Matters of the Heart…and HIPAA
Bright Smiles Dentistry: Episode One
“He what?”
Dana set her pen down slowly, her heart sinking as Sally stood in the doorway, nervously twisting the hem of her scrub top.
“Tom looked up a patient’s file to get her phone number to text her. Asked her out,” Sally whispered, leaning in as though the walls might be listening. “He told Carlos she seemed into it during her appointment.”
Dana’s stomach churned. This wasn’t just inappropriate—it was a blatant HIPAA violation.
“Thank you for letting me know,” Dana said, keeping her voice calm. “I’ll handle it.”
As Sally left, Dana stared at her desk, the weight of the situation settling in. She’d been with Bright Smiles Dentistry for nearly a decade, starting as a part-time receptionist back when it was just her, Dr. Chang, and a single hygienist juggling far more patients than they could handle. Over the years, the practice had grown—a new location, a full staff of hygienists and assistants, and a bustling front desk. But with growth came challenges.
Tom, for instance: a hygienist with stellar technical skills but a knack for pushing boundaries. Dana had spent years managing personalities like his, but this went beyond the usual workplace hiccups. She needed to address it decisively.
Reaching into her desk drawer, Dana pulled out the practice’s HIPAA Privacy and Breach Policies. When she put this document together using a template from CEDR HR Solutions, she had assumed it was a required resource but not one she’d actually use often. Dana knew having it was critical now. A violation like this couldn’t be brushed aside.
Dana logged into backstageHR, CEDR’s member portal, and navigated to the Training Center. The HIPAA breach training video was right where she’d remembered seeing it during onboarding. She hit play, grabbing her notebook. As the steps for managing a breach unfolded on the screen, she began to organize her approach.
Investigating the Incident
First, she needed to investigate and document the incident. Dana pulled Tom’s access logs from the practice management software. Sure enough, the patient’s file had been accessed outside of her appointment window. She made a note of the date and time, knowing this would be crucial for her HIPAA incident report.
Dana knew she had proof that Tom had accessed patient information outside the scope of his job duties. She now needed to decide what to do about it. She contacted the team of advisors at CEDR to talk it through with someone.
Dana and the CEDR team were on the same page. Accessing a patient file for personal reasons was a HIPAA violation in itself, and Tom needed to be firmly counseled about it. If he actually had used the patient’s phone number to ask her out, that was, of course, much worse. Dana had no reason to believe what was reported to her wasn’t true, but CEDR and Dana made a plan for Dana to meet with Tom to find out what he had to say about it.
By the time she called Tom into her office later that afternoon, Dana had reviewed the entire HIPAA breach process twice. She had also finalized two documents that CEDR provided to her: a Final Written Warning and a Termination Letter. That let her be prepared to take whatever action seemed most appropriate based on how things went with Tom.
Addressing the Violation of Privacy
Tom walked in with his usual air of confidence, but Dana wasn’t fazed. She gestured for him to sit, then laid out the facts.
“Tom, I’ve reviewed the access logs, and it’s clear you looked up a patient’s contact information when you had no reason to contact her about her treatment. Can you tell me why you were accessing her file?”
Tom shifted in his seat, his confident facade cracking slightly. “I didn’t think it was that big of a deal,” he said, his tone defensive. “We were chatting during her last appointment about movies, so I sent a message to her asking if she wanted to see a movie with me.”
Dana firmly stated, “Using her private information for personal reasons is a violation of HIPAA and our practice policies. It’s also a serious breach of trust, both for the patient and this office.”
Tom rolled his eyes and commented, “She seemed interested when she was here, so I don’t think it’s a problem.”
“It is a big problem,” Dana replied firmly. “Not only is it illegal, but it also puts the patient in an uncomfortable position and jeopardizes the trust they have in us. We cannot and will not tolerate this behavior.”
“Yeah, ok. I guess I should’ve just asked her out in person when she was here then. Sorry.” Tom smirked at Dana, clearly still not taking this seriously.
She was glad to have termination paperwork already prepared. Tom didn’t even acknowledge that what he did was a problem or respect the seriousness of the situation. She handed it to him: “Effective immediately, you are terminated for violating HIPAA regulations and breaching practice policies. This decision is final.”
Tom’s face fell, but he said nothing as he took the paper and left the office.
Dana felt a mixture of relief and exhaustion. She remembered that CEDR had told her to take the time she needed to sit with her emotions and let her mind settle before jumping to the next thing. She didn’t enjoy firing people, but this was necessary to protect the practice and its reputation. She took a few minutes to collect her thoughts.
She contacted her IT company to ensure Tom’s access would be completely removed from all of their systems immediately.
Informing the Patient
Next, Dana contacted the patient. She practiced what she would say beforehand, her stomach tightening as she dialed the number.
“Hi, this is Dana from Bright Smiles Dentistry,” she began when the patient answered. “I’m calling because I need to inform you of an incident involving your contact information. One of our employees used it inappropriately to send a personal message.”
The patient was polite but understandably uncomfortable. “I didn’t reply,” she said quickly. “It was weird, but I wasn’t sure if I should report it or what.”
“I completely understand,” Dana said, her voice steady but apologetic. “I want to assure you this is not something we take lightly. We’re addressing it internally and will take every step to ensure your information is safe moving forward. If you have any concerns or questions, please don’t hesitate to reach out to me directly.”
The patient thanked her, and Dana hung up, letting out a slow breath.
Finalizing the Documentation
Dana returned to her desk to finalize the documentation. She updated the incident log, noting the steps she’d taken to address the breach, and scheduled a refresher HIPAA training for the rest of the team.
Her mind wandered briefly as she typed. It hadn’t been easy convincing Dr. Chang to invest in a professional HR service like CEDR. For years, they’d relied on ad hoc solutions—a patchwork of policies borrowed from friends and Google. But after a near-miss with a compliance issue last year, the new custom handbook and ongoing HR support had proven invaluable. Without those resources, handling a situation like this would have been far more overwhelming.
By the time Dr. Chang arrived for their weekly check-in, Dana had a full report ready to share. “We’ve addressed the incident with Tom and taken steps to ensure this doesn’t happen again,” she told him, walking him through the documentation.
Dr. Chang nodded, visibly impressed. “Thanks, Dana. I know this wasn’t easy, but you handled it exactly how we needed.”
As Dana returned to her desk, she allowed herself a brief moment of satisfaction. The situation wasn’t one she’d ever wanted to face, but with CEDR’s guidance, she had navigated it confidently. There would always be new challenges, but for now, the practice was back on steady ground.
In Next Month’s Edition:
A new hire brings fresh energy to Bright Smiles Dentistry, but not without complications. As Dana juggles onboarding and performance management, tensions within the team begin to bubble. Will she be able to keep everyone on track while maintaining her sanity? Find out in March’s chapter, “Spring into Wellness.”