GDAction 0313.qxd
3/14/13
8:30 PM
Page 1
ACT ION
THE JOURNAL OF THE GEORGIA DENTAL ASSOCIATION
MARCH 2013
GDAction 0313.qxd
3/14/13
8:30 PM
Page 2
GDAction 0313.qxd
3/14/13
8:30 PM
Page 3
VOLUME 32, NUMBER 3 • MARCH 2013
ACTION
on the cover
ACT ION
THE JOURNAL OF THE GEORGIA DENTAL ASSOCIATION
GDA ACTION (ISSN 0273-5989) The official publication of the Georgia Dental Association (GDA) is published monthly. POSTMASTER: Send address changes to GDA Action at 7000 Peachtree Dunwoody Road N.E., Suite 200, Building 17, Atlanta, GA 30328. Phone numbers in state are (404) 636-7553 and (800) 432-4357. www.gadental.org. Closing date for copy: first of the month preceding publication month. Subscriptions: $17 of membership dues is for the newsletter; all others, $75 per year. Periodicals postage paid at Atlanta, GA. Dr. David Bradberry GDA Editor 1070 Woodlawn Dr NE Suite 250 Marietta, GA 30068
Delaine Hall GDA Managing Editor 7000 Peachtree Dunwoody Rd NE Suite 200, Building 17 Atlanta, GA 30328
2012-13 Georgia Dental Association Officers Sidney R. Tourial, DDS, President Marshall H. Mann, DDS, President Elect Douglas B. Torbush, DDS, Vice President James B. Hall III, DDS, Secretary / Treasurer R. David Bradberry, DMD, Editor
GDA/GDIS Executive Office Staff Members Martha S. Phillips, Executive Director Nelda Greene, MBA, Associate Executive Director Delaine Hall, Director of Communications Skip Jones, Director of Marketing (GDIS) Courtney Layfield, Director of Member Services Victoria LeMaire, Medical Accounts Manager Judy Lively, Administrative Assistant (PT) Melana Kopman McClatchey, General Counsel Denis Mucha, Director of Operations (GDIS) Margo Null, Property and Casualty Accounts Manager Meg Robinson, Director of Governmental Affairs Patrice Williams, Administrative Assistant Phyllis Willich, Administrative Assistant Pamela Yungk, Director of Membership & Finance GDA Action seeks to be an issues-driven journal focusing on current matters affecting Georgia dentists, patients, and their treatment, accomplished through disseminating information and providing a forum for member commentary. © Copyright 2013 by the Georgia Dental Association. All rights reserved. No part of this publication may be reproduced without written permission. Publication of any article or advertisement should not be deemed an endorsement of the opinions expressed or products advertised. The Association expressly reserves the right to refuse publication of any article, photograph, or advertisement.
MARCH 2013
As if the previous thousands of pages of Health Insurance Portability and Accountability Act (HIPAA) regulations weren’t enough, the long delayed HIPAA Omnibus rule, all 563 pages of it, was issued in January. The new rule makes significant changes to the existing rules and requires us to change our procedures once more, all in an effort to keep patient information safer. Dentists must comply with the new HIPAA rules by September 23, 2013. See page 12 to find out what actions your office must take.
other features
sections
11
New Credit Card Surcharge Allowance: What Dentists Must Know
4
Parting Shots
5
Editorial
Legally Naked in a Well-Dressed World: Do You Need an Attorney?
6
Letters to the Editor
7
News and Views
10
Calendar of Events
25
Classifieds
18 20
23
How to Determine if Your Practice Would Benefit from Cyber Liability Coverage Make GDA Annual Meeting Room Reservations for July
Member Publication American Association of Dental Editors
index of advertisers Note: Publication of an advertisement is not to be construed as an endorsement or approval by the GDA or any of its subsidiaries, committees, or task forces of the product or service offered in the AFTCO Transition Consultants . . . . . . . . . . . . .24 Atlanta Dental Imaging . . . . . . . . . . . . . . . . . . .13 Center for TMJ Therapy . . . . . . . . . . . . . . . . . .29 Craniofacial Pain Center of Georgia . . . . . . . .19 Dental Care Alliance . . . . . . . . . . . . . . . . . . . . . .8 Fidelity Bank . . . . . . . . . . . . . . . . . . . . . . . . . . .11 Full Spectrum Seminars . . . . . . . . . . . . . . . . . . .9
advertisement unless the advertisement specifically includes an authorized statement that such approval or endorsement has been granted.
GDA Dental Recovery Network . . . . . . . . . . . .28 Georgia Dental Insurance Services . . . . . . . . .32 Georgia Denture & Implant Specialists . . . . . .17 Georgia Mission of Mercy . . . . . . . . . . . . . . . .31 Great Expressions Dental Centers . . . . . . . . . .27 Hospital Dentistry—Dr. Kurtzman . . . . . . . . . .14 Law Office of Stuart J. Oberman . . . . . . . . . . .15
National Practice Transitions, LLC . . . . . . . . . .26 Dr. Mark Padolsky—TMD Dentist . . . . . . . . . .27 Paragon Dental Practice Transitions . . . . . . . .30 Professional Practice Management . . . . . . . . .24 Southeast Transitions . . . . . . . . . . . . . . . . . . . .28 UBS Financial Services . . . . . . . . . . . . . . . . . . .2
GDAction 0313.qxd
4
3/14/13
8:30 PM
GDA ACTION MARCH 2013
Page 4
GDAction 0313.qxd
3/14/13
8:31 PM
Page 5
editorial perspective Ducks All in a Row
R. David Bradberry, DMD
One of the things I often like to do is watch different animals as they go about their daily lives. Because of my location I have the good fortune of watching ducks and geese on an almost daily basis. They both tend to be generally organized into their groups during daily tasks. They sleep, bathe, and go about gathering food daily. They instinctively know the what, when, and how of doing all this in a manner that reduces any danger to them but yields the most food, safety, and protection. What is interesting is that only some of them know when a real threat faces them and when something is just a nuisance. I say some since it appears about half the brood is wild. The other half seems to be “city-fied.” These waterfowl are the ones that do not prepare as much, live more day to day, and do not fly south for the winter. I’ve been told that this is due to the birds being “urbanized.” They don’t need to travel to survive winter; there are plenty of resources for them in suburban Atlanta due to the migration of people. Recently on a people level life has reminded me of the Scout motto “Be Prepared.” In many ways I have had to look at and answer this question: ‘Am I prepared?’ Now as I write, this brings to mind the question, ‘Are you prepared?’ As doctors our answers to this question can be divided into many parts. Do you have all of your “ducks” in a row in the insurance arena? Everyone usually has the various insurance policies completed and in place as needed. But do you have any instructions written out about the coverage and how to start the ball rolling on making the coverage work? Do you have a set of instructions for both home and office in the event you or your office become incapacitated in any way? I cannot recommend this enough. Our GDA insurance agency highly recommends this. Though no one can ever be really prepared for an emergency, having detailed instructions for others to follow greatly reduces stress at a time when most people have difficulty just thinking. Do you have a set of guidelines outlining who your family and staff can contact for help, and in what areas, should you become
incapacitated? Are there instructions for your employees that can help them keep day-to-day operations going? If you are a solo practitioner, are you part of a group that has agreed to help one another? Take the time to write out instructions and put agreements in place. Even if your incapacitation is a short-term disability, this will make a tremendous difference to the people trying to fill the vacuum your absence creates. What will guide your practice forward if you are not there to personally direct the ship? On a slightly less serious note, are you prepared if your office systems become incapacitated? A few years ago I had to move my office, so I decided to upgrade some of my equipment. Now, I’m an engineer by background so you can imagine that I’m a little hands-on when it comes to design and implementation. Even then, thanks to the complexity of modern electronics, I left gaps. And they showed up the first time bad weather rolled through. Electrical power surges, anyone? Our computers had basic protection but we still ended up with issues. Make sure that every electronic item in your office is at least double-surge protected including that very “in-expensive” pan machine. The engineer in me rapidly decided to implement multiple layers of surge protection, from where the phone and electrical lines come into the building all the way down to each individual unit. Since spikes in electricity are generally faster than protectors to stop ‘spikes’ from brown-outs I also placed voltage softeners on crucial equipment (like my server and pan x-ray). I was more than a little bothered post-storm when I remembered that my installation expert had not recommended this degree of planning. It took a lot of thunder and lightning for me to get my ducks in a row. Make your plan. Write down that plan. Make sure others know about the plan. You never know when a zap might come along. Be prepared and may your ducks line up.
