By Lee Slaton, Vice President of Healthcare, Smart Training

“Come listen to a story ‘bout a man named Jed” kept rolling through my brain as I was organizing this article in my mind. It’s about two data breaches that occurred in the last three months at North Texas dental practices.

Both were low-tech, inside jobs. But the outcomes for each office will probably be 180 degrees apart.

A critical item, ignored by the majority of dental practices we’ve inspected over the last five years, may well be what determines whether or not one of these practice owners loses his proverbial shirt.

Let’s first look at the similarities between these breaches. Both involved:

  • Relatively small practices, owned and operated by solo practitioners.
  • Inside jobs committed by employees.
  • Simple, low-tech occurrences. Employees absconded with patient data procured while working. There were no network intrusions, hackers, or phishing attacks involved; just plain employee theft.
    One employee used a smartphone to take photos of a computer screen with patient records displayed on it. The other printed a monthly recap report containing the names, patient numbers, procedure codes, and billing amounts for every patient seen that month.
  • Approximately 400 patient records. This was a sliver of good news, because when breaches involve under 500 records, they don’t have to be reported immediately. They have to be reported by the end of the year in which the breach was identified. That’s a huge difference-maker to a practice owner, as it gives them more time to prepare their response.

I guess I’ve strung out the suspense as long as I can. What’s the difference-maker I referred to at the beginning of the article? A nasty term we all hate: paperwork. Specifically, a signed Employee Privacy Policy Agreement (EPP). One of the practices mentioned had one with each of its employees. The other did not.

A properly crafted and executed EPP spells out the employees’ responsibilities with regard to Protected Health Information (PHI), and notes that should an employee cause a data breach, they can be referred to the authorities for criminal prosecution. In other words, the EPP, in much the same way a Business Associate Agreement (BAA) does, helps to indemnify a covered entity—in this case a dental practice—against a data breach.

Which begs the question of all practice owners reading this: do you have signed EPPs from all your employees and signed BAAs from all your business associates? They can be get-out-of-jail-free cards in worst-case scenarios.

If you’re wondering what kind of shape your practice is in from a compliance standpoint, don’t bury your head in the sand. Perks partner Smart Training has conducted over 1,000 inspections of dental practices across the country, and the company is happy to share what it has learned with TDA members.