We are going through unprecedented times with the current COVID-19 pandemic and many dental practices have been forced to resort to working remotely as an option to keep their practices financially sustainable and, most importantly, to keep their patients and team members at home and practicing good social distancing to combat the spread of the virus.
This essentially means that some or all of your dental office team members (schedulers, clinical staff, billing and administrative staff, etc.) may be working from home and transmitting and receiving sensitive patient information remotely via telephones, smartphones, video conferencing platforms, texting and chatting platforms, and other remote communication tools.
Taking a few minutes to figure out how you can ensure that your dental team has the tools and information needed to easily transition to working from home is the best way to sustain your dental practice and ensure that you stay HIPAA compliant.
On March 17, 2020, the Office of Civil Rights (OCR) announced that, in order to facilitate remote communication in the furtherance of social distancing, the enforcement of HIPAA compliance will be relaxed for the duration of the COVID-19 crisis to allow health care providers to do the following things:
While the use of public-facing platforms such as Facebook, Twitter, TikTok, and Twitch is still prohibited, the use of non-public facing platforms that are not fully HIPAA compliant, such as Apple FaceTime, Facebook Messenger, Google Hangouts, and Skype, will be permitted for the duration of the crisis.
This "exercise of enforcement discretion", as the OCR calls it, does not circumvent any relevant state laws and regulations. Therefore, dental practices must still take into consideration the applicable state laws governing the transmission of sensitive patient information over telecommunication channels.
Laws vary from state to state, so check with your local state agency for more information. You can also visit the Center for Connected Health's website to find information on state regulations that have been updated during the COVID-19 pandemic.
The Health Insurance Portability and Accountability Act (HIPAA) establishes rules and regulations to protect against the unauthorized disclosure of a patient's protected health information (PHI). In addition, HIPAA establishes a set of national security standards for the protection of PHI that is stored or transferred in an electronic form (ePHI).
PHI is any information that is individual to your patient with regard to their past, present, or future care and/or their physical or mental health. This includes documentation of visits to your dental practice, charts, and notes made by dentists or other dental team members. It also includes payment information, coordination of dental benefits, and information regarding the status of a claim, regardless of whether that information is transmitted orally or stored in paper or electronic form.
It is your responsibility as a dental practice to ensure that the privacy and security of PHI is maintained in remote work environments. It is also your responsibility to properly prepare your team for the transition to working remotely in a HIPAA compliant manner.
HIPAA covers PHI in any electronic format, including that which is stored on mobile devices such as smartphones, tablets, and laptops, all of which may also be used to transmit ePHI, but only when the necessary safeguards are in place.
This essentially means that ePHI must be shared or transmitted via an encrypted platform. In other words, you can’t just send someone a text message containing ePHI using standard texting platforms. This is because these platforms have very little encryption and are not HIPAA compliant.
Furthermore, email platforms such as Hotmail, Gmail, Yahoo Mail, and AOL are not HIPAA compliant. Therefore, you should only send PHI by email if you are using a paid service like Microsoft Office 365 or Google G Suite. This is because these providers will sign a business associate agreement (BAA) confirming that they will take the necessary steps to ensure the safety and privacy of the PHI you send through their platform.
Faxing is a HIPAA compliant way to send PHI. That being said, always remember to use a cover sheet when faxing PHI. Also remember that if you mistakenly send PHI by fax, you are required to contact the party you sent it to and request that they destroy the information. Likewise, if you receive PHI by mistake, you are required to notify the person who mistakenly sent it to you and destroy the information.
HIPAA compliance requires a lot of due diligence, even more so when you have dental team members who are working from home. With penalties reaching into the millions of dollars, it is critical for your dental practice to ensure that your remote team members don't make mistakes that could result in HIPAA violations.
Here are several steps you must take to protect your patients' PHI and set your remote team up for success, while ensuring that they remain HIPAA compliant:
Create remote work policies and procedures that, among other things, define expectations for the printing of protected health information, its destruction, and how documents containing PHI must be saved and secured.
Your policies should also specify that:
Require each of your remote team members to conduct a router test and provide you with the results. A router test can be performed using a number of free online tools such as those found at f-secure.com, routersecurity.org, and routercheck.com.
Require all remote team members to use a VPN. A VPN (Virtual Private Network) is a service that allows information to be transmitted securely and protected from being accessed by others.
Even though the use of non-public facing platforms that are not fully HIPAA compliant, such as Apple FaceTime, Facebook Messenger, Google Hangouts, and Skype, will be permitted for the duration of the crisis, you should use those that are fully HIPAA compliant, such as Skype for Business, Vsee, Zoom for Health Care, and Doxy.me, wherever possible.
Constantly remind your remote team that they must:
Currently, business is far from business as usual. The COVID-19 pandemic has forced us to quickly transition to a new world that is a lot different than it was when the year began.
At the beginning of the year, our dental practices were buzzing with people and we were meeting with our patients face-to-face in close proximity. Now, however, we are meeting via Zoom and Microsoft Teams, talking more on the telephone, and using technology to do business remotely.
Not only is this new for many of us as dentists, but it is new for our patients as well. On top of all of this, we still have an obligation to ensure that our patients feel comfortable with receiving care in this environment and to comply with HIPAA regulations for the protection of sensitive patient information.
Therefore, as your trusted dental lawyer, we hope that this information will be of value to you as you are possibly creating a first-time remote work environment for your dental practice. For more information or assistance, contact Ali Oromchian at Dental and Medical Counsel at 925-999-8200, or click below to contact us by email or to schedule a consultation.
For COVID-19 resources for employers, visit our resources page here.