9 common HIPAA violations and how to avoid them

Apr 18, 2023 | Dental Office, Employer advice, Practice Advice, Practice Compliance

Today’s blog post comes from Michelle Frank at DentistryIQ and deals with the most common ways a practice can be non-compliant with HIPAA regulations. These tips could save you from a sizable fine, so we highly recommend checking this one out.

“The 1996 Health Insurance Portability and Accountability Act (HIPAA) is a federal law created to regulate health-care organizations, such as dental clinics, regarding how they handle protected health information (PHI). Human error, lack of upgraded security systems, minimal training, and no oversight of data handling procedures are a few ways HIPAA violations can occur. 

There are many reasons why HIPAA matters. Neglecting to follow HIPAA regulations can result in the failure to protect patients’ rights and information, data breaches, and costly fines, not to mention the blemish on your dental practice’s reputation. Here are nine common HIPAA violations to avoid.

Not assessing risk and data regulating processes

This is one of the most common HIPAA violations. When data is not handled through highly secure channels within your practice, there’s an increased likelihood the data will get lost or fall into the wrong hands. One of the first steps is to evaluate your risks. Assess your current security systems, your methods to catalog data, your maintenance of confidentiality, and ensure you’re using HIPAA-compliant CRM software. Consider setting up a system for how data should be entered, saved, and secured in your practice. 


Having minimal HIPAA training programs 

An untrained staff significantly increases a practice’s vulnerability. It’s easy to make mistakes when you’re not aware of what constitutes the errors. This is why HIPAA training programs are crucial. All staff—administrators, dental assistants, receptionists, hygienists, and dentists—in your dental practice should undergo mandatory HIPAA training. This should occur annually and when upgrading or changing your system security. Even businesses that interact with your PHI, such as pharmacies, scrubs vendors, and medical equipment suppliers, should follow HIPAA compliance rules.

Failing to account for theft of devices

While it may seem rare at dental clinics, it’s possible for devices to be stolen. Anything from laptops, cellphones, iPads, or portable storage devices is susceptible to theft. Medical fraud, identity theft, malicious use of stolen data, and the sale of stolen goods are all consequences of device theft. To prevent this, avoid the use of work-related devices outside the office and ensure the devices are safely secured at the end of each day. You should also equip all devices with tracking software as a precautionary measure. HIPAA training should include proper handling of the office’s devices to minimize the possibility of theft.

Not having data encryption

Sometimes device theft and data breaches are inevitable. This means you should never leave your data unsecured and easily accessible. Unencrypted information is considered a serious and reportable security risk. Avoid this HIPAA violation by encrypting all data and securing it behind firewalls. This requires you to update firewalls and encryption keys regularly to reduce vulnerability.

Disposing of data improperly

Incorrectly discarding medical data, whether paper or digital, is another common HIPAA violation. This includes disposing of health-care records with information still accessible or attainable. PHI on paper should be shredded or pulped to permanently eliminate the information. All data on electronic devices can be permanently destroyed by wiping, degaussing, or destroying the device. It is recommended that assigned staff members be put in charge of securely disposing of patient data.

Disregarding patient data access

At small practices, allowing everyone to access all devices and refraining from excessive security protocols may be too easy. However, one mistake can result in a data breach in the organization. Implementing access controls to your data through simple login credentials on all devices is a must. Biometrics or two-factor authentication techniques can also be used for system access as an additional layer of security. Third-party users of your electronic PHI systems should have limited access to patient data and be allowed to use information based only on their requirements. Change login information and update user access controls regularly.

Failing to have HIPAA-compliant business associate agreements and online forms

Your dental clinic enlists the assistance of several third-party organizations for different types of services. This can include the cleaning crew and those who supply medical equipment or medications. The staff of these companies may have access to PHI at your clinic. When onboarding the services of other individuals or organizations, you must enter into a HIPAA-compliant Business Associate Agreement (BAA). While it is not likely they will use or even view the data, it’s good practice to have such systems in place in case of security leaks. 

As cyberattacks increase and become more sophisticated, it’s essential to use HIPAA-compliant forms to collect patient information. These provide the necessary security to protect PHI. HIPAA-compliant form builders are available and offer various templates for your practice. Many provide BAA, screening, medical history, and HIPAA release of information forms, as well as the option for secure e-signatures.”

Find the rest of this helpful article here at DentistryIQ. We hope this article helps protect both you and your patients in the future.
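The "Not having data encryption" section of the quoted article says to encrypt all data and to update encryption keys regularly. What makes regular key updates workable in a practice with years of charts is envelope encryption: each record is encrypted under its own data key, and only that small data key is encrypted under the practice's master key, so rotating the master key means re-wrapping keys rather than re-encrypting every record. The Go program below is an added example written for this post; it is not code from DentistryIQ, DirectDental, or any practice-management product. The Record layout, the function names, the use of AES-256-GCM, and the sample patient line are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// gcmFor builds an AES-GCM AEAD for a 32-byte key (AES-256).
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key and returns nonce||ciphertext||tag.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; a wrong key or tampered data fails authentication and returns an error.
func unseal(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// newKey returns a fresh random 256-bit key.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// Record is a hypothetical stored patient record for this example.
// The PHI is encrypted under a per-record data key (DEK); the DEK is stored
// only in wrapped form, encrypted under the practice's master key (KEK).
type Record struct {
	KEKVersion int    // which master key version wrapped the DEK
	WrappedDEK []byte // DEK encrypted under the KEK
	Ciphertext []byte // PHI encrypted under the DEK
}

// EncryptRecord generates a DEK, encrypts the PHI with it, and wraps the DEK under kek.
func EncryptRecord(kek []byte, kekVersion int, phi []byte) (Record, error) {
	dek, err := newKey()
	if err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, phi)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return Record{}, err
	}
	return Record{KEKVersion: kekVersion, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK with kek and then decrypts the PHI.
func DecryptRecord(kek []byte, r Record) ([]byte, error) {
	dek, err := unseal(kek, r.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK (KEK v%d): %w", r.KEKVersion, err)
	}
	return unseal(dek, r.Ciphertext)
}

// RotateKEK re-wraps the record's DEK under newKEK. The PHI ciphertext is untouched,
// so rotating the master key across a whole database only rewrites the small wrapped keys.
func RotateKEK(oldKEK, newKEK []byte, newVersion int, r Record) (Record, error) {
	dek, err := unseal(oldKEK, r.WrappedDEK)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(newKEK, dek)
	if err != nil {
		return Record{}, err
	}
	return Record{KEKVersion: newVersion, WrappedDEK: wrapped, Ciphertext: r.Ciphertext}, nil
}

func main() {
	kek1, _ := newKey()
	kek2, _ := newKey()
	// Constructed sample PHI for the demonstration; not real patient data.
	phi := []byte("patient=Jane Doe; dob=1980-01-01; note=crown on #14")
	rec, _ := EncryptRecord(kek1, 1, phi)
	rotated, _ := RotateKEK(kek1, kek2, 2, rec)
	fmt.Println("PHI ciphertext unchanged by rotation:", bytes.Equal(rec.Ciphertext, rotated.Ciphertext))
	pt, err := DecryptRecord(kek2, rotated)
	fmt.Println("decrypt with new master key:", err == nil && bytes.Equal(pt, phi))
	_, err = DecryptRecord(kek1, rotated)
	fmt.Println("decrypt with retired master key fails:", err != nil)
}
```

Run it with go run. The printed checks show that rotation leaves the PHI ciphertext byte-for-byte unchanged while the retired master key can no longer open the record. In a real deployment the master key would live in a hardware security module or a cloud key management service rather than in process memory, and the KEKVersion field lets older records stay readable until a background job has re-wrapped them all.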


Holli Perez 
