A HIPAA Compliance Update - December 2023

December 7, 2023

A Course at the GYNDM 23

I recently attended the Greater New York Dental Meeting and took a course about dentistry and legal entities. Although the lecture was about LLCs, taxes for dentists and similar topics, the speaker mentioned HIPAA compliance and reminded us in the audience how critical it is to maintain appropriate HIPAA-related practices inside and outside the office. With this reminder in mind I wanted to talk about HIPAA as it relates to your dental or medical website, and the decisions that you need to make. Keep in mind that what I write below is based on my opinion as a practicing dentist for 20 years and a marketing agency owner for close to 16 years. I've also had extensive conversations with attorneys in the HIPAA field as I was doing research when I set up this company (PPC Dentist, LLC). The following is not legal advice, and I urge you to speak with your attorney for specific answers to specific questions, procedures and policies.

Important: I am not an attorney and this article is my personal opinion and does not constitute legal advice.


The Problem with HIPAA and PHI

The problem with HIPAA and PHI (Protected Health Information) is that almost every piece of data we come across can be considered PHI in one way or another. Thus, there is a grey area in what information constitutes PHI, in what form the information counts as PHI, and what specifically counts as a violation.

Some Violations are Clear

Some HIPAA violations are clear. If you leave a printed copy of your patient database, with all of their demographic information and SSNs in plain view, on the back seat of your car, and your car is stolen, that's a violation. And if you're at a party and you tell a friend about a patient's medical condition, that's also a violation.

Other HIPAA Violations Aren't So Clear

Take this example: If you have a form on your website where people can enter their name and email to download your "Guide to Invisalign" - is the submitted information PHI? By definition, yes - someone's name and their email address is PHI. But we also have to look at the context. This person might not be a patient, or this person may be downloading the guide for a friend or colleague. So in this case you might shrug your shoulders and say that since it's "just a download", and since the person communicated with us voluntarily, we should be in the clear, yes?

I agree, and I think we should be in the clear in this instance, but the problem is that it doesn't matter what you or I think. Nowhere in the current HIPAA guidelines does it specifically say that the above situation is "in the clear". And while it's unlikely that you'll be called out for doing what millions of healthcare providers do every single day on their websites (allow people to give their information in exchange for a generic guide or download), do you want to be the first to test those waters?

What About a Checkbox for HIPAA-Compliant Forms Consent?

Let's change it up a bit. What if you were to put a checkbox on that same form that states something along the lines of, "By submitting your information you agree to be contacted by phone or email. You understand that this form is not secure and you should not submit any private health care information." That sounds like a good idea -- but will it cover you legally? Once again, I don't know. Patients can't sign away their rights (they could sign a form that lets you perform an extraction with a pair of pliers from your garage, but you still can't do that - even though the patient said it was "ok") - so can they sign away an expectation of HIPAA protection?

And let's make it worse: what happens if on this form we explicitly write, "do not submit any private health care information" in big, bold letters, and the potential patient ignores your instruction and writes this: "Hi. My name is Jane Doe and I want dental implants. But I have high blood pressure and I take medicine for my heart and I am on blood thinners so I don't know if I'm a candidate. Please call me."

Now we can all agree that the above information is PHI, but are we allowed to treat it in a non-HIPAA-compliant manner because the patient volunteered the information - against our explicit instructions not to do so? Of course, once you have that information you'll treat it properly, but is there an issue because your non-HIPAA-compliant form allows someone to knowingly submit PHI? My guess would be that it's not an issue, since the patient volunteered the information when you explicitly told them not to - but I can't find anywhere in the HIPAA rules that states that all bets are off if someone volunteers PHI when they were told not to do so. Again, a HIPAA grey area.

Thus, when I talk to my clients about whether or not to use HIPAA-compliant forms and HIPAA-compliant call tracking, I liken the situation to stop signs:

"Every driver is probably going to roll through a stop sign at least once in their lives, and it's all well and good until YOU are the one that gets pulled over and gets a hefty ticket. Similarly, the web is loaded with healthcare providers who don't always adhere to HIPAA guidelines - or are ignorant of them - and most of them will probably never have a HIPAA issue one way or another. But do YOU want to be the practice that is the exception? Do you want to be the office they make an example of?"

