Practice owners transitioning out of clinical dentistry are making surprising mistakes, as revealed by a jaw-dropping incident involving HIPAA compliance.
As a seasoned HIPAA Privacy and Cybersecurity consultant, I had never given much thought to practice transitions, except for concerns about job security. However, that changed when my own dentist shared an astonishing story with me—a story so wild it left me in disbelief, even though I’ve encountered my fair share of bizarre incidents over the years.
The scenario unfolded when the seller dentist and their spouse met a potential buyer at the practice after hours to discuss the numbers and information. The buyer requested sterilizer reports, and while the seller and spouse went to retrieve the data, an alarming sight caught their attention. The buyer had plugged in a thumb drive and was about to access the Dentrix practice management system. The spouse intervened, questioning the buyer’s actions, and discovered an export database window open on the screen. The seller acted swiftly, removing the thumb drive from the computer and securing it.
The situation escalated as the seller dentist returned to the scene, leading to a confrontation. It was later revealed that the potential buyer had been visiting multiple practices in the area, feigning interest in purchasing them while covertly extracting patient lists and contact information. The intent was to send targeted solicitations to these patients, rather than acquiring the practices legitimately.
This incident was not just a case of theft; it also constituted a serious HIPAA violation. An unauthorized individual had unrestricted access to Protected Health Information, with criminal implications under HIPAA. While the federal Office for Civil Rights decided not to pursue a full investigation due to the seller’s intervention, the state dental board took action, suspending the fake buyer’s dental license for Unprofessional Conduct.
Beyond the deceptive actions of the would-be buyer, there were concerns about the HIPAA violation and its potential consequences. HIPAA mandates physical safeguards to prevent unauthorized access to Protected Health Information. In this case, the buyer should never have been left unattended at the computer. A simple solution would have been to lock the screen and require a password for access.
Consider the various individuals who may have access to sensitive patient information within your practice, including cleaning crews and equipment repair technicians. While they are not hired to handle patient data, they could come across it. Locking computer screens is a straightforward, cost-free measure that supports both good computer security and, crucially, HIPAA compliance.
Despite having completed multiple HIPAA courses, the seller neglected to follow these guidelines, nearly allowing a thief and an unethical dentist to tarnish the reputation of the dental profession.