TDICRM Liability Lifeline 2023 Volume 3


Liability Lifeline

Vol. 3 2023

Protecting Patient Privacy

IN THIS ISSUE

• Recording in the dental office
• Preventing a cyberattack
• Preventing identity theft
• Attack! Seven steps to take

Do you know where your patient data is?


It’s ten o’clock. Do you know where your patient data is? You may have read this phrase in the somber intonations of a news anchor asking parents if they know the whereabouts of their children. While the line has been parodied in multiple ways, the original intent of the line was very serious. Mel Epstein, the director of on-air promotions at New York's WNEW-TV, coined the phrase during the summer of 1967 due to urban unrest and rioting. It was a reminder to parents to keep their children and teens off the streets. Today, the security of patient data and privacy warrants just as much concern. Keeping protected health information safe and “off the streets” is an ongoing concern for practitioners and patients everywhere.

• The HIPAA Journal reports that hacking is now the leading cause of health care data breaches.
• The Identity Theft Resource Center reports that in 2022, health care history, health care insurance numbers and health care provider account/record numbers were among the top 10 data breach attributes targeted for theft.
• Enforcement actions against providers by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) are increasingly common. Health care providers have paid nearly $114 million in HIPAA fines since 2016.

Penalties for HIPAA violations can be severe, making HIPAA compliance both ethically and financially critical to dental practices. Ongoing vigilance is necessary to protect patients and your practice from privacy threats and violations in any form. In this issue of Liability Lifeline, The Dentists Insurance Company’s Risk Management experts offer guidance on preventing and responding to potential threats against patient and practice data. Learn about the risks of allowing patients to record consultations, what to do if your practice experiences a cyberattack and how to guard against medical identity theft.



Recording in the dental office

Mitigate risk by considering ethical and legal ramifications

Analysts at TDIC have observed that dental professionals are faced with the challenges of patient-recorded conversations with increasing frequency. Many patients are now asking to record office visits with their health care providers, including dentists, and providers are unsure how to respond. Other patients are recording their visits without their provider’s knowledge, perhaps believing it is allowed due to the increasing popularity of videos posted online showing personal interactions.

TDIC’s Risk Management Advice Line analysts have answered recent calls regarding patients who want to record their treatment or conversations with the dental team using the audio/visual capabilities of their smartphones. Often, patients mistakenly believe their HIPAA-protected right to access records includes the right to record conversations with their health care providers. While this action may seem innocent or even beneficial at first, the risks to dentists are many, including potential HIPAA violations, loss of control over the use of the recording and legal issues related to consent.

A case study on recording in health care settings

A patient and her husband came to a dentist’s office for an emergency after-hours visit. The visit started on rocky ground with the patient first calling the office and threatening to hold the dentist “responsible” if they were not seen by the dentist and “something happened.” When urged to go to a hospital emergency room for treatment, the patient refused, instead demanding that the dentist address what she called “the infection” and provide her with antibiotics. The patient also stated that she could not be seen during regular business hours due to her husband’s work schedule.

At the beginning of the appointment, the dentist suspected that the patient’s husband was covertly recording the conversation. This was confirmed when the patient later stated “I’m recording you” as further intimidation to ensure that the dentist treated her. The entire experience left the dentist shaken but also frustrated that he had come to the office after hours to provide emergency care for the patient due solely to her demands, yet she proceeded to question his recommendations by recording their interaction.

The following day, after considering the interaction, the dentist contacted the Risk Management Advice Line seeking guidance. The analyst advised the dentist that he should have instructed the patient to stop recording while stating he neither authorized nor consented to being recorded. The analyst explained that most states have privacy laws related to audio and video recording permissions. The dentist who called the Advice Line practices in a “two-party consent” state, meaning any audio recordings must be agreed upon by both parties; otherwise, the recordings are a violation of privacy.

The dentist initially responded, “Well, I have nothing to hide. If she wants to record, let her.” The analyst pointed out that even if he did consent to allow the interaction to be recorded, he — and future listeners — would have no way of knowing if the patient manipulated or altered the recording in a manner that misrepresented the true interaction between provider and patient. Key information that the dentist discussed with her could be removed from the recording to falsely suggest he had not provided counsel on the necessary risks, benefits and alternatives during this interaction. Plus, the dentist would not receive a written transcript of the recording to verify the accuracy of the parties present, the date of the interaction or the integrity and accuracy of the content.