Dr. David Wank, Founder and CEO, PPC Dentist, LLC and Short Hills Design, LLC

Let's change the example just a bit. What if it were a guide to HIV treatment or STDs -- would you change your mind about it being "just a download"? Why or why not? Is it because the aforementioned conditions are often scrutinized more than Invisalign? It's the same concept -- yet for some reason many of us feel that HIV and STD inquiries should be "more private" than inquiries about getting straighter teeth.

What About Existing Patients?

We can all agree that you need to keep existing patient information secure and protected, but you might think that even seemingly trivial data such as a name and email address shouldn't be such a big deal. Everyone goes to the dentist, right? But we'd be wrong. ANY part of the patient record is PHI. Thus, going back to our example above, what if an existing patient submits a request to download that Invisalign guide on a non-HIPAA-compliant form? Is that now a violation because it's an existing patient? In truth, I don't know. Welcome back once again to the grey area of HIPAA law.

What Are the Fines for Violating HIPAA Laws?

It depends. At the lecture we were told that it's $15,000 (not a typo) per violation. I've also seen the number $50,000 thrown around. From everything I've read it seems that the government is not going after small practices for grey area violations such as a download form for a guide to dental implant options. Rather, HHS is going after big fish such as large healthcare organizations and hospital centers.

If you look at the top 20 worst cases of HIPAA fines per the website Upguard, you'll see that all of the entities are large corporations. Thus, you don't see many reports of small practices being hit with fines for HIPAA violations. But that doesn't mean it can't - or won't - happen to any one of us.

What Does HHS Want?

I'll preface this section by saying that what I'm about to tell you is 100% anecdotal. From everything I've seen, it is my understanding that HHS wants to make sure that HIPAA rules are followed, and that compliance efforts are being made. I don't want to say that HHS understands that "things happen" and won't fine organizations that violate the rules, but there does seem to be an indication that showing that you are making the effort in HIPAA compliance can go a long way. It's as if HHS wants more to see that proper remedies are being made to protect PHI than to generate millions of dollars in revenue by hitting smaller healthcare providers with fines.

What Can you Do Proactively to Stay Out of the HIPAA Grey Area?

They say that "the only guarantees in life are death and taxes," and while that saying still holds true, my advice regarding HIPAA compliance is to make the best effort you can to be compliant. On the web there are a few things that you can do to help protect your practice:

  1. If you are using any type of contact or appointment form on your website, consider using a HIPAA-compliant form. You will need to have a Business Associate Agreement (BAA) with the service provider and install the form on your website in a way that encrypts the data and follows HIPAA protocols. At PPC Dentist we offer HIPAA-compliant forms and we provide the BAA so you don't have to deal with the paperwork.
  2. If you are using any type of call tracking for marketing such as Google Ads, Facebook Ads or Google My Business call tracking, consider using a HIPAA-compliant call tracking service. Even if you aren't recording the calls, the fact that you are creating and storing caller IDs and tying them to a patient name can be a problem.

How Much Risk are You Willing to Take?

At the end of the day, the question you have to ask yourself (and your lawyer) is "what is the risk/reward" of using HIPAA-compliant forms and call tracking vs. not doing so. The odds that you'd get fined are likely small. But if you do wind up in HHS' crosshairs, the potential fines are considerable.

Because the cost of doing it the right way is orders of magnitude less than the cost of getting fined by the government, I would venture to say that using a HIPAA-compliant form on your website should be your go-to approach.

If you'd like to learn more about our HIPAA-compliant website forms and our HIPAA-compliant call tracking, feel free to get in touch.

Dr. David Wank is the CEO of PPC Dentist, LLC and Short Hills Design, LLC. He is also a practicing general dentist in New York City.