According to U.S. News and World Report, in April 2018, a dental receptionist was sentenced to 2 to 6 years in prison for stealing over 600 patients’ protected health information (PHI). The woman stole patients’ names, addresses, dates of birth, and Social Security numbers in 2012. She and three accomplices used the information to fraudulently obtain Apple gift cards worth collectively over $700,000. While this particular type of breach would be difficult to prevent, since no one expects employees to act criminally, there are steps that dental offices can take to minimize PHI breaches.
First and foremost, as part of Health Insurance Portability and Accountability Act (HIPAA) requirements, HIPAA-covered entities, including dentists who transmit electronic health records, must comply with the Security Rule, which requires them to adopt adequate means for safeguarding the confidentiality, integrity, and availability of patients’ protected health information. Along with that, all HIPAA-covered entities are required to perform a security risk analysis as needed to assess vulnerabilities and the mechanisms currently in place to mitigate them. Additional controls should be implemented as needed.
Other steps that should be taken to minimize a PHI breach include encrypting and password-protecting all of the electronic equipment in the office, including email (unless a patient has requested unencrypted email); training all staff on the office's HIPAA policies; monitoring computer access; otherwise securing patient files, both hard and electronic copies; and ensuring business associates are following HIPAA requirements.
When conducting employee background checks during hiring, employment laws must be followed, and these vary considerably by state. Contact an attorney who specializes in employment law for guidance on conducting background checks.
While nothing can fully prevent an employee from committing a criminal act, taking the steps above can help to minimize the risks.
For our OSHA Review Subscribers: The January/February 2014 issue of OSHA Review covers HIPAA requirements and includes information about conducting a security risk analysis. Additionally, a HIPAA risk analysis checklist is available from OSHA Review’s website.
Since 1992, OSHA Review, Inc. has provided dental professionals with comprehensive programs to support regulatory compliance and infection control. We are a registered continuing education provider in the state of California, specializing in Dental Practice Act, infection control, and OSHA training.