Dentists have an equal obligation to maintain privacy and security of their patients dental records, says Julia Hesse, a partner at Choate Hall & Stewart Health Care.
HIPAA is an acronym that dominates language within the medical community. But the same is not always true in dentistry—although the challenges and risks to oral practitioners are almost identical.
Julia Hesse, Choate Hall & Stewart Health Care partner, routinely works with dental industry clients as well as the healthcare industry across the board providing advice related to privacy and security issues. She says the privacy- and security-related risks and challenges dentists and physicians face are almost identical.
“Dentists have an equal obligation to maintain privacy and security of their patients’ dental records,” Hesse explains. “Each dentist is subject to HIPAA, and they’re also subject to state laws regarding confidentiality of personally identifiable information.”
But Hesse cautions that there is “wide variability among dental practices” regarding how they perceive themselves with regard to being HIPAA compliant.
Over reliance on vendors
Hesse says that many of the dentists she works with rely on their medical records software provider to ensure that they’re HIPAA compliant. But compliance with data privacy and security, she points out, goes beyond that one facet.
“They need to be notifying their patients about their HIPAA obligations,” Hesse says. “They need to be securing their claims records and other databases as well. I think generally speaking, dentists are becoming increasingly sensitized to their obligations under the data privacy and security laws, but I perceive them to be a little behind their medical counterparts here.”
For example, when it comes to sharing information, Hesse says there’s the question of practical risk versus legal risk. From the purely legal point of view, sharing patient records among providers features no innate legal risk. But practical risk is a different story.
“There’s a lot of variability within the dental community about how sophisticated a particular practice may be with regard to their patient records and security practices,” Hesse says. “If you, as the dentist, are less sure about whether your colleagues are securing their records, there’s practical vulnerability there.”
Consider the global interventions a patient may require during his or her course of care. That most certainly could require input from more than one provider—from the dentist to the orthodontist to the periodontist. That means trading often identifiable records among providers—especially where the goal is to use data and analytics to measure quality of care for reimbursement purposes.
“Any time you’re aggregating information from multiple sources and sending information outside the four walls of your firewall, there is potential risk there,” Hesse says. “Dentists should be focused on ensuring that the ways they connect with other entities are secure.”
Hesse says that while there’s an uptick on hacker activity to obtain patient records specifically intended to engage in medical fraud, hacker attacks within the dental community are focused more on personal financial information. For example, there may be an attempt to go through the dental records of the office portal in order to get at the financial or credit information dentists may have in order to provide credit to their patients.
“We’re seeing a trend where people fraudulently attempt to obtain access to the dentist’s medical and claims records in order to make fraudulent claims for credit,” Hesse says.
And the potential for fines, penalties and settlements is significant.
“Look at HIPAA’s recent settlements,” Hesse says. “It used to be that a million dollars was a large settlement. Now they’re trending much higher than a million dollars. And the Federal Department of Health and Human Services is making a point to impose fines and penalties on smaller providers, essentially as a wake-up call that they, too, are subject to these laws.”
Hesse works with clients to develop mitigation strategies for when a HIPAA violation has occurred. But she says that before development mitigation strategies, the more proactive approach is for dentists to conduct annual risk assessments with their IT or medical records provider.
“You can’t prevent everything, but there are some very low-intensity strategies dentists can take,” she says.
That can start with encrypting records, and requiring unique usernames and passwords on their systems. And if an annual risk assessment sounds too frequent, Hesse points out that in today’s age of rapidly changing technology, a lot can happen in one year.
Then, the first step in a mitigation strategy is to identify the person you’ll need to contact if you have an IT incident.
“Most small practices don’t have an IT guru in house, but dentists should be working with their EMR provider, or even the folks from whom they’re licensing their computers and getting their Internet service to help identify the problem,” Hesse says. “Because time is really of the essence in figuring out what the root cause of an incident is, so that way you can stop it.”