According to the HIPAA Security Rule's technical safeguards, procedures must be implemented to verify the identity of any entity or party requesting access to PHI. This means the identity of the person seeking information must be confirmed within the information system being used.
Does everyone in your dental office need to have his or her own password? The answer depends on a number of factors. For example, in large dental offices, team members fill specific roles. Bear in mind the minimum necessary requirement: employees of a covered entity should have only as much access to PHI as they need to properly perform their role or job function.
Do dentists (other than the owner-administrator) need access to patient financial data? Do receptionists need access to clinical data? If the answers are no, then they should not have access to this information.
In smaller offices, where team members may be cross-trained or serve multiple functions, this may not be a concern. However, small dental offices need to password protect their dental software.
I was in a dental office recently where they use Electronic Health Records (EHR). The office was closed the day I arrived to provide HIPAA training. Their computers were on and open, with no password protection. Every burglar in town could have broken into their office and accessed their patients’ entire PHI. I have seen this before and I have to wonder how commonly this scenario plays out in dental offices across the country?
· Lock your computers
· Ensure access to dental software (EHR) is password protected
· Ensure the password is not a factory default, “password”, “12345”, a pet name, a loved one’s birthday, or the office phone/fax number (stepped on a few toes there, huh?)
We’ll talk again soon!