"Paper Charts Mean I'm Safe From A Data Breach" No, not really

"Paper Charts Mean I'm Safe From A Data Breach" No, not really

Posted by Amy Wood on Aug 20 2017, 09:33 PM

"Paper Charts Mean I'm Safe From A Data Breach" No, not really

I seriously got this rebuttal from a Doctor.  Fortunately, it's not the first time a Doctor has tried to claim they 'only' did paper charting, so I knew how to respond.

Upon further digging, I discovered that the paper included a copy of the insurance card, drivers license number, copies of consent forms and credit card payments prior to recent PCI requirements for limiting only the last 4 digits of a credit card number.  Also, the 'locked' cabinets the office bragged about were never locked -- ever.  When attempted, the doors refused to close.  There were also decades of inactive paper records with a vendor that is not contractually a Business Associate.

The practice did have a computer that was used for scheduling appointments and email communications.  Scratching beneath the surface, I discovered that the email was free email with a basic password, of course, never changed, and in that email were hundreds of messages between practices containing hundreds of messages containing ePHI.  As is common with most people, the email was used as a database.  

Then I asked about who has access to this email and on what devices.  Turns out the Dr. and Front Desk Employee have this email accessible on their personal (unencrypted) cell phones and probably at their home computers as well.

It turns out there were other technology vulnerabilities as well, such as incorrectly configured WIFI and minimal physical security, but it took someone with experience and a keen eye for both physical security and technology security to point out that there are in fact, many vulnerabilities in their practice.  

Just because you have paper, doesn't mean you are safer.  You just have a different set of risks to look at than a digital practice or semi-digital practice.


Share On

Leave A Reply

Please fill all the fields.

Talk to our experts

Start your journey to compliance by directly interacting with our experts. With extensive years of experience in making dental practices HIPAA Compliant, we provide everything from start to finish to make you compliant, safe, secure, and confident against data breach. Look no further, begin your training today by scheduling a class with our experts!