Your two hygienists have escaped the office to lunch at the Applebee’s about a mile from your office. They are sitting in a booth quietly chatting about the morning. It had been an eventful one: two late patients, one no-show, and then Mary, or “Crazy Mary” as the dental team likes to call her. She can say some of the craziest things, she is always sure to entertain the office with her ridiculous ramblings. Today it was this insane conversation with her little Yorkshire dog, Biffy. They were both enjoying some relaxing chuckles over it as they devoured their lunch in an effort to get back by 2:00.
That night while watching Monday night football, your home phone rings. Your wife says it is for you and tosses the phone to you like a football. You receive it, a great catch, and cradle it to your ear. It is Marsha Brown, a patient of yours. Marsha happened to be lunching in the booth behind your hygienists at Applebee’s today, and clearly heard the conversation your hygienists had about her sister, Mary. Marsha was NOT happy.
That is how it all started! This is how it ended: a surprise visit from the state, legal papers served, tons of time-consuming phone calls, hiring an attorney, and a $30,000 fine (not including your court and legal fees.) A seemingly harmless lunch conversation between coworkers turned into an expensive mess that you now have to deal with.
What could have prevented this incident, or at least reduced or even shifted the burden of the fine? Most dental practices know it is critical to have HIPAA dental team training meetings on a yearly basis. Although, many practices don’t talk about it much beyond that. Ongoing reminders throughout the year at team meetings can help keep HIPAA regulations on top of mind for everyone, which can help prevent situations like this. One way to help the team understand what can and can’t be discussed is by using role-play during team meetings. Create realistic scenarios and let a couple of people act them out, and have the rest of the team explain why or why not they meet HIPAA guidelines. This can help make a bunch of legal jargon more relatable to their everyday work life.
Unfortunately, you can only control so much when it comes to your team members’ conversations, especially once they leave the office. This is why it is critical to have all of the HIPAA documentation up-to-date, so your practice’s HIPAA Officer can have all of the following ready for your state inspector.
- Your practice’s written privacy policies document for your team.
- Your practice’s Privacy Practices document for your patients.
- Proof your practice had given each patient an opportunity to read and keep a copy of your Practice’s Privacy Practices.
- A list of your computers’ names, passwords, and locations.
- A list of each team members’ software usernames and passwords
- A record of your annual HIPAA team trainings, a list of everyone who attended, and verification that they attended.
- Your Practice’s Security Risk Analysis and the actions taken to compromise the risks.
- The document you have on file for each patient listing how to contact them, with whom you can share their PHI, and which method of contact they want your office to use when contacting them.
- A document outlining the PHI privileges each position on your team is entitled to use, what PHI privileges they have indicated in your software, and explanations to any exceptions.
- Copies of your signed Associate Agreements
If your practice is following HIPAA guidelines and has all of the documentation it can help shift some of the financial burden off you. It puts more liability on the team members who did not follow the guidelines, as well as reduce the fines.
Are you ready?Share