Passwords. HIPAA password requirements. The legal ramifications of lax log-in and password protocol. Practice Mechanic Rick Garofolo dives deep on why these systems need to be locked up tight!
In case you haven’t noticed a theme in the past few Compliance Corner articles, I get a lot of what I write about from Facebook. I think Facebook is a fantastic place for dental professionals to discuss topics with each other. They can learn from others, and get help with things they are having issues with. For these reasons I love Facebook.It is also a place where trolls gather (I wish they would stay under their bridges), where people attack each other for their differences of opinion. It's also a place where anyone can become an expert.
The problem is that a TON of these people giving advice have no real idea what they are talking about, and people are listening to them and putting their incorrect advice in policy in their offices. For these reasons I hate Facebook. Now it seems it isn’t going anywhere, and Mark Z wont return my calls anymore, so we have to deal with it. So what is this month’s article actually about? Glad you asked!
The latest Facebook to grind my gears is about passwords. An office manager posted that her office was sold and her new employer demanded that every employee give this new owner their usernames and passwords to log in to the Practice Management Software. Of course, 47 replies later, 46 of which were, “It is her software, give them to her,” I had the opportunity to respond with a resounding, "DO NOT DO IT." This is for a few reasons.
One is that it's a violation of the HIPAA Security Rule for any person to know any other person’s password. The sharing of accounts, log-ins, and passwords is a violation of the Security Rule Access Control §164.312(a)(2)(i) (go ahead, type it in Google, I’ll wait). It specifically says that every covered entity MUST assign unique user IDs to access PHI. Do you use a shared Gmail for the office? That’s an issue because you can not track who was logged in when and sent which email, viewed what PHI or PII (if you don’t know what that is, we covered that in a previous article here).
Don’t share your passwords with anyone ... no one should know them
Now let’s take HIPAA out of the equation if we can. Let’s take a different more legal approach. A few years ago, I got a call from a potential new client in Seattle. He needed HIPAA compliance training for his team and found me online. When I asked why the sudden interest in compliance he shared a story that I will now share with you. This individual had fired a hygienist the year prior for using the computer in the op to view inappropriate adult websites. The computer got a virus from one of these websites and the entire network was affected. He terminated the employee. However, a few months later the hygienist filed a wrongful termination lawsuit. They cited the fact that the employer could not prove it was the hygienist accessing those websites. Why? Because everyone used the same log-ins on all the computers.
Side Note: "Op1" and "Smile" are not secure log in credentials!
The dentist's insurance company evaluated the merit of the case and decided to settle with the hygienist for six years' worth of income. At renewal time, they dropped the dentist (refused to renew). He was also forced to find a new policy at a MUCH higher premium since he had a claim and lawsuit settled. The lesson here is that if the employer had unique log-ins for each employee, where ONLY the employee knew the password, the lawsuit, settlement, and increased rates would never have occurred.
I have no clue what my employees' passwords are to their log-ins. I don’t need to. Microsoft lets me log in as an administrator and reset it, delete the user ID, change the password, and all sorts of other nifty features. I don’t need to know their passwords to Eaglesoft or Open Dental or any other PMS because as an Admin I can change it, reset it, block their log-in, disable their account, etc. So now the issue becomes using things like Gmail, Yahoo, reminder services, and any other place where a patients PII or PHI are located.
RevenueWell accounts offer individual log-ins for each employee (YOU NEED TO DO THAT IF MORE THAN ONE PERSON LOGS IN), as does its Enterprise option for multi-location practices. Don’t use a service that doesn’t offer it!
If you have unique log-ins and something happens under your username, you are the one that did it — even if you didn’t!
Get Office 365 from Microsoft for anywhere from $4 to $15 per month per user. Set each person up with their own email address. You can also add on encryption for around $5 a month! And, yes, you can still have info@ or contactus@, or frontdesk@ emails. They are just distribution groups, and super simple to set up.
For employees, don’t share your passwords with anyone else. No one should know them. If you have unique log-ins and something happens under your username, you are the one that did it – even if you didn’t! Employers, you don’t want to know your employees' passwords. If you do, and they do something wrong, it could have been you because you know their log-in. Stop sharing this info. And stop listening to the trolls and know-it-alls on Facebook who really don’t know what they’re talking about!
If you are not sure, ask a professional. You can always email or call me, just use #revenuewellrockstars as the subject line and I will respond SUPER quickly.
Learn firsthand about how RevenueWell improves case acceptance and creates more close-knit relationships between dentists and their patients.