I Don’t Want to Hear about HIPAA

Guest Post by: Jacqueline Tinker, COO Dental Compliance Specialists

I recently spoke with the wife of a healthcare provider about marketing, and of course HIPAA was part of the conversation. I was attending a certification course for an online business marketing and automation program. She was so excited to be working with this amazing product, and was talking about communicating with her husband’s patients using this system.

I dumped cold water on her plans…or tried to anyway. While this marketing solution is an exceptional tool for getting patients and automating the business, it is not HIPAA compliant. They won’t enter into a Business Associate Agreement with healthcare providers, which is required of healthcare providers and their business associates. Not to be talked out of her plan, she stated, “I know I can’t use marketing tools like this to market to new patients. But I have our current patients’ permission to market to them via email. They signed that form, so I am off the hook. I can use whatever I want to use to communicate with them. The lawyer told me it was good.”

She crossed her arms and stared me down. I knew at this moment that nothing I said to her was going to matter. You see, she threw down the “My lawyer said so” defense. Once someone says, “My lawyer said,” they think their lawyer is a magical fairy who will protect them from the big bad government. Because everyone knows all lawyers know EVERYTHING (there is a reason why lawyers are buried 12 feet deep instead of six: because they’re all good deep down)! *

I won’t spend much time on the lawyer thing because Duane covers it very well in his ebook, “What to do when an Investigator Walks into your Dental Practice.” He covers what you really need to know about lawyers in that informative little book. Click here to get it!

Now about HIPAA…Have you figured out the problem in the wife’s logic? She actually had two misunderstandings of HIPAA. The first was that she thought she couldn’t use a marketing program to get new patients. HIPAA is not relevant to people who are not your patients. You don’t have any PHI (Protected Health Information) to protect on the prospects you are trying to entice to join your lovely practice. They are not your patients. You are not required to protect something you don’t have. So you can use a program like the ones I described to market to POTENTIAL new patients and develop relationships with them.

Once they become patients, you have their PHI in your possession and you have a duty to protect it.

Have you figured out the wife’s other big misunderstanding of HIPAA yet?

It’s the biggest misunderstanding of all, and we see it frequently in Dental Practices. Here it is: Just because you can do something doesn’t mean it is in your best interest to do it (from a liability standpoint). HIPAA allows you to communicate with your patients via email…ONLY after you have completed your Risk Assessment and addressed the security of your email provider. As far as we are concerned, that means encrypted email or some sort of secure, encrypted portal (for which you have a BAA).

Duane wanted me to address the issue of consent here as well. An important key to informed consent is this: if the consent is not in writing, you don’t have it. To count as “informed consent” regarding HIPAA, the written notice should tell the patient that:

· Email can be copied, circulated, forwarded, and stored in electronic files
· Email, whether accidentally or intentionally, can be broadcast worldwide immediately and received by many unintended recipients
· Email is easier to falsify than handwritten or signed documents
· Backup copies of email may exist even after the client has deleted his or her own copy
· Employers and online services may have a right to archive and inspect emails transmitted through their systems
· Passwords providing access to email can be stolen and misused, or host systems can be compromised, leading to unauthorized disclosure of personal information
· Email can be intercepted, altered, forwarded, or used without written authorization or detection

In my opinion, sending out a letter like this (above) makes you look kind of like a dope or, at the very least, unprofessional. You are basically telling your patients that you will send their information across an unencrypted platform and that you don’t care enough about them to learn or acquire the technology to protect their PHI. Sorry…I forgot to warn you to put on your steel-toed boots. This may sound harsh, but we have seen so many great Dentists ignore our pleas to get HIPAA compliant and then get nailed by OCR, and they find themselves looking at HUGE fines for this. So my harshness is done out of love.

Back to my story…In this case, just because the wife and her provider husband have permission to market to their patients doesn’t mean they can disregard HIPAA. If you are going to use a marketing program on your current patients, then since the marketing program can access those patients’ contact information, which is used in the context of past, present or future healthcare or mental health care (or payment for the same), the provider husband needs to obtain a BAA from those marketing programs. Good luck finding a robust mainstream marketing program that will sign a BAA. Most won’t. There are several options for marketing to your patients that are HIPAA compliant. We can talk about those another day.

The Main Point: There is no permission slip that allows a healthcare provider to ignore HIPAA regulations and put their patients’ PHI at risk.

The Business Associate Agreement (BAA) is necessary to clarify accountability between the Covered Entity (healthcare provider) and the Business Associate in the event of a breach, and to commit the BA to the healthcare provider that the BA will obey HIPAA and notify the provider in the event of a breach.

So the moral of the story, and the thing this woman missed when she refused to hear me out, is: You can use great online marketing tools to market to potential patients, but once they become a patient, you must have a service that meets HIPAA requirements – no matter what piece of paper the patients have signed. They cannot sign away your obligation to protect their privacy and follow HIPAA requirements.

Has HIPAA got you unhinged? Want to become a HIPAA superstar?

We are hosting the first ever Dental HIPAA Compliance Officer Training in 2015! This course will prepare you to be the HIPAA Compliance Officer in your Dental Practice. You will graduate with a much stronger understanding of HIPAA and how to really protect your patients’ PHI. Learn the difference between HIPAA old wives’ tales and the truth. Want to learn more? Click here to get the details as soon as we release them.

Legal Notice: The information presented in this article is not intended as legal advice and is presented as educational material only. For information relative to your unique situation you should consult your trusted legal advisor.

* Not all lawyers are good deep down. Conversely, some lawyers are outstanding. We have many friends who are lawyers and the comment was made for entertainment value.

Ready to Pull Your Head Out of the Sand? Join the HIPAA Compliance Challenge Now.

Dental Compliance Specialists, LLC is the premier Dental Health Compliance and Quality Assurance provider in the country. We help Dentists develop and maintain compliance programs with the goal of keeping them out of the regulatory limelight. We have in-office and virtual programs, all catered to the Provider’s specific needs. Dental Healthcare Compliance includes: DEA, ICE/Homeland Security, OIG, OSHA, HIPAA, Infection Control, Auditing and Monitoring, Record Auditing, employee training, Radiology Compliance, Medicaid Compliance and more…It’s not just about OSHA anymore!