The Linda Harvey Group

Nine Tips for Creating and Using Good Passwords

linda — Mon, 02 Apr 2012 20:21:26 +0000

By Linda Harvey, RDH, MS

We have become so comfortable with using passwords that we sometimes cut corners when creating or using them. But it is important to remember that, when we use passwords and User IDs to log into computers or websites, we must use the same care in safeguarding our patients’ privacy as we use in caring for the patients themselves.

By using secure, “unhackable” passwords we protect ourselves and our practice from security breaches—and the resultant HIPAA or HITECH fines.

Don’t use your telephone number, social security number or date of birth.
Don’t use a word found in the dictionary, even if it is only part of the password. Hackers have special programs for breaking such passwords. Instead, use the first letters of each word of a phrase: adhfl, for instance, which is the first letter of each word of the phrase “all dogs have four legs”. Or use the title of your favorite song.
Use a mix of upper-case and lower-case letters: adHfL
Include numbers, but don’t repeat a number, or use numbers in sequence. (12334578 is never acceptable!) adH2f9L7.
If the site will allow it, intermix special characters: $adH>2f9L7
Don’t use the same password for different sites. If a hacker can figure out your password for one site, he has them for all the sites where you’ve used that password.
Store passwords in a secure place away from the computer.
Change your password frequently, and avoid re-using passwords.
Never send a password—or any other private information—in an email. Email is not secure.

When HIPAA Comes Knocking

linda — Mon, 02 Apr 2012 20:14:40 +0000

By Linda Harvey, RDH, MS

Knock, Knock
Who’s there?
OCR
OCR, who?
Oh see, are your HIPAA Policies up to date?

According to the 2011 Second Annual Benchmark Study on Patient Privacy & Data Security by The Ponemon Institute, data breaches are on the rise—and most of them are caused by employee mishaps. Recently, I worked with an office that was under informal investigation by the Office of Civil Rights (OCR) for a privacy violation. It’s a situation everyone wants to avoid, yet in today’s regulatory world, it’s a very real possibility.

We’ll call him Dr. Smith. One of his assistants burned a copy of Mrs. Jones’ X-rays onto a CD and personally handed it to Mrs. Jones. When Mrs. Jones discovered that the information on the CD was someone else’s, she filed a complaint with the US Department of Health and Human Services (DHHS).

Dr. Smith was stunned when he received the complaint from OCR (the civil and health privacy rights law enforcement agency of the DHHS). After all, his staff did their best to handle Mrs. Jones’ concern. The specific violations cited included:

The Privacy Rules states that a covered entity may not use or disclose protected healthcare information except as permitted or required by the Privacy Rule.
45 C.F.R § 164.502 (a).
The Privacy Rule also mandates that a covered entity must have in place appropriate administrative, technical and physical safeguards to protect the health information.
45 C.F.R. § 164.530 (o)(1).
A covered entity must provide a process for individuals to make complaints concerning the covered entity’s policies and procedures required by Privacy Rule.
45 C.F.R. §164.502 (d)(1).

The OCR required a long list of documents from Dr. Smith, including statements about his policies and procedures on impermissible uses and disclosure, safeguards for preventing such disclosure, his privacy complaint process, documentation of staff training including training materials, and signed acknowledgements from trainees. Now Dr. Smith is playing catch-up, since his HIPAA manual and staff training are not current.

What can you do to prevent this from happening in your practice?

There are several steps you can take to avert an OCR investigation:

Privacy awareness and training must be an ongoing priority. Train all staff to recognize and report privacy complaints, and to stay alert for privacy breaches.
Implement a checklist for copying data that includes having another staff member recheck the data before it’s released to the patient.
If patients have privacy concerns offer them an in-office complaint form (this form should already be part of your HIPAA manual) and suggest they meet with your Privacy Officer.
Develop scripts or tips staff can use when handling privacy complaints.
Be sure your manual covers all the above procedures in detail.

Conclusion

The repercussions from this incident may be wide-spread and long-lasting. Dr. Smith needs legal representation, which may not be covered by his insurance. He and his staff are being diverted from their normal duties in order to update and collect the documents requested by the OCR. To further complicate the situation, the complaint may be released to the public under the Freedom of Information Act—which could mean that other patients in his practice may hear of it, resulting in a possible loss of reputation, patients and revenue.

It’s easy to become complacent or frustrated with the myriad of regulations that must be followed, but in the long run compliance is much more cost-effective.

Go Team! Utilizing a Team Approach for Patient Safety

admin — Sat, 21 Jan 2012 03:44:28 +0000

By Linda Harvey, RDH, MS

Just as it takes a team to win a football game, it takes a concerted approach to provide consistent quality care in the dental office.

Risk management and patient safety can be thought of as a football team: every team consists of offensive and defensive players; each player possessing a unique set of skills practiced and honed throughout the season. A recent seminar attendee described his office manager as his team’s quarterback, “Nothing happens around here without her—she keeps the schedules, calls the plays, and helps us have a winning day.”

Here are five strategies you can use to improve your quality and safety initiatives (and score big points with your patients):

Recruit the Right Players

Hire Smart. Anyone can look good on paper or on a resume, but this is not necessarily indicative of their skills or ability to work well with others. Besides validating references, take it a step further by verifying licensure credentials by checking with the state licensing board. There have been documented cases of identity theft involving imposters who posed as dental professionals.

