Since the pandemic, things have shifted in dentistry. Everything from infection control protocols to HIPAA laws has changed, and you need to keep up! To give you a preview of key upcoming compliance changes, Kirk Behrendt brings back Linda Harvey, founder of The Linda Harvey Group, to decode everything you need to know. Don’t be the practice paying a $50,000 fine! To learn more about how you can prepare, listen to Episode 612 of The Best Practices Show!
Episode Resources:
Links Mentioned in This Episode:
Learn more about the Dental Compliance Institute
Use HIPPA-compliant apps like Tiger Connect
Listen to The Compliance Divas podcast
Main Takeaways:
Be prepared for upcoming compliance law changes.
Always use apps that you have vetted as HIPAA-compliant.
An app with security features is not necessarily HIPAA-compliant.
Understand social media etiquette to keep patient information secure.
Don’t copy the policies and procedures from the practice down the street.
Build accountability into your team so your compliance efforts don’t get lost.
Quotes:
“Many offices have gone back to the way things were. And I would like to briefly say, on that note, things really shouldn’t be the way they were. Nothing has stayed the same in our world. Technology has changed the way we deliver dentistry and how we communicate with patients, and it’s changed the way we perform and carry out all of our infection control tasks as well. So, hopefully, all the offices listening are still keeping up their strong points when it comes to all the PPE and infection control protocols that they put in place back then. So, we don’t want to go backwards. We want to keep going forwards.” (3:00—3:31)
“Many dentists oftentimes feel like they’re smothered by all the regulations — federal, state, local — but that’s part of doing business. And when you think about HIPAA, they should think about everything that’s required in a security role, for example, as best practices to protect their data and their business — and along with that comes protecting patient information. We see so many different areas where there are ransomware breaches running amok, and we’re trying to stay one step behind these thieves and cyber crooks as they create ransomware, keep up with our antivirus, and so forth, and have good controls with having a good managed care services IT provider.” (5:23—6:02)
“One of the things that will change is that the release of records will change from 30 days down to 15 days. Currently, under the federal law, you’re allowed to have one extension. So, there is a 30-day extension under the current HIPAA Privacy Rule. But that typically violates most state dental practice acts. So, you have to look at two sets of laws and rules, if you will, to make sure you’re not in violation of privacy rules in your state or your state dental regulations. Well, they will drop down to 15 days, with a 15-day extension. But most of our clients that we work with tell us that they usually get their records out the door within just a couple of days, if not the same day, as the patient’s request. At that point, they’re able to get it off their plate and they know it’s done so it’s not stacking up. So, I don’t think that’s going to be a big challenge.” (6:49—7:33)
“Some of the other challenges include the fact that we have to be able to give the patient a copy of that record wherever and to whoever they want. So, if they want us to send a copy of their dental record to their personal health app, we have to be able to do that. If a patient comes in, not only do they have a right to request a copy of the records, but they can take a video and take pictures of their records. So, while we’ve been harping at offices for years, ‘Don’t allow any pictures in the back. Do so in a very controlled manner because you don’t want patients to accidentally get a picture of another patient in their photograph, or maybe a copy of your schedule in their photograph.’ But how many parents love to have that picture of their little one, the first time they visit, sitting in the chair? So, it’s something that has to be navigated throughout every practice. But if the patient wants to make an appointment, come in, go through it, get a copy, and do all that, that’s fine. So, we’ll have to make it work.” (7:33—8:25)
“Unlike COVID-19, where we had to do everything yesterday to try to figure out what we were doing, there will be a specific timeline under the federal law. That’s always the same any time a new law passes. When this gets published in the Federal Register, it will go into effect 30 days after that. And then, I believe there’s a six-month period of time before the enforcement date kicks in. So, offices will have a good six or seven months to update their policies and procedures, whether they’re working with a compliance company, a compliance consultant, or maybe a healthcare attorney, whatever the case might be. They’ll have a chance to get those updated, get everything implemented, and be ready. The main thing I’d like to stress is if you’re not working with a credible compliance consultant, please don’t copy policies and procedures from your friend down the street. Why? You cannot do that. You’re busted. You are so busted.” (9:13—10:06)
“There’s been a lot of dental fines last year. Dentistry has been under the microscope and had some big fines levied by the Office of Civil Rights. To share a couple of those to give our listeners an idea, it’s not that the Office of Civil Rights, who is the HIPAA enforcement agency, is targeting dentistry. It’s more that our patients are becoming savvy, and as a result they’re filing complaints with the Office of Civil Rights. Where there’s merit, thus follows the investigation. And after that, usually the fine and corrective action plan. So, it’s very complex.” (10:36—11:13)