Privacy concerns

The potential violation of HIPAA privacy laws is one of the most significant risks associated with patients recording their conversations with health care providers. While most dentists and practice staff are aware of the significant limitations HIPAA places on their activities, they are less clear on how to react when a patient wants to record the dentist or themselves, potentially exposing protected health information of other patients.

The recording of peripheral conversations in the dental office, such as those between staff members, can be a violation of HIPAA privacy laws. These conversations may inadvertently contain sensitive patient information, and their recording could result in a breach of patient confidentiality. Practices should always be aware that recordings may take place without their knowledge, so proper HIPAA precautions with patient interactions should be the norm through training and preparation. Under HIPAA, patients have the right to access their medical records, but they do not have the right to record their conversations with their dentist without explicit consent.

Usage and consent concerns

The loss of control over the recording’s use is another risk associated with patients recording conversations with dentists.

Dentists must be aware that once a recording is made, they have little control over its use or dissemination. Patients may edit or tamper with the recording, or it may be used by third parties, such as social media or news outlets, without the dentist's consent. In some cases, artificial intelligence may be used to analyze the recording, potentially revealing sensitive patient information. It could also be used as intimidation or coercion.

In addition to federal privacy laws, individual states may have their own laws regarding the recording of conversations. Some states, like California and Washington, require two-party consent. That means all parties, including dentists, staff and patients, must consent to the recording of a conversation in order for the recording to be legal. Failure to obtain consent can result in legal repercussions. All dentists, regardless of location, should take care to ensure that any recordings made in their office are done with the explicit consent of all parties.

Actions that reduce risk

So, what should a dentist or staff member do if a patient asks to record their conversation or if they discover a patient recording in the office? If a patient asks to record, dentists should first advise the patient that digital recordings by handheld devices such as smartphones are prohibited on the premises to protect the privacy of other patients and staff in compliance with federal and state privacy laws. If the patient is insistent, encourage them to take notes or to bring a trusted family member to appointments to take notes and help them remember the conversation.

If a dentist discovers that a patient is recording without consent, they should immediately stop the recording and explain to the patient that it is a violation of privacy laws. If the recording contains any sensitive patient information, the dentist may be required to report the incident to the appropriate authorities. The patient should also be advised that any further violation may result in their dismissal from the practice once treatment is complete. (Contact the Advice Line for guidance prior to any dismissal.)

As incidents of patients recording in health care settings rise, TDIC analysts recommend that dentists provide patients with a written copy of their privacy policy outlining patient rights and how their information will be protected. If a privacy policy does not have verbiage specific to audio or video recording, a statement similar to the following should be added: Recording any part of your visit to our office is strictly prohibited, as other patients’ protected health information (PHI) could potentially be captured.

Responding to requests

Some patients may leave the dentist's office either not understanding or forgetting the information provided. So if patients ask to record, dentists should consider those requests as opportunities to identify a patient who may need additional information or time to fully understand their condition and the recommended treatment. Asking some thoughtful questions may also help the dentist understand what is motivating the patient’s request, and the patient could be encouraged to take notes to help them remember important information. The dentist should also remind the patient that pertinent treatment information is recorded within their own patient record and can be requested.

Recorded conversations between dentists and patients can pose significant risks to dental professionals, including potential HIPAA violations, loss of control over the use of the recording and legal issues related to consent. Dentists should take steps to protect patient privacy, including adding privacy policy verbiage prohibiting recording in the office and educating staff members on the potential risks associated with recorded conversations. Rather than reacting defensively when a patient asks permission to record, dentists should view the request as an opportunity to better understand that patient’s needs and to thoughtfully educate them about the nuances of privacy laws.


In doubt about how to navigate an issue? We’re here for you!

The Dentists Insurance Company offers tools to navigate potential liabilities in the areas of documentation, employment, patient care, property and more. TDIC policyholders can tap into resources, guidance and education to mitigate the risks of practicing dentistry today.

