Let me start with a shout out and thank you to the TDA Perks Program and Mr. Lee Slaton of Smart Training, LLC. The TDA Perks Program recently published an article by Mr. Slaton whereby he outlined a recent HIPAA enforcement action involving a North Texas dentist. The article sent a small shockwave through the Texas dental community. If you have not read the article, here it is:
Let’s break this story down:
1. The action was brought about by a patient complaint to the Office for Civil Rights (OCR) as a violation of his privacy rights (most actions are brought about by either patient or employee complaints). From what I understand the patient was upset his Protected Health Information (PHI) (not specified exactly which information) was displayed on an operatory computer screen for what he believed to be an “inappropriate” amount of time. The patient filed his complaint to OCR and a two-day investigation ensued.
2. The dental office’s computer screen timed out at 5 minutes. Since OCR took no enforcement action on the complaint itself, it was clear that having PHI on the computer screen for 5 minutes was not an issue OCR was concerned with. After a two-day investigation, the dentist was issued a $500 fine for not having a Notice of Electronic Disclosure of PHI posted and a $5,000 fine for not having written HIPAA policies and procedures.
I am truly surprised, as heavy-handed as OCR is known to be, that the dentist was given only $5,500 in fines. In my opinion, the dentist would have been wise to play the lottery the day he or she received that fine. According to the HIPAA Enforcement Rule and OCR’s heavy-handed history, it could have been much, MUCH worse.
HIPAA regulations do not specify any certain length of time before a computer must lock or auto log-off. However, the use of these functions is required under the HIPAA Security Rule. What is required is that the timeframe before a computer locks or auto logs off be reasonable and appropriate based on where the computer is located, how it is used, what information is accessible on it, and how it is supervised when not in use. So, a computer used at the pano machine (not easily seen at all times by a dental team member) should auto log-off or lock sooner than, say, a computer at the front desk or in the clinical bay, which is under direct observation by one or more team members at all times.
What’s more, the HIPAA Privacy and Security Rules were not intended to impede patient care (believe it or not). If the dentist is in surgery and needs to reference information on the computer in the operatory (x-ray, prior clinical note, treatment plan, etc.), it should NOT lock or log off while the dentist or a dental team member is present. However, if at ANY time the dentist and assistant leave the operatory, the computer MUST be locked or logged off from your dental software. Additionally, it is not acceptable for practice staff to minimize the computer screen or rely on a screensaver (unless the screensaver locks the computer and requires user authentication). Minimizing the screen does not prevent a person from accessing the information on the minimized window. Failure to prevent unauthorized access to patient records is against the law.
Yes, patients have the right to access their own PHI, which we will discuss in a moment. But if a patient (who is not authorized to use the dental office’s computers) is able to access their own information on an unattended computer, then they also have the ability (if perhaps not the know-how or desire) to access other patients’ information, which they are not authorized to see; hence failure to secure the computer is a violation of HIPAA (federal law). If you leave your computer unsupervised and do not secure it, you fail to maintain the standard of care for patient privacy. Not only is it a violation of the law, but it is a qualitative failure much like performing bad dentistry or failing to protect patients against avoidable infections. Understand that these points cannot be overstated.
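As an added illustration of the auto-lock requirements above (this script is not from the article, Smart Training or Dental Compliance Specialists), here is a PowerShell audit you can run on a Windows workstation. It reads the machine inactivity limit and the screen-saver settings, counts only mechanisms that end in an authentication prompt as a lock, and compares the effective lock time against a per-location limit. The per-location seconds are an assumption for illustration; your own risk assessment sets the real numbers.

```powershell
# Illustrative per-location limits (assumed, not regulatory numbers): the less a screen is
# supervised, the shorter the window before it must lock.
$MaxIdleSecondsByLocation = @{
    'pano'      = 120   # out of the team's line of sight: shortest window
    'operatory' = 300   # staff present during treatment; lock manually when they step out
    'frontdesk' = 600   # under direct observation at all times
}

function Get-LockSettings {
    # Machine-wide "Interactive logon: Machine inactivity limit" (absent or 0 = not set)
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $limit = (Get-ItemProperty -Path $sys -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    if ($null -eq $limit) { $limit = 0 }
    # Screen saver: a value set by policy overrides the user's own Control Panel setting
    $desktop = $null
    foreach ($p in 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
                   'HKCU:\Control Panel\Desktop') {
        $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if ($v -and $null -ne $v.ScreenSaveActive) { $desktop = $v; break }
    }
    $ssTimeout = 0
    if ($desktop -and $desktop.ScreenSaveTimeOut) { $ssTimeout = [int]$desktop.ScreenSaveTimeOut }
    [pscustomobject]@{
        MachineInactivityLimit = [int]$limit
        ScreenSaverActive      = [bool]($desktop -and $desktop.ScreenSaveActive -eq '1')
        ScreenSaverSecure      = [bool]($desktop -and $desktop.ScreenSaverIsSecure -eq '1')
        ScreenSaverTimeout     = $ssTimeout
    }
}

function Test-WorkstationLock {
    param([Parameter(Mandatory)][ValidateSet('pano', 'operatory', 'frontdesk')][string]$Location)
    $s = Get-LockSettings
    $findings = @()
    $lockAfter = @()   # only mechanisms that end in an authentication prompt count as a lock
    if ($s.MachineInactivityLimit -gt 0) { $lockAfter += $s.MachineInactivityLimit }
    if ($s.ScreenSaverActive) {
        if ($s.ScreenSaverSecure -and $s.ScreenSaverTimeout -gt 0) { $lockAfter += $s.ScreenSaverTimeout }
        elseif (-not $s.ScreenSaverSecure) { $findings += 'Screen saver runs without a password: it hides PHI but does not lock the session' }
    }
    if ($lockAfter.Count -eq 0) {
        $findings += 'No automatic lock or log-off is configured'
    } else {
        $effective = ($lockAfter | Measure-Object -Minimum).Minimum
        $max = $MaxIdleSecondsByLocation[$Location]
        if ($effective -gt $max) { $findings += "Locks after $effective s; the limit for a '$Location' computer is $max s" }
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Location = $Location; Findings = $findings }
}

Test-WorkstationLock -Location 'pano'
```

An empty Findings list means the workstation locks, requires a password to resume, and does so within the window you chose for that location; the script checks the configuration only, so staff locking the computer when they step away still has to be verified by walking the office.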
Yes, I know these are wildly unpopular, but it is what it is and dental professionals need to get with the program. This is the information age. Protecting information from improper use/disclosure is imperative to protecting the patient as well as the dental practice from harm caused by regulatory actions and even negative publicity.
Let’s discuss another recent enforcement action since we’re on the topic. OCR issued a recent press release announcing the first case settlement in the Right of Access Initiative, an initiative to ensure patients’ rights to access their PHI from their healthcare providers.
I often hear how dental offices refuse (or at least fail) to forward requested x-rays to another dental office, or that dentists refuse to give patients their treatment plan because the patient is doctor shopping (the day is coming when healthcare providers will have to post their fees publicly; it’s about to happen with hospitals – don’t think dentistry isn’t soon to follow).
The HIPAA Privacy Rule is pretty clear, and many states have or are in the process of establishing state laws mandating that patients be provided access to their health information within a certain time frame. HIPAA specifies that upon request, patient access to or receipt of their health information be provided within 30 calendar days. State laws (Texas HB300) specify 15 business days. If your patient is a Medicaid recipient and you are a dentist, this is shortened by administrative rule to a mere 5 business days.
It is important you know and comply with the myriad of complex regulations that pertain to you and your dental practice and that you have access to competent compliance advisors and legal counsel. Trust but verify the information provided to you. The best advice will not replace your own due diligence.
Mr. Slaton and his team, I and my team, and many others out there know what we know and do what we do for our clients, so they (you) can address their (your) compliance risks efficiently and spend more time on what matters most to you – taking care of your patients. It would be wise for you to tap into our knowledge, skills, abilities, and experience, or find someone else you trust. But for goodness sake, it makes no sense to run a dental practice without expert compliance help.
Let’s review the lessons we outlined here:
1. Create/display a Notice of Electronic Disclosure of PHI form in your lobby
2. Ensure your server and workstations utilize the auto log-off function on every computer and that the time they are set to is evaluated and set appropriately for each computer. Further, make sure you and your staff lock all computers when you step away (it will take a little getting used to, but you can do it).
3. Make sure you have and can show your staff has been trained on your HIPAA privacy and security policies/procedures (and be sure they are specific to your practice/organization).
4. Ensure you and your staff follow your policies/procedures, especially the ones that specify ‘that’ and ‘how’ you protect PHI and how soon you provide access to patient records (including forwarding of requested information, such as x-rays, to other healthcare providers).
5. The basis of the complaint to OCR, in this case, was found to be without merit. However, the dentist (likely) suffered some discomfort while Uncle Sam spent 2 days inspecting his office’s HIPAA compliance program. It is clear to me this office had their affairs in order except for the issues the dentist was cited for, as OCR is not one to let stuff slide. Could the same be said for your office? Is your HIPAA compliance program up to date? Are you sure? Really?
6. The dentist likely endured some stress throughout the ordeal. I’ll bet he/she learned a lot, such as “I sure don’t want to go through that again”. How much do you think the ordeal impacted the efficient operation of the practice? Hindered their operation if only for a brief time?
7. Get help (before you get your butt in a jam, but after is fine too – it’s just more expensive for you after you’re in trouble). While you may get a lucky break, having ANY government agency root around in your practice for 2 days is dangerous to you, your license, and your dental practice because no dental practice is 100% compliant with any set of regulations. Most dentists I work with are shocked by how many compliance issues lurk in their practices. In case you didn’t know, I used to be a ‘g-man’. Today I work with clients to be proactive in identifying and addressing compliance and liability risks, so no one gets in trouble, and the office is made safer for everyone (even you Doctor). I’m not one to talk trash (and I’m not now), but I know I can expose a bunch of MAJOR compliance vulnerabilities in your practice in 30 minutes in a number of areas that would leave you feeling like you’re standing butt-naked with your pants around your ankles in the middle of Cowboy stadium at half-time (imagine that on the Jumbotron, on national TV even). Knowing about such concerns and then correcting them is what gives my clients peace of mind; it is not a burden, but rather a gift. I can help you just as well!
8. Know your rights and consider engaging legal counsel early in any government audit or investigative process and do not overlook the potential severity or impact of the situation. I don’t know whether this dentist sought legal counsel, but my experience tells me this is always wise to do – guilty or not.
I could give you a hundred other insights on HIPAA alone, but easy does it, so we will call it good for now.
By the way, if you want to know where/how you are vulnerable, so you can fix those concerns before they get exploited, reach out to Lee Slaton or myself. Lee has no idea I posted this, so if you talk with him, tell him I sent you (and I send my regards). Here’s our contact information:
Smart Training, LLC
Dental Compliance Specialists, LLC
If you are a client of Dental Compliance Specialists, we recently emailed you an updated Notice of Electronic Disclosure of PHI form in English and Spanish. Be sure to post it in your lobby.