“Back in 2019, the Office of Civil Rights started a program called the Right of Access Initiative. This Right of Access was really focusing on the patient’s rights to get access to the records within the required scheduled timeline. And so, as complaints came in from patients and they got investigated by the OCR, there’s been a lot of big fines — in dental, and across all of healthcare — for not releasing them in a timely fashion. Here are a couple. For example, a corporate group in Georgia got fined $80,000 because they wanted to charge the patient $170 for a copying fee. Slightly different topic but same category, so to speak, within that release of records. The Office of Civil Rights looks at that as being excessive, and they don’t allow those types of fees. So, they get fined $80,000. In Chicago, there was a dentist. They didn’t release the records within the required timeframe as well. Received a $30,000 fine. Nevada, same thing. Release of records — not releasing records, I should say, in the required timeframe. That office was fined $25,000. In Pennsylvania, a $30,000 fine to another dentist. Those are a few of the situations.” (11:19—12:36)
“I mentioned the corrective action plan. So, not only do you have to fork over this money within 30 days to the Office of Civil Rights — there’s no payment plan for $30,000 and $80,000 — but you also have to fall under what’s called a corrective action plan, a CAP. Usually, that lasts anywhere between a year or two, and there are a lot of stipulations put in place about what the office is going to do with having new policies, new procedures, training, disbursing the policies to their staff, all the different things they have to do, and also report back as if you’re under probation. And so, it’s very similar to having a disciplinary action against your license with the dental board with this kind of corrective action plan. So, it’s very serious. And you’ve got OCR watching you for the next couple of years. Now, granted, unlike the DEA or maybe a state agency, they don’t have the ability to shut down your practice. But they can still make life pretty difficult.” (12:45—13:44)
“Social [media] is a challenge for everybody, and it’s such a gray area. What can we post? What can we not post? What can we say to respond to a patient who’s thanking us for their care and saying that they’re happy to be in our practice? Because when we say too much, now, we’re actually divulging they’re a patient of the practice. And there have been a few times where healthcare providers — including dentists — have gotten in trouble for that. So, it’s really a fine line.” (13:58—14:20)
“What’s the etiquette of replying [to patients’ comments], and what’s the etiquette of not divulging information? I think the etiquette of replying has always been to use that plain, vanilla approach, ‘Thank you for your kind remarks,’ or, ‘We love hearing those wonderful comments or feedbacks,’ something generic in nature, if you will. But what happened to these offices last year — actually, there were two that I can remember last year, and one from 2016. All these offices, what they had in common is they responded to a negative review. How many times does the dentist and the staff look at a negative review, and the hairs go up in the back of their neck? It’s a very personal attack when someone is saying something negative about your practice, especially if their patient memory or the facts aren’t correct. And then, the office wants to take it upon themselves to correct the record, and they do so in a public forum. It’s sort of like airing your dirty laundry. And when they do, they end up getting fined and punished for doing so.” (14:20—15:30)
“One office, the one from 2016, was in Texas. They were only fined $10,000. But part of the news story that came out was the fact that they had no policies and procedures. They had no HIPAA privacy officer named, and they hadn’t had training. So, even in 2016, although the privacy rules have been in effect since 2003, they weren’t compliant. Maybe the office is newer, so we can grant them that. But they weren’t compliant. Then, there was an office in North Carolina that did the same thing. This patient had posted an anonymous negative review, to which they responded and divulged the patient’s name, parts of treatment, information about their insurance. They were fined $50,000. Pretty big chunk. But I’ve got one that’s going to top that. This one comes from California. We can’t top the $50,000, but part of the corrective action plan was the fact that they had to go back all the way to 2014 and remove all of their social media postings that had any patient information in it to the current date. So, when I saw that, it made me think about the fact that the OCR is stepping up their punitive portion and really making a difference. They’re making a statement about what’s going on on social media.” (15:53—17:13)
“What [dentists] get wrong is in today’s environment with money being so tight, there’s not any money in the budget for compliance right off the bat. So, everybody realizes they need to get an OSHA manual. They might buy one that’s fill-in-the blank or get something quick. But they don’t really know what to do with HIPAA because there’s a lot more. A fill-in-the-blank manual that you don’t know how to fill in does not make you compliant. So, that’s where they miss the mark.” (18:17—18:39)
