Is your office HIPAA-proofed as well as you think it is? In an age of daily computer security breaches, hacker wars and the "dark net," it's easy to assume proper HIPAA compliance begins with a hefty check to an IT consultant and lengthy, ever-changing passwords. While these indeed contribute to a strong defense against privacy threats, an often-overlooked vector for HIPAA violations comes through low-tech means. Have you seen any of the following in your practice?
- Discarding Rather Than Shredding Documents
When office staff make a copy of patient records, and it turns out blurry or cut-off, do they shred it immediately? Shredding machines can be loud and troublesome, and it would be easy to toss a blurry and incomplete copy in the recycling instead of the shredder. However, this is potentially a HIPAA violation, as some protected health information can still escape the building. Recycling bins are frequent targets for would-be identity thieves, so make sure yours are a spectacular waste of time for these criminals.
- Copy Machine Accidents
Here's another copy issue in smaller offices that make use of a combination scanner/fax machine/printer: "form sandwiching." With many staff sharing the same printer, it is not uncommon for other documents to slip in between different patient forms. For example, staff could print a consent form for scaling and root planing, and another for nitrous oxide sedation. In between printing the first and second forms, a fax could come through containing a report by a different patient's cardiologist, discussing that patient's cardiac history and recommending against oral sedation. The staff member picks up the stack and leafs through it quickly, seeing both consent forms, and delivers it to the patient. Unfortunately, the patient has also been handed a cornucopia of protected health information. Make sure that your staff is carefully examining each print stack for any inadvertently layered documents!
- Neglecting Auditory Privacy
Here's an everyday interaction that could violate HIPAA hundreds of times a week. When a patient checks in, does your front desk associate ask them "Are you (name)? Do you still live at (address)? And is your date of birth (date)?" If any of this could be overheard by other patients or staff who are not working on that patient, it's a HIPAA violation. Names, birthdates and addresses are all personal information protected under HIPAA. You are absolutely NOT covered by the placard saying, "We cannot guarantee auditory privacy in this area." It is the office's responsibility to ensure privacy, not the patient's to ask for it. Consider having patients confirm their information on a screen or tablet that is difficult to read at a distance, or print an appointment confirmation slip that patients must initial before seeing the dentist.
The information contained in this or any case study post in Incisor should never be considered a proper replacement for necessary training and/or education regarding adult oral conscious sedation. Regulations regarding sedation vary by state. This is an educational and informational piece. DOCS Education accepts no liability whatsoever for any damages resulting from any direct or indirect recipient's use of or failure to use any of the information contained herein. DOCS Education would be happy to answer any questions or concerns mailed to us at 106 Lenora Street, Seattle, WA 98121. Please print a copy of this posting and include it with your question or request.