1. Using Windows XP
For some doctors this may seem a laughable idea, but a full seven percent of businesses in the US are still using computers running the operating system Windows XP, which is no longer being updated or investigated for security holes. This extends well beyond the operating system itself – nearly every application has stopped being updated for Windows XP, so if any security flaws in an application are found, it will be by hackers and not by the developers, as in the recent WannaCry ransomware attack.
How to fix it: Pony up for Windows 10. Although the time frame for a free upgrade has passed, it's much cheaper than paying to de-virus your network in addition to any HIPAA penalties should your breach include patient information. In most cases you, not your IT department, are liable for any breaches.
2. Not Shredding Trash
Another item that is obvious in hindsight yet often overlooked is the need to completely shred all patient-related trash, including documents but also other accessory items. A pharmacy incurred severe penalties for throwing out pill bottles with labels carrying patient information still affixed to the side. Rather than try to feed pill bottles through your shredder, simply remove and shred the labels.
How to fix it: If you're not willing to invest in a quality paper shredder (which, even so, can still jam and be a major pain) consider using a secure shredding service like Iron Mountain.
3. Releasing Information to a Non-Designated Party
Here's a familiar scenario: the 18-year-old college kid forgets to include his mom on his HIPAA release forms. His mom is paying for treatment and swings by your office on her way home, looking to pay the bill and know what treatment was performed. Flustered, your front desk assistant tells her that the dentist gave her son a filling and patched a small chip. While a well-intended gesture, this is a HIPAA violation.
How to fix it: To remain compliant with HIPAA, you cannot release any information pertaining to an adult patient to a parent without proper authorization from the patient. Even if it's obvious they've simply missed an item on the form, it's better to be safe than sorry. You never know whether a parent trying to pay a bill might be estranged and attempting to locate or put pressure on their child and the other parent, possibly in violation of a protective order.
The information contained in this, or any case study post in Incisor should never be considered a proper replacement for necessary training and/or education regarding adult oral conscious sedation. Regulations regarding sedation vary by state. This is an educational and informational piece. DOCS Education accepts no liability whatsoever for any damages resulting from any direct or indirect recipient's use of or failure to use any of the information contained herein. DOCS Education would be happy to answer any questions or concerns mailed to us at 106 Lenora Street, Seattle, WA 98121. Please print a copy of this posting and include it with your question or request.