6 Dental HIPAA Compliance Marketing Blunders
For many dental practices HIPAA is a frustration. We know, trust us, we know. But the reality of HIPAA for dental practices is that it’s part of your practice life, and it isn’t difficult to stay HIPAA compliant in your dental marketing. With a few tweaks here and a little training there, you’ll be clean as a whistle.
In this article we’ll discuss six of the most common dental HIPAA compliance faux pas and ways to stay compliant with your digital dental marketing.
Let’s get going. I know you have to get back to work, so I’ll make this succinct.
1) Sharing Patient Photos Without Signed HIPAA Consent
For better or worse social media has taken the world by storm. When social media is used correctly and in compliance with HIPAA regulations, it is a powerful tool that can improve patient quality of care and help grow a practice. But how a medical professional and the support staff interact with a patient online is a lot like walking a razor’s edge.
Many patients want, and some expect, to be able to communicate with medical professionals via social media tools, which is why it is vitally important to understand the nuances of HIPAA regulations when it comes to social media.
Sharing authentic, engaging social media content that features patients while staying 100% HIPAA-compliant isn’t as complicated as you may think.
HIPAA. Even just reading the word may cause dental professionals to feel a little stressed, and understandably so. Its guidelines are strict, but HIPAA is one of the most important protections patients have in place today.
However, in the age of the connected, savvy consumer brought about by the internet and social media, potential patients want a transparent look into what really goes on inside your practice before they make a decision about whether or not to give your practice a call. They want to see the experiences that real patients are having with you, and how you treat them.
Because of HIPAA, many dental professionals are scared away from sharing anything at all that involves patients, and they miss valuable opportunities to build reach and relationships with patients and ideal potential patients.
HIPAA doesn’t have to be a stumbling block for your dental practice on social media. Remember that the rules are there to protect patients, not create barriers. By adhering to a few common-sense safeguards and making sure your entire team is trained, you can confidently and comfortably share photos, videos, and other posts involving patients as part of your social media efforts.
Dental HIPAA Compliance Guidelines On Social Media
1. Don’t post protected patient information or circumstantial details. This may seem obvious, but it can happen if team members aren’t thinking about it. Even if you don’t include a patient’s name, assume that a patient’s information can still be traced if you post about the circumstances.
2. Don’t assume information is private. If something is online, chances are that it will stay online in one form or another. Deleting a tweet or removing a Facebook post doesn’t guarantee that information is gone, so it’s essential that dental professionals catch HIPAA violations before they ever make it to social media.
3. Create a practice social media policy. Having a written policy and training your team on it ensures that everyone in the practice is on the same page and familiar with your approach to social media.
4. Make your practice’s “social media champion” someone who understands HIPAA. The fewer people that post to social media on behalf of your office, the better. It’s generally a good idea to have only one or two people in charge of social media for your dental practice. Choose team members who understand HIPAA’s rules and have dedicated time to check social media activity on your pages.
5. Get signed consent from patients first. There may be times where you want to share a patient testimonial or answer a question sent to you on social media. It’s important to have the patient’s signed consent before posting, and even after receiving consent, keep as much personal information private as possible.
Download The Dental HIPAA Compliance Authorization Form
Here is a link to download the HIPAA Compliance Form.
Or… Let Our Dental HIPAA Compliance Photo Sharing App Handle Everything
With My Social Practice, posting HIPAA-compliant patient photos is as easy as snap, send, share. Our state-of-the-art HIPAA mobile app features the easiest way to share photos that include patients—simply, securely, and in 100% compliance with regulations.
2) Responding to Patient Reviews Incorrectly
Unfortunately, the Internet is full of PHI disclosed by healthcare providers of all sizes. It’s common, and expected, for dentists to respond to online reviews from their patients. Most commonly, patients review dental practices through Google Business Profiles, Yelp, Healthgrades, and Facebook. What most dentists are not aware of is that responding to a patient review in the wrong way can itself be a HIPAA violation.
Let’s unpack this. If a dentist responds to a patient’s online review using language that confirms the reviewer is a patient, or that mentions anything about their visit or treatment, the dentist has disclosed PHI without the patient’s authorization.
Patient review: “I love being a patient of ABC Dental. They are always super kind and professional.” Sarah F.
HIPAA violation response: “Sarah, we are so grateful for you. You’re a wonderful patient of ours and we can’t wait to see you again.”
The practice confirms in their response that Sarah is a patient, which is a violation.
Non-HIPAA violation response: “We are so grateful and happy when we receive reviews like this. We strive to be the absolute best at what we do. Sarah, thank you so much for your review.”
In the non-violation response, the practice thanks the reviewer for the review without confirming that Sarah is a patient.
I know this seems strange when the patient publicly offers PHI willingly, but when a patient posts a review of their own volition, that does not mean they consent to a provider’s disclosure under HIPAA.
If this sounds ridiculous, read about the recently settled case from the HHS Office for Civil Rights, where something very close to this situation happened. Hopefully this case does not encourage unscrupulous persons to set traps for medical professionals who may not be aware of HIPAA’s rules and regulations. Still, we should be prepared for that type of behavior.
3) Storing Patient Photos Without Encryption
Many dentists take a picture of a patient with no intent of sharing it online or using it for marketing, simply because documentation improves quality of care. Keeping track of a patient’s progress is helpful for everyone involved, but a photo that identifies a patient is PHI, and the HIPAA Security Rule requires that electronic PHI be protected wherever it is stored. A clinical photo sitting unencrypted in a personal phone’s camera roll is exactly the exposure the rule is meant to prevent.
So here’s the scenario. You take a photo of the dentist working on a patient to keep for your records. You upload it to your patient management system or some other encrypted server. The day ends and you leave the office with the photo still in your phone’s camera roll. Nothing has been disclosed yet, but PHI is now on an unmanaged device outside the practice’s controls, with no record of where it went, and if that phone is lost or stolen the practice has a breach to assess.
Team members who take photos containing PHI should remove them from the device once they are stored in the system of record. But let’s be honest with ourselves, mistakes are going to be made. Phones holding photo PHI leave the office all the time, and there is just too much going on to always remember to delete them. That is where encryption changes the outcome: under HHS breach guidance, PHI that was encrypted to the NIST-recommended standards is “secured”, so losing an encrypted file is not a reportable breach, while losing the same file unencrypted is.
HIPAA does not actually name an algorithm. The Security Rule lists encryption as an “addressable” safeguard and HHS guidance points to NIST for the specifics; AES-256 is the common choice that satisfies that guidance, provided the key is not stored on the same device as the photos.
The best way to keep your nose clean is to use an encrypted, cloud-based photography application. When you take a photo with such an app it is sent straight to an encrypted, HIPAA-compliant server; the image is never written to your personal device, so a lost phone holds nothing to breach. Two checks before trusting any such vendor: it must sign a Business Associate Agreement, since it stores PHI on your behalf, and you should confirm that the app really does keep the image out of the phone’s camera roll and cloud backups.
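What “encrypted at rest” means in practice, as an added example that is not code from My Social Practice or this article: a Go program that seals a photo with AES-256-GCM so that the bytes left on a device are unreadable and any tampering or relabelling is detected. The key, the photo bytes and the patient identifier are constructed placeholders; a real deployment would fetch the key from a server-side key store. Binding the patient identifier to the ciphertext as authenticated data goes slightly beyond the text, and shows why an authenticated mode is preferable to plain AES.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is the stored form of one encrypted photo: a fresh random nonce
// plus the AES-256-GCM ciphertext (Seal appends the 16-byte authentication
// tag to it). Nothing in it is readable without the key.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// newGCM builds the AEAD and enforces the AES-256 key length.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPhoto seals the photo bytes. The patient identifier is passed as
// additional authenticated data: it is not encrypted, but the ciphertext will
// only open under the same identifier, so a stored file cannot be quietly
// re-labelled as another patient's record.
func EncryptPhoto(key, photo []byte, patientID string) (Envelope, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	// One random 96-bit nonce per photo. Reusing a nonce under the same key
	// breaks GCM, so never derive it from anything predictable.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, photo, []byte(patientID))}, nil
}

// DecryptPhoto returns the original bytes, or an error if the key, nonce,
// ciphertext or patient identifier has been altered in any way.
func DecryptPhoto(key []byte, env Envelope, patientID string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, []byte(patientID))
}

func main() {
	// Constructed stand-ins (assumption): a real app fetches the key from the
	// practice's server-side key store, never from the phone or the source.
	key := sha256.Sum256([]byte("example-only key material, not a real key"))
	photo := []byte("JPEG bytes of an intraoral photo (constructed placeholder)")

	env, err := EncryptPhoto(key[:], photo, "patient-0001")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d ciphertext bytes; plaintext on device: none\n", len(env.Ciphertext))

	back, err := DecryptPhoto(key[:], env, "patient-0001")
	fmt.Println("round trip ok:", err == nil && string(back) == string(photo))

	// Relabelling the record or flipping one ciphertext bit is detected.
	_, err = DecryptPhoto(key[:], env, "patient-0002")
	fmt.Println("relabelled record rejected:", err != nil)
	env.Ciphertext[0] ^= 0x01
	_, err = DecryptPhoto(key[:], env, "patient-0001")
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

The safe-harbor point from the text depends on the key living somewhere other than the lost device; if the key is in the same camera roll or backup as the envelope, the photo is not “secured” in any meaningful sense.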
4) Transferring Patient Photos Without Encryption
Dentists are allowed to share PHI electronically, but the Security Rule’s transmission security standard requires that electronic PHI be protected in transit, and ordinary SMS text messages and consumer email give you no such protection.
When it comes to file sharing, the rule of thumb is to limit the number of copies you have of the image. Every copy is one more phone, inbox or laptop that can be lost, stolen or forwarded, and one more copy you cannot delete when a patient revokes consent, so your disclosure risk grows with every copy you create.
Applied to digital PHI sharing, things get out of hand quickly. Take a photo on your cell phone and text it to someone who is not using an encrypted system, and there are now two copies of the image. If that person forwards it, three. And on and on and on. You get the point?
Because digital PHI is so easy to duplicate, the better model is to keep one encrypted copy on a secure server and share access to it rather than the file itself. The recipient follows a link to the server-side image, the practice keeps a record of who viewed it, and the link can be time-limited and revoked, which in the long run reduces your disclosure risk. It is a best-practice model that every medical professional should implement.
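How “share access, not the file” can work, as an added example that is not code from My Social Practice or this article: a Go share service that issues HMAC-signed, expiring tokens naming a server-side photo. The token carries no image bytes, so texting or emailing it creates no new copy; the server checks signature, expiry and a revocation list before streaming the single stored image. The secret, photo identifier and clock are constructed placeholders; a real service would also log each successful Resolve as the access record mentioned above.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// ShareService issues and checks time-limited share tokens. A token names a
// photo held once on the server; it never carries the photo itself, so
// forwarding it creates no extra copy of the image.
type ShareService struct {
	secret  []byte          // HMAC key known only to the server (assumed to come from a key store)
	revoked map[string]bool // tokens withdrawn early, e.g. after a patient revokes consent
}

func NewShareService(secret []byte) *ShareService {
	return &ShareService{secret: secret, revoked: map[string]bool{}}
}

// sign returns the URL-safe HMAC-SHA256 of a token payload.
func (s *ShareService) sign(payload string) string {
	m := hmac.New(sha256.New, s.secret)
	m.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Issue returns "photoID|expiresUnix|mac". Photo identifiers are assumed to be
// opaque server-side IDs, so the separator is rejected rather than escaped.
func (s *ShareService) Issue(photoID string, ttl time.Duration, now time.Time) (string, error) {
	if strings.Contains(photoID, "|") {
		return "", errors.New("photo id must not contain '|'")
	}
	payload := photoID + "|" + strconv.FormatInt(now.Add(ttl).Unix(), 10)
	return payload + "|" + s.sign(payload), nil
}

// Revoke invalidates a token before its expiry.
func (s *ShareService) Revoke(token string) { s.revoked[token] = true }

// Resolve checks signature, expiry and revocation, in that order, and returns
// the photo ID the server should stream to the recipient.
func (s *ShareService) Resolve(token string, now time.Time) (string, error) {
	parts := strings.Split(token, "|")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	payload := parts[0] + "|" + parts[1]
	// Constant-time comparison: an edited or forged token fails here before
	// any expiry or ID logic runs.
	if !hmac.Equal([]byte(parts[2]), []byte(s.sign(payload))) {
		return "", errors.New("bad signature")
	}
	exp, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || now.Unix() > exp {
		return "", errors.New("link expired")
	}
	if s.revoked[token] {
		return "", errors.New("link revoked")
	}
	return parts[0], nil
}

func main() {
	// Constructed secret and fixed clock so the run is reproducible.
	svc := NewShareService([]byte("example-only secret, not a real key"))
	now := time.Unix(1_700_000_000, 0)

	tok, _ := svc.Issue("photo-42", time.Hour, now)
	fmt.Println("token:", tok)

	id, err := svc.Resolve(tok, now.Add(30*time.Minute))
	fmt.Println("within ttl:", id, err)
	_, err = svc.Resolve(tok, now.Add(2*time.Hour))
	fmt.Println("after ttl:", err)
	_, err = svc.Resolve(strings.Replace(tok, "photo-42", "photo-43", 1), now)
	fmt.Println("edited id:", err)
	svc.Revoke(tok)
	_, err = svc.Resolve(tok, now)
	fmt.Println("after revoke:", err)
}
```

The link itself should still travel over TLS (HTTPS) and be short-lived; the token only proves the server issued it, it does not hide it from whoever can read the text message it was sent in.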
5) Devices With PHI Being Lost Or Hacked
It was only a few weeks ago that our Facebook page was hacked. The hackers got into the page through my personal Facebook page. Once they got in, it was mayhem. It took more than a month to get control of the account.
Hackers are motivated in many ways. You shouldn’t be terrified of being hacked, but you should take reasonable measures to reduce your risk.
The biggest HIPAA disclosure risk is you or one of your team members losing a phone that contains PHI. A lost or stolen phone rarely needs to be “hacked”: with no passcode, or with photos synced to an unprotected cloud backup, whoever picks it up can simply open the camera roll. That is why you should use a photo encryption app when taking patient photos, require a passcode and device encryption on any phone used at work, and turn on remote wipe. With an encryption app the image is never stored on the phone; the only copy lives on a secure server, encrypted to the NIST standards that HHS guidance points to (HIPAA itself names no algorithm).
6) Improper HIPAA Consent Documentation
After talking to dentists for the last 13 years I’ve found that it’s the wild wild west out there when it comes to dental HIPAA form compliance and marketing. Almost all dentists that I’ve spoken with are aware of the risks and want to do their absolute best to protect PHI, but many do not understand the specificity and requirements.
A signed patient HIPAA authorization for each photo taken is the best course of action. Note that HIPAA calls the document a patient signs for a marketing use an “authorization” (45 CFR 164.508), which is a stricter instrument than the general consent a patient gives for treatment. A valid authorization must include the following:
MUST BE IN WRITING: For the authorization to be verifiable, it must be in writing.
WHO IS INVOLVED: The covered entity is identified, which is the name of your practice or the dentist. The covered entity is the party disclosing the PHI; the form must also name who may receive it, for example your marketing staff or vendor and, if the photo will be posted online, the public.
FOR WHAT PURPOSE: The form must describe which PHI will be used (the photo, plus any name or details posted with it), how it will be used, and for how long.
SIGNED CONSENT: There should be a date and the patient’s signature. A parent, guardian or other personal representative must sign if the patient is a minor or is unable to sign for themselves.
WHEN CONSENT EXPIRES: Authorization must carry a specific expiration date or event (for example, “until the patient revokes it in writing”).
REVOCATION: The patient must be told that they can revoke the authorization at any time, with simple steps for how to do so, and that revocation cannot undo disclosures already made in reliance on it.
BENEFITS ARE NOT CONDITIONAL: The patient must understand that their dental care is not conditional on signing.
REDISCLOSURE: The form must state that once the photo is posted publicly it may be redisclosed by others and may no longer be protected by HIPAA.
We’re Not HIPAA Attorneys
Please keep in mind that we are not HIPAA attorneys. We don’t even play attorneys on television. But we do work with some fantastic attorneys who consult on our HIPAA compliance and provide excellent service to dental practices looking to reduce social media HIPAA risks.
My Social Practice does not provide legal advice, and the information in this blog post is a set of suggestions on how to improve your practice’s HIPAA compliance. If you have further questions you should consult your attorney or reach out to The HIPAA E-Tool.
Dental HIPAA Compliance: Conclusion
We know that in everything you do in your practice, patient safety and comfort come first. Here at My Social Practice, we believe that same level of responsibility and patient care is vital in social media and digital marketing as well.
People like to do business with people they know, and My Social Practice provides the best way to share content that showcases the people and culture of your practice, all in 100% compliance with HIPAA. Discover how easy it is to start growing your practice with social media by requesting a demo of our patient photo sharing app.
Frequently Asked Questions
Absolutely, dentists are required to be HIPAA compliant. A dental practice that transmits health information electronically for billing or other standard transactions is a HIPAA covered entity, and any vendor that handles PHI on its behalf (a photo-sharing app, a marketing agency, a cloud host) is a business associate bound by the same rules through a Business Associate Agreement.
Any photo published online that contains identifiable PHI requires a signed authorization from the patient. As long as the release carries the patient’s signature and the required elements listed above, it is sufficient to use the photo for marketing purposes.
Yes. There have not been significant changes in the HIPAA regulations in 2023.
About the Author: Adrian Lefler is an expert dental marketer and a key member of the dental marketing team at My Social Practice. My Social Practice is a dental marketing company located in Salt Lake City, Utah. Adrian is passionate about helping dental practices grow. If you’d like to book one of the members of My Social Practice’s speaking team, you can do that HERE. Interested in learning more about the benefits of SEO for dental practices or our dental websites service? You can learn more here. Also please read our Google My Business reviews.