Sep 21, 2022

How Dentists Can Avoid 7 Common HIPAA Violations

Sarah Harris | Sep 21, 2022 | 7 min read

Even a single HIPAA violation can have serious repercussions for your dentistry practice. Failing to comply with federal regulations can lead to fines, and a violation can also compromise confidential patient data.

Ultimately, this could lead to long-term damage to your dental practice’s reputation and prompt patients to seek a new provider.

Like most providers, you are probably extremely careful to protect your patients’ protected health information (PHI) when actively handling this data. However, what about when you are not interacting with or accessing the data? Is it secure when it is “at rest” on your servers?

Most dental providers are very cognizant of HIPAA regulations governing the sharing of PHI. Unfortunately, many practices have compliance blind spots that can lead to unintentional HIPAA violations. Most of these blind spots are related to how they manage patient data on their technology platforms like Dentrix and Eaglesoft.

To help you avoid falling victim to these same oversights, we have created this list of 7 common HIPAA violations and how you can avoid them. The violations that you should be on the lookout for include the following:

1. Releasing PHI to Unauthorized Entities

The much talked about HIPAA Privacy Rule governs when you can release protected health information and who you can release it to. If you or a staff member releases PHI to unauthorized individuals, businesses, or other entities, you can incur severe penalties.

It is important to note that these releases do not have to be intentional to constitute a violation. Inadvertent or negligent information sharing can also open your practice up to liability.

There are many real-world examples of this. For instance, let’s say that an insurer requests information about a patient and their recent dental procedure for legitimate purposes.

If a staff member sends the insurer the patient’s entire dental records, this may constitute a violation. You are required to disclose the minimum amount of information necessary when sharing PHI with authorized third parties.
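The "minimum necessary" rule above is easiest to enforce when the system that releases data does the filtering rather than the staff member. The following is an added example, not code from the article or from Zenith Dental IT: a per-purpose allow-list that strips a patient record down to the fields an authorized recipient needs, and logs only field names (never values) for the audit trail. The purposes, field names and sample record are constructed assumptions for illustration; a practice would define its own lists in its privacy policy.

```python
"""Minimum-necessary disclosure filter (added example, not from the original article)."""
from typing import Any

# Constructed allow-lists: which record fields each disclosure purpose may
# receive. These purposes and field names are illustrative assumptions, not
# HIPAA-defined categories; a real practice defines its own.
DISCLOSURE_ALLOWLIST: dict[str, frozenset[str]] = {
    # An insurer verifying a claim needs identity, procedure and billing
    # details, not the patient's full clinical history.
    "insurance_claim": frozenset({
        "patient_id", "name", "date_of_birth", "procedure_code",
        "procedure_date", "provider_id", "billed_amount",
    }),
    # An appointment-reminder service needs contact details only.
    "appointment_reminder": frozenset({"name", "phone", "next_appointment"}),
}


class DisclosureError(Exception):
    """Raised when a request names no authorized disclosure purpose."""


def is_authorized_purpose(purpose: str) -> bool:
    """True if the purpose has an allow-list; anything else is refused."""
    return purpose in DISCLOSURE_ALLOWLIST


def minimum_necessary(record: dict[str, Any], purpose: str) -> dict[str, Any]:
    """Return only the fields the stated purpose is allowed to receive.

    Fields absent from the allow-list are dropped rather than redacted, so the
    recipient never learns which extra fields exist in the full record.
    """
    if not is_authorized_purpose(purpose):
        raise DisclosureError(f"no authorized disclosure purpose: {purpose!r}")
    allowed = DISCLOSURE_ALLOWLIST[purpose]
    return {field: value for field, value in record.items() if field in allowed}


def withheld_fields(record: dict[str, Any], purpose: str) -> set[str]:
    """Fields present in the record that the purpose does not permit."""
    return set(record) - set(minimum_necessary(record, purpose))


def audit_line(record: dict[str, Any], purpose: str, recipient: str) -> str:
    """Audit-log entry listing field names only; values never reach the log."""
    disclosed = ",".join(sorted(minimum_necessary(record, purpose)))
    return f"disclosed to {recipient} for {purpose}: {disclosed}"


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD: dict[str, Any] = {
    "patient_id": "P-000123",
    "name": "Pat Example",
    "date_of_birth": "1980-01-01",
    "phone": "555-0100",
    "procedure_code": "PROC-001",      # placeholder, not a real procedure code
    "procedure_date": "2022-09-01",
    "provider_id": "DR-42",
    "billed_amount": 450.00,
    "clinical_notes": "constructed notes, never sent to an insurer",
    "medications": ["example-med-a"],
    "next_appointment": "2023-03-01",
    "ssn": "000-00-0000",
}

if __name__ == "__main__":
    release = minimum_necessary(SAMPLE_RECORD, "insurance_claim")
    print("released:", sorted(release))
    print("withheld:", sorted(withheld_fields(SAMPLE_RECORD, "insurance_claim")))
    print(audit_line(SAMPLE_RECORD, "insurance_claim", "example-insurer"))
```

The allow-list is deliberately a positive list: a new field added to the patient record (say, a genetic screening result) is withheld from every recipient until someone consciously adds it to a purpose, which is the failure mode you want.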

Another possible means by which your staff could be disclosing HIPAA-protected PHI is via phishing attacks. A phishing attack is a widely used tactic for committing cybercrime.

During a phishing attack, a hacker will send their target a fake email that is made to appear legitimate. They are attempting to trick the target into sending them confidential data, such as protected health information.


How to Avoid Releasing Data to Unauthorized Parties

To avoid this mishap, you must thoroughly vet people or businesses before providing them with confidential patient data. However, this can be easier said than done.

Therefore, it is vital that you implement a comprehensive health cybersecurity strategy, properly train your staff, and leverage modern practice management software (PMS). We will take a deeper dive into these solutions in the upcoming sections.

2. Disposing of PHI Improperly

HIPAA regulations not only regulate when and how you disclose PHI but also what to do with it when you dispose of it. Discarded PHI records could fall into the wrong hands if they are left in a viewable condition.

Once again, many dentistry practices go wrong here by focusing solely on tangible records. Naturally, you would shred any paper patient files or other physical records before tossing them in the recycling bin.

But what about devices that store patient data? Are you completely wiping their hard drives before you throw them out or send them to an e-waste recycler?

To avoid this common HIPAA violation, you should:


Wipe All Devices Before Disposal

If you are still storing all of your patient data using on-premises solutions, it is well past time for an upgrade, but that is a conversation for another time.

Let’s say that you still store most patient data on local devices. If so, it is critical that you completely wipe their hard drives before turning them over to a third-party recycler. Otherwise, that data could be recovered by bad actors and used for malicious purposes.

Even if you get lucky and the data is not abused, failing to wipe your devices before disposal still constitutes a HIPAA violation. This reality means that you are opened up to hefty fines and other penalties.

3. Using Unauthorized/Personal Devices to Access Data

You must have a comprehensive data security policy to be compliant with HIPAA regulations. Among other things, that policy should outline what devices you and your staff can use to access PHI.

There is nothing wrong with allowing your staff to access this data using their personal mobile devices, provided the right security measures are taken.

However, if you want to limit PHI access points, you may want to prohibit your staff from using their own devices. If you decide to go this route, make sure to enforce your policy. If staff members are using unsecured or personal electronic devices to access PHI, they could be exposing patient records and committing a HIPAA violation in the process.

Save yourself some headaches and guard against this violation by:


Setting Clear Rules and Enforcing Them

Provide your employees with clear rules regarding which devices they can use to access PHI. After you have established these provisions, enforce them. If you are going to allow your staff to use personal devices to access confidential data, implement security measures to minimize the risks of data exposure.

4. Failing to Train Staff

Even the best dental practice cybersecurity strategy will not be effective if your staff has not received any data security training. Investing in cybersecurity technologies and neglecting training is like purchasing an expensive alarm system and then leaving your front door unlocked.

With that being said, you do not have to spend hours training your staff every single month. One or two in-depth training sessions per year should allow you to cover the basics. However, you should follow up these annual or semi-annual sessions with monthly or quarterly refreshers.


Train and Train Some More

When you’re planning employee cybersecurity training, do not rush through it so you can check it off your list. Take the time to develop a proper training course and administer it to your staff.

If you cannot devote an entire day to cybersecurity training, spread it out into 1-hour blocks that staff can complete over a week or month. Make sure to test them post-training to determine whether they retained the information that was presented to them.

5. Improper/Non-Existent Data Protection Practices

Do you have a data protection policy? If not, you are setting yourself up to be the next victim of an opportunistic cyber-criminal. Data security policies should serve as your roadmap for preventing and responding to cyber threats. If you do not have such a policy, you are leaving yourself vulnerable to attack.

To solve this issue, all you need to do is:


Create a Cohesive Plan

If you do not have a cybersecurity plan or policy, start creating one as soon as possible. An imperfect plan is better than no plan at all. Once you have hammered out the rough details of your plan, go back and refine it. If you have no idea where to begin, seek out a local dental IT support provider for help.

6. Neglecting Physical Security

What is stopping an unauthorized user from accessing your patient file room or computer equipment? Hopefully, the answer is not “nothing.”

Physical files should be protected by a locked door, at a minimum. Only authorized individuals should have a key to access said files. If practical, you should also secure files in locked filing cabinets and install a camera covering the entrance to the room. This setup will help you regulate access to your files.

You will also need to implement some physical security measures to protect your electronic files. Ideally, you want to use a two-factor authentication process for accessing all devices.

This setup simply means that users must present two different kinds of proof of identity before they can use a device. For example, they might be required to enter a password (something they know) and swipe their ID badge (something they have).

7. Failing to Create a Risk Management Plan

A risk management plan is a distinct part of your overall cybersecurity strategy. The latter should outline your entire set of policies and procedures related to data security. On the other hand, a risk management plan is your guide for responding to potential data breaches or other security threats.

One of the worst mistakes you can make is to assume that your staff will “know what to do” during a breach. A response plan takes the guesswork out of dealing with cybersecurity threats and will help your staff mitigate the amount of damage that a breach causes.

If you are at a loss when it comes to creating a risk management plan, we recommend that you:

Connect with Zenith Dental IT

As dental IT support experts, Zenith Dental IT has the knowledge and expertise necessary to help you tackle your biggest HIPAA compliance concerns. We can connect you with the right dentistry technology to improve data security, drive efficiency, implement automation practices, and enhance the patient care experience.
