing too much of their information. A friend or family member could check your patient’s message and hear things they shouldn’t, making said patient upset, or equally as bad, you could call the wrong number and say more than you should, which would probably make your patient even more upset with you. Your safest bet when calling a patient and they don’t answer is to leave a message for them to call you back.

8. Not having a “Right to Revoke” clause

When your dental office creates its HIPAA forms, you have to give your patients the right to revoke the permissions they’ve given to disclose their private dental information to certain parties. Not providing this information means your HIPAA forms are invalid and releasing subsequent information to another party puts you in breach of HIPAA.

9. Employees sharing stories about patient cases

People talk. It’s a simple fact. Employees talk with one another and they also talk to patients every workday. Remind them, though, that discussing a patient’s information to an employee lacking authorized access or to other patients is unprofessional and puts your whole practice at risk of being fined by HIPAA.

10. Employees snooping through files

It might seem shocking — or maybe not to some — but employees have been caught snooping through patient and co-worker files before. They do this to find out information for themselves but also because relatives or friends ask them to find things out about a certain person. Snooping is wrong and unprofessional on all levels.

Make sure your employees are clear on this and that they understand how bad the consequences can be for them and your office for doing so.

HIPAA violations in dental offices are all too common. Now that you know the top 10 ways dental offices are breaching HIPAA, you can take every precaution necessary to prevent your practice from violating any HIPAA laws and regulations.

About The Author

Trevor James is the marketing manager for Dentrix Ascend, a cloud based dental practice management software and Viive, a dental practice software for Mac’s.