I seriously got this rebuttal from a Doctor. Fortunately, it’s not the first time a Doctor has tried to claim they ‘only’ did paper charting, so I knew how to respond.
Upon further digging, I discovered that the paper records included a copy of the insurance card, the driver's license number, copies of consent forms, and credit card payment records predating the current PCI requirement to retain only the last 4 digits of a card number. Also, the ‘locked’ cabinets the office bragged about were never locked — ever. When attempted, the doors refused to close. There were also decades of inactive paper records stored with a vendor that is not contractually a Business Associate.
The practice did have a computer that was used for scheduling appointments and email communications. Scratching beneath the surface, I discovered that the email was a free email account with a basic password that, of course, had never been changed, and that it held hundreds of messages exchanged between practices containing ePHI. As is common with most people, the email was being used as a database.
Then I asked about who has access to this email and on what devices. Turns out the Dr. and Front Desk Employee have this email accessible on their personal (unencrypted) cell phones and probably at their home computers as well.
It turns out there were other technology vulnerabilities as well, such as incorrectly configured Wi-Fi and minimal physical security, but it took someone with experience and a keen eye for both physical security and technology security to point out that there are, in fact, many vulnerabilities in their practice.
Just because you have paper doesn’t mean you are safer. You just have a different set of risks to look at than a digital or semi-digital practice.