GDA ACTION MARCH 2013
5
GDAction 0313.qxd
3/14/13
8:31 PM
Page 6
letters to editor Dr. Bradberry, Kudos to the GDA for seizing the opportunity to present definitive data refuting the purported dental manpower shortage in Georgia, and by inference other states as well. The inequity between dental manpower and patient utilization is a nationwide problem, and the actions of the GDA will be appreciated by dentists across the country. Hopefully this will lead to the demise of the completely superfluous mid-level provider. Because of practitioner / patient inequity, most young dentists are either struggling as start-up solo practitioners, “indentured� to corporate dentistry, or working as associates in established practices with no real path to partnership or ownership. As noted in the editorial perspective in the January 2013 GDA Action, we must make a more concerted effort to educate the public about the advantages of regular dental care, and we must educate ourselves in ways that allow us to more effectively serve our patients. But we must also be realistic. There is a limit to our potential for patient motivation. When we think of the considerable marketing efforts dentists already make, in conjunction with the robust advertising done by manufacturers of dental consumer products, we are likely near the limits of our abilities to motivate the public. A fundamental problem in my opinion, and one that seems to be largely unrecognized, is the reduction in per capita dental needs over the last few decades without a corresponding reduction in dental providers, increased population notwithstanding. (We are witnessing the remarkable impact of fluoride and prevention measures.) Those of us who practiced in the 1970s and 1980s have seen the problems caused by an excess of practitioners, and we are seeing the same problems now. I emphasize this issue in the hope that we will make efforts to curtail the manpower oversupply. However, because of the recent spate of new dental schools and / or class enlargements, our profession is going to be facing a surplus of practitioners for the foreseeable future.
Letters to the Editor are Welcome The Georgia Dental Association invites members to submit questions and comments for potential publication in GDA Action to Editor Dr. David Bradberry at drbradberry@bellsouth.net or
Managing
Editor
Delaine
Hall
at
hall@gadental.org. Please note that the GDA will not publish unsigned letters submitted to GDA Action, or letters submitted under a name the GDA office cannot verify. The GDA reserves the right to edit all letters for clarity and length. Unpublished letters will not be returned. Opinions presented in letters and
Dentistry is no different from other professions or businesses. We are all impacted by the realities of the marketplace.
commentaries are the authors’ opinions, and
Sincerely, Stephen D. Carter, DDS
do not necessarily reflect the adopted policies
Dr. Carter is a general practitioner in Snellville, Georgia.
6
GDA ACTION MARCH 2013
of the Georgia Dental Association.
GDAction 0313.qxd
3/14/13
8:31 PM
Page 7
general news NORTHERN DDD Foundation Congratulations to the DDD Foundation, Inc., on the January premiere of their fundraising video produced by Encyclomedia. The media firm selected the DDD Foundation, which provides dental care for patients with developmental disabilities through a clinic in Atlanta, as the winner of a competition for a professional video worth $50,000 to showcase their organization. “The video is inspiring, engaging, and it gives a behind the scenes view of a typical day at the clinic,” said Dr. Deidra Rondeno, the dentist who established the foundation in 1999 and opened the clinic space in 2002.
Dr. Deidra Rondeno working in her Atlanta practice that is made up nearly entirely of mentally challenged patients. The practice won a contest to have a professionally produced fundraising video made—this photo is a still from the shoot. Dr. Rondeno hopes the video will help the clinic win funds to support expansion.
Demand for the care that Dr. Rondeno and her staff provide has increased each year of the clinic’s existence. As a result, the dental clinic has outgrown its current space and is working to raise funds and secure grants in order to relocate to a larger facility. The Foundation has hosted
5K runs and golf tournaments as a way to bring in money, but the funds raised have thus far gone to meet current financial need with little left over to plan for expansion. So, as 2013 begins, the DDD Foundation will use the video to help secure greater community and corporate financial support. “It’s challenging work, yet we have found a way to provide the services necessary to address the needs of this underserved community and we want to help many more,” Dr. Rondeno told The Atlanta World. “It’s also very fulfilling work because we leave every day knowing we are making a difference in our patients’ lives. Not only are we improving their oral health, but we also help to reduce some of the stress in the lives of their families and caregivers who love them and want to keep them healthy.” To read more about the DDD Foundation, visit www.dddfoundation.org. You may view a trailer for the fundraising video at www.youtube.com/watch?v=P9DKtWREzZ8.
private offices, or at an event sponsored by a dental organization. The GDA honors your commitment to giving back.
NORTHERN
NORTHERN
Dr. Fisher
Dr. Goldstein
The Ben Massell Dental Clinic of Atlanta turned 100 years old in 2012. Clinic officials capped a year of remembering the thousands of indigent patients helped by clinic volunteers with a gala fundraiser in January 2013. The event placed a spotlight on the decades of service offered by Dr. Emile Fisher, the first specialist (he is a periodontist) to volunteer at the Clinic in 1956. The gala also celebrated all dentists who have volunteered to care for individuals with tremendous dental need and educate them about how to obtain optimal oral health. The GDA was one of two presenting sponsors for the fundraising event. Kudos to all dentists who volunteer to provide care for the less fortunate, whether it is at a large facility like The Ben Massell Dental Clinic, a clinic that is open one day a week in a church trailer, in their
The Georgia Academy of Dental Practice honored Dr. Ronald Goldstein of Atlanta with the chapter’s first Lifetime Achievement Award during its January 2013 meeting. He was also chosen as the chapter’s first Honored Lifetime Member. “We bestowed these honors on Dr. Goldstein to recognize his contributions to esthetic dentistry in Georgia as well as throughout the world,” said GADP President Dr. Joe Chafin. “Our January meeting speakers, Dr. Dennis Tarnow and Dr. Stephen Chu, have collaborated with Dr. Goldstein in the past, and Dr. Chu has a chapter in Dr. Goldstein’s newest book Esthetics in Dentistry. All of this made it
Ben Massell Dental Clinic volunteer dentists Dr. Stephen Bankston and Dr. Emile Fisher. Dr. Fisher was honored at a January gala celebrating the clinic’s 100th birthday for his 60+ years of service and dental philanthropic endeavors.
NEWS AND VIEWS Continued on page 8
GDA ACTION MARCH 2013
7
GDAction 0313.qxd
3/14/13
8:31 PM
Page 8
NEWS AND VIEWS Continued from page 7
the perfect time for the GADP to honor Dr. Goldstein.” Dr. Goldstein is known worldwide as a ‘teacher of teachers’ especially with regards to expanding the horizons of esthetic dentistry of already practicing clinicians. Dr. Goldstein is considered a pioneer in making dentists aware of their patients’ need for more attractive smiles in modern society. Dr. Goldstein and his family endowed the Georgia Regents University Ronald Goldstein Center for Esthetic and Implant Dentistry in order to educate future dentists on how esthetic teams can provide patients with optimum cosmetic and functional results. “Many colleagues and family members enjoyed the Lifetime Achievement Award presentation and reception the GADP held in Dr. Goldstein’s honor,” said Dr. Chafin. “It was a wonderful day for our GACD members to have such wonderful speakers, and to honor our good friend Ronald Goldstein.”
8
GDA ACTION MARCH 2013
Dr. Ronald Goldstein (fifth from right) was honored in January with the Georgia Academy of Dental Practice’s first Lifetime Achievement Award and as the chapter’s first Honored Lifetime Member. Shown are GADP board members Brian Lindke, Dr. Hugh Flax, Rhonda Mullins, Belinda Bryant, Dr. Joe Chafin, Dr. Chris Sholota, Dr. Jim Forester, Pinhas Adar, and Dr. Jim Merriman. Not pictured are board members Drs. Sarah Roberts and Jill Golsen.
GDA / ASDA Clinic Day Many of our MCG / GHSU dental school graduates may remember experiencing Table Clinic Day. The Georgia Dental Association has been a proud sponsor of
this event for nearly all of the 24 years it has been held, and two office staff members attended the Clinic Day this year in February to provide students with GDA and GDIS product and service information and giveaways. As a Platinum Sponsor, the GDA staff members were also able to network with students during a
GDAction 0313.qxd
3/14/13
8:31 PM
Page 9
cocktail party the evening before Table Clinic Day. “Having a GDA presence at this event is important to demonstrate Association support for the students,” said Pamela Yungk, GDA Director of Membership. “That helps make it easy for students to say yes when we ask them to join the GDA upon graduation. “We typically answer a lot of questions about practice insurance and legislative activities and a variety of other topics at our vendor area,” Mrs. Yungk continued. “What was nice this year was the number of students who were excited about taking part in the Georgia Mission of Mercy. We provided them with volunteer information for that event.” Mrs. Yungk was joined in Augusta for Clinic Day by Georgia Dental Insurance Services’ Director of Marketing Skip Jones. The staff members will be joined by Associate Executive Director Nelda Greene in May for Transition Day at the dental school, when senior students have the opportunity to transfer from ASDA to the ADA and GDA.
College of Dental Medicine students Jimmy Cassidy III and Wendy Cardenas at a reception preceding Clinic Day in Augusta.
Paul Trotter, Chris DeLeon, and Bart Wilson during Clinic Day at the College of Dental Medicine at GRU. They stopped to talk with GDA staff members Pamela Yungk and Skip Jones who were present for the event.