Time-saving Resources
• Dentistry-specific reference guides
• Multilingual informed consent forms
• State-specific forms and templates

One-on-One Guidance
• No-cost Risk Management Advice Line
• Dedicated analysts with unique expertise
• Convenient online appointment scheduling

Ongoing Education
• C.E.-eligible live, expert-led seminars
• Convenient on-demand eLearning options
• Articles and insights on trending risk topics

Plus, policyholders can earn C.E. and lock in discounts on professional liability premiums by completing a risk management seminar. Explore the benefits at tdicinsurance.com/RM.


@TDICinsurance | tdicinsurance.com | CA Lic # 2361-4

Terms and conditions may apply. Visit tdicinsurance.com/Seminars for additional details.


Earn C.E., plus a discount on professional liability insurance.

NEW TDIC SEMINAR

Communication, Care and Clear Protocols

Ensuring Safety for Patients of Every Age

Through an engaging, self-guided course, learn how to sharpen your critical communication and documentation skills to lessen potential complaints, claims or lawsuits. Take all the course modules at once or study them as time allows, at your own pace from the comfort of your home or office. Upon course completion, earn 3.0 units ADA CERP C.E. and a 5% Professional Liability premium discount.* Learn more and register online at tdicinsurance.com/seminars.


*THIS COMMUNICATION IS FOR THE PURPOSE OF SOLICITING SALES OF INSURANCE PRODUCTS. Void where prohibited. Not available in all states. For full rules, visit tdicinsurance.com/RMdiscount. CA Lic #: 2361-4. The Dentists Insurance Company, 1201 K Street, 14th Floor, Sacramento, CA 95814


Preventing and responding to a cyberattack in your dental practice

Imagine arriving at your office ready to start the day, booting up your computer to check the schedule and then … nothing. There’s just a blank screen, or worse yet, a message stating that your system has been locked along with a demand for a payment to gain access. When a cyberattack hits, your dental practice could come to a screeching halt. A compromised system can mean no access to schedules, billing or patient records. From insurance carriers, retailers and financial institutions to the U.S. military, all organizations that have an online presence are subject to cyber-related risks and the reputational damage and loss of consumer trust that follow.

The health care industry is especially vulnerable to cyberattacks as hackers know they can access both protected health information and financial records for patients. Even if your practice does not own a website or make financial transactions online, you can still be at risk simply by using the internet and working in a digitally connected office.

Cybercriminals have been leveraging health care practice disruptions to launch ransomware attacks in skyrocketing numbers. One ransomware study reported that attacks on health care delivery organizations more than doubled from 2016 to 2021, exposing the PHI of almost 42 million patients. Another report found that small businesses are three times as likely to be targeted by cybercriminals, with malware emerging as the most common form of attack.

Cybercrime in a dental office

In just one cyber case handled by TDIC, the total costs to conduct a forensic IT investigation, get systems back online and cover lost business neared $100,000. When the dentist could not access his files, it soon became clear that the system had been hacked and the practice was a victim of ransomware. Because patient data was stored in the cloud, the dentist didn’t believe that a data breach had occurred but was still paralyzed from doing business because his systems and files were locked.

By the time a forensic IT firm was engaged to regain access to the system, get it back online and unlock the data, the dentist had already paid a $25,000 ransom demand. The insurance claim reflected more than $70,000 in costs due to the amount of time the practice operations were down plus the expertise needed to investigate and reconcile the records and data.

In cases like this, recovering data and reimbursement for the associated financial loss is crucial to practice sustainability. But investigating how the system was accessed can be priceless in helping to support and train the practice team in mitigating future crises. In today’s high-risk climate, everyone on the team should understand the potential implications of clicking on an attachment from an untrusted source or opening a malicious email.

Protecting your practice from cyberattack

While cybercriminals are becoming more aggressive and infecting more computer systems, simple human error and misplaced trust are still leading factors in many data breaches. Fortunately, you can take steps to help protect yourself and your practice from cyber risks.

Strengthen passwords. Make sure each employee has a unique password that contains a combination of lowercase and uppercase letters, numbers and special characters to deter potential hackers from gaining access.

