Webinar: 4 HIPAA Violations that Occur When Dentists Communicate with Their Patients
Every day you could be exposing Protected Health Information (PHI), and placing your practice at risk for HIPAA fines and audits. Learn how to safeguard your dental practice against 4 common HIPAA violations that can occur when dentists communicate with their patients.
Join Dr. Lorne Lavine and Mr. Rohit Joshi, LL.B. as they discuss how to engage with your patients while being HIPAA compliant.
Included in the Webinar:
- HIPAA Guidelines for Sending Appointment Reminders
- New Omnibus Rules for Marketing to Your Patients
- Emailing Protected Health Information to Your Patients
- Communicating with Patients Inside Your Practice
To learn how to get your free CE credits please call 1-800-238-6503 or submit our contact form.
Subscribe to Brightsquid Today!
Sign up to Brightsquid and start using Secure-Mail for secure messaging with specialists, dentists and labs.
Communicating with Patients Inside Your Dental Practice
- Only discuss PHI in private areas (inside the treatment room)
- Maintain patient privacy in waiting rooms
- Lock computer access inside the treatment room
- Keep patient files private and do NOT leave the files unattended e.g. hanging outside a treatment room
- A doctor may discuss a patient's treatment in front of the patient's friend if the patient asks that their friend come into the treatment room
Promoting Your Practice's Privacy Procedures
- Notice of Privacy Practices - Your practice is required to develop and distribute a notice that gives a clear, user-friendly explanation of your patients' privacy rights and of your practice's privacy practices.
- Patient Privacy Brochure - Promote your commitment to your patients' privacy and differentiate your practice
HIPAA Guidelines for Sending Appointment Reminders
According to HIPAA legislation it is okay to send your patients appointment reminders.
- Do not disclose Protected Health Information (PHI)
- Make sure your policies are part of your Notice of Privacy Practices (NPP)
Safeguarding Protected Health Information Using Secure-Mail™
- Email is NOT HIPAA Compliant
- Secure-Mail™ IS HIPAA Compliant
I heard that Google advertises to people based on PHI, is this true?
Yes. Recently the Interim Privacy Commissioner in Canada has led an investigation into Google's advertising policies, stating, "Most Canadians consider health information to be extremely sensitive. It is inappropriate for this type of information to be used in online behavioural advertising." For more information on the investigation please visit the recent news article.
How do we communicate with a specialist who we want to refer to without violating HIPAA?
Brightsquid Secure-Mail™ is the HIPAA compliant way to communicate with your specialists. Whether you are sending a patient referral or just following up on a treatment, Brightsquid allows you and your colleagues to communicate safely, with specialised tools to facilitate the relationship. These tools include: secure messaging in a HIPAA compliant manner, Image Studio where you can view and manipulate photos including 3D images, dashboards to help you stay updated on treatment, and a Treatment Sequencer where you can schedule patient care. For more information on communicating with your colleagues through Brightsquid please contact us.
Does the recipient of an email sent through Secure-Mail also need to be subscribed to Secure-Mail?
Yes. Your colleague will need to join the network, and this can be done in a number of different ways. We do this to maintain HIPAA compliance.
My 25 - With your Dentist subscription to Brightsquid you get the "My 25" package. This allows the account holder to choose up to 25 colleagues that they regularly communicate with on confidential matters. When you register a user, you are providing them with a subscription to Brightsquid, where all communication between you and your registered recipient is stored and archived on the system. Typically 25 colleagues are more than enough for most dental practices. In a typical scenario, we see a dental practice communicate with a maximum of 5 labs and 5-10 specialists. This still leaves 10 additional users to add to "My 25".
Free Accounts - If you are just sending the occasional email, your colleague can sign up for a free account on Brightsquid. With this free account, communication is not stored on the system and will not be accessible after 14 days.
Your colleague can purchase their own account. This is the most common situation, as most dental professionals prefer their own account. With the low cost to get started with Secure-Mail™ we find this option very popular.
How does a Secure-Mail recipient get a password to decrypt a message?
Your colleague will set up their own password the first time they log onto Brightsquid Secure-Mail™. After your colleague sets up their password they simply have to use it next time they sign into the platform. Once they enter their password, the message will automatically decrypt. This is done to maintain HIPAA compliance; it also has the advantage that you do NOT have to maintain passwords for your colleagues. For more information on Secure-Mail™ please contact us.
Why would I use your system over another HIPAA compliant service?
There are a number of reasons that set Secure-Mail™ apart from its competitors in the market. The first is the commitment Secure-Mail™ has to HIPAA compliance and email security. We would recommend sending our Software Checklist to other vendors to make sure their service is meeting industry standards for HIPAA compliance. A number of software providers claim "HIPAA Compliance", but as the Office for Civil Rights (OCR) and the U.S. Department of Health & Human Services (HHS) do not endorse or certify any persons or products as "HIPAA compliant", it can be difficult to substantiate this claim. The second advantage Secure-Mail™ has is that it is developed exclusively for the dental community, with large 500MB attachment sizes and image viewers for 3D STL files, DICOM studies and more. When you purchase your Secure-Mail™ account you are also getting a package which includes 5 unique user subscriptions and 25 sponsored/registered accounts that you can provide free to any of your colleagues. For more information on the features and benefits of Secure-Mail™ please contact our office.
Is sending sensitive patient information through e-mail against Canadian law?
In Canada, there are multiple legal regimes that cover privacy. PIPEDA governs personal information collected by organisations of any kind, whether an airline, a bank or a dental office. In addition, many provinces have their own legislation that applies additional measures specifically to protect health information, such as Ontario's Personal Health Information Protection Act, 2004 (PHIPA). Further, most provinces also have professional bodies like the Royal College of Dental Surgeons of Ontario (RCDSO) which have very detailed requirements for the protection of patient information. In creating the Secure-Mail™ service, we have considered all of these regulatory bodies and have placed the most stringent requirements within the system. From the RCDSO's document entitled Electronic Records Management, published in March 2012, comes the following excerpt: "The use of e-mail in our society is commonplace. It is a convenient, inexpensive and quick means of communication. However, as a general rule, e-mail is not a secure means of communication, and may be vulnerable to interception and hacking by unauthorized third parties. Accordingly, dentists should avoid using e-mail to communicate the personal health information of patients, unless they are employing a secure email service with strong encryption. The Information and Privacy Commissioner of Ontario (IPC) has advised that even if patients are willing to accept the risk of unauthorized disclosure of their personal health information in exchange for the convenience of communication via email, this does not alleviate health information custodians of their duty to take steps that are reasonable in the circumstances to safeguard personal health information in their custody and control".
Is it a HIPAA violation to tell a patient that another patient also comes to the practice?
Yes, it could be considered a violation. HIPAA requires that you protect the privacy of your patients' health information. You should not discuss a patient with other patients; even simple information such as whether or not someone is a patient could be considered a breach. If a patient has signed an agreement to be a reference or provide a testimonial, then it is okay to let other patients know that they attend your practice.
What about a no cavities club with pictures on the wall?
We would recommend getting your patient consent to post the pictures. Most patients are happy to provide consent to the use of their photos.
Some people bring in their thumb drives with x-rays. Is this safe?
From a HIPAA standpoint there are no rules against putting CDs or USB drives into your computer. We would recommend taking precautions, as you could expose your computer to malware or viruses. It is much safer to send information through a service like Secure-Mail™. We have a number of customers who prefer Secure-Mail™ as they do not have to worry about sending USB drives back to the sender, or about making sure the information is properly copied onto a CD or drive. Brightsquid Secure-Mail™ performs a number of checks on each file to ensure that it does not contain viruses or malware.
Is a photograph of a patient's teeth only considered PHI when it has no other identifier? Can this data be shared with a lab without violating HIPAA?
Whether the picture is considered identifiable depends on the image itself, including any markings or unique characteristics it contains. The practical challenge is that without patient identifiers, how would the recipient know which patient the message refers to? To reduce your liability we recommend sending the photos using Brightsquid Secure-Mail™. It is also important to send your lab high-resolution photos, which is not always possible using traditional email services. Brightsquid Secure-Mail™ not only provides a HIPAA compliant exchange of information, it also allows you to attach up to 500MB in every message. This way your lab will always receive high quality photos from you, making it easier for your lab to produce the quality your patient desires.
Is the lab a business associate? Do we need to get a business agreement with our lab?
Typically laboratories are considered Covered Entities and not Business Associates. That being said, there is nothing wrong with getting your lab to sign a Business Associate Agreement, and most labs are happy to do so. For more information on Business Associates and Covered Entities please visit the U.S. Department of Health and Human Services website.
Can we share patient information via fax (if not regular email) with an adequate cover letter?
For faxes, it depends on how the machine is used. Fax machines need to be located in a secure environment where only authorized individuals can see incoming faxes. On August 14, 2013 the U.S. Department of Health and Human Services (HHS) settled a photocopier breach case with a health plan. OCR Director Leon Rodriguez said of the settlement: "This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it's recycled, thrown away or sent back to a leasing agent. HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals' data, and have appropriate safeguards in place to protect this information." For more information on this case as well as the $1,215,780 fine please visit the HHS website.
In the NPP, should a regular private practice mention about research, even if they don't conduct any research nor have any plans to do so in the future?
No. If your practice does not conduct any research or plan to conduct any research, then there is no reason to include it as part of your Notice of Privacy Practices (NPP). Your NPP should reflect your practice and its policies and be unique to your situation. The NPP that we provide is simply a guideline that was put together from the U.S. Department of Health and Human Services. Use this link to download a copy of the Notice of Privacy Practices.
What about remote access to the software? Is that ok to use?
You can use remote access to reach your patients' Protected Health Information (PHI) while away from your computer. Note that HIPAA has specific requirements regarding automatic log-off and logging. Please check with your provider, such as "LogMeIn", for specific information regarding HIPAA. You can also send your vendor a copy of the HIPAA Compliance Software Checklist.
Does my patient have to sign the Notice of Privacy Practices?
According to the U.S. Department of Health and Human Services your practice should "make a good faith effort to obtain the individual's written acknowledgment of receipt of the notice. If an acknowledgment cannot be obtained, the provider must document his or her efforts to obtain the acknowledgment and the reason why it was not obtained". For more information on the Notice of Privacy Practices please visit the U.S. Department of Health and Human Services' website.
Is UPS / FedEx a business associate?
No. As UPS/FedEx does not have direct access to Protected Health Information (PHI) they are not considered Business Associates. Be sure to keep PHI sealed inside your letters/packages and do not write PHI on postcards or packaging.
What are the HIPAA risks with LightHouse or other reminder companies?
Patient reminders tend to fall under a grey area with privacy laws. The guiding principle is that Protected Health Information (PHI) needs to be protected and not exposed to people who do not need access to it to provide health care. It should be fine to send out a recall postcard, as long as you are not providing more information than is necessary. Please ensure that you have a patient's consent to communicate appointment information with them over email and text, and that you are using the correct address/number when sending messages. Because email addresses and mobile devices can be shared between different users, you must get the patient's consent before you communicate with them. Please be advised that doctors have been charged when PHI was disclosed in a phone message, so do take precautions to limit your exposure. Secure-Mail™ works in conjunction with your patient reminder system, so you can continue to use your current reminder system for appointment reminders to patients and use Secure-Mail™ to safely send PHI to your colleagues in accordance with HIPAA law. We would also recommend getting your recall system vendor to sign a Business Associate Agreement and providing them a copy of the HIPAA Compliance Software Checklist. You can access both of these documents on the HIPAA Omnibus Guide page.
What about reminding a patient to take their pre-meds?
It is best not to discuss medication in unsecure communication. If you need to make a note on medication, it is best to be as generic as possible e.g. "Please be sure to take your medication as recommended."
How HIPAA compliant is it to have a patient's name written in their dentures?
It is HIPAA compliant to include your patient's name in a denture; this is also required in some states. As the denture is typically the property of the patient there is no HIPAA concern with including their name on the device.
Once you post the Notice of Privacy Practices in the office, do you still have to hand over the notice to each patient or only if they ask?
You should provide a copy of the Notice of Privacy Practices (NPP) during your patient's first visit to your practice, as well as providing them with a copy of your NPP when asked. Please be sure your NPP is posted in your office and on your website. We (Brightsquid) have developed a Patient Privacy Brochure that you can make available in your waiting rooms and/or at the front reception desk. Please note that unlike the NPP, the Patient Privacy Brochure is not required by HIPAA and should be used only as a tool to inform your patients of your commitment to their privacy while differentiating your practice (marketing material). To download a copy of the NPP or Patient Privacy Brochure please visit the Omnibus Guide page.
What kind of info can be sent in a postcard?
It is important NOT to include any Protected Health Information (PHI) in postcards; this principle also applies to any communication that can be easily intercepted, such as unsecure email. PHI includes any information related to your patient's past, present or future health/medical records or payment history. Under HIPAA law there are 18 identifiers that are considered PHI:
- patient names
- geographical identifiers (smaller than state)
- dates (other than year)
- phone numbers
- fax numbers
- email addresses
- Social Security Numbers
- medical record numbers
- health insurance beneficiary numbers
- account numbers
- certificate or licence numbers
- vehicle identifiers
- device identifiers
- web addresses (URLs)
- internet protocol (IP) address numbers
- biometric identifiers
- photographs of the patient's face
- any other unique or identifying characteristic, code or number
For more information please visit the U.S. Department of Health & Human Services.
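A pre-send check built around that identifier list, as an added example (Python; this is not Brightsquid's code, and the patterns, practice contact details and draft messages are all constructed here): it flags the identifiers that have a recognisable shape in a draft postcard or reminder, keeps an allowlist so the practice's own phone number and website do not trigger a hold, and passes the generic pre-med wording recommended above. Names, geography and treatment details have no fixed shape, so a clean result still needs a human reviewer.

```python
import re
from typing import Dict, Iterable, List

# Added example, not Brightsquid code. Only identifiers with a recognisable
# shape are matched; names, geography, photographs and treatment details
# still need a human reviewer, so "no hits" is not proof a message is PHI-free.
IDENTIFIER_PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(
        r"(?<!\d)(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "url": re.compile(r"\bhttps?://\S+|\bwww\.\S+", re.IGNORECASE),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Any date more specific than a year: 03/14/2024, 2024-03-14, March 14.
    "date": re.compile(
        r"\b\d{1,2}[/-]\d{1,2}[/-]\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b"
        r"|\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.? \d{1,2}\b",
        re.IGNORECASE),
}


def find_identifiers(text: str, allowlist: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Map each identifier category to the strings found in text.

    Entries in allowlist (the practice's own phone number or website) are
    ignored so the sender's contact details do not produce a false hit.
    """
    allowed = {item.lower() for item in allowlist}
    found: Dict[str, List[str]] = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        hits = [m.group(0) for m in pattern.finditer(text)
                if m.group(0).lower() not in allowed]
        if hits:
            found[category] = hits
    return found


def safe_to_send_unsecured(text: str, allowlist: Iterable[str] = ()) -> bool:
    """True when no identifier category matched (still subject to human review)."""
    return not find_identifiers(text, allowlist)


# Constructed sample data: the practice's own contact details and three drafts.
PRACTICE_CONTACT = ("(555) 555-0142", "www.example-dental.test")
RECALL_OK = ("It's time for your regular checkup! Call (555) 555-0142 or visit "
             "www.example-dental.test to book.")
PREMED_OK = "Please be sure to take your medication as recommended."
RECALL_BAD = ("Your root canal follow-up is on 03/14/2024. Reply to "
              "jane.doe@example.test or call (555) 555-0199.")

if __name__ == "__main__":
    for label, draft in (("recall", RECALL_OK), ("pre-med", PREMED_OK), ("bad", RECALL_BAD)):
        hits = find_identifiers(draft, PRACTICE_CONTACT)
        print(f"{label}: {'ok for unsecured channel' if not hits else 'hold: ' + str(hits)}")
```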
Is it a HIPAA violation when you submit insurance claims by regular mail vs submitting them electronically?
No. You can still use regular mail (post) when you send Protected Health Information (PHI). When sending files electronically it is best to use Brightsquid Secure-Mail™ to safeguard your patient's PHI. In addition to being HIPAA compliant Secure-Mail™ is also more convenient than regular mail as you can send up to 500MB per email and view the files in our Image Studio. This way you always know that your colleague has received the information and can access it at any time to comment or modify it as needed.
What actions are there to take if you have a HIPAA violation complaint?
The U.S. Department of Health and Human Services offers the following information about Breach Notification Requirements: "Following a breach of unsecured protected health information covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities that a breach has occurred". For more information please visit the U.S. Department of Health and Human Services.
Can you or somebody comment on HIPAA compliance and turning a patient account over to a lawyer for collection?
The guiding principle is to provide the minimum amount of information necessary for your lawyer or debt collection agency to collect the debt. As this would be considered a "payment" function under HIPAA, you do not need to get your patient's consent before sending their information to collections. As most collection agencies are considered Business Associates, please be sure to have them sign a Business Associate Agreement with your practice. For more information see:
How can I get my computer data encrypted? In terms of encryption, are there special considerations with Mac hardware?
Dr. Lavine has a considerable amount of experience helping dental practices get HIPAA compliant. Please contact him for more information and guidance on proper safeguards within your dental practice.
Are there offices using patient id numbers instead of names when sending images to other doctors or labs?
We have not come across many dental practices that are using patient ID numbers. Typically labs prefer to have the patient name as opposed to an ID number, but this will vary based on the lab you are using. You can check with your lab to see if they would use a number instead of a patient name. We often see labs use ID numbers instead of patient names in their communication with milling centres, but this also might vary depending on the lab.
What about safeguarding Protected Health Information (PHI) in these open concept treatment areas? We have orthodontic clients that have chairs in an open room.
The open concept design is very popular in orthodontic practices. The best way to handle this type of situation is to train your staff on privacy etiquette, i.e. appropriate sound levels when communicating sensitive information. You might also want to look into background music to muffle the sound from the treatment area. We would also recommend having at least one private room that could be used in special situations.
How do you handle a patient who is elderly and hard of hearing?
This would be a perfect situation to use a private room. If your patient is having a hard time hearing you or your staff, try bringing them to a private room where you can discuss their treatment. Your patient might also appreciate this gesture as it might be easier for them to hear without the background noise.
Please talk about forms that patients can sign giving office authorization to talk to another person about their PHI or treatment.
You should have your patient sign a written authorization form for any use or disclosure of Protected Health Information (PHI) not otherwise allowed by the Privacy Rule. The Privacy Rule allows the use and disclosure of PHI for treatment, payment and health care operations; you may still obtain voluntary consent for these activities if you would like. You must get written consent from your patient for specific disclosures such as communicating with them in an unsecure manner (regular email), conducting research, fundraising, or marketing products or services to them. If you are looking to share your patient's information with other individuals (the patient's family, friends etc.), be sure that you have identified who the patient would like the information shared with and their relationship. For more information please visit the U.S. Department of Health and Human Services' website.
Can a paper schedule be hung in the operatory?
Yes, as long as no unauthorized individuals and no patients have access to the area where the schedule is posted. In typical operatories, putting the schedule in a locked drawer would be the best solution. If it is only accessible to authorized individuals, then it is okay. To maintain the security of Protected Health Information (PHI) it is important to restrict access to patient names, including patient schedules.
Can names and addresses be on the outside of charts?
Yes, as long as the charts are stored in a secure manner. Make sure that they are located in a staff only area of your practice and that they are not left unattended in a public area such as a hallway or waiting room. Be sure not to have any special markings or labels on the charts that might expose Protected Health Information (PHI).