By Diane Evans

Publisher, MyHIPAA Guide


For a dentist, social media can be a great way to communicate valuable information.  Conversely, it could be your worst nightmare if patient privacy is violated.


The challenge is in harnessing the benefits of social media without violating anyone’s privacy.  And that is best achieved through a Social Media Policy that encourages the sharing of information while always protecting privacy.


With a Social Media Policy, you as a dentist can set and enforce clear processes for what may be posted and by whom.  Here are some suggestions on what to include in your policy:


  • Allow social media postings only with proper authorization.
  • Prohibit the transmission of patient images via any electronic media.
  • Educate staff on appropriate social media activities.
  • Require explicit permissions from patients for even the slightest online reference linking an individual to your practice.
  • Prohibit staff from taking photos or videos of patients on personal devices.
  • Set restrictions on patients’ use of personal devices once they are in your clinical area.
  • Require prompt reporting of any infractions or potential breaches.

The objective is to create a culture of vigilance so that privacy protections become instinctive.  It’s about a mindset, rather than the mere motions of a regulatory requirement.

What’s at stake is the integrity of your practice.  Your patients trust you, and you of course want to uphold that trust.


Once you have a Social Media Policy in place, it’s helpful to have a collective understanding within your practice of how social media infractions commonly happen.    Here are the leading culprits:


  • Carelessness:  This is the most common issue of all in breaches, and typically involves well-meaning intent.  Here is an example from a federal case that led to a fine: A small practice included a patient testimonial on its website, but failed to get written permission to do so.


In situations such as this, a practice can expect to avoid fines if an underlying HIPAA compliance program is in place, and the breach occurred due to a violation of internal policy.


  • Personal vendetta: In some cases, an employee discovers embarrassing information about a patient, and then spreads that information via social media.  An example from an actual case, reported by ProPublica and resulting in a lawsuit and undisclosed settlement: A medical staff member discovered that her former friend had a sexually transmitted disease.  A post to Facebook followed, noting the former friend’s diagnosis and her full name.


A cautionary note to dentists:  Be extra careful with information with high gossip value.  For instance: If a local mayor gets a tooth knocked out in a fight, and then shows up at your office, take extra security precautions.


  • Laxity:  This is also a common cause of fines. In these cases, regulations under the Health Insurance Portability and Accountability Act (HIPAA) get relegated to low-priority status.  Privacy is not top-of-mind, and breaches become more likely.

If a complaint leads to a HIPAA audit, expect stiff fines for lack of an underlying HIPAA compliance program, which must include risk assessment, security policy implementation and management of Business Associates.


Dentists, for our plan to help you get compliant in three easy steps, go to https://www.myhipaaguide.com/3steps/






Thursday, 24 January 2019 10:37

Set the Table for Compliance

If you really want to protect the privacy of those you serve, it is important to establish a culture of vigilance within your organization.

Now, if that sounds like blah-blah, think again.  The culture of your organization is a real thing.  It is a silent, yet potent communicator of the values reflected in your leadership.  High ethical behavior at the top sets the expectations for all.  

During our January podcast-and-webinar series, we discussed the importance of a Code of Conduct as a starting point for a HIPAA compliance program.  Why?  Because it's a great vehicle for describing ethical standards that employees are expected to meet. If expectations aren't in writing, how are they to know? 

Basic elements of a Code of Conduct set forth principles of:

  • Leadership values
  • Respectful behavior 
  • Protection of privacy
  • Safety
  • Integrity

Importantly, the commitment should go both ways -- with leadership pledging a commitment to a healthy work environment and employees pledging good conduct. (Yes, pledges should be signed!)

Once the basic standards are set, then there is context for the details of HIPAA compliance relating to safety and security.  

If you are a subscriber to MyHIPAA Guide, email Brenna Hughey for a Code of Conduct template if you do not have it already.

To learn more about our  HIPAA compliance program tailored for dentistry, visit https://www.myhipaaguide.com/3steps/

For our program tailored to residential providers, visit http://hipaa.opra.org/





Tuesday, 04 December 2018 09:54

HIPAA's Hand Rises from the Grave

Just a quick reminder to any dentists who may be thinking about selling their practices.  Even when you are no longer in business, you are still responsible for protecting patient information under the Health Insurance Portability and Accountability Act (HIPAA).  

A case reported on the website of the American Dental Association earlier this year sheds light on the consequences of what could happen.  And yes,  expect that somebody will end up paying.

"The careless handling of [patients' protected health information] is never acceptable," U.S. Office of Civil Rights Director Roger Severino said in a news release. "Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies."

The best protection against breaches and potential consequences:  Protect privacy, not just because it's the law, but because it's the right thing to do.  Above all, privacy is about upholding the trust of people who have entrusted their care to you.





Thursday, 15 November 2018 13:43

It's a HIPAA Breach! What do I do?

Our new webinar series gives you the answers on what to do after receiving a complaint about a potential HIPAA breach.  Register here for sessions on Nov. 19 at 3 p.m. EST  and Nov. 24 at noon EST.

We'll cover:

  • Breach reporting
  • Breach investigation
  • Assessment of the severity of an incident

We also have a special offer for webinar participants on a secure ReportaBreach.com webpage, customized for your organization, and complete breach reporting tools, plus a complimentary consult.

Join us on the webinar!

At the recent annual conference of the Association of Professional Developmental Disability Administrators (APDDA), we had the pleasure of hearing from administrators from facilities in Corpus Christi and San Antonio, Texas and Miami, Florida who spoke about their experiences preparing for and recovering from Hurricane Harvey and Hurricane Irma last fall. Part of building an emergency preparedness plan includes making provisions to meet the needs of residents with disabilities in the event of an evacuation.

But! Even in an emergency preparedness plan, a resident's health information is still protected by the HIPAA Privacy Rule.

Check it out! The Department of Health and Human Services offers a great interactive tool, The HIPAA Privacy Decision Tool, that through a series of questions helps you determine how the HIPAA Privacy Rule would apply in specific emergency situations (it's available as a flowchart, too!). Other emergency preparedness resources are also available through the HHS site.

Tuesday, 23 January 2018 11:54

2017 HIPAA Cases: Here's the message

At the start of each new year, it is always good to look back at federal settlements under the Health Insurance Portability and Accountability Act (HIPAA).  That is how you know what matters most to the Feds in terms of privacy enforcement.

From 2017,  here is a short list of key messages:

  • It’s your job to understand HIPAA requirements.
  • Execute Business Associate Agreements with vendors and independent contractors with potential access to private health information.
  • Don’t rest easy because you have security policies; you also need to manage security processes for daily vigilance.
  • If you do experience a breach, report to the Feds in a timely manner.
  • Be sure to monitor activity on your databases.

Now let’s take these one by one, with examples illustrating each point.

  • Understanding HIPAA requirements:

In a case involving CardioNet, a provider of remote mobile monitoring of heart patients, the Feds said that a lack of understanding of HIPAA creates risk.  CardioNet paid the cost of such ignorance in a $2.5 million settlement, stemming from a laptop stolen from an employee’s vehicle, and containing private health information.  Read the Press Release.

  • Business Associate Agreements:

In April, the Feds put out a news alert with the headline, No Business Associate Agreement? $31K Mistake.

It was as if to say “Gotcha” -- albeit in a small settlement by HIPAA standards.  The case involved a children’s digestive health center.  As the Feds were investigating one of the center’s Business Associates, they discovered the absence of a Business Associate Agreement, which was the health center’s responsibility to execute. Read the Resolution Agreement and Corrective Action Plan - PDF.

  • Security management:

In a case involving unauthorized access to health information, Memorial Healthcare System (MHS) paid the Feds $5.5 million to settle potential violations.  Private health information had been impermissibly accessed and disclosed through login credentials of a former employee of an affiliated physician’s office.  For a year’s time, the unauthorized access took place on a daily basis -- and without detection, due to a failure to monitor database activity.  Read the Resolution Agreement.

  • Timely breach response:

A case involving Children’s Medical Center of Dallas (Children’s) stemmed from impermissible disclosure of unsecured, electronic health information and non-compliance with HIPAA standards over many years, according to the Feds. The Feds issued a notice to Children’s, which included instructions for how Children’s could file a request for a hearing. Children’s did not request a hearing. Children’s paid a civil penalty of $3.2 million, and the Feds called out the issue of timely response. Read the Press Release.

  • Monitor databases:

This is essential to HIPAA compliance.  In a case resulting in a $2.3 million settlement, the Federal Bureau of Investigation (FBI) notified 21st Century Oncology, Inc. (21CO) on two separate occasions that patient information was illegally obtained by an unauthorized third party.  Evidence included 21CO patient files purchased by an FBI informant. Among other things, the Feds determined that 21CO failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. Read the News Release.
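Both the MHS case (a former employee's credentials used daily for a year) and the 21CO case (no regular review of audit logs and access reports) come down to the same missing control: somebody routinely comparing access records against the account directory. The following is an added illustration, not code from MyHIPAA Guide, OCR, or either organization, of what such a review can look like in Python. The log format, the account directory, the user names and the termination date are all constructed for the example; a real system's audit log would need its own parser.

```python
"""Routine access-log review: flag activity by terminated or unknown accounts.

Added illustration only; the log format and directory below are constructed
for this example and do not come from any real health system.
"""
from datetime import date, datetime

# Constructed account directory: termination date, or None if still active.
ACCOUNTS = {
    "jdoe": None,
    "rsmith": date(2016, 3, 15),   # hypothetical former employee of an affiliated office
    "svc_backup": None,
}

# Constructed audit-log lines: <ISO timestamp> <user> <action> <record id>
SAMPLE_LOG = """\
2016-03-10T09:12:04 rsmith VIEW patient/10021
2016-03-14T16:40:11 jdoe VIEW patient/10022
2016-04-02T08:05:43 rsmith VIEW patient/10023
2016-04-03T08:07:19 rsmith EXPORT patient/10024
2016-04-03T23:55:02 unknown_user VIEW patient/10025
2016-04-04T08:01:00 rsmith VIEW patient/10026
"""


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, user, action, record = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "action": action, "record": record}


def review(log_text, accounts):
    """Return (time, user, reason) for every event that warrants follow-up.

    Two conditions are checked: the account is absent from the directory,
    or the access happened after the account's recorded termination date.
    """
    findings = []
    missing = object()  # sentinel so an active account (value None) is not confused with a missing one
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        term = accounts.get(event["user"], missing)
        if term is missing:
            findings.append((event["time"], event["user"], "account not in directory"))
        elif term is not None and event["time"].date() > term:
            findings.append((event["time"], event["user"],
                             f"access after termination on {term.isoformat()}"))
    return findings


def summarize(findings):
    """Count flagged events per user and the distinct days involved.

    A high day count for one account is the 'daily, for a year' pattern
    that went unnoticed in the MHS case.
    """
    per_user = {}
    for when, user, _reason in findings:
        count, days = per_user.get(user, (0, set()))
        days.add(when.date())
        per_user[user] = (count + 1, days)
    return {u: {"events": c, "days": len(d)} for u, (c, d) in per_user.items()}


if __name__ == "__main__":
    hits = review(SAMPLE_LOG, ACCOUNTS)
    for when, user, reason in hits:
        print(f"{when.isoformat()}  {user:<14}{reason}")
    print(summarize(hits))
```

The value of this check is entirely in running it on a schedule (daily or weekly) against the full log, with the findings recorded and followed up; a one-off run is the "patchwork" approach the cases on this page penalize.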

The vast majority of HIPAA cases are resolved through corrective action plans that the Feds monitor.  While that means no fine, you'll still have the Feds hovering over you for a while.

Friday, 12 January 2018 09:00

Just Who Is a Business Associate?

A Business Associate is a person or organization, other than an employee of a covered entity, who performs functions or provides services related to creating, receiving, maintaining, or transmitting Protected Health Information (PHI) on behalf of your organization.

Remember! With all of your business associates, you need an agreement that legally binds you (the HIPAA covered entity) and the business associate with very clear terms for managing and protecting health information emanating from you.

A written contract with your Business Associate must:

  • Detail the uses and disclosures of PHI the Business Associate may make

  • Require that the Business Associate safeguard PHI

In other words, if any one person or vendor has potential access to private health information, you need to hold them accountable to the same high standards as you are held accountable.

Thursday, 08 June 2017 12:23

Help Stop Hackers from Robbing Healthcare

By now, you know that international ransomware attackers have hit health systems in the United States. While it’s up to the techs within your organization to apply security measures, it’s everyone’s job to thwart thieves by recognizing and avoiding their traps - often hidden in seemingly harmless emails.

Keep in mind that hackers are smart, and it’s their business to fool even the most conscientious employees in close proximity to patient information. That’s why it’s important to know the warning signs of ransomware.

Let’s start with some basics pertaining to email:

  • Beware of any kind of attachments or links within emails that are unknown to you or unsolicited. Malicious links in emails can link you directly to a malicious website the attacker uses to infect a data system. Opening an attachment can have the same effect.
  • Know that attackers may impersonate someone you know. Be extremely cautious of emails you are not expecting or that seem a little off. When in doubt, go to your supervisor or a tech before doing anything.
  • Make it a practice NOT to click on links and attachments you are not expecting.
  • If you get an automated message to update your computer’s antivirus software, click to update it. While the IT people should make sure this is done automatically, that doesn’t always happen in reality.

Of course the goal is to avoid the schemes of hackers, who typically “kidnap” information with the promise of releasing it back to its rightful owner in exchange for money. A joint study conducted by several security firms estimates that creators of one form of ransomware -- called CryptoWall 3.0 - have extracted more than $325 million from victims since January 2015.

In the event you fall victim to a ransomware scheme, you should know the tell-tale signs of being hacked so that you can seek help right away. One common scenario is that you click on a link or open an attachment and immediately realize it is suspicious. Get help, even if you’re not 100 percent sure it’s a problem.

Other indicators of a ransomware include:

  • Unusual activity on your computer for no apparent reason, due to the ransomware searching for, encrypting and removing data files.
  • An inability to access certain files as the ransomware encrypts, deletes and renames and/or relocates data.
  • Recently, attackers have been scanning the Internet for devices equipped with remote access to patient information portals. Once connected, they can try to guess passwords, or look for backdoors to gain entry. Once they’re in, they can operate just like they are logged onto your system from a monitor and keyboard.


If you do not need remote access to a database containing patient information, disable the service on your computer. If you do need remote access, use it only as necessary. And make sure your password is next to impossible to figure out.

By now you may wonder what the odds are that you may encounter a ransomware threat. Well, a recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016. That’s a 300% increase over the 1,000 daily ransomware attacks reported in 2015!

That is why everyone needs to have an eagle eye out for the crooks.

Here are just a few other things to keep in mind:

  • Never allow a third-party to have remote access to your computer if the caller’s authenticity cannot be verified directly through your organization or a verified Business Associate.
  • Do not trust unsolicited phone calls, and don’t give out information.
  • Do not download or purchase any unknown software or online services.
  • Follow safe practices when browsing the web - and don’t click on ads from unknown sources.
  • If you see any unauthorized people accessing patient information (including fellow employees), report the activity to your supervisor or a compliance manager.

Simple safety practices on the part of all can thwart thieves so they can’t do their dirty work. That’s the goal -- and it takes a community of dedicated workers to achieve it.

Note: Information included in this post has been compiled from email alerts distributed by the U.S. Office for Civil Rights (OCR) from May 12 through May 16, in response to international threats impacting healthcare. Reference material includes: February 2, 2016, and March 30, 2016 cyber awareness updates, and a February 2017 newsletter, all from OCR, and a Ransomware Fact Sheet from the U.S. Department of Health and Human Services.

About the author: Diane Evans is Publisher of MyHIPAA Guide, a news and information service that gives organizations a clear and human-centered process for HIPAA compliance. Diane travels around Ohio and beyond, speaking on HIPAA-related topics and leading workshops in an interactive curriculum developed by the MyHIPAA Guide team. You may reach Diane by email.

With the onset of federally mandated enforcement of patient privacy laws, it’s a good time to review lessons from HIPAA cases announced in 2016. Common themes clearly prevail.

In reviewing these lessons, keep in mind that the feds continue to clarify the stricter rules in place since 2013 under the Health Insurance Portability and Accountability Act (HIPAA). Since federal audits began only last year, gray areas continue to muddle the murky waters.

Here are some overriding messages from recent federal cases and news releases:

1. Risk Assessment

Make this a top priority, and include all remote facilities in your assessment. Also account for the security of mobile devices and databases in the homes and cars of employees, including telecommuters. Multiple settlements drive home this point. Also remember that you need proper policies and procedures in place as part of risk analysis and mitigation.

Example: The case of St. Joseph Health (SJH), which operates hospitals, home health agencies, hospice care, outpatient services, skilled nursing facilities, community clinics and physician organizations in California, Texas and New Mexico. SJH agreed to pay $2.14 million in a settlement with the U.S. Office for Civil Rights (OCR), relating to a report that files containing electronic protected health information (ePHI) became publicly accessible through internet search engines from 2011 until 2012. A server SJH purchased included a file sharing application, and the default setting allowed anyone with an internet connection to access the data, potentially breaching the privacy of nearly 32,000 patients.

The feds said: Although SJH hired a number of contractors to assess risks and vulnerabilities, evidence indicated a “patchwork” approach falling short of “enterprise-wide risk analysis.”

2. Business Association Agreements

Again, multiple cases reinforce this as a big priority. The point is that if any outside person or vendor can potentially access private information about your patients, then you need to hold those vendors or individuals to the same rules that apply to you. You need formal agreements with them. Also know that HIPAA audits extend to business associates.

Example: The Archdiocese of Philadelphia agreed to pay $650,000 to settle potential privacy violations relating to the theft of a mobile device containing protected health information for 412 nursing home residents. In this case, Catholic Health Care Services (CHCS), an agency of the Diocese, performed IT services as a business associate to six skilled nursing facilities. The potential breach happened as a result of a theft of a CHCS-issued employee iPhone, which was unencrypted and not password protected. The information on the iPhone included social security numbers, information about diagnoses, medications and treatments, and names of family members and legal guardians.

The feds said: CHCS had no policies addressing the removal of mobile devices containing patient information from its facility, and no risk analysis or risk management plan.


3. Smaller providers

You’re on hook, too. HIPAA-covered providers of all types and sizes are subject to audits. Last fall, OCR announced it is now working with its regional offices to “more widely investigate the root causes of breaches affecting fewer than 500 individuals.” The regional offices will still have discretion on which smaller breaches to investigate, but each office will increase its efforts to address these smaller breaches.

4. Insider threats

In a recent newsletter, OCR discussed the “insider threat” as one of the largest threats to the security of patient information within organizations. The agency noted that even some cyberattacks may be insider-driven.

According to a recent survey, conducted by Accenture and HfS Research, 69% of organizations surveyed reported experiences with malicious activity on the part of insiders, including current or former employees, contractors and business associates.

Keep in mind, whenever patient information reaches unauthorized ears and eyes, nothing stops it from getting on social media. And yes, that does happen, especially among patients who are most vulnerable and unsuspecting.


The feds have released a new fact sheet that explains how HIPAA Rules permit disclosures of Protected Health Information (PHI) to support public health activities conducted by public health agencies, as authorized by state or federal law. The fact sheet offers examples of instances where sharing PHI supports public health policies.

You may find the new fact sheet on the federal government's website at:  https://www.healthit.gov/sites/default/files/12072016_hipaa_and_public_health_fact_sheet.pdf


10 Step HIPAA Plan

  • Step 1: Make Sure you Must Comply with HIPAA

    What's Inside:
    Lists of who is generally covered and who is not, plus contact for inquiries.
  • Step 2: Designate Team Leaders

    What's Inside:
    • 7-page HIPAA basics
    • 62-page guide to security and privacy of ePHI
    • Compliance Charter Template
  • Step 3: Develop Security Policies & Procedures

    What's Inside:
    Templates for Security Policies and Procedures
  • Step 4: Conduct a security risk analysis

    What's Inside:
    • Guides
    • Short videos
    • Interactive quizzes on risk assessment and contingency preparation
    • 10 common myths

    Interactive tutorial – 156 questions with fill-able PDFs for Windows or iPad. All material from federal sources.
  • Step 5: Develop an action plan

    What's Inside:
    • 11-page overview on ePHI for small practices
    • 4-page Q&A addresses email with patients
    • Checklists

    Toolkit on 45 implementation specifications
  • Step 6: Reduce Risks of a Breach

    What's Inside:
    • Overview of expectations
    • Annual Work Plan Template
  • Step 7: Train the Team

    What's Inside:
    • Form for reporting breach notification
    • Links to details on the notification process and what constitutes a breach.
    • Suite of Training Materials
  • Step 8: Customize Privacy Notices

    What's Inside:
    FOR ALL:
    • Privacy notice templates to help achieve meaningful consent, in English & Spanish.
    • Professionals' guide covering 2013 updates on communications.
    • Electronic toolkit with patient education and meaningful consent sample materials.
  • Step 9: Execute Business Associate Agreements

    What's Inside:
    • Sample Business Associate Agreement (BAA) provisions
    • Suite of BA Management Tools
  • Step 10: Verify Compliance with HIPAA

    What's Inside:
    • Tip sheets
    • Short videos
    • Overviews
    • 94-page guide on the EHR incentive program
    • Beginners' toolkit on reporting to the government

    All from federal sources.