Back up your data. You can back up your files and data on a network-attached storage device, portable hard drive, USB flash drive or online through sites like Google Drive, Dropbox and Mozy. It’s a good idea to back up files daily, which will make recovering data easier in the case of cyberattacks or computer system damage. “Dentists with up-to-date backups can be back to work within a few days,” notes Brad Reager, TDIC vice president of claims and risk management. “Those without can spend weeks trying to get up and running again.”

Use safety features. Install antivirus and antimalware software for all your devices and update when available. Use an encrypted virtual private network when connecting to an unfamiliar Wi-Fi network to ensure a secure connection. These measures will help prevent your data from being compromised.

Initiate cyber safety protocols. Educate your staff on the latest cyberthreats and include your practice’s cybersecurity policies and training protocols in your employee manual. Employ a multi-user system for the release of sensitive information. For example, make it a policy that two employees must sign off before providing anyone with secure information, such as passwords or file access, to prevent falling victim to a cyber scam and jeopardizing your computer system.

Invest in cyber liability insurance. A proactive approach to preventing cyberattacks means having the right type and amount of insurance coverage in place. To keep pace with today’s evolving risks, owners — regardless of practice size — need insurance that goes beyond data breach. Look for a policy that covers the costs of breach of information, unauthorized intrusion or interference with computer systems, damage to data and systems from computer attacks and related litigation. TDIC’s Cyber Suite Liability policy provides this robust coverage. Focusing solely on the protection of dentists, the policy is designed to serve the unique needs of dental practice owners.

Preventing cyberattacks is the first step in protecting your practice. The second step is to be prepared. Stay informed of cybercrime trends and reach out to the experts at TDIC for guidance on establishing prevention plans to reduce the risk of future incidents.



Preventing medical identity theft

A dental professional can treat dozens of patients each day. Patients present, provide their information, get checked in and proceed with treatment. Do you ever stop to wonder whether your patients are who they say they are?

A case study in medical identity theft

In a case reported to TDIC’s Risk Management Advice Line, a patient presented for a root canal treatment. The patient provided a name, date of birth, phone number, insurance information and Social Security number. The dentist completed the treatment without incident, and the office submitted a claim to the insurance company to receive payment for services rendered.

The office staff realized they had been given false information when they received a call from the individual whose Social Security number and insurance information were used to obtain treatment. The caller questioned why his insurance was billed when he was not even a patient at that practice. The office tried calling the individual who was treated, but the woman who answered stated there was no one there by that name.

Once the office realized they did not know the true identity of the individual who was treated, they contacted the Advice Line for guidance. The Risk Management analyst advised the dentist not to release any information about the mystery patient to the individual whose identity was stolen. The analyst also recommended that the dentist file a police report and report the incident to the dental benefit plan provider.

This case illustrates the unfortunate reality that medical identity theft has made its way into the dental office. And just as dental offices have an obligation to prevent financial identity theft by protecting patients’ personal data, they also have an obligation to prevent medical identity theft.

A rising threat

Medical identity theft is a growing menace. The Federal Trade Commission informed consumers that medical ID theft reports increased from 6,800 in 2017 to nearly 43,000 in 2021. On average, patients spent $13,500 to resolve a case of stolen medical identity. But the nonmonetary costs are even greater. Patients report a lack of trust in their medical providers for failing to protect their private data.

Medical identity theft stems from several scenarios, according to the FTC. The most common scenarios are data breaches within medical care providers, where thieves gain access to medical data systems, and “friendly fraud,” where a person’s identity is assumed by someone they know. Credit bureau Experian notes that about half of all medical identity theft happens among family members, with 24% of medical identity theft victims reporting that a family member used their medical credentials without permission. Another 23% of those affected said they willingly shared their health care information to help a family member or friend obtain medical care.

Another scenario is when a thief targets unsuspecting individuals by posing as an employee of an insurance company, pharmacy or medical or dental office and asking for personal information, including plan numbers or Social Security numbers. Commonly, these thieves will make false offers of free or discounted care to encourage their targets to share protected information.

Another source of medical identity theft is a dishonest employee who either steals patients’ private data to sell on the black market or allows uninsured friends or family members to use stolen identity to obtain free dental care.