NEWS AND VIEWS Continued on page 10
Vice President of the Georgia Regents University ASDA chapter Alena Reich fills out nametags for a pre-Clinic Day event.
GDA ACTION MARCH 2013
9
GDAction 0313.qxd
3/14/13
8:31 PM
Page 10
NEWS AND VIEWS Continued from page 9
DENTISTS In Memoriam The GDA extends sympathy to the family and colleagues of the following individuals. William Douglas Lyles, DDS, who died February 13, 2013, at the age of 70. Dr. Lyles was a member of the GDA through the Southwestern District. He was a 1967 University of Tennessee School of Dentistry graduate and a general dentist. He was an American Dental Association Life Member. Charles Hardy Roszel, DDS, who died February 12, 2013, at the age of 70. Dr. Roszel was a 1967 University of Michigan School of Dentistry graduate and a general dentist. He was instrumental in establishing the Floyd County Dental Clinic which provided care to thousands of indigent residents of Northwestern Georgia. Walter Dan Stinson Jr., DDS, who died February 6, 2013, at the age of 74. Dr. Stinson was a member of the GDA through the Northern District. He was a 1963 Emory University School of Dentistry graduate and a general dentist. He was an American Dental Association Life Member.
Need to consult a back issue of GDA Action? Find them at www.gadental.org. Select the “For Members” green button and then choose the “GDA Publications” link from the drop down menu. 10
GDA ACTION MARCH 2013
Upcoming GDA / Dental Events MARCH 2013 Sat, March 30: Dental Dash at Dawn 5K Run / Walk, Old Fourth Ward, Atlanta. 8AM. Benefits the DDD Foundation for the developmentally disabled. Visit www.dddfoundation.org for details.
APRIL 2013 Fri-Sat, Apr 5-6: ADA Conference on Recruitment & Retention, Chicago. Sat, Apr 6: GDA Board of Trustees Meeting, GDA Office. Fri, Apr 12: Georgia Association of Orthodontists Certification Course for Dental Assistants, Marietta, 9AM – Noon. Register at gaortho.org/assistants. Wed, Apr 17: Northern District CE, Villa Christina, Atlanta, 6:30 Dinner, 7 Lecture.
Fri, May 17: Southwestern District Membership Meeting, Tifton. Fri, May 17: Georgia Association of Orthodontists Certification Course for Dental Assistants, Columbus, 9AM – Noon. Register at gaortho.org/assistants. Sat, May 18: Special Smiles Dental Screenings, Emory Campus. Mon, May 27: GDA Office Closed for Memorial Day Holiday. Fri, May 31: GDA Finance Committee Meeting, GDA Office. Fri, May 31: GDIS, GDHC, GFOH board meetings, GDA Office.
JUNE 2013 Thurs-Sun, June 13-16: Georgia Mission of Mercy, North Atlanta Trade Center, Norcross.
Fri-Sat, Apr 19-20: GDA Presidents Elect Conference, Lake Lanier Islands.
Fri-Sat, June 14-15: GDA Expanded Duties Assistants Course, Athens. See www.gadental.org for registration details.
Wed, Apr 24: GDA Transition Day for Seniors, College of Dental Medicine, Augusta.
Fri, June 21: LEAP Course, GDA Office.
Fri, April 26: Rehoboth Life Care Ministries Dental Clinic Golf Invitational, Southern Hills Golf Club, Hawkinsville. 1PM. Visit www.careforlifeclinic.com or call (478) 953-7770 for details.
MAY 2013 Fri, May 3: GDA Officer Visit to Southeastern District Membership Meeting, Savannah. Mon, May 6: Northern District Executive Committee Meeting, GDA Office. Thu, May 9: Central District Executive Council Meeting, Macon. Mon-Wed, May 13-15: ADA Washington Leadership Conference, DC.
Sat, June 22: GDA Board of Trustees Meeting, GDA Office. Sat, June 22: Emile T. Fisher Foundation for Dental Education Board Meeting, GDA Office.
JULY 2013 Wed, July 4: GDA Office Closed for Independence Day Holiday. Thurs-Sun, July 25-28: GDA Annual Meeting, Hilton Head, South Carolina. See www.gadental.org for registration details.
AUGUST 2013 Sat, Aug 10: GDA Board of Trustees Meeting / Committee Orientation, GDA Office.
GDAction 0313.qxd
3/14/13
8:31 PM
Page 11
Credit Card Surcharges: What Dentists Must Know When Using and Accepting Cards Beginning January 27, 2013, merchants, including dentists who accept credit card payments, will have the option of imposing a surcharge of up to 3% on consumers when they use a credit card to pay for services. This surcharge is the result of what may be the largest anti-trust settlement in U.S. history. The litigation began in 2005 when a group of retailers claimed that MasterCard, Visa, and nine other companies conspired to fix the fees that stores pay to accept credit card purchases. After years of negotiations the credit card companies and banks settled the case by agreeing to pay $6 billion to the merchants who sued. What is important to businesses and consumers is that part of the settlement allows merchants to charge customers a fee equal to the cost of accepting cards, which was previously prohibited by the credit card companies. While merchants may charge consumers the additional fee, merchants are not required to assess the surcharge. Dentists should keep the following facts in mind both when using a credit card to pay for purchases and in considering whether to charge patients a surcharge. GDA members may call the GDA office at (800) 432-4357 with additional questions.
purchases, customers must be notified of the surcharge before they make the actual purchase. A sign must be conspicuously placed at the store or facility entrance and at the point of sale. If the purchase is occurring on-line, a sign must be on the first page that references credit card brands. Many of the credit card companies will have sample point-of entry and point-of sale language that retailers can use in their facilities and on their web sites. • Surcharges must be disclosed on every receipt, whether the purchase is in-store or on-line. This probably means that the receipt provided to a patient in a dental office must state that a surcharge was added to the bill should the dental office elect to apply the surcharge.
• It has long been illegal to charge a credit card surcharge in 10 states: California, Colorado, Connecticut, Florida, Kansas, Maine, Massachusetts, New York, Oklahoma, and Texas. The surcharge will continue to be illegal in those states. The remaining 40 states, including Georgia, will allow the new “checkout” fee. However, if a buyer in one of the 10 states makes a purchase online and the company is in one of the 40 states which permit the surcharge, the purchaser may have to pay that additional charge. • Dentists may need to notify their credit card company representatives of their intent to charge the surcharge. To determine if this is required, dentists should simply contact the company to inquire.
• Before choosing to apply any surcharge, dentists may want to consider a number of factors, including what potential impact the surcharge may have on your patients’ experience in your office; whether others in the profession may apply the surcharge; and what information must be disclosed to your patients. • Retailers, including dentists, may not apply the surcharge to purchases made using a debit card or a prepaid card. • The surcharge applied to purchases may not exceed 3% even if the retailer is charged more than that by a credit card company. • Should a retailer, including a dentist, choose to impose a surcharge on credit card GDA ACTION MARCH 2013
11
GDAction 0313.qxd
3/14/13
8:31 PM
Page 12
New HIPAA Rules: Dentists to Face More Stringent Notification and Reporting Requirements Laney Kay, JD
As if the previous thousands of pages of Health Insurance Portability and Accountability Act (HIPAA) regulations weren’t enough, the long delayed HIPAA Omnibus rule, all 563 pages of it, was issued at the end of January. The new rule makes significant changes to the existing rules and requires us to change our procedures once more, all in an effort to keep patient information safer. Unfortunately, as with most government regulations, the end effect to those who are governed by the rule is that we have much more cost and liability. At the end of the day, who knows whether patient information will be any safer than it was before? Regardless, dentists must comply with the new HIPAA rules by September 23, 2013. And it is my opinion that we are all going to have to make some changes in the way we practice dentistry to comply.
Penalties for Violations Will Increase Dramatically Under these new rules, the penalty structure has changed significantly; in fact, a fine can now be as much as $1.5 million per violation. These fines are partially based on how much of an effort you’ve made to get your office into compliance and what actions you’ve taken to ensure that your patients’ information is safe. If you have not made a significant effort to take adequate precautions to protect your patients’ information, this can be construed as “willful neglect.” This means that you knew (or should have known) that you had a problem and failed to take steps to correct it. The more neglect, the bigger the fine, so making a significant effort is incredibly important. Regular risk assessments and regular, well-documented training demonstrates effort on your part and shows that you are serious about complying with the rules. These actions would hopefully minimize any potential HIPAA fines.
12
GDA ACTION MARCH 2013
HIPAA Breaches and Malpractice Coverage Most dental malpractice insurance carriers will pay for certain HIPAA violations, but there are exceptions. Check with your carrier to see how much coverage you have and what the terms are in the event of an issue. Additional HIPAA coverage can be acquired; however, be aware that if a violation is considered to be a result of willful neglect, oftentimes, your malpractice carrier will refuse to pay because it is considered to be an intentional act on your part, and therefore, is not covered by insurance.
