Most Common HIPAA Violations in the Dental Office

HIPAA violations can be detrimental to your practice, leading to costly fines and reputational damage. Recent HHS enforcement actions underscore that healthcare practices of all sizes must be HIPAA compliant.

“Between the rising pace of breaches of unsecured protected health information and continued cyber security threats impacting the health care industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously,” said OCR Director Lisa J. Pino. “OCR will continue our steadfast commitment to protect individuals’ health information privacy and security through enforcement, and we will pursue civil money penalties for violations that are not addressed.”

So, what are common HIPAA violations you can prepare your dental practice against?

Common Reasons Practices Are Fined

In 2022, eight dental practices settled with the HHS, resulting in $305,500 in HIPAA fines. Most of these fines had something in common: they were due to right of access violations. However, there are also a handful of other reasons practices were fined in 2022 and in previous years.

1. Failure to Meet Right of Access Requirements

Since the OCR announced its right of access enforcement initiative, it has fined more than forty healthcare providers for failing to meet the standard.

“It should not take a federal investigation before a HIPAA covered entity provides patients, or their personal representatives, with access to their medical records,” said OCR Director Lisa J. Pino. “Health care organizations should take note of the enforcement actions under our Right of Access Initiative and understand that OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.”

The right of access standard allows patients to request copies of their medical records. Practices must provide the records within 30 days of the request, in the format the patient requests. The standard also limits what providers may charge for fulfilling the request to a reasonable, cost-based fee.

Although some providers have been fined for charging excessive fees for providing records, most right of access violations resulted from failing to provide patients with timely access to their medical records.

2. Improper Response to Patient Reviews

The dental practice fined this year for improperly responding to a patient review was not the first to be fined for this reason. In 2019, a single-practitioner dental office was fined $10,000 for responding to a patient’s Yelp review.

Responding to patient reviews while complying with HIPAA can be tricky. A practice is not permitted to confirm that someone is a patient, even if that person has publicly disclosed the information themselves. Even “Thank you for coming in!” or “Sorry you had a bad experience” are HIPAA violations, because each confirms the relationship. The best way to respond to a patient review is a simple “thank you” or “please call us,” or not to respond at all.

“Social media is not the place for providers to discuss a patient’s care,” said former OCR Director Roger Severino. “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”

3. Unauthorized Disclosure of PHI on Social Media

While social media can be an excellent way to increase patient engagement, there are restrictions on when patient information can be shared publicly. To use any protected health information (PHI) on social media, HIPAA requires practices to have signed written consent from the patient. Using patient testimonials, images, or videos for marketing purposes without prior written consent is a HIPAA violation.

4. Improper Disposal of Medical Records

There have been several instances in which healthcare providers have been investigated for dumping paper records in unsecured public dumpsters. In one case, a dentist who left more than sixty boxes of patient files in a dumpster in Indianapolis was fined $12,000 for doing so.

To properly dispose of paper medical records, they must be shredded, burned, pulped, or pulverized so that the PHI is unreadable and cannot be reconstructed. PHI stored in electronic format must be cleared, purged, or destroyed for proper disposal; simply deleting files or discarding a device does not meet this standard.

5. Failure to Conduct an Accurate and Thorough Risk Assessment

Dental practices must conduct an accurate and thorough security risk assessment (SRA) annually to identify risks and vulnerabilities to PHI. When practices fail to conduct an SRA, they are ill-equipped to keep patient information secure, and breaches often follow.

Conducting an annual SRA is one of the most important aspects of HIPAA compliance, particularly as healthcare breaches have skyrocketed over the past few years.

Contributed by Compliancy Group

Need assistance with HIPAA compliance? Compliancy Group can help! Their simplified software solution and Compliance Coach® guidance help dentists achieve HIPAA compliance with ease. As an AAE Advantage Partner, endodontists can be confident in their compliance program. Find out more about Compliancy Group and HIPAA compliance. Get HIPAA compliant today!