Take Your HIPAA Faux Pas Seriously

Read Time:1 Minute, 56 Second

Recently, I receive a frantic email from an orthodontic client. A team member had emailed a patient’s diagnostic letter to the referring dentist. But the patient had specifically stated she did not want any of her information emailed unless it was encrypted.

To make matters worse, the unencrypted email was discovered by another employee. Despite annual HIPAA training, the noncompliant employee had not voluntarily admitted her error.

If you were this doctor what would you do next? Ignore the situation? Tell the patient? Wait for the patient to mention it?

Risk management implications

Under the Privacy Rule, patients have a right to request confidential communications and in this case the doctor agreed. This is not an unreasonable request, especially when unencrypted email is used — as was the case for this office.

The protected health information was shared for treatment purposes, which is permissible under the Rule, as long as appropriate safeguards are used to protect the patient’s privacy. Remember, email travels through cyberspace completely in the open – all of it is readable by anyone who can monitor network traffic or access email accounts. The only safe harbor the Department of Health and Human Services recognizes is encryption.

However, that leaves the issue of whether or not to tell the patient.

The doctor and I agreed that the patient needed to be informed and an apology was in order. A letter was sent, followed by a phone call. Surprisingly, after listening to the dentist explain the situation, the patient stated she already knew this had occurred and that she appreciated the doctor’s honesty.

What if the doctor had gambled and didn’t tell the patient? Consider an alternate ending to this incident:

After learning from the receptionist at her general dentist’s office that her information had been emailed, the patient becomes angry and exercises her right to file a complaint with the Office of Civil Rights (OCR). Suddenly the doctor is being investigated by the OCR, with the possibility of steep fines and damage to his business reputation.

Which ending did you choose? In the end, there are two morals in this situation. First, knowledge — and implementation — of the Privacy Rule is imperative. Second, honesty is the best policy. It promotes your philosophy of care and will save you headaches in the long run.

About Post Author

Linda Harvey

As a nationally recognized healthcare risk manager and compliance expert, Linda Harvey teaches dentists and teams how to effectively integrate regulatory compliance into their practices. Linda draws from real-world experience, having worked with clients who have undergone HIPAA, OSHA and Dental Board audits. <a href="http://www.lindaharvey.net/">Linda speaks and consults</a> in the areas of risk management, regulatory compliance, remediation courses and dental record audits. In addition to active membership in the National Speakers Association, Academy of Dental Management Consultants and American Society of Healthcare Risk Management, Linda is also a Distinguished Fellow in the American Society of Healthcare Risk Management.

Risk management implications

Linda Harvey

Don’t Lose Focus: Your Hygiene Team Needs Attention

Success in the Cloud: Benefits for Multilocation Practices

Office Managers: A Glowing Review

Set the Tone: How to be a Positive Leader for Your Dental Practice

Eaglesoft: 7 Reasons Why It’s Essential for Managing a Dental Practice

Influence Your Boss: 4 Tips for Dental Office Managers