Set Up and Maintain a HIPAA Program If you are not already doing so, now is the time to set up a HIPAA program in your practice and maintain the program regularly. Get a manual, choose a security officer in your office to oversee the HIPAA program, and then fill out the manual so you have written policies and procedures. The American Dental Association sells “The Practical Guide to HIPAA Training” for $202.50 as one possible option. You can also find information about policies and procedures at www.hhs.gov/ocr/privacy. Perform regular employee training on HIPAA issues, as needed, and document the training. Most importantly, you need to perform regular risk analyses and assessments to evaluate potential issues in your office regarding patient information, take action to fix any problems you find, and then document your actions. You can’t do this once and then say you’re done. The risk assessments must be done whenever necessary, and at least on a regularly scheduled basis. The schedule needs to be documented in your materials.
Posting of Policies and Patient Acknowledgements The new rules require us to make changes to our existing privacy policies. You do NOT have to distribute the
new policies to current patients or have them sign a new acknowledgement of receipt. However, you would have to post the new policies, have copies available for those patients who request them, and distribute these new policies to new patients and have them sign an acknowledgement. If a practice has a web site or social media presence, such as a Facebook page, and posts privacy notices there, common sense would dictate replacing all current notices with the new information. Including a statement that the practice has changed its privacy practices, and that patients should read the new information could show a good faith effort to ensure patients are aware of the updated practices. The new policies must state that a patient’s information cannot be sold or used for marketing or fundraising purposes without previous signed authorization by the patient, and that a patient will be informed if there are any financial conflicts of interest with the dentist and any products or services utilized within the practice or as part of treatment. The patient must also acknowledge this conflict of interest statement in writing. The policies must state that a patient will be notified of any breaches of information in a timely manner. The new rules also state that if a patient personally pays for a procedure and asks that information about that procedure NOT be disclosed to their insurance company, so long as the patient pays in full for the procedure in a timely manner, the practice cannot make the disclosure. If you use electronic health records, and patients want an electronic copy of their records, they should be able to get an electronic copy, if possible. If patient information is not maintained in an electronic format, then the information must be provided in a mutually agreed upon format. The rule specifically states that a health care provider doesn’t have to buy new software or change a current computer system in order to comply with this
GDAction 0313.qxd
3/14/13
8:31 PM
Page 13
requirement. If a patient requests, in writing, that a copy of his record be sent to a specific third party, the record must be sent, as directed.
Big Changes Coming in Business Associate Disclosures Some of the biggest changes we will see involve business associates. According to a presentation made in June 2012 by an attorney with the Department of Health and Human Services, more than 20% of all large breaches of private health information are caused by business associates.(1) With that sort of track record, business associates came under fierce scrutiny by federal regulators. The result is that under the new regulations business associates are now regulated by the HIPAA rules. They are subject to the same liability and the same fines and penalties, and they must adhere to the same policies and procedures and comply with all of the HIPAA requirements.
Many of your business associates may not be aware of these new rules, so before you renew any contracts with them, let them know that they will be subject to all HIPAA requirements and what that means. This is especially important if you deal with someone who, for example, shreds secure patient information as a side business, or performs work for your practice as a favor. If there is a breach and the HIPAA agencies start investigating all involved parties, the ramifications to both of you may be huge. I imagine that there are some companies that are going to stop working with health care providers altogether because they don’t consider it worth the hassle of dealing with HIPAA. In case you do not recall or know, a business associate is a business entity that requires access to your patients’ private health information on a routine basis as part of performing tasks. If the business creates, receives, maintains, or transmits data on your behalf, that entity is a business associate. Here are some examples of business associates in dentistry:
• Anyone who stores your patients’ information or converts, or transmits it, or transcribes it; • Anyone who works on your computer system and has access to your patients’ information; • A consultant, lawyer, or accountant with access to patients’ personal health information; • A clearing house that prepares electronic claims for filing with insurance companies; • A shredding company that takes patient charts offsite for disposal; • Your dental software company if they have remote access to your system;
HIPAA Continued on page 14
GDA ACTION MARCH 2013
13
GDAction 0313.qxd
3/14/13
8:31 PM
Page 14
HIPAA Continued from page 13
• Billing services, collection agencies, and any other entity that accesses your patients’ financial information. Please note that dental labs, insurance companies, other doctors, and pharmacies are not business associates and do not require an agreement. Does the liability of our business associates relieve us of our liability if they screw up? Of course not. The government is now allowed to fine everyone, but ultimately, we are still responsible for the acts of our business associates and anyone working for them on our behalf, and are responsible for ensuring that patients are properly notified and protected in the event of a breach. So how can we protect ourselves? The most important thing is to make
14
GDA ACTION MARCH 2013
sure that we have written agreements with our business associates that clearly designate each party’s responsibilities. The agreements need to have indemnification agreements that acknowledge that, in the event of a breach caused by the business associate, it will be responsible for all announcements and notifications, and will pay for any actions needed to mitigate damages, such as credit protection services. If your business associate has subcontractors, you do not have to have personal agreements with the subcontractors; that is your business associate’s responsibility. However, make sure that your contract includes a section that says that the business associate is also responsible for indemnification of any damages caused by subcontractors. Since you are still ultimately liable for the acts of your business associates and any subcontractors they hire, these agreements are very important to protect your interests in the event of a breach.
Big Changes on Way in Breach Definition and Reporting The new rules will also bring us significant changes in the definition and reporting of breaches. Basically, a breach is a use or disclosure of protected health information which compromises the security or privacy of a patient’s protected health information. What are examples of a breach? The most common example is when a computer gets hacked or gets a virus, but can also include situations in which a computer, smart phone, or backup device such as a thumb drive or external hard drive containing patient information is lost or stolen. It is also a breach if you mail or email one patient’s bill to another patient or you fax a patient’s information to the wrong fax number. Under the old rules, if a breach occurred, the business would need to evaluate the situation to see if the breach could result in a risk of significant risk of
GDAction 0313.qxd
3/14/13
8:31 PM
Page 15
harm to the person; if so, notification would have to be performed. Under the new law, if any situation occurs that could compromise patient information, it is presumed that a breach has occurred and notification is necessary unless a risk assessment shows that it is not likely that the information has been compromised. You can’t just say ‘it’s not a breach’ if an incident occurs. You must perform a risk assessment to determine if a breach occurred. Since the presumption is that a breach has occurred, unless you can demonstrate a low probability that the information was compromised, an assessment must be performed to see whether you need to go any further. Every risk assessment must be done thoroughly, completely, and in good faith and the conclusions have to be reasonable. A proper risk assessment considers four factors, and all four of these factors must be considered together in order to make a reasonable assessment of the situation.
1) First, evaluate what type of information was potentially compromised and how much was actually disclosed. If you have a situation where only patients’ names were disclosed, but no other information, that is much less of a problem than if the patients’ Social Security numbers and dates of birth were disclosed.
assessment, document your findings, and place a document in your HIPAA manual to show you properly evaluated the situation. On the other hand, if you accidently fax a patient’s medical record to his employer, that’s an entirely different situation and it is likely that notification would be necessary.
2) Second, consider who received the information. For example, consider a situation where you accidently faxed the wrong patient’s information to a specialist. They called and told your office that you sent the information to the wrong doctor but that they destroyed it as soon as they realized the mistake. Because they are a doctor you are familiar with and they are also a health care provider who is under HIPAA constraints, it is unlikely the information would be used improperly. In this case, it is likely that a completed risk assessment would show little likelihood that the information was compromised, so no breach notification would be necessary. In that case, you would finish the risk
3) Next, determine whether the information was actually acquired or viewed or if there was only the potential for those scenarios. For example, if you had a laptop stolen and the cops caught the guy coming out the back door before he had a chance to do anything with the machine, it is unlikely that a risk assessment would show that to be a reportable breach. If an EOB was mailed to the wrong patient, and it was returned to you unopened, a risk assessment would
HIPAA Continued on page 16
GDA ACTION MARCH 2013
15
GDAction 0313.qxd
3/14/13
8:31 PM
Page 16
HIPAA Continued from page 15
show that the information had not been compromised. If the patient received a document mailed to them in error, opened it, and called you to tell you they got the wrong bill, patient information has been compromised. 4) Finally, consider the extent to which the risk to the information has been mitigated. In some situations, it is possible to determine that there is little risk that the compromised information will be used improperly. For example, if the wrong type of patient information is sent to a business associate or practice employee and they assure you the information was immediately destroyed and will not be used, the likelihood that the information will be disclosed is minimal. Or, if information is sent to an unauthorized person, and they sign a confidentiality agreement assuring that the information will not be used or disclosed, depending on the situation that may be sufficient activity to prevent improper usage of the information. Once you determine a breach has occurred, the method of notification required by the HITECH rules are still in effect. (The Health Information Technology for Economic and Clinical Health Act was created in 2009 to promote widespread adoption of health information technology and forced the modification of HIPAA privacy, security, and enforcement rules.) First, whenever a patient’s information is breached, the patient has to be notified. If the breach involves fewer than 500 people in a single geographic area, then the breach has to be logged and reported to the U.S. Department of Health & Human Services (HHS) at “the end of the year in which the breach was discovered,” and patients have to be notified as soon as possible. If the breach involves more than 500 people in a single geographic area, you must notify HHS and your patients immediately, and absolutely within 60 days of the breach. You must then notify the local media. This could involve calling the local television station, or sending a press
16
GDA ACTION MARCH 2013
release for publication to a newspaper that serves the affected area. The media notification has to contain the same information as the information given to the patients, which is generally:
tion wasn’t viewed, or your front desk person hands the wrong EOB to a patient but immediately realizes it and retrieves it before the person has a chance to look at the information.
