Do Passwords Protect the Identity of Patients?

Essay on eDR and eHR Data Integrity

By D. Kellus Pruitt DDS

“ADA Tip: Password protection is the responsibility of each workforce member. Strong alphanumeric passwords provide a strong defense against unauthorized electronic system intrusion. Passwords that cannot be guessed, that are not publicly posted, and that are changed on a regular basis will help your practice avoid the occurrence of security incidents.”

– 2010 ADA Practical Guide to HIPAA Compliance, Chapter 4, page 26.

Not So Fast, ADA 

I read a recent article on titled “How to Break into a Windows PC (And Prevent It from Happening to You).” The unnamed author tells a different story.

Running on Windows®  

Apparently, if a healthcare provider’s office computer runs on Windows and it is not encrypted, password protection is worse than ineffective security. Passwords are false security. If is correct, all a dishonest employee needs to download thousands of patient identities to sell for a few hundred bucks is a Linux CD and 10 minutes of snuggle-time with an office terminal.

What’s more, it is unlikely that the thief will ever be caught if he or she sports common sense. Months or years following the silent heist, the doctor could learn of a rash of neighborhood identity thefts from a federal investigator with a badge – waiting in the reception room for the doc’s next break between patients. Please remember this gaping hole in security the next time a HIT stakeholder like the ADA assures Americans that HIPAA is swell protection from identity theft. HIPAA empowers identity theft. The amendments to the 1996 Rule in 2002 gave too much away to campaign contributors, in my opinion.

About De-identification 

Now then; since you’ve made it this far, is anyone ready to consider a different path to the benefits of electronic dental records? It’s called de-identification. My goal has always been to stimulate open discussion of de-identifying dental records because it is so common sense to remove fuses from bombs. In 5 years, I’ve had very little success attracting sincere discussion about de-identification other than privately. Nevertheless, over the years I entertained an adequate amount of ridicule that stopped a few months ago. Like Charlie Brown and his persevering faith in the Great Pumpkin, I’m resolute.

HIPAA Data-Breach Liability

Physicians might not be able to get away with sidestepping HIPAA and data-breach liability using de-identification because it is so easy to re-identify owners of medical records. And insurance company CEOs who don’t know the difference between cost control and quality control will fight de-identification of dental records before giving up the exclusive right to bend proprietary algorithms toward bonuses.

Here Comes the Pitch!  

Is America interested in better dental care through a transparent 2.0 platform that incentivizes value-based competition for dental patients instead of paid ads? I have a better solution than HIPAA: Drop the PHI identifiers from dental records and store volatile health histories on one or two well-guarded flash drives. It’s that simple. Want to see miracle discoveries in dentistry? Offer the boring but safe raw, de-identified dental data to anyone who cares to perform Evidence-Based Dental research. Interoperability will still be incredibly tedious and expensive, but at least the effort won’t be doomed by dangerous and expensive HIPAA regulations.


So how about it? Imagine the incentives for self-improvement if dentists could privately compare their treatment results with competitors’ – without risk of harming their patients or practices – on an “opt-in” basis rather than a mandated fantasy of a “pay-for-performance” [P4P] model run by stakeholders with investors to answer to. If our grandchildren are to benefit from unbiased Evidence-Based Dental research mined from facts rather than manicured dental claims, passwords won’t allow them a return on ARRA investment and encryption is just one more layer of expensive and futile complication.

