The Linda Harvey Group blog is your practice's information source for comprehensive risk management, covering topics such as patient safety, identity theft, employment law compliance, disciplinary sanctions, OSHA/infection control, and documentation/recordkeeping. Leverage our expertise and regain confidence and joy in your practice!

An unencrypted USB drive ended up costing one dermatology practice $150K in fines. The device, containing ePHI relating to Mohs surgery on approximately 2,200 patients, was stolen from a staff member's car on September 14, 2011. The drive was never recovered.

The practice notified patients of the breach within 30 days of its discovery and also notified the media, as the Breach Notification Rule requires when a breach affects more than 500 residents of a state or jurisdiction. However, upon investigation, the HHS Office for Civil Rights (OCR) concluded that the practice was non-compliant in three areas:

(1) The practice did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process until October 1, 2012, more than a year after the theft.

(2) The practice did not fully comply with the administrative requirements of the Breach Notification Rule: it had no written breach notification policies and procedures in place, and it did not train members of its workforce on the Breach Notification requirements until February 7, 2012.

(3) On September 14, 2011, the practice impermissibly disclosed the ePHI by allowing an unauthorized individual access to it for a purpose not permitted by the Privacy Rule. In other words, the practice did not reasonably safeguard the unencrypted flash drive, which was stolen from a staff member's unattended vehicle.

What this means for your practice:  The Privacy and Security Rules have been in effect since 2003 and 2005, respectively. Because the practice had had several years to implement the requirements and failed to do so, OCR treated the violations as willful neglect, the penalty tier that carries the stiffest fines.

The moral of this story is not that you should avoid the required reporting if you have a breach (any of the 2,200 patients could also have filed a complaint). Rather, this is a good time to ask yourself whether you have been conducting the required risk assessments and identifying and implementing safeguards to protect patient data. Updating a patient's health history is an ongoing process; so is analyzing where and how your data is stored.

In the early 2000s most offices were filing claims electronically, but few were using digital X-rays, electronic patient records or other technologies that store patient data. Today, almost all offices use them. It has also come to light in recent years that patient data, along with other confidential business information, is retained in the non-secured memory of fax and copier machines.

While you might not have any unencrypted flash drives lying around, take note of where your data is stored and how it moves through your system. Keep in mind that the Breach Notification Rule applies to unsecured PHI: if a lost or stolen device was encrypted in line with HHS guidance, the data on it is not considered unsecured and its loss is not a reportable breach. Encrypting portable media and laptops is the safeguard that turns a stolen drive from a reportable breach into a lost piece of hardware.

To read the Final Settlement and Corrective Action Plan, click here.

Additional Reading: Healthcare IT News


Regulatory compliance and patient care were the cornerstones of Dr J’s practice. He couldn’t believe the allegations made by a former employee to the licensing board. His billing practices, delegation of duties and ethics were being scrutinized. After thousands of dollars in defense costs, he faces severe sanctions.

The onslaught of new regulations, healthcare initiatives and practice management challenges can easily confuse the most astute practitioner. It’s no wonder that dentists with exemplary records of patient care may find their practice in the regulatory spotlight.

Practice managers and dentists agree that it takes the “right team” to run a successful practice.  More than a clinical team, it takes seasoned risk management and compliance professionals to help dentists avoid getting themselves into trouble with the regulatory agencies.

Traditionally, dental risk management has focused on patient care—patient safety, informed consent and good documentation.  But now, like any other corporate enterprise, dental offices must have access to a full spectrum of experts, including risk management and compliance, infection prevention, human resources and others.

Dentistry needs a fresh approach to risk management, and we are providing it!  We are excited to announce the launch of Risk Academy II this September.  The time is now to start elevating your risk management expertise.

If you are ready to worry less about regulatory issues, embrace risk management from a new perspective and enjoy dentistry more, I invite you to give me a call at (904) 573-2232.


Flagrant infection control breach in Tulsa: Will it spark more oversight for dentistry?

April 30, 2013

Last month the news broke that Tulsa oral surgeon Scott Harrington, DDS, had treated patients under unsanitary and unsafe conditions for as long as six years.  As a result, letters were sent […]


Affordable legal advice is here!

January 18, 2013

Working Americans and their families face a myriad of legal issues almost daily, and legal problems know no economic boundaries. All income levels experience legal issues or events at about the same rate.  But a recent Legal Needs Study showed that, although 57 million full-time working Americans experienced at least one significant legal event in […]


When is it permissible to release patient information without permission?

January 18, 2013

Sometimes it is permissible to release patient information without permission.  But when?  This recent letter from the HHS provides some helpful answers: “I wanted to take this opportunity to ensure that you are aware that the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule does not prevent your ability to disclose necessary information about […]


What Not to Say to a HIPAA Auditor

September 24, 2012

Here are Linda's top three responses to avoid when a HIPAA auditor shows up at your doorstep: (1) We're closed for lunch. Can you come back tomorrow? (2) We paid our fines last year. (3) We have nothing in place; we are so glad to see you because we need your help. There is no time like the […]


Risk Academy Success!

September 16, 2012

Thanks to everyone who helped make the inaugural Risk Academy a huge success this summer.  Here’s what two VIPs from the Risk Management academy had to say about this premier event: “It was one of the best classes!  I learned how to be more organized using the Van Write Mind Mapping Technique.  We also discussed […]


Nine Tips for Creating and Using Good Passwords

April 2, 2012

By Linda Harvey, RDH, MS We have become so comfortable with using passwords that we sometimes cut corners when creating or using them.  But it is important to remember that, when we use passwords and User IDs to log into computers or websites, we must use the same care in safeguarding our patients’ privacy as […]


When HIPAA Comes Knocking

April 2, 2012

By Linda Harvey, RDH, MS Knock, Knock Who’s there? OCR OCR, who? Oh see, are your HIPAA Policies up to date? According to the 2011 Second Annual Benchmark Study on Patient Privacy & Data Security by The Ponemon Institute, data breaches are on the rise—and most of them are caused by employee mishaps.  Recently, I […]


Go Team! Utilizing a Team Approach for Patient Safety

January 21, 2012

By Linda Harvey, RDH, MS Just as it takes a team to win a football game, it takes a concerted approach to provide consistent quality care in the dental office. Risk management and patient safety can be thought of as a football team: every team consists of offensive and defensive players; each player possessing a […]