• A brief description of what happened;
How Dental Offices Can Avoid a Breach
• Description of the type of information involved; • The steps involved individuals should take to prevent further harm; • Information on what your office is doing to investigate, mitigate harm, and prevent future breaches; and • Phone numbers and addresses (including a toll free number) that patients can use to contact the office with any questions. You also have to try to mitigate the situation as much as possible. When BlueCross BlueShield suffered a breach, they offered credit monitoring to 2.5 million patients for a year. Credit monitoring costs at least $10 a month per patient. Do the math. Add in notification costs, negative publicity costs, the hassle and stress of HIPAA coming in your office to investigate the breach, AND possible fines, and you are looking at an unbelievably expensive problem.
Some Exceptions to the Breach Rule There are specific exceptions to the breach rule that do not necessitate notification or evaluation. If a person who is supposed to have access to patient information accidently accesses information that she should not have access to, but no further disclosure happens, that’s not a breach. This isn’t usually relevant in dental facilities, but an example would be if an insurance processor in a large dental practice accidently goes into the clinical record and that is not the information she’s normally supposed to access. Another exception would be a situation in which a disclosure is made to an unauthorized person, but the unauthorized person couldn’t access or retain the information. Examples of this situation would be if you mailed a bill to the wrong patient, but the mail was returned unopened meaning the informa-
The HHS HIPAA web site www.hhs.gov/ocr/privacy lists of all the entities that have suffered breaches involving 500 or more patients. If you look at all of the small health care providers on the list, almost every single breach was related to a stolen device, either a computer or an unencrypted smart phone with full access to patient information. Occasionally, the list notes that a computer was hacked or a backup was lost, but most of the incidents were related to stolen or compromised technological devices. The best way to deal with a breach is to avoid a breach. What is the single most important thing we can do to protect our patients’ information and avoid potential breaches? Encrypt your hard drive. There are only two methods of making patients’ information unusable: shredding it, or encrypting it. If the information on your hard drive is encrypted and the hard drive is stolen, or lost, or someone hacks into it, the information is not usable. If the information isn’t usable, a risk assessment will show that a breach has not occurred and the breach notification process is avoided. As we’ve discussed, that’s a huge deal. Talk to your computer support person about encryption. There can be problems, especially if you have an older system. Encryption can slow down a computer to the point that it’s almost unusable. In that case, you may have to weigh the costs and benefits of upgrading your system versus risking a breach. My personal opinion is that it’s cheaper to upgrade your system than deal with a breach, so consider your decision carefully. Some computer experts have argued that using encrypted passwords is sufficient and will comply with all of HIPAA’s requirements of how to protect information from unauthorized access. That is absolutely true. Encrypted passwords are perfectly adequate
GDAction 0313.qxd
3/14/13
8:31 PM
Page 17
protection from someone being able to easily access your equipment and will absolutely satisfy what is required by HIPAA. However, if someone breaks into your office and steals your computers, or takes your snazzy smart phone that has access to your system, or hacks into your system, that is a breach. If they can get past the passwords, the information is fully accessible to them because it’s not encrypted and is therefore usable. That’s a breach, and notification is necessary. If it’s encrypted, a risk assessment will show there’s no breach. That’s an enormous difference.
What Do We Need To Do Now? Bottom line, here are four of the most important things you can do to protect yourself and your patients’ information under this new rule:
(1) Set up a HIPAA program and maintain it regularly; (2) Encrypt your hard drive to protect your patients’ information; (3) Understand the concept of business associates and the related liability issues and make sure you have business associate agreements that protect you and your patients’ information; (4) Always disclose the minimum amount of information necessary when dealing with patients’ information. There is plenty of information out there to help you get your office into compliance. Good luck!
References 1- Slide 9, “Breach Notification for HIPAA Covered Entities and Business Associates,” June 7, 2012. http://csrc.nist.gov/news_events/hiipaa_ju ne2012/day2/day2-4_dholtzman_ocrhitech-breach-notifcation-rule.pdf. Laney Kay, JD, of Entertaining Training, LLC, has been writing and speaking on technical and regulatory topics and women’s issues since 1989. Her expertise is in taking very complex and / or incredibly boring topics and making them fun and informative. She has written many articles for state and national journals and has taught courses at multiple Hinman Dental Society and American Dental Association meetings as well as at many other national, state, and district meetings, study clubs, and individual offices all over the country.
GDA ACTION MARCH 2013
17
GDAction 0313.qxd
3/14/13
8:31 PM
Page 18
Legally Naked in a Well-Dressed World:
The Unrecognized Pitfalls of Signing Legal Documents Without Counsel Andrew Shaul, Esq.
I am not an alarmist, so please understand that this article is not intended to create fear or anxiety. After practicing law for over 29 years, I consider myself a realist. That is why I find it markedly troubling to regularly meet with clients who find themselves in financial or legal trouble after signing binding contracts or agreements without having had an attorney review them beforehand. This category of documents typically relates to Commercial Leases, Asset Purchase Agreements, Employment / Independent Contractor Agreements, and construction contracts. The importance of having these binding agreements reviewed by counsel cannot be overstated. Signing them without an attorney’s advice is exposing yourself to hidden perils and obligations for significant events in your professional life. Most clients who present with this issue voice the same reasoning: “I used an agent for my lease (or a broker for buying / selling my practice), and I thought they were looking out for me.” Now, let me be absolutely clear: It is never my intent to disrespect or criticize these professionals. I work with dozens of them, and have found most to be very qualified and honorable people, and am not suggesting that you eliminate them from being involved. They provide a very valuable service, and know the opportunities and pricing for the marketplace. However, they are not attorneys and often times do not recognize the legal issues involved with these documents, especially some specific concerns for health care professionals.
Commercial Leases Aren’t Simply all Location, Location, Location The attorneys for a landlord customarily draft lease documents. Typically they are wordy and lengthy, sometimes up to 75
18
GDA ACTION MARCH 2013
pages, and are intentionally worded to protect the landlord’s interests. Tenant brokers are utilized to negotiate the business terms, and some are more familiar than others with the legal issues related to the health care professions. Good brokers suggest having the client’s attorney review the letter of intent and lease before they are executed. Unfortunately, some others do not recognize the specific areas of critical importance to dentists and physicians. For instance, one of the biggest pitfalls that often times is unaddressed by brokers and tenants in the negotiation of commercial leases involves the tenant’s right to “assign” the lease upon the sale of their practice. I have been retained on numerous occasions to assist when the tenant wishes to sell his or her practice, and the landlord either refuses to consent to the assignment or demands that the existing tenant remain responsible until the end of the lease. This ridiculous scenario is the same as selling your house and having the new mortgage company demand that you guarantee the future mortgage payments by the buyer. How unfair is that? Similarly, the typical commercial lease requires that the tenant be responsible for the replacement of the major components related to the HVAC system, as opposed to the maintenance, even though the units are owned by the landlord and may be near the end of their life before you take possession of the premises. Having an operational HVAC system in place is a necessity for the property, so the landlord would have it whether or not you were there. You are renting the space for a fixed period of time and have no ownership interest in the property. This obligation could cost you thousands of dollars and could essentially allow the landlord to
have a new system installed, at your cost, long after you move out of the premises. The final point on this topic for this article, though definitely not the last concern, relates to the tenant’s obligation for additional expenses known as “Common Area Maintenance (CAM)” charges or landlord’s “Operating Expenses.” When not reviewed to assure otherwise, commercial leases make this category incredibly broad and at times oppressive for the tenant, basically ensuring that the landlord is reimbursed for every single operating expense it incurs. Clearly defined parameters must be incorporated into the lease to identify exactly which expenses qualify for reimbursement and which are excluded from the tenant’s responsibility.
