Regulatory Compliance — Teledentistry and HIPAA
CDA Practice Support
Not long after the U.S. declared a national emergency due to COVID-19, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced it would exercise enforcement discretion and waive potential penalties for HIPAA violations against health care providers who serve patients through commonly used, nonpublic-facing communications technologies. [1] With shelter-in-place orders, many dentists found themselves conducting virtual limited evaluations and triage over such platforms as Apple FaceTime, Google Hangouts, WhatsApp, Skype or Zoom. OCR’s enforcement discretion allowed health care providers to immediately use these platforms without executing HIPAA business associate agreements or undertaking a risk assessment.
Some months after returning to practice, dentists continue to use virtual patient encounters for any number of reasons — infection control, patient convenience and consultations, for example. It appears that a larger number of dentists are now incorporating teledentistry into their practice than before the pandemic. Now is the time for these dental practices to confirm that their information security policies and procedures have been updated so that they comply with HIPAA requirements when the pandemic ends.
The first step is to obtain a HIPAA business associate agreement from any vendor that electronically transmits or stores patient information. The agreement must describe how the vendor is permitted or required to use or disclose patient information and the limits to those uses and disclosures. The agreement should make clear a vendor’s obligation to comply with the HIPAA security rule and certain provisions of the privacy rule. The dental practice should ensure breach notification procedures and vendor obligations in case of a breach are detailed in the agreement. If a vendor stores information, the agreement should include provisions related to the return or destruction of the dental practice’s information.
Next is a risk assessment, which should be documented. Consider every step in the teledentistry encounter. Identify the devices used and who controls those devices. If patient information, such as images, is stored on a device or managed using software, determine if the device or software uses encryption. If not, policies and procedures to reduce the risk of unauthorized access should be developed and implemented. If a device stores patient information temporarily, determine if secure communication is used to transfer the patient information to the permanent storage location, either the cloud or the dental practice system. Risks such as theft, loss and unauthorized access to the information should be addressed in the assessment.
Consider, for example, a dentist’s use of their cellphone to manage a patient of record who is having a weekend dental emergency. After speaking with the patient, the dentist instructs the patient to take photographs of the affected area and to send the photos to the dentist via email or text (choosing the most secure method). The dentist reviews the photographs, calls the patient and assures them the situation can be taken care of on Monday and no weekend visit is necessary. Upon completing the conversation, the dentist types notes into their cellphone and sends the notes and photos to their office email to be added to the patient record. The dentist uses secure email and texting software and an encrypted cellphone. Alternatively, the dentist can enter the information onto the patient’s record stored in the cloud by using a tablet or personal computer.
The above example is teledentistry in its simplest form. Another form of teledentistry, the virtual dental home described by Glassman et al., [2] involves allied dental professionals collecting information from patients, including radiographs, and sending it to one or more dentists at remote sites, then receiving instruction from the dentists. A cloud-based electronic health record system is used and live videoconferencing is more likely. With multiple users at different locations, the scope of the necessary risk assessment is greater than the example described above. More users and more technology present more risks to the security and privacy of patient information. Dental practice owners using teledentistry must ensure their policies and procedures adequately address these risks.
REFERENCES
1. OCR announces notification of enforcement discretion for telehealth remote communications during the COVID-19 nationwide public health emergency, March 17, 2020. www.hhs.gov/about/news/2020/03/17/ocr-announces-notification-of-enforcement-discretion-for-telehealth-remote-communications-during-the-covid-19.html.
2. California Dental Association. Virtual Dental Home, July 2012. www.cda.org/Portals/0/journal/journal_072012.pdf.
Regulatory Compliance appears monthly and features resources about laws that impact dental practices. Visit cda.org/practicesupport for more than 600 practice support resources, including practice management, employment practices, dental benefit plans and regulatory compliance.