“Also, [dentists] miss the mark with not being able to afford proper IT services up front from the security role side. In other words, you need to have — and you must have, to be compliant — managed services, meaning that your IT company is watching the henhouse 24/7 for any types of threats and vulnerabilities and attacks on your network. One group I know puts canary files on the client server. I believe it’s on the server. At that point, those get attacked first. So, when the canary files get attacked, then they’re alerted that something is going on. So, there are all different strategies that the IT companies can use. I think sometimes offices don’t appreciate that because they can’t afford it right off the bat. They can find some free training somewhere. Whether or not it meets the needs of their practice, they can always check that box. But as you said in the beginning, it’s all compliance — not just OSHA and HIPAA, but everything. HR, corporate compliance — everything. DEA compliance. It’s so much more than checking a box.” (18:39—19:36)
“You can have apps and so forth like WhatsApp. There’s another one — I’m drawing a blank on the name of it right now — that is compliant from the security section. But are they going to sign a business associate agreement? That doesn’t mean that they’re HIPAA-compliant. A true HIPAA-compliant company follows the security rule to whatever degree that’s required by business associates. They sign a business associate agreement, and they provide training for their team about security, and so forth. So, while it’s secure — yes, it’s got a lot of security features to it, I would still be very careful about what you’re putting in any of those apps related to patient information.” (20:29—21:01)
“Another thing that ended with the end of the public health emergency was using these non-HIPAA-compliant apps and teledentistry programs for patient information. So, this is where doctors will want to split hairs, ‘What if I just put the patient’s initials? Can I just put the last name? Can I just put the first name?’ As a consultant, I can’t say yes or no. But I can say you should be using HIPAA-compliant apps. Tiger [Connect] is one that comes to my mind off the top of my head, and there are plenty of others.” (21:03—21:32)
“Build in accountability into the office and the team, because with the turnovers that your clients and our clients are experiencing, and the shortage of team members, and hiring folks with no dental experience to come in, you need to build in accountability so that your compliance efforts don’t get lost. And I’m using a term now that I’m trademarking called compliance memory. Don’t lose your compliance memory. So, while we’re talking about some specifics with HIPAA, social media, and release of records — yes, we can talk about those all day long. But the bigger picture is, put compliance and safety into your team meeting agendas. Spend three to five minutes there. Make sure that you are laying eyes on those waterline tests, on the sterilizer tests. You’re checking out what records requests do we have this past month. Everybody knows when there’s an autoclave failure, or something big, or a big patient complaint. But show that you are following up with that. That way, your team is staying on top of those duties, and that way you’re transferring the duties to new team members as they come on board and getting them trained as well.” (22:12—23:12)
Snippets:
0:00 Introduction.
2:22 Linda’s background.
3:34 Things to be aware of.
6:39 New changes that are coming.
9:06 Timelines for implementing new changes.
10:06 Don’t copy/paste policies and procedures.
10:34 Examples of practices that were fined.
12:38 The corrective action plan, explained.
13:46 Social media etiquette, explained.
18:07 What dentists get wrong.
20:00 Always use HIPAA-compliant apps.
22:02 Last thoughts on regulatory compliance.
23:37 How Linda can help you and how to get in touch.
24:24 The Compliance Divas podcast.
Linda Harvey, RDH, MS Bio:
As president and founder of The Linda Harvey Group, Linda M. Harvey, RDH, MS, LHRM, DFASHRM leverages her unique credentials and expertise to help you and your staff significantly reduce risk and legal liability in your practice. Linda’s services complement practice management consultants whose clients need a specialist in risk management. Along with that, she teaches dentists and physicians how to protect their million-dollar practices through effective risk management and patient safety. Linda’s practical guidance effectively integrates regulatory statutes into your practice to close deficiency gaps in your policies, procedures, and workflow.
Linda brings more than 30 years of experience in providing quality/safety perspectives for healthcare professionals as well as state licensing boards. She is a featured writer in trade journals, publications, and newsletters such as Contact, RDH, and Resource Connections. Her training products have been featured in Medical Economics, RDH, and Dental Materials and Equipment. As an active member of the National Speakers Association, she presents content-rich courses sprinkled with real-life stories of medical errors and many practical, easy-to-implement solutions.
Linda authored Helping Hands for Dental Hygienists: 101 Timeless Treasures for a Successful Career, plus four risk management and patient safety professional development courses. Clients internationally utilize her risk prevention training systems so they can focus on what they do best—providing exceptional patient care and services. She works with licensees in multiple states who have been sanctioned by the licensing board and assists in their compliance. As a result, she understands the quality/safety perspectives of both healthcare professionals as well as state licensing boards. Many clients frequently express how they wish they had called her before the subpoena arrived.