What You Are Actually Buying in the Asset Purchase Agreement Buying a practice is usually either the most expensive or second most expensive venture undertaken by a dentist or physician. I work with the majority of the brokers active in the Georgia market and find among them a wide array of philosophies on the issue of retaining legal counsel. Some are receptive and encouraging, recognizing that having the purchaser do so also protects the broker from liability. Unfortunately, others aggressively discourage the purchaser from having counsel involved to review the documents, despite the fact that virtually every agreement of this type includes a front page disclaimer stating that it is a legal document which should be reviewed by each party’s financial and legal professional. There is absolutely never a sound reason for entering into a practice transaction without having your accountant and attorney involved in the process. Attorneys exist to assist with the comple-
GDAction 0313.qxd
3/14/13
8:31 PM
Page 19
tion of the deal while protecting client interests, not to sabotage the process or undermine the broker, and certainly never to have a client incur unnecessary costs. All “Asset Purchase Agreements” or “Purchase Sale Agreements” should include the proper warranties and representations from both the purchaser and seller, which should not be ambiguous or conflict with other provisions. The purchaser should be protected from false or misleading claims about the practice, and both parties should have recourse if things go wrong. You should involve an attorney to protect your interests. I have personally handled several dozen breach-of-contract claims over the years related to Asset Purchase Agreements which involved blatant lies and omissions about the true condition of the practice being purchased. I have found that the inclusion of the proper language in these documents provides for accountability and allows an aggrieved party the contractual support to pursue the appropriate legal recourse.
Employment and Independent Contractor Agreements: A Job for Your Attorney In Employment / Independent Contractor agreements the focus is frequently on how much you will be paid. Fair enough, as that is naturally of major importance to us all. However, it pays to give appropriate attention to the other provisions of the agreement. For example: • Are you really being offered a set term of one or two years, or does the termination section allow either side to end the relationship with 30 or 60 days notice? If so, are you recognizing that you only have employment for this period of time? • If the contract is terminated within the initial 30, 60, or 90 days, are you contractually bound by the restrictive covenants? If you are changing jobs or moving to a particular city, please recognize that you may be barred from working at another desired location if the covenants are excessive.
• Does the agreement truly say that you’ll be able to buy-in at a designated time, or does it say that discussions about the buy-in will begin? • How are patients being assigned to you? If you are being compensated through a percentage of collections, you are not going to be very happy if most of your day involves checking hygiene! • Are you entitled to your percentage of collections for any period of time after you leave or are terminated without cause? If not, you may be leaving thousands of dollars on the table. • As an employer, are you protecting your patient records and other proprietary information from being copied by a departing associate?
LEGAL DOCUMENTS Continued on page 29
GDA ACTION MARCH 2013
19
GDAction 0313.qxd
3/14/13
8:31 PM
Page 20
How to Decide Whether Cyber Liability Coverage is the Answer to the Threat of Data Breach in the Dental Office Advances in technology have brought about valuable ways that dentists can keep track of patient information electronically. Unfortunately, along with the technological advances have come waves of new regulations to control how electronic information is stored and transmitted. This is in addition to regulations already on the books regarding control of paper records. As you will read elsewhere in this issue, a new Health Insurance Portability and Accountability Act (HIPAA) rule is making significant changes to existing rules regarding patient information in a dental office and what dentists must do in the event of a breach of that information. Dentists will likely be required to make significant changes to their office procedures in order to keep patient information safe. As the September 23, 2013, date for complying with the new HIPAA law approaches, the GDA expects dentists to be bombarded with offers for compliance materials. One phrase dentists are likely to hear is “cyber liability.” GDA subsidiary Georgia Dental Insurance Services (GDIS), along with GDIS insurance provider The Hartford, offers this guide to data breaches, patient information security, and how cyber liability insurance may provide an option to dental offices who want assistance with protecting their practices. After reading the guide, GDA members are welcome to call a GDIS representative at (800) 432-4357 or (404) 636-7553 to find out more on the coverage, its costs, and its value.
Q: What is considered a data breach? A: A data breach is considered as the loss, theft, accidental release, or accidental publication of Personally Identifiable Information (PII) and Protected Health Information (PHI). This information can include Social Security numbers, bank account numbers, credit or debit card numbers, driver’s license numbers, email address, and a patient’s history and medications.
20
GDA ACTION MARCH 2013
Q: What are the most common causes of breaches? A: Mostly, it is us—humans who commit human errors. Consider these reports: According to The Hartford publication “Data Breach: Just the Facts,” common causes of breaches are theft or release due to unauthorized access (such as by former employees or vendors); stolen or lost paper and electronic files; stolen or lost laptop, smart phone, tablet, or computer disks; stolen credit card information; hacking; and employee error or oversight. A study entitled “The Post Breach Boom” published by the Ponemon Institute© in February 2013 identified employee or contractor negligence and system error or malfunctions as the two primary types of data and security breach incidents. Malicious insiders and external attacks were less prevalent. The study found that an organization’s failure to thoroughly wipe or erase a device containing sensitive or confidential data and an employee or contractor losing a device containing sensitive or confidential data were prominent reasons that a breach occurred. The Ponemon study went on to note that 34 percent of their study respondents discovered a non-malicious breach only by accident after an average of 49 days. Human errors are the most common threats to exposing a person’s personal information to data breaches according to an analysis of reported data breaches by Rapid7, a security intelligence company. Rapid7 compiled the data breach information for the analysis based on the number of reported public information data breaches from January 2009 to May 2012 in the Chronology of Data Breaches maintained by the Privacy Rights Clearinghouse, a nonprofit privacy advocacy group. A 2012 news story from the credit reporting agency Experian noted that the biggest factor responsible for the largest number of breaches of data was unintended
disclosure due to negligence and clerical errors. The second most responsible factor was the loss of a portable data storage device. Hacking was relatively low on the list.
Q: I already have a Business Owners Property coverage plan. Aren’t I set in the case of a breach? A: Cyber liability or security coverage is typically not offered as part of standard Business Owners’ coverage. These plans were created to cover standard risks, like fire or theft, and honestly, advances in technology and their attendant risks have somewhat outpaced what insurers consider as risks. Businesses must consider every day whether to purchase special coverage depending on their degree of risk. For example, a business owner with a facility near a river may decide to purchase flood coverage. A large retailer with numerous employees might carry coverage for employee dishonesty, which covers loss of business property due to embezzlement, fraud, or another criminal act. Any business, small or large, that handles or stores any private business, customer, patient, or employee data is at risk from a data breach. This includes dental practices. So, the purchase of cyber liability coverage could mitigate that concern for a dental practice and provide peace of mind. Q: If I decide to purchase an insurance endorsement for data breaches, what is my cost? A: The cost of coverage varies according to practice size and other factors, such as the sensitivity of your data, the controls you already have in place to protect your information, the limits of coverage that you select, and policy features you choose, such as third party legal defense. Policies may range from $300 to $2,000 per year. A GDIS representative can help you determine your true cost.
GDAction 0313.qxd
3/14/13
8:31 PM
Page 21
Q: What sorts of breaches can dental offices experience? A: A review of recent data breaches experienced by dental offices brings up several scenarios. A 2012 incident in California resulted when a vendor visiting a dental office to help upgrade the practice’s imaging and management software downloaded patient files, including Social Security numbers, onto an unencrypted USB device. The vendor then placed the UBS device in an envelope and sent it in
the regular mail to the vendor headquarters. The envelope arrived torn and without the device. What likely happened is that the device was ripped from the envelope by post office processing equipment. Nevertheless, the incident was considered a breach, and the practice had to notify patients and the state. Other recent incidents include thefts of office laptop and desktop computers, and several instances where dental offices improperly discarded patient records due to be shredded in public trash receptacles.
Q: I am never going to throw any records in the trash. I have a firewall on my practice computer system. Why might I need cyber liability coverage? A: The cost of the coverage is relatively low in comparison to what could be in store for a dental practice should a breach CYBER LIABILITY COVERAGE Continued on page 30
The Hartford Provides Tips to Help Reduce Your Risk of a Data Breach 1. Lock and Secure Sensitive Information Stored in Paper Files and on Removable Storage Devices. Theft or loss, and the subsequent unauthorized release, of sensitive data, or Personally Identifiable Information (for example, Social Security number, credit / debit card information, medical records / charts), stored in paper files and / or a removable storage device may constitute a data breach. Never leave sensitive information unattended. Store it in a locked drawer, cabinet, safe, or other secure container when not in use. Also consider installing an alarm system that alerts law enforcement if you have a break-in on your premises.
computer. Install encryption onto all laptops, mobile devices, flash drives, and back-up tapes, and encrypt emails that contain sensitive information.
2. Restrict Access to Data. Restrict access to sensitive data, whether physical or electronic, to those who have a “need to know.” Most employees do not need unrestricted access to your company’s entire network. Remember to limit network access on computer stations located in public spaces, such as the reception area.
8. Keep Software and Operating Systems Current. Keeping your software and operating systems current by installing software and security updates is your first line of defense against hackers, who often take advantage of unprotected systems to gain access to sensitive data stored on a computer. You should also have a firewall and up-to-date antivirus programs. A firewall helps to prevent your system from being attacked, while anti-virus software inspects the files and programs on your system to ensure they are not infected. Both are critical in helping to protect sensitive information stored electronically. To maintain the most upto-date protection, download recently issued system and security updates and antivirus and anti-malware updates to help protect you against the newest forms of viruses, Trojan horses and other malicious software.
