Educate dental team about HIPAA compliance in morning huddles

The morning meeting for a dentist and their team helps outline the patient care for the day, but it also can serve as a good time to remind staff about the importance of protecting patient information.

Everyone on the dental team is responsible for protecting patient data, according to Rami J. Zreikat, president of a California company focused on safeguarding a dental practice’s information assets by providing information on HIPAA Privacy & Security rules, HIPAA security assessments as well as technology security consulting.

Zreikat says the morning huddle is the perfect time to remind the staff about the safeguards a practice uses.

"Spend time with your staff, educating them on some aspect of information privacy and security. You can consider using part of the morning huddles, at a minimum once a week, for that purpose," said Zreikat, who led a lecture titled "Information Privacy and Security Update: HIPAA, HITECH and CMIA" at CDA Presents The Art and Science of Dentistry in San Francisco on Sept. 4. "Make sure you remind them about the importance of security and how it can impact the practice." Below are items that dentists can bring up.

  1. User IDs/passwords: Don't exchange user IDs or passwords with each other.
  2. Passwords: Change your password whenever you are prompted to, and never write it down anywhere.
  3. Authorized practice software use: Don't download software from the Internet or copy software to the practice’s computer systems before obtaining authorization from the practice’s information security officer.
  4. Internet use reminders: Websites that appear secure can still be infected with viruses. If you must access the Internet for business use, stick to known websites.
  5. Suspicious emails: Be cautious about opening emails from unknown senders, and do not click on any link in an email unless you recognize the URL.
  6. Secure electronic communication: Remember to use secure email when emailing or communicating patient information.
  7. Computer use policies: If your practice has a policy stating that practice computers are for official business use only, remind the staff that computer use is for official business only.
  8. Use of external devices (USB): Connecting external devices that have not been scanned for viruses to the practice’s computers is very risky. If your practice has a policy prohibiting the use of unauthorized devices or USB drives with practice computers, remind the staff of this policy.
  9. Patient information disclosure outside the office: Do not discuss a patient’s treatment, or any information related to it, outside the practice unless the disclosure is allowed or authorized. If such a discussion does occur, make sure it cannot be overheard by unauthorized individuals.

"It doesn't have to be a set of topics. It could just be one of these topics that you bring up in the morning meeting, ideally weekly at a minimum. For example, you could say, 'Today, we want to talk about password management, make sure everyone changes their passwords every 90 days,'" Zreikat said. "Or tell them you are going to work with the practice's IT vendor to have all of their passwords changed on a specific date."

Attendees of the CDA Presents lecture, which was co-presented by CDA Practice Analyst Teresa Pichay, also learned about federal and state health information privacy law requirements.

Congress passed HIPAA in 1996 to simplify, and thereby reduce the cost of, the administration of health care. HIPAA does this by encouraging the use of electronic transactions between health care providers and payers, thereby reducing paperwork. Congress deemed that if the legislation was to encourage the electronic transmission of patient health information, there needed to be a means of protecting the confidentiality of that information, and thus the HIPAA Security Rule was created.

The Health Information Technology for Economic and Clinical Health Act (HITECH) amended HIPAA in 2009 and expanded patient rights with regard to their health information and added a breach notification rule for covered entities, such as dentists, to follow.

For a firsthand account of what can happen when patient data is compromised, read the story "Burglary leads to lengthy HIPAA investigation for CDA dentist."

View the CDA Practice Support resource HIPAA Security Rule — A Summary or Data Breach Notification Requirements at cda.org/privacy-HIPAA. The ADA HIPAA Compliance Kit, which is available at ada.org, also is a source for obtaining a risk analysis assessment form.

For more information on TDIC’s offerings in this area, visit thedentists.com.