Although the Health Insurance Portability and Accountability Act (HIPAA) is an established component of any dental practice, it requires continuous attention to ensure proper compliance. Under HIPAA, dental practices became responsible for developing and implementing policies to protect personal health information (PHI).1 With advances in digital practices, these policies expanded to include additional rules to protect electronic patient health information (ePHI). However, as the digital age changes with the introduction of more technology, HIPAA compliance continues to become more comprehensive and more confusing.
Protected access to patient information remains the objective of HIPAA policies and rules. Dental practices are thus required to ensure their ability to protect this information in both physical and digital formats. The HIPAA Privacy Rule, introduced in 2000, reinforced that all HIPAA-covered entities must implement safeguards to protect PHI, while the HIPAA Security Rule set standards for access, management, and storage of ePHI. The Security Rule requires that ePHI be maintained, and a security risk assessment used, within the dental practice so that confidentiality, integrity, and accessibility are preserved.
With the guidelines set by HIPAA, dental practices began implementing policies and procedures to protect ePHI. These policies vary across practices, but all depend on staff to support and follow the guidelines. The office staff is also required to ensure that patients are notified of the policies and procedures, including when mobile device use is appropriate and when consent forms are necessary.
“Although a dental practice may have mobile device policies in place, frequent violations can occur if patients take photos of themselves when the dentist and staff are out of the room, and the photos go viral,” says Bruce Seidberg, DDS, MScD, JD*, who maintains a private endodontic practice in Liverpool (Syracuse), New York and also serves as a dental-legal consultant. Dr. Seidberg has found that “the danger of cell phone cameras is their ability to take quick photos without being observed. Patients should be told to turn off cell phones in the office, and if they do not, they need to be told that photographs (including ‘selfies’) are not permitted.” If photographs are taken, they can place the practice and/or practitioner in violation of HIPAA when the photographs are published on public platforms and misused or abused, as can occur with social media sites.
“The consequences resulting from HIPAA non-compliance depend on the agency hearing the allegations, as do the fines,” confirms Dr. Seidberg. “Without proper consent,” he adds, “the consequences can include, but are not limited to, action against the practitioner’s license in the form of suspension and/or stay of suspension for a period of time, and a monetary fine or other remedies available through the state licensing agent.” Due to the serious nature of these allegations, it is vital to ensure proper practice compliance with HIPAA standards for mobile devices, photographs, and photography content.
HIPAA Compliance and Mobile Devices
The Pew Research Center completed a survey in 2013, finding that 91% of American adults own a cell phone and 56% own a smartphone.2 With the prevalence of cell phone ownership, dental practices must have policies in place to ensure that personal mobile devices do not interfere with HIPAA compliance. Thus, the development and execution of policies are necessary for both staff and patients. Personal staff mobile devices should not be used near treatment or exam rooms, or with patients. In fact, staff should use personal devices only in designated break areas and never when working with patient care. Patients should be notified to turn off mobile devices in the office and that photographs are not allowed.
Within a practice, however, mobile devices can provide enhanced convenience, portability, and technology. They also allow clinicians to share information and photographs with colleagues, and improve communication with patients and among office staff. These devices can be used for taking photographs, simplifying chart documentation, and interoffice communication.3
With HIPAA laws in place to protect patient information, dental practices must navigate areas of digitalization within their practice. Many practices utilize electronic platforms to view and transfer patient data and dental records, providing quicker access to information and easier communication between professionals. This convenience, however, also may pose a risk of HIPAA violation, as the introduction of mobile devices into dental practices for communication presents a possible obstacle to following HIPAA standards.
For example, complications with mobile device use in dentistry frequently occur because of failure to protect the patient information stored on these devices. Data breaches can arise for a variety of reasons, although most frequently because the mobile device did not require users to enter a password or provide biometric identification to access the information stored on it.4 Additional compliance issues can result when mobile devices that are not dental-specific are used within the practice.
To avoid HIPAA noncompliance, it is important that dental practices create and enforce mobile device policies to protect themselves and their patients. Some safeguards for mobile devices that store ePHI include setting strong passwords, encryption, automatic log off, requiring user identification, enabling remote wipe, locking the device, registering the device, installing a firewall, and using a secure Wi-Fi connection.5 Utilizing dental-specific devices also ensures that the data stored on the devices remain in the locked dental practice and can always be accounted for.3 Security breaches from dental-specific or personal mobile devices can create serious legal problems, especially with digital photographs.
HIPAA Compliance and Photograph Consent
As dentistry evolves to include more digital photographs for treatment planning, case presentations, and marketing, HIPAA laws continue to guide the protocol and consent necessary to protect this patient information. “Compliance standards are set so that all photographs taken of any patient or part thereof require an appropriate consent form signed and dated,” says Dr. Seidberg. These photograph consent forms protect practices from legal action resulting from use of the image(s), and must include the purpose, intended use, date, and signature of both provider and patient. An opt-out clause covering all or part of the consent for anticipated use should also be included.
Consent forms are designed to ensure that the patient is made aware that their photographs may be used for a variety of purposes, including treatment planning, research, professional education, and marketing. As a component to dental records and clinical care, these forms verify that photographs taken of the patient may be shared with colleagues, staff, or dental students, and published for educational materials, scientific journals, or presentations.6,7 Whether plans to use the patient’s photographs are anticipated or the images are for routine care and treatment, it is necessary for the patient’s protection and interest that the appropriate consent is obtained.6
Dental practices must comply with HIPAA guidelines by implementing protocols and policies to ensure proper PHI and ePHI protection. This includes setting policies for patient mobile device and digital photograph use, and office policies for mobile devices and photography procedures. Obtaining proper photograph consent, ensuring mobile device security, and securely storing mobile devices and patient records are among the first steps to safeguarding dental practices. As mobile devices continue to enter the dental practice, whether through practice implementation or patient use, and an increasing number of patient photographs are required to execute treatment among clinicians, it remains essential to have the ideal policies and procedures in place to protect the patient and practitioner.
1. Summary of the HIPAA Privacy Rule. 1996. United States Department of Health and Human Services. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf.
2. Smith A. Pew Smartphone Ownership—2013 Update. 5 June 2013. Pew Internet. Retrieved from www.pewinternet.org/Reports/2013/Smartphone-Ownership-2013/Findings.aspx.
3. Pace Brinker S. HIPAA compliance and digital photography with personal mobile devices. Dental Products Report. 2015;48(1):76-80.
4. Lewis Dolan P. Doctors driving IT development with their mobile technology choices. 23 May 2011. American Medical News. Retrieved from http://www.ama-assn.org/amednews/2011/05/23/bisb0523.htm.