3. Properly Dispose of Sensitive Data When No Longer Needed or Required. Shred documents containing sensitive data prior to recycling. Remove all data from computers and electronic storage devices—including those on copy machines—prior to disposing of them. 4. Record and Regularly Review Data Practices. Distribute and explain data protection practices to all employees. Review and revise these practices on a regular basis—at least annually. Make sure to retrain staff as changes to your data practices are made. 5. Password Protect Systems. Password protection helps to prevent unauthorized access to sensitive information, protect security of personal information, and prevent unauthorized access to user and email accounts. All users should be assigned unique user names and strong passwords for access to systems—changed at least quarterly. Conduct a password audit on a regular basis. 6. Encrypt Data. Encryption helps protect the security and privacy of files as they are transmitted or while on your
7. Ensure That Remote Access to Your Network is Secure. Remote access to your network should be made through appropriately enabled Virtual Private Network (VPN) connections and multi-factor authentication (e.g. soft tokens or fingerprints in addition to passwords). Passwords should be changed on a regular schedule and meet minimum complexity and length requirements.
NOTE: If your network security functions are outsourced to a Third Party, obtain documentation to understand how your company’s data is protected, and, when appropriate, perform on-site due diligence. It’s also important to have contract language that specifies privacy and data security expectations and grants you the right to audit the Third Party. While these data protection policies, procedures, and training can help reduce the likelihood of a data breach, no company can be completely certain that its customer, patient, or employee data could never be at risk. To learn more, visit www.hartforddatabreach.com.
GDA ACTION MARCH 2013
21
GDAction 0313.qxd
22
3/14/13
8:32 PM
GDA ACTION MARCH 2013
Page 22
GDAction 0313.qxd
3/14/13
8:32 PM
Page 23
GDA ACTION MARCH 2013
23
GDAction 0313.qxd
24
3/14/13
8:32 PM
GDA ACTION MARCH 2013
Page 24
GDAction 0313.qxd
3/14/13
8:32 PM
Page 25
classified ads How GDA members can place classified ads AD FORM: Submit all ads on a GDA Classified Advertisement Form. To obtain a form, call Skip Jones at (800) 432-4357 or (404) 636-7553, or email jones@gadental.org. (Note: The GDA may accept or reject any ad for any reason and in its sole discretion.)
AD DEADLINE: Ads and ad check payments are due by the first of the month before the publication month (i.e., Dec. 1 for January).
AD RATES: ADA member dentists pay $75.00 per 60-word ad per month. There is a 25 cents per-word charge for each word over 60. Non-dentist-owned companies (real estate firms, etc.) pay $195 per 60-word ad per month (additional word charges as above). Non-member dentists may not place ads.
LATE FEE: Ads for which full prepayment is not received by the first day of the ad’s publication month (i.e.; Nov. 1 for a November ad) will incur a $25 late fee in addition to the ad rate.
FORMS OF PAYMENT: Submit a check or money order with the ad form. (Make checks payable to GDA.) Credit cards are not accepted as payment.
WEB SITE PLACEMENT: Prepaid ads will appear on the GDA Web site www.gadental.org for the month the ad appears in print. Non-prepaid ads will NOT be placed online.
Dental Equipment for Sale
Positions Available
For Sale: Panoramic machine, PC-1000 Panoramic Corporation and developer. Schick Intra Oral sensors with USB connectors (2/4) 3. Ader 3045 Perception Units (2). Apollo Suction 1.5 HP. Call (404) 2292998 or email: ljmseaside@gmail.com.
Dental Related Services
Full & Part time positions available for General Dentist, Endodontist, and Pediatric Dentist for Fulton, Henry, Clayton, Cobb, & Gwinnett counties. Medicaid Provider number is a plus. Please call Angie at (770) 968-4602 or fax resume to (770) 692-0452. Or please email agunnels@scp-jobs.com.
Hands On Extraction Class. Saturday August 31, 2013. Myrtle Beach, South Carolina. Eight hour AGD approved CE class. Taught by Drs.’ Fletcher and Murph. Participants will learn about crane picks, 301 elevators, extraction techniques, elevating flaps, and suturing. For more information call Dr. Murph at (843) 488-4357 or email drtommymurph@yahoo.com. Also offering 40-hour Hands on Classes in Guatemala.
Dental Consultant Position: Responsible for the review and determination of claims and preauthorization sent in by dental specialists and other providers. Works closely with DeltaCare Operations Department in Alpharetta and is expected to abide by DeltaCare USA processing policies. A DDS or DMD degree from an accredited dental school. A minimum of 5 years of private practice dentistry and 2 plus years of training. Email inquiries to kcrisamore@deltadentalpa.org.
Dentists Available for Locum Tenens
Associate—Atlanta: Lucrative opportunity for an experienced general dentist. Large patient base, well-established practice, high income area. Extensive crown and bridge, CAD / CAM, implant restorative, composite operative, esthetic dentistry including DaVinci Veneers. Ability to perform rotary endo a plus. Excellent compensation package. Please email resumes to 1careerinfo@gmail.com or fax to (770) 926-8483.
Dentist available daily for illness, CE, etc. to check hygiene and emergencies. Buckhead, Sandy Springs, Dunwoody, all of North Fulton, Cobb County. Reasonable daily rate. Call PETE TRAGER (404) 3031204 or (404) 226-6457. Dentist will fill in for illness, vacation, or continuing education. Licensed, insured, DEA #. Call (404) 786-0229 or email breighard@gmail.com. DENTIST: Need Part Time Fill In? Vacation, Illness, Maternity? GENERAL DENTIST SOLD LONG ESTABLISHED PRACTICE. GA & DEA LICENSED. (Available Expanded Atlanta Area.) Cell: (404) 219-4097. Home: (404) 842-1196. Jesse Hader, DDS. Dentist available during emergencies, vacation, CDE courses. I have a current license, DEA certificate, and insurance. Contact me at (706) 291-2254 or cell (706) 802-7760. I hope I can be of service to you. Patrick A. Parrino, DDS, MAGD.
SAVANNAH: General dentist with a caring, patient focused approach wanted to join busy practice. Associate and / or buy-in opportunities are available. Please contact Nick Cease, (502) 254-8514, ncease@mfdc.net.
CLASSIFIEDS Continued on page 26 GDA ACTION MARCH 2013
25
GDAction 0313.qxd
3/14/13
8:32 PM
Page 26
CLASSIFIEDS Continued from page 25
Coast Dental is one of the largest providers of general and specialty dental care in the United States with practices in California, Florida, Georgia, Nevada, and Texas. Coast Dental is currently looking for General Dentists and Specialists to practice in the greater Atlanta area. We have full and part-time opportunities available for experienced dentists to practice where contributions are valued and the sky is the limit on opportunities to grow. Coast Dental offers competitive wages with sign-on bonuses available for select locations, a great benefits package, and a chance to work with advanced technology and devoted people who take a visionary approach to making every patients smile a work of art. If you are interested in an opportunity in one of our practices, please email psherberg@coastdental.com or apply online at http://www.coastdental.com/careers/dentists.
26
GDA ACTION MARCH 2013
Savannah, Georgia: Take advantage of this awesome opportunity! Cutting edge dental practice in Coastal Georgia seeking highly motivated dentist. Our dentists have outstanding clinical skills and a chair side manner that makes every patient feel comfortable. Our dentists are leaders in the office working to develop and foster a team environment so their practice can grow and mature, achieving financial success. Our operating model provides you with great earning potential. In addition, our office offers an outstanding opportunity for growth and the support to make it all happen. Minimum Education and Experience: * Must hold degree from accredited dental school. * General practice residency experience preferred but not required. * Experience with implant placement, surgical procedures, and / or endodontic procedures strongly desired. * IV sedation certification strongly desired. Contact: rachaeldering@yahoo.com. Please email your resume to the above address in .doc or .pdf format.
NORTH ATLANTA #8902—Associate needed for Norcross general practice. Prefer experienced dentist capable of most skills. Practice is fee for service. For more information, call Dr. Earl Douglas (770) 664-1982 or email earl@adssouth.com. Pediatric Dentist Needed: We have an outstanding full time opportunity for a Pediatric Dentist / General Dentist (would require a minimum of at least 2 years’ experience in pediatric dentistry) in our successful, well-respected, quality-oriented private pediatric dental practice for the right candidate. We are seeking a special, motivated, personable individual to join our success. We are a booming practice with tremendous growth and earning potential. We offer in office sedation. We offer excellent compensation and benefits. For more information, please contact Amanda Rentschler at amanda@kidshappyteeth.com or (678) 352-1090 / (678) 429-9931
GDAction 0313.qxd
3/14/13
8:32 PM
Page 27
SAVANNAH: ASSOCIATE NEEDED— AWESOME OPPORTUNITY #8903. STOCKBRIDGE: ASSOCIATE NEEDED #8894. Call Dr. Earl Douglas (770) 664-1982 or email earl@adssouth.com. ATLANTA / DUNWOODY AREA ASSOCIATE: #8887—Board certified / eligible OMS NEEDED IMMEDIATELY. For more information, call Dr. Earl Douglas (770) 664-1982 or email earl@adssouth.com. Charleston, South Carolina—Join a pediatric practice with multiple offices. Join a fun, well-respected, paperless pediatric practice and live in a great city on the beach. The position is for someone looking for a great place to work in a friendly and comfortable working environment, competitive salary & benefits. Email CV drisabel@ coastalkidsdental.com or call (843) 816KIDS (5437). Visit coastalkidsdental.com.
