HIPAA Compliance for Dentists! Don’t Get Fined Like This Practice
California dental practice New Vision Dental recently got slammed with a $23,000 HIPAA Compliance Fine for how they responded to negative patient reviews on Yelp. The Office for Civil Rights (OCR) within the Department of Health reported that the doctor of New Vision Dental, repeatedly disclosed Protected Health Information (PHI) in his responses by using patient names (instead of their Yelp usernames), and details of their visits including insurance information.
The OCR verified all of this information by reviewing New Vision Dental’s activity on Yelp. They also made an in-person visit to New Vision Dental to further investigate, and found that the practice was failing to provide adequate information in their Notice of Privacy Practices as well.
OCR provided New Vision Dental with a corrective action plan that involves paying the $23,000 fine, deleting old posts, and reaching out to past patients whose PHI was exposed. Overall, their situation sounds like a typical HIPAA compliance nightmare—and one that could have been avoided.
Our goal at My Social Practice is to protect your practice from costly situations like this. Our HIPAA compliant photo sharing app and HIPAA compliant website service equip you with the tools and knowledge you need to engage online without worrying about violating the most common HIPAA guidelines.
The upside to this story is that we can all learn some valuable lessons from New Vision Dental’s mistakes. So what can you do to avoid making a similar HIPAA blunder?
Create Review Response Guidelines
The first thing to keep in mind when striving for dental HIPAA compliance is consistency. Whether you’re looking at reviews on Google, Facebook, or YELP, it’s important that your practice has response guidelines in place to avoid violating HIPAA policies. Here are some examples you may want to include in your practice’s guidelines.
#1 Only Refer to the Username Featured in the Actual Comment
One of the reasons New Vision Dental got in trouble was for using actual patient names instead of the names listed on their Yelp profiles. By using first or last names that don’t appear in the actual review or profile, the doctor inadvertently confirmed that he knew these people as his patients, which is a violation of HIPAA. (Yes—even simply confirming that someone is your patient violates their privacy in this sector!)
When your team responds to reviews, be sure to only use the name provided in the actual review. Even if a username is something like ChelseaReviews, you might want to err on the side of caution by referring to the commenter as “ChelseaReviews” instead of just Chelsea.
#2 Do Not Disclose any PHI or Details About the Patient’s Visit
This one might seem obvious, but it’s actually a pretty common error in HIPAA compliance for dentists. When responding to a review, make sure you’re not mentioning any details that identify the patient like procedures performed, date of visit, or personal information. Use friendly, information-neutral language that does not confirm the patient’s status.
For example, if someone leaves a negative review about teeth whitening, it would be unwise to respond with “We’re sorry you had a bad experience with teeth whitening on Saturday, but we hope your crown is holding up!”
Instead, you might say something generic like “We appreciate feedback and do our best to make all of our patients feel comfortable during their procedures. Please reach out to us directly if you have any further questions or concerns.”
#3 Be Kind and Professional
Another thing that can land you in hot water is responding to reviews with emotionally-charged language. No matter how derogatory an online review might be, your response must always remain professional and respectful.
In a similar occurrence to New Vision Dental, last year a dental practice in North Carolina was fined $50,000 for responding to a negative Yelp review and disclosing PHI. On top of disclosing the patient’s full name, this practice also insulted the patient’s intelligence, telling him to “continue with his manual work and not expose himself to ridicule.” This kind of petty, unprofessional language will never work in your favor and can come at a huge cost to your practice.
If for some reason your practice is being spammed with false reviews, or inflammatory comments online, you always have the option to report these reviews on Google, Yelp, Facebook and other review platforms.
#4 Know Who is Responding on Behalf of Your Practice
HIPAA violations are a lot easier to avoid when you know who is responding on behalf of your practice. Delegating social media and business review communication to one or two employees who are trained in HIPAA best practices (this could be you as the owner, or another employee) is the best way to stay consistent.
If you need more hands on deck, make sure you’re keeping track of who has access to usernames and passwords, and require anyone with this information to be well-versed in HIPAA guidelines.
If you’re using a dental marketing response service make sure that you obtain a proper signed BAA from the company you’re working with. Also make sure that the company representative is knowledgeable on HIPAA policies regarding review responses.
Review Past Activity
Another way to make sure you’re not slammed with a HIPAA compliance violation is to review your past activity interacting with patients online.
New Vision Dental was given a corrective action plan that included instructions to remove any social media posts from 2014 onward that included PHI. And, after deleting old posts, the OCR also instructed New Vision Dental to inform all past patients of HIPAA violations.
All of this headache and embarrassment could have been avoided if this practice used HIPAA-compliant social media tools!
Look through your previous activity on review sites or other social media for posts and responses that may not be HIPAA compliant. While sifting through, you might have to delete old posts, reach out to patients for consent, or edit details.
Use Our Reputation Management Software
In addition to setting up guidelines and reviewing past interactions with patients online, your practice should take advantage of My Social Practice’s Reputation Management Service.
This handy tool provides several solutions that help your practice perform better on review sites, while staying HIPAA compliant.
- Acquire more reviews
Our reputation management service sends your patients a text after their visit asking them to submit a review online. By getting more reviews, you can boost your star-rating on platforms like Google and Facebook.
- Auto-respond to reviews
Don’t want to worry about saying the wrong thing, or don’t have time to post individual responses? Use our tool to set up HIPAA-compliant auto-responses.
- Improve patient communication
Aside from responding to reviews, this software also helps you communicate with patients through other online channels like chat, social media messaging, and even text.
- Manage directory listings
As an added bonus, the reputation management service makes sure your practice is showing up on search directories across Google, Apple Maps, Facebook, and many other dental directories. Directories are helpful to be found by more local patients and is also a great link building strategy. Link building is one of the more important dental SEO activities.
This isn’t the first time a dental practice has been hit with a HIPAA compliance fine, and it definitely won’t be the last. Our hope is that with My Social Practice, your team will be able to stay compliant, avoid obvious blunders, and build a better presence online.
Aside from staying compliant on review sites, remember to always keep up with HIPAA guidelines in your office, on your own website, and on your social media channels. Provide patients with HIPAA consent forms at every visit, and cover your bases with other My Social Practice tools like our photo-sharing app.
If you haven’t already, be sure to check out our free social media consent form download to ensure your office is HIPAA compliant when sharing patient information and photos online.
Guess What? We Can Help!
Staying HIPAA compliant can feel scary. But you don’t have to stress when you have professionals on your side! My Social Practice offers unparalleled support for our clients. If you have questions about HIPAA compliance, reach out today and schedule a HIPAA compliance consultation.
About the Author: Adrian Lefler is a dental marketing expert and a key member of the dental marketing team at My Social Practice. My Social Practice is located in Salt Lake City, Utah. Adrian is passionate about helping dental practices grow. If you’d like to book one of the members of My Social Practice’s speaking team, you can do that HERE. Interested in learning more about the benefits of dentist SEO or our dental SEO service, please schedule a complimentary consultation. And, don’t forget to read our Google reviews.
