When it comes to HIPAA compliance, dentists are getting a much-needed wake-up call.
For a while now the dental industry has flown under the radar when it comes to using HIPAA-compliant email and texting systems. Hospitals, clinics, and physician practices have more traditionally been under scrutiny. But experts say that’s changing.
“There are more violations being cited and penalties being doled out,” says Arnold Rosen, DDS, MBA, founder and CEO of Awrel, a Boston-based firm that recently introduced the first HIPAA-compliant texting application for secure dental communication. “Those are realities now. It’s high on everybody’s chart for awareness.”
Well, maybe not everybody. When asked how lax dentists are when it comes to ensuring HIPAA compliance in their communication, on a scale of 1 to 10, with 10 being the most lax, Rosen didn’t bat an eyelash.
“I’d say 9.”
And the financial penalties and negative consequences are significant.
Lack of Clarity
Rosen explains that the government constructed HIPAA regulations with multiple goals in mind: to provide flexibility and simplicity for healthcare entities, to protect patients, and to protect healthcare information. But the reality, he says, is that there’s a lot of uncharted territory. The regulations are not necessarily flexible and simple.
“We rely on consultants to give us clarity,” he says. “But the reality is that there is nothing that can’t be hacked.”
The key issue, Rosen explains, is not whether a dentist violated one of the HIPAA privacy regulations. The issue is whether the proper procedures were in place and documentation was available to demonstrate that the practice did everything it could to comply. In other words, there’s a big difference between saying, “I don’t care, and I don’t do anything to address compliance,” and “Here are our processes and documentation.”
What is clear is the penalty for non-compliance. Rosen points to a New York-based academic medical center that, in 2014, paid a fine of $4.8 million after the records of 6,800 people became accessible on Google. That has drawn attention.
“You can’t go to a dental convention or any dental meeting without [non-compliance] being part of everyone’s conversation,” he says.
High Volume of Sharing
The potential for widespread penalties exists, at least in part, because patient information is regularly shared among practitioners within the dental industry. Rosen explains that the sharing of patient information is especially important to any specialty practice.
“They have to refer on that work,” he says. “And not only are they receiving information on every patient that’s been referred to them, they have an obligation to provide information back to the referring dentist so that they are properly documented on the status of the patient.”
Rosen says that when it comes to implant dentistry in particular, a multidisciplinary approach is required to complete the procedure effectively and efficiently. That means two or more practitioners, including labs and representatives from medical device companies, are often working together from the standpoint of planning, surgery, restoration and laboratory work.
“There’s a huge amount of collaboration,” he says. “The majority of it happens on cellphones.”
But the potential for liability is not limited to dental practices. Rosen explains that the communication culture in dental schools today is such that students who are often doing implant and prosthetic work can regularly be seen using their phones to share patient images—whether with labs, or just to demonstrate the work they’ve done.
“It’s a very significant problem,” Rosen says. “What the student does goes to the administration. They’re responsible to make sure that the school is compliant. The concerns are very substantial now.”
Rosen says the first step to ensuring compliance is making certain everyone in your practice is trained, and that policies and procedures are in place to demonstrate that, if a breach takes place, measures are in place to address the situation. And the most effective way to go about that is to work with a knowledgeable consultant.
“We work with someone who comes to our office, and they address the many different issues that need to be taken care of,” Rosen says. “They come back each year to update the training, because the laws are always changing, and there’s a lot of uncharted territory. There’s even a requirement that someone in the practice be a HIPAA officer to ensure the proper procedures are followed.”
But there’s still no guarantee. And part of the challenge, Rosen says, is that some email systems that claim to be HIPAA compliant are not. Or they’re awkward to use. And the culture today, the spontaneity connected with smartphone use, can be a challenging mindset to change.
“You can have everything in place, and people still have their phones,” Rosen says. “Creating compliance, therefore, becomes very difficult.”