Common HIPAA Violations in the Dental Field + How to Avoid Them
Learn the most common HIPAA violations in the dental field, what the consequences (and penalties) are, and how to avoid them to keep patient information secure.
By nature, medical and dental practices have to collect, store, and manage patients’ electronic health records. HIPAA compliance is more important than ever - patient information is extremely personal and private, so it must be kept safe and secure at all times.
To ensure that electronic protected health information (ePHI) is managed properly, practices must follow HIPAA regulations, which define standards for storing and transmitting ePHI. In addition to outlining how to properly handle patient records, these guidelines set out penalties and are meant to help you avoid violating patients’ privacy.
Despite practices’ best efforts, errors can still occur that breach private information.
You can keep your patients’ information safe by learning about the most common HIPAA violations in the dental field and how to avoid them. This article will dive deeper into HIPAA compliance and the following topics.
- What are HIPAA violations in the dental industry?
- 5 ways dental offices breach or violate HIPAA compliance
- 6 examples of dental HIPAA violations
- Avoid common HIPAA violations with NexHealth
What are HIPAA violations in the dental industry?
The Health Insurance Portability and Accountability Act (HIPAA) sets the necessary standards and measures to protect patients’ health data to prevent the disclosure of sensitive patient information without proper and prior consent. Unfortunately, even the best systems are not foolproof, and HIPAA violations in the dental field can occur.
The severity of a dental office's offense determines the consequences and penalties for dental HIPAA violations. If sensitive patient information is improperly disclosed and you break HIPAA rules, it can lead to as much as a $100,000 fine. It’s extremely important for your practice to keep patient information secure and avoid violating HIPAA regulations.
5 ways dental offices breach or violate HIPAA compliance
Dental office HIPAA violations can occur for different reasons. The cause of breaches can range from human error to cyberattacks. Often, dental offices breach these HIPAA laws regarding security and privacy. Let's examine 5 ways dentists and dental practices breach HIPAA compliance.
1. Poor cybersecurity
Security should be a significant priority in healthcare since any compromise will have repercussions. As a dental office in our technology-filled world, you need the right software and systems to prevent phishing, viruses, spam, and potential malware that can steal patient data.
How to avoid it:
The HIPAA Security Rule requires technical, physical, and administrative safeguards to be in place, and that is how HIPAA violations in the dental field are avoided. One of these safeguards is having the technology needed to protect your patients’ information, such as firewalls, access control, activity logs, and adequate encryption.
2. Unauthorized access to patient information
One clear example of a dental HIPAA violation is unauthorized access to a patient’s dental information. Lapses in administration can lead to this, especially if employees snoop around patient data or computer systems have weak security or lack proper access controls.
How to avoid it:
Dental offices can avoid such an incident with technology that regulates access to only authorized personnel. With systems in place to regulate the handling of patient information, you can better protect patients from breaches of ePHI and also better track where the breach occurred.
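The two controls named above, access limited to authorized personnel and a record that lets you trace where a breach occurred, can be expressed directly in code. The following is an added illustration written for this article; it is not NexHealth's code or any product's API, and the role names, usernames and patient IDs are constructed sample data. A chart lookup is served only when the caller's role permits it and the caller has a treatment relationship with the patient, every attempt (allowed or denied) is appended to an audit log, and a second function replays that log to flag staff whose repeated denials look like chart browsing.

```python
from collections import Counter
from dataclasses import dataclass, field

# Roles permitted to open a clinical chart at all. Hypothetical role names,
# standing in for whatever a practice's own policy defines.
CHART_READ_ROLES = {"dentist", "hygienist"}


@dataclass
class Patient:
    patient_id: str
    care_team: set  # usernames with a treatment relationship to this patient


@dataclass
class AccessEvent:
    when: str        # ISO-8601 timestamp of the attempt
    user: str
    role: str
    patient_id: str
    allowed: bool
    reason: str


@dataclass
class ChartStore:
    patients: dict
    audit_log: list = field(default_factory=list)  # append-only record of every attempt

    def read_chart(self, user, role, patient_id, when):
        """Decide whether `user` may open `patient_id`'s chart and log the decision.

        Returns (allowed, reason). Denials are logged too: the log is what lets
        the practice reconstruct who looked at which record, not only successes.
        """
        patient = self.patients.get(patient_id)
        if patient is None:
            allowed, reason = False, "unknown-patient"
        elif role not in CHART_READ_ROLES:
            allowed, reason = False, "role-not-permitted"
        elif user not in patient.care_team:
            allowed, reason = False, "no-treatment-relationship"
        else:
            allowed, reason = True, "ok"
        self.audit_log.append(AccessEvent(when, user, role, patient_id, allowed, reason))
        return allowed, reason


def chart_access_report(audit_log, patient_id):
    """Who touched (or tried to touch) one patient's chart, oldest first."""
    return [(e.when, e.user, e.allowed, e.reason)
            for e in audit_log if e.patient_id == patient_id]


def flag_snooping(audit_log, max_denials=3):
    """Users whose denied chart reads reach `max_denials` are candidates for review.

    Repeated denials for records outside a user's care team are the signature
    of an employee browsing charts they have no reason to see.
    """
    denials = Counter(e.user for e in audit_log if not e.allowed)
    return sorted(user for user, n in denials.items() if n >= max_denials)


def demo():
    """Constructed sample data: two patients, three staff members, a few lookups."""
    store = ChartStore(patients={
        "P001": Patient("P001", care_team={"drlee", "hyg_ana"}),
        "P002": Patient("P002", care_team={"drlee"}),
    })
    store.read_chart("drlee", "dentist", "P001", "2024-03-04T09:05")      # treating dentist: allowed
    store.read_chart("sam", "receptionist", "P001", "2024-03-04T09:10")   # front desk role: denied
    for minute in ("12:01", "12:02", "12:03", "12:04"):                   # hygienist browsing a stranger's chart
        store.read_chart("hyg_ana", "hygienist", "P002", f"2024-03-04T{minute}")
    return store, flag_snooping(store.audit_log)


if __name__ == "__main__":
    store, flagged = demo()
    for event in store.audit_log:
        print(event)
    print("review:", flagged)  # → review: ['hyg_ana']
```

The denial threshold in `flag_snooping` is a tuning knob: a single denied read is usually a mis-click, while a run of denials against patients outside a user's care team is what a privacy officer would want to see on a weekly report. In a real system the audit log would be written to storage the user cannot alter, which is what makes it usable as evidence after a breach.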
3. Improperly disposing of patient information
Wrongly disposing of papers and devices with patient information can lead to breaches, as we will see in dental HIPAA violation cases. While printed information can be disposed of by throwing it away, it has to be shredded first to destroy the records adequately. When electronic devices with patient data are being replaced, the devices need their hard drives wiped clean and should not have a trace of information on them.
How to avoid it:
Rather than printing information and storing it, many dental offices have opted for a cloud-based platform that can easily store data on a remote and secure server, helping you avoid common dental office HIPAA violations.
4. Releasing protected health information to unauthorized groups
Dental offices cannot release patient health information to any groups without authorization, as it breaches the HIPAA Privacy Rule. This kind of breach includes potential disclosures through data loss, theft, and the use of unencrypted computers and devices. Your practice may incur a hefty financial penalty for these dental office HIPAA violations.
How to avoid it:
Such HIPAA violations can be avoided by having encrypted computers and devices with strong security. That way, even if the devices are stolen, patient information is still protected and cannot be accessed.
Cloud-based platforms with high-security systems are often the solution, as they allow access only to authorized users, while the data is stored elsewhere.
5. Inadequate staff training
Many HIPAA violations occur through dental staff who have poor training or a poor understanding of the regulations they have to follow. An example of this could be procedure photos or videos that are uploaded to social media without consent. Employees who have access to patient information must have a valid reason for accessing it and must access it via controlled systems; otherwise they may commit a HIPAA violation.
How to avoid it:
Ensure dental office staff are properly trained on HIPAA policies and that they fully understand the rules, regulations, and downsides of any violation. To adhere to HIPAA guidelines, front desk staff must know how to use their EHR and patient experience software to ensure patient information is protected.
6 examples of dental HIPAA violation cases
Historically, dental practices have been caught violating HIPAA rules and some still do each year. The resulting lawsuits can be costly for your practice and can also negatively impact your reputation as a dentist.
Let's examine six examples of dentists and dental practices that violated HIPAA compliance to understand how these violations occur and help you avoid them.
1. Not destroying old patient files properly
One early dental HIPAA violation case involved the improper disposal of patient information. In this case, a contracted data company failed to destroy the paper records. Five years of patient records, almost 7,000 files from a dentist's former Comfort Dental practice, were found in a recycling dumpster.
Outcome and consequences:
The Indiana Attorney General’s Office sued the dentist for improperly disclosing patient health information, which led to the revocation of his practicing license for negligence and a $12,000 fine.
How this could have been avoided:
If the dentist in Indiana had opted for a secure, cloud-based solution, this incident would not have happened. A modern tech-based solution gives the patient the right to have records deleted and ensures that the files are wiped clean.
2. Disclosing health information
After receiving a negative review, Elite Dental Associates responded to it. However, they broke the HIPAA Privacy Rule in their response to the review: they divulged the patient’s information, including their name and details about their health condition.
Outcome and consequences:
Elite Dental Associates received a fine because of several similar violations. In the aftermath, the practice had to pay about $10,000 to settle the improper disclosures of protected patient information. In addition, the dental practice went through two years of corrective monitoring by the Office for Civil Rights for compliance with HIPAA regulations.
How this could have been avoided:
Proper staff training and understanding of HIPAA rules could have prevented the breach. Also, adopting a corrective action plan when minor violations occur can prevent major ones from happening later.
3. Hacking attacks on dental office systems
An Oregon-based company, Advantage Dental, detected hackers successfully infiltrating its computer systems using malware. After discovering the activity, the company shut off access to the data.
Outcome and consequences:
The hackers potentially accessed the records of over 150,000 patients within the internal computer systems. The incident was reported to the Oregon Attorney General’s office, the Oregon State Police, and the U.S. Secret Service.
How this could have been avoided:
During the investigation, the company discovered that the hackers had accessed its computer systems using malware that escaped detection by its antivirus software. Thus, regularly updating antivirus and cybersecurity software is crucial in preventing breaches. Having a HIPAA-compliant solution ensures that you are compliant without having to manage the protections yourself.
4. Ransomware attacks that hold patient records hostage
A ransomware attack uses encryption to hold a victim's information hostage, preventing the victim from accessing critical data such as files, databases, or applications. A ransom is demanded before access is restored to the victim. Such an attack happened to Complete Technology Solutions. A similar incident occurred at Digital Dental Record, affecting about 400 practices that used the medical record backup service, DDS Safe. However, Digital Dental Record used a decryptor to recover some client files.
Outcome and consequences:
The attack on Complete Technology Solutions affected more than 100 dental office clients. Those without insurance or backups suffered heavy losses. Other dental offices gave in to the attackers and had to pay large sums of money to regain access to their data.
How this could have been avoided:
Although malware is difficult to detect, robust cybersecurity systems are always a good idea. Also, working with companies with a proven track record against cybercrime can give some assurance. It is also beneficial to keep offsite backups for your dental office in the event that HIPAA violations or cyber breaches occur.
5. Filming patients without consent
A dentist in Alaska filmed and shared a tooth extraction on social media. In the video, it was clear that he actually performed the extraction on a hoverboard. The patient had not consented to have her tooth taken out while the dentist was on a hoverboard, nor did the patient consent to being filmed.
Outcome and consequences:
The dentist faced penalties for operating while using the hoverboard and for sharing a patient procedure without consent. This incident brought the dentist under investigation, and additional charges were brought; in total, he was sentenced to 12 years in prison.
How this could have been avoided:
The dentist could have avoided the incident if he had simply not recorded the patient without consent or asked the patient for permission before the procedure. Furthermore, the dentist should have adhered to proper protocol and refrained from operating while using a dangerous device.
6. Phishing emails aimed at dental practices
Phishing is a cyber-attack used to steal user data like system login credentials, social security numbers, and other important information. Usually, the attacker dupes a victim into opening an email while pretending to be a trustworthy contact. In 2019, an employee of Delta Dental Arizona fell victim to a phishing attack.
Outcome and consequences:
The attack left patient health information exposed to unauthorized individuals, so Delta Dental Arizona had to notify the affected clients, although there was no data misuse. However, investigations had to be conducted to ensure that other accounts were not compromised.
How this could have been avoided:
Proper employee training could have reduced the staff’s vulnerability to this attack. The staff should know how to identify and avoid phishing emails, and patients receiving communications by email should have provided informed consent.
Avoid common dental HIPAA violations with NexHealth
Patients’ health information contains sensitive data which must be kept secure. HIPAA regulations are in place to protect patients’ data and rights. Using NexHealth's EHR-integrated real-time scheduling software, you can be assured that its technical safeguards will help your dental practice avoid the most common HIPAA violations in the dental field.