When HIPAA, the Health Insurance Portability and Accountability Act, was enacted back in 1996, it was all about privacy and the paperwork to support that privacy. Now, almost 30 years later, we’ve added digital data and cybersecurity, but the basic tenets of privacy have been forgotten or ignored.
The Office for Civil Rights has received well over 300,000 complaints, resulting in over 1,000 investigations, with only 126 of those investigations resulting in fines or penalties. By the numbers alone, you may assume the odds are in your favor; you would be mistaken. Since 2019, six dentists have had the unfortunate experience of paying a fine after an investigation by the Office for Civil Rights. While fines are rare, it’s important to understand that there are costs associated with investigations beyond the fine itself. In fact, if you’ve gotten to the point that you have earned yourself a fine, you have already incurred a lot of expenses, and the fine is the least of your worries!
Despite the rarity of HIPAA fines, there has been a recent uptick in dental practices being scrutinized more closely than ever before. This means now is a perfect time to understand the current requirements as they apply to dental practices.
Data breaches that result in investigations can happen in several different ways. Physical theft, employee error or maliciousness, improper disposal, business associates, or hackers/malware can all lead to a data breach that would result in an in-depth investigation. The biggest category currently on the radar of the Office for Civil Rights is a patient’s Right of Access, and for good reason. Patients have been repeatedly denied access to their own healthcare information simply because the practice doesn’t fully understand the rules outlined by HIPAA.
Chances are, you’ve probably never read your own Notice of Privacy Practices. It’s likely a document shoved in your new patient packet and ignored. Hopefully it’s current and doesn’t have another practitioner’s name on it! Frustratingly, I’ve seen that – more than once. HHS.gov has a model Notice of Privacy Practices if you need an update: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/index.html. Take a moment to read it. There is a clear outline as to what requirements and expectations are for both patients and practitioners.
Sadly, the misunderstanding persists. A dental consultant reached out to me recently asking about the requirements for obtaining a signature to release X-rays. Several other dental practices in the area were refusing to release a copy of recent X-rays to this consultant’s client practice, citing that HIPAA requires written consent. While it is a good idea to get written consent, especially in areas that have additional state laws or are particularly litigious (I live in California, so everyone is lawsuit-happy here), HIPAA, as a federal law, does not require written consent to transmit records to another provider. It is highly recommended to document some kind of approval as part of the legal medical record to prove that the request to transfer records was made.
Back to this consultant and their client: the practice would reach out to the previous practice and ask politely for them to send the X-rays. This is an acceptable request. The appropriate response from the previous practice should be, “Not a problem. Give me some time to contact the patient and verify this request, and I’d be happy to make this happen. What email address would you like these sent to?”
This request to the patient can absolutely be verbal – as long as you document it in the chart. What this doesn’t mean is you wait until the patient is in the chair and then call the previous practice demanding the records. Lack of planning on your part should never constitute an emergency for someone else. Plus, it’s rude and we already have enough of that in the world.
There are a few things you should know about patient records. You may not withhold records if the patient owes a balance. You may only charge a reasonable fee for the labor and supplies involved in sending records. You may only send an electronic copy if your information is digital or you are otherwise instructed by the patient. You must provide records in a timely manner; OCR says 30 days or less, but with digital data, 24 hours is the expectation. You must provide ALL the records requested, not just the last set of X-rays taken.
Fun, right? This is why patients and practitioners alike despise HIPAA and HIPAA educators. The fact remains that this is our reality, and it can be done easily, and correctly, with a few easy tips.
In this example, the practice has a few options:
1. Keep asking politely.
2. Have a document requesting the X-rays that the patient signs (which should be accepted by all other practices).
3. Educate the other practice as to what the current rules are.
4. Hire an amazing dental HIPAA consultant (ahem, right here) to help clarify the confusion.
5. Educate the patients on what their rights are.
Much of the drudgery of access to records has been solved in mainstream medicine, and in a few dental cloud practice management systems, with self-service portals. Unfortunately, most of the dental industry is behind in this technology, despite its requirement as part of the 21st Century Cures Act. Much of the confusion, complaints, investigations, mitigation costs and fines will persist until these vendors get current. In the meantime, get good training for the whole team and ensure you harden your defenses.
As for the other investigations that resulted in fines... stay tuned. We’ll be going through those in the next issue of The Profitable Dentist.