Conditioning/Learning from Others

Once you have the right players in place, continue to learn new plays and strategies. Take into account patient safety and risk management expertise outside the field of dentistry. This body of knowledge can help you condition your team and identify areas for improvement. For example, results of a study conducted in 2000 by the American Academy of Family Practitioners showed 44% of errors in physician offices were attributed to communication and discontinuity of care. These types of errors can easily occur in a dental office. Why not consider implementing a blame-free environment that encourages staff to report errors and near misses.

Practice/Training

Train your team well. Training shortcuts will quickly become evident once your team shows up on the field. Often training is done in a ‘trial by fire’ method—new staff members are shown the ropes while seeing patients. Of course, the new staff member can’t absorb everything thoroughly much less understand the mission, vision and philosophy of the practice through this haphazard method.

Hygienists, assistants and business staff make up more than 3⁄4 of the dental industry, and these staff members are doing most of the interacting with patients. With a thorough training and orientation program your staff will become good spokespeople on your behalf, ready to provide quality care in a safe manner once the game begins.

Game On!

The excitement is in the air! Our game is on when the patient is sitting in the chair. Just like a football team, we have an offense and a defense; however we have to play both roles (no wonder our feet hurt so much!). While patient safety and risk management are on the same team; patient safety can be likened to an offensive strategy, whereas risk management is more defensive in nature. Here is a brief snapshot of how the roles play out:

Offense (Patient Safety): The foundation of all dental care is patient safety, so naturally this is your offense. While dental procedures don’t typically involve life and death surgery, we are performing procedures and/or administering medications that affect a patient’s total body health and safety. As compared to risk management, the dental patient safety movement is still in its infancy. Currently, most patient safety information is from the hospital environment, although the body of knowledge about patient safety in other settings like dental offices is growing steadily.

Defense (Risk Management): Risk management has always been a concern for dental practices and with our litigious society the hazards increase every year. Even if a practitioner is never involved in a lawsuit, the number of complaints filed with the dental boards is on the rise. An investigation by the dental board that results in probable cause and subsequent sanctions can easily cost $10,000 or more. Tangible losses include lost production and legal expenses as well as fines and penalties paid to the board. On-going, up-to-date risk prevention practices are the best approach.

Stats/Recordkeeping

While most of us don’t have a JumbotronTM in the office to track every play, we can set benchmarks for recordkeeping success. Remember, the quality of your work is judged by your written word (patient chart), which is all dental boards have to rely on in disciplinary cases. Here are three quick tips to make sure your stats are reliable:

Stay alert to recordkeeping techniques whether electronic or paper. Remember if you are frequently making corrections, it may be a sign that you aren’t mentally engaged with the process at hand. Follow a logical sequence (e.g. SOAP) when documenting to keep you mentally on task and minimize opportunities for forgetting key information.
Focus on your choice of words and intent before putting it to paper or computer. Poorly phrased entries will be interpreted quite differently by an attorney or peer review panel.
Read and re-read what you wrote. This doesn’t sound like a short-cut but it saves time from making corrections and finding problematic errors down the road that could make you appear negligent.

Don’t wait to document. Do it during or at the end of each patient appointment as needed. In disciplinary cases dentists are commonly charged with simple documentation errors, such as failing to document an adequate medical history. Contemporaneous documentation ensures that critical patient care information is not omitted.

Follow these tips to ensure your team always has a winning season.

The Many Faces of Safety

admin — Sat, 21 Jan 2012 03:42:25 +0000

by Linda Harvey, RDH, MS, Licensed Healthcare Risk Manager

June marked the celebration of the National Safety Council’s (NSC) National Safety Month. Chartered in 1913, the NSC is a not-for-profit organization that promotes safety of Americans at home, on the roads, and at work. The NSC dedicates each week in June to a different aspect of safety, particularly reminding us to review workplace, driving, emergency preparedness and home and community this year.

Being safe in today’s world has taken on a new meaning, as home security systems, monitored parking garages, and personal cell phones are the norm. This raises the question, “What does personal safety mean to you?” What measures can you take to improve your personal safety?

When applied to healthcare, the word “safe” also has an important meaning—free from risk or injury. Newspapers, TV and magazines are full of heartbreaking stories about untoward patient incidents. As a result of patient-related mishaps and medical errors, safety in healthcare has become a national priority. The same questions we ask about our own safety can be asked about the safety of the patients we care for. What does patient safety mean to me? What can I do to improve patient safety in my practice?

One organization dedicated to patient safety is the American Society of Healthcare Risk Management (ASHRM). In addition to promoting effective and innovative risk management strategies, ASHRM also focuses on developing and implementing safe and effective patient care strategies. Each year, ASHRM celebrates Healthcare Risk Management Week in June. This year’s theme was “Make Your Mark.”

How can you make your mark? There are numerous opportunities and resources available to strengthen safety in our personal lives as well as in the lives of our patients. First, pause to become more aware of safety; next identify strategies for improving safety; and, finally, make a commitment to continually improve safety at home and at work. Safety is a universal issue.