Practices / Office Space Available Dental Space Available! Duluth, GA. Already built-out and plumbed with dental equipment! Convenient location off Sugarloaf Parkway near I-85. Built in 2007, 3-6 operatories, sterilization, consultation room, kitchen. Front office and private doctor office. Split design dental space, perfect for new dentist or specialist satellite office. Upscale building in a high growth area with excellent demographics. Move in ready! Contact Suellyn at (770) 623-4840. South Georgia: Excellent Net Income $850,000 gross. 4 ops, turnkey influenced practice, 40% FFS 60% Insurance, High quality life, 2 1/2 hours to Atlanta and GA Coast. Call Dr. John Wagner (636) 517-1136. Practices for Sale: AUGUSTA #8747— Gross collections $1.26M; COLUMBUS AREA #8824—Gross Collections $389K. For more information, call Dr. Earl Douglas (770) 664-1982 or email earl@adssouth.com.
CLASSIFIEDS Continued on page 28 GDA ACTION MARCH 2013
27
GDAction 0313.qxd
3/14/13
8:32 PM
Page 28
CLASSIFIEDS Continued from page 27 *NEW* DALTON. If you would like to make some money this is the practice for you. Average annual collections are more than $2 million. 5 total operatories equipped with Adec and all of the best technology. Excellent location! The selling doctor would like to stay for 3 years. Asking price $1.6 million, must be preapproved with a bank. The real estate is also for sale. Please call or email for details using reference #GA1025. For more information call (678) 482-7305, email amanda@southeasttransitions.com. *NEW* GWINNETT COUNTY. This is the type of practice every dentist dreams of! Excellent location, all FFS practice with very high quality dentistry, 7 operatories, collected $1.3M+ in 2012 with a strong hygiene department. Please call or email for details using reference #GA1028. For more information call (678) 482-7305, email amanda@southeasttransitions.com.
28
GDA ACTION MARCH 2013
*NEW* PAULDING COUNTY. Well established practice with room to grow! All FFS patients. The practice collected $300K in 2011 with 50% overhead. There are 3 ops with an additional room plumbed. Seller is ready to retire. Please call or email for details using reference # GA1008. For more information call (678) 482-7305, email amanda@southeasttransitions.com. Available: CANTON: Beautiful office grossing $393,000, 4 operatories. LAKE OCONEE AREA: Exceptional opportunity, grossing $823K. NORTH ATLANTA: Gorgeous new facility with 6 operatories, grossing $1.4M with high volume of cosmetics and implants. WOODSTOCK: Beautiful 5 operatory office grossing $400K. Richane Swedenburg, New South Dental Transitions: (770) 630-0436, info@newsouthdental.com. Check new listings at www.newsouthdental.com.
GDAction 0313.qxd
3/14/13
8:32 PM
Page 29
LEGAL DOCUMENTS Continued from page 19
Poorly-Constructed Construction Contracts are a Future Built on Quicksand There are several well-respected companies in Georgia that focus on building-out and renovating dental and medical practices. Please understand that I am not taking shots at builders. I simply want to emphasize that all items and aspects of the project need to be addressed and included in the contract with the necessary amount of specificity for the health care industry. Many builders use templates for their contracts, which at first glance appear to be short and concise. In this case, brevity is not a positive, as there are many moving parts to a project, all of which need to be addressed. Builders have a huge advantage in that they can file liens against the property, which can prevent final funding for the project.
So, make sure the document is comprehensive. The first and most obvious factor is the cost. Are you getting a firm bid? Does the quote include accurate and realistic allowances, which could otherwise significantly increase the final amount as you select the finishes? The contract must also clearly spell out what this project will cost you beyond the actual dollar figure. This is called the scope of the project. • Does it include a detailed recitation of what will be done and the materials being used? • Does it contain a firm timeframe so you can logistically coordinate the start and finish dates for your practice? For a new practice this last variable is incredibly important, as you need to be able to schedule new patients for the opening and not being able to rely on the date or have any recourse can result in a tremendous loss of goodwill when you have to cancel the patients since the space is not ready!
• How are disputes resolved? Is there binding arbitration, mediation, or does the contract state that a representative of the builder has the final say?
Conclusion I acknowledge that the legal profession has many flaws and that attorneys have an approval rating that is barely above the pathetic ratings of Congress. Among other colorful and shocking monikers, attorneys are called obstructionists and obsessive fear-mongers, and are labeled paranoid and overly-contentious. Notwithstanding these unflattering generalizations, developing a relationship with trusted legal and financial advisors is an absolute necessity in the business world, especially when you are committing and guaranteeing your personal assets for tens or hundreds of thousands of dollars. There is never a legitimate justification for committing yourself to a legal obligation without having the benefit of counsel. Attorneys exist to assist and protect, not to duplicate or replace the work of the other professionals involved in a transaction. Yes, working with an attorney is an investment, but otherwise you are going naked in a well-dressed world. Andrew Shaul is the founder and President of The Shaul Law Firm, PC, and has been practicing since graduating from Emory University School of Law in 1983. His firm provides dentists and physicians with legal representation for the negotiating and drafting of Asset Purchase Agreements (practice transitions), contracts, commercial leases, shareholder buy-ins, and employment agreements, as well as litigation for any health care related disputes. Mr. Shaul has also served as General Counsel and Chief Operating Officer for a multi-location medical facility in Metro Atlanta. As well as being a featured presenter for several dental study clubs, Mr. Shaul speaks before the graduating classes of dentists at Georgia Regents University on matters related to employment contracts, restrictive covenants, and partnership opportunities.
GDA ACTION MARCH 2013
29
GDAction 0313.qxd
3/14/13
8:32 PM
Page 30
CYBER LIABILITY COVERAGE Continued from page 21 occur. The Hartford encourages dentists to visit https://databreachcalculator.com/ GetStarted.aspx to get a taste of the cost to a dental practice in the case of an information breach. The calculator asks questions such as: • What are the most common causes of data breaches, • If a business has a privacy and data protection security policy in place, • What sorts of data do business employees handle, • If the business stores sensitive data on a laptop or removable storage, • If a business allows access to sensitive data remotely (for example, with a smart phone), and • Does the business encrypt sensitive information. A GDA staff run-through on the quiz answering the questions as a solo dentist produced an estimation that the average
30
GDA ACTION MARCH 2013
cost per record may be $200 and an average cost per breach could be $600,667. Of course, your personal answers may vary. Consider the case of a Missouri dental practice that suffered the theft of a desktop computer containing sensitive information in 2010. The estimated number of individuals affected was 9,309. The Ponemon Institute estimated that it would cost the practice $50 per patient to perform the required notifications, so in notification costs alone the practice was facing a charge of nearly $500,000. The practice closed not long after the theft and subsequent activity.
Q: What does the GDIS data breach insurance provide? A: The coverage has several parts, including: • Services that can assess whether a breach occurred and assist with regulatory compliance if it is determined that a breach occurred. • The ability to notify impacted patients and employees and associated expenses such as letter preparation and mailing costs.
• Assistance in informing your patients that a breach has occurred • Advertising services to organize and create a media response if required. • Monitoring services to pay for credit, fraud, public records or other monitoring alerts, if warranted. Available limits are $10,000; $25,000; $50,000; and $100,000 with per claim deductibles of $1,000 for $10,000 and $25,000 limits, and $2,500 for $50,000 and $100,000 limits. The coverage also includes access to a data breach web site that provides tips and resources to help you minimize the chance for a breach and safeguard PII and PHI, information on how to create a data breach incident response plan, legal requirements by state, guidance on what needs to be done if a breach occurs, and access to a team to assist you with questions. A GDIS representative is happy to discuss the coverage with you and see if such coverage can help you in your practice.
GDAction 0313.qxd
3/14/13
8:33 PM
Page 31
GDAction 0313.qxd
3/14/13
8:33 PM
Page 32
Inside This Issue • New HIPAA Rules Place Stringent Requirements on Dentists • New Credit Card Surcharge Option: What Dentists Need to Know DATED MATERIAL PLEASE DELIVER AS SOON AS POSSIBLE
ACTION
Suite 200, Building 17, 7000 Peachtree Dunwoody Road Atlanta, Georgia 30328-1655 www.gadental.org