Steps to thwart identity theft

It’s crucial that dentists know and trust their staff, says Taiba Solaiman, senior risk management analyst at The Dentists Insurance Company. Conducting comprehensive background screenings and random audits of charts and billing activity for any friends or family members who have been seen in the office can go a long way to catching and thwarting illegal activity.

Preventing fraud begins at the front desk. Therefore, it is imperative that employees ask for photo identification when patients arrive for their appointment. This is not a violation of HIPAA, nor is it required, but asking patients for photo ID is highly recommended. Most patients are already familiar with this practice when visiting their medical care providers.

Some offices take photos of their patients, making it easier to identify patients when they arrive. Many dental software programs have built-in features to capture photos. If patients are hesitant to have their picture taken, reassure them the photo will only be used internally and will not be posted on social media or used for any marketing purposes. Let them know of your commitment to protect their personal information and prevent fraud.

In addition, ensure that your practice team is trained to educate patients on best practices for keeping their private data private. For example, patients should be informed that your staff will never ask for Social Security numbers or dental benefit plan numbers over the phone. So if they receive an unsolicited call from someone requesting this information, they should hang up immediately. Remind patients to carefully review statements from insurance companies to look for suspicious or unauthorized treatments or payments.

Medical identity theft is a multifaceted, complex crime, and halting its progress takes the diligence of all players — medical and dental professionals, patients, insurance providers and law enforcement. While dentists aren’t expected to take on the role of crime fighter, they can take simple steps to ensure their patients and their practice remain free from fraud.

Under Attack! Seven steps to take if you experience a cyber breach

While every incident is different, use this sound guidance for support:

1. Don’t pay a ransomware demand until you consult a professional.
2. Contact your IT provider right away for assistance. Let an expert assess the situation.
3. Document without clicking on links or deleting information. Take a picture of the screen and note what it said at the time of the incident. Capture when the incident happened and how it occurred, if known.
4. Save network security logs that indicate the date, time and device used. Collect facts and gather information from your staff and IT provider.
5. Disconnect the affected device from the internet to prevent further unauthorized access.
6. Call your professional insurance provider or log in to your account to report the incident as soon as possible and initiate a claim.
7. Report a data breach to appropriate agencies.
• For ransomware: Federal (FBI) and state law enforcement agencies.
• The internet crime complaint center (IC3).
• Security breach notifications required by law in your state.
• For data breaches: Department of Health & Human Services.

For more detailed guidance, utilize TDIC’s Cyber Event Checklist.

Red Flags! Spotting potential medical ID theft

Look for these red flags when training your staff to spot possible fraudulent patient activities:

• Questionable or altered documents or signatures.
• Inconsistencies or discrepancies with information previously collected.
• Suspicious behavior, such as an inability to quickly answer basic questions.
• Refusing to present identification or provide identifying information when requested.
• Forms of identification that don’t match the description of the patient presenting them.
• An accompanying individual addressing the patient by a different name.
• Suspicious requests for medications/specific medications or prescriptions.
• Multiple appointments under different identities (an exception would be a name change due to gender identity).
• A staff member using patient information for their own family member.
• An individual alerting the practice that their benefits have been used fraudulently.

Team members should alert authorities when they spot a red flag. Risk Management analysts advise against refusing treatment; instead, inform the patient that discrepancies have been discovered that need to be investigated and then make other arrangements for payment until the issue is resolved.


Liability Lifeline is published by: The Dentists Insurance Company, 1201 K Street, 14th Floor, Sacramento, California 95814

©2023, The Dentists Insurance Company

Endorsed by: Alaska Dental Society, California Dental Association, Hawaii Dental Association, Idaho State Dental Association, Illinois State Dental Society, Nevada Dental Association, New Jersey Dental Association, Oregon Dental Association, Washington State Dental Association

Also in: Arizona, Minnesota, Montana, North Dakota, Pennsylvania and Tennessee

TDIC reports information from sources considered reliable but cannot guarantee its accuracy.

Need one-on-one risk management guidance?

• Get answers to your critical questions through a confidential phone consultation with an experienced TDIC risk management analyst.
• Request a consultation at a time that’s convenient for you at tdicinsurance.com/RMconsult or by calling 877.269.8844.

Protecting dentists. It’s all we do.


Risk Management Advice Line | 877.269.8844 | tdicinsurance.com
