BENEFITS

Common HIPAA Dental Office Violations

Did you realize the Health Insurance Portability and Accountability Act (HIPAA) was enacted 25 years ago? We've lived with it for so long that perhaps your office handles it so well it's on autopilot, or perhaps it has become a constant din in the background that needs attention. Both practice scenarios can still be prone to HIPAA violations, which can be detrimental to your practice, leading to costly fines and reputation damage. What many practices fail to realize is that while many breaches lead to the discovery of HIPAA violations, it's not the breach itself that causes the violation; rather, it's typically due to the lack of a comprehensive HIPAA program and lack of training. So, what are common HIPAA violations you can prepare your dental practice against?
UNAUTHORIZED DISCLOSURE OF PHI ON SOCIAL MEDIA
While social media can be a good way to increase patient engagement, there are restrictions on when patient information can be shared publicly. To use any protected health information (PHI) on social media, it is required to have signed, written consent from the patient to do so. Using patient testimonials, images or videos for marketing purposes without prior written consent is a HIPAA violation. In the past, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has fined multiple healthcare providers for social media violations. Some of these incidents were accidental, with healthcare workers posting an image on social media with PHI unknowingly in the background, while others were intentional, with healthcare workers exposing diagnosis information online.
IMPROPER RESPONSE TO REVIEWS
In 2019, a single-practitioner dental office was fined $10,000 for responding to a patient Yelp review. The dental practice responded to several reviews on their Yelp page in which they improperly disclosed patient information, including patients' full names and treatment information. "Social media is not the place for providers to discuss a patient's care," said former OCR Director, Roger Severino. "Doctors and dentists must think carefully about patient privacy before responding to online reviews." Responding to patient reviews while complying with HIPAA can be tricky. It is not permitted to confirm that a patient is in fact a patient even if the patient has self-disclosed their information publicly. Even "thank you for coming in" or "sorry you had a bad experience" are HIPAA violations. The best way to respond to a patient review is a simple "thank you" or "please call us," or not at all.

18 focus | SEP/OCT 2021 | ISSUE 5
FAILURE TO MEET RIGHT OF ACCESS
Since the OCR announced its right of access enforcement initiative, it has fined 19 healthcare providers for failing to meet the standard. The right of access standard gives patients the right to request copies of their medical records. Records must be provided to the patient within 30 days of the request, in the format the patient requests, when it is reasonably appropriate to do so. The standard also requires providers to adhere to a reasonable cost-based fee for meeting the request. Although some providers have been fined for charging excessive fees for providing records, most right of access HIPAA violations resulted from failing to provide patients with timely access to their medical records. In some instances, patients were only provided their records after the OCR intervened, with the OCR closing its investigation years later.
IMPROPER DISPOSAL OF RECORDS
There have been several instances in which healthcare providers have been investigated for dumping paper records in unsecured public dumpsters. One of these instances involved a dentist who dumped more than 60 boxes of patient files in a dumpster in Indianapolis and was fined $12,000 for doing so.
To properly dispose of paper medical records, they must be shredded, burned, pulped or pulverized to render PHI unreadable, and unable to be reconstructed. PHI stored in an electronic format must be cleared, purged or destroyed for proper disposal.
FAILURE TO CONDUCT AN ACCURATE AND THOROUGH RISK ASSESSMENT
Dental practices are required to conduct an accurate and thorough security risk assessment (SRA) annually to identify risks and vulnerabilities to PHI. When healthcare organizations fail to conduct an SRA, they are ill-equipped to keep patient information secure, often leading to breaches. Conducting an annual SRA is one of the most important aspects of HIPAA compliance, as healthcare breaches have skyrocketed over the past couple of years. Hackers often target healthcare organizations due to the vast amount of sensitive information they hold on their patients. The information obtained in a healthcare breach can be sold on the black market, leading to identity theft and financial fraud.
This article has been contributed by Compliancy Group, a HIPAA consulting and coaching group co-endorsed by the ADA and MDA. Compliancy Group helps practices achieve HIPAA compliance with coaches to guide them through the entire process. Learn more about their products and services at compliancy-group.com or call 855-85-HIPAA. Read more about common HIPAA violations at compliancy-group.com/common-hipaa-violations and security risk assessments at compliancy-group.com/what-is-a-hipaa-security-risk-analysis.