Your Response to a Negative Patient Review Could be a HIPAA Violation

By FDA Chief Legal Officer Casey Stoutamire

Did you know your response to a negative review from a disgruntled patient or family member could be a violation of the Health Insurance Portability and Accountability Act (HIPAA)? There is no HIPAA exception that allows a health care provider to disclose a patient’s protected health information (PHI) in response to a negative review. HIPAA generally prohibits dentists (and all health care providers) from using or disclosing a patient’s PHI without his or her consent. As a reminder, PHI includes information that “relates to the past, present or future physical or mental health or condition of an individual [or] the provision of health care to an individual, and … that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.” (45 CFR 160.103) This means that posting any information that identifies someone as your patient violates HIPAA, even if no specific medical information is posted or disclosed.

The next question is, “How can I respond to a negative review?” Our first piece of advice is to just ignore it and try to generate more positive reviews to offset the negative one. In addition, you could reach out to the patient to try and resolve the problem. Usually, when someone posts a negative review, they are frustrated and want their voice to be heard. If you can resolve the situation, you may be able to convince the patient to take down the negative review. And even if you cannot resolve the issue, ask the patient to give you a HIPAA-compliant authorization that would allow you to respond appropriately to the negative review.

Now, we know ignoring a post is not going to sit well with some of you! If you feel you must respond, it should be generic. Your response cannot confirm that the patient received care at your office. Instead, you could describe your general practices and policies and then ask the disgruntled person to contact your office to discuss things further. It goes without saying that if you do respond, take a deep breath before doing so to calm down and be polite, professional and sensitive to the disgruntled person’s perspective.

To read more on negative reviews, check out a past “Chew on This” at vimeo.com/556207196.

FDA Chief Legal Officer Casey Stoutamire can be reached at cstoutamire@floridadental.org.

Abyde Data Breach: Case Study

By: Abyde

You never think it will happen to your practice until it happens to you. What happens to a reactive practice when it is impacted by a data breach?

Reactive Compliance: Are You at Risk?

One of the most common, yet dangerous, fallacies is that something could never happen to you. This misguided belief can be detrimental to your practice. For compliance, it is imperative to be proactive, ensuring everything is safe and secure before any issues arise. Investing in compliance software, IT support, and cybersecurity insurance is vital. It’s cheaper than scrambling later. Protect your reputation, empower your team, and streamline processes. Recovering from breaches is expensive, involving investigation fees, legal battles, and potential fines. Reactive efforts often lead to scrambling, incurring even higher costs. Reacting to issues often relies on manual and time-consuming workflows, hindering overall efficiency and effectiveness. The damage to your reputation also impacts all of your future opportunities. The consequences of reactive compliance are severe and can be seen in our case study.

What Happened?

So, what happened? Well, Abyde reached out to a practice for over a year to educate it on HIPAA requirements. Abyde also attempted to meet with the practice at in-person events. The practice’s owner and doctor refused to review HIPAA requirements with Abyde, believing that the binder the practice used was sufficient to be compliant. Believing that their outdated form of compliance was enough and that their medical practice would not experience a breach was detrimental. Flash forward, and the practice experienced a ransomware attack at the beginning of 2024. As expected, the outdated compliance binder provided minimal support for this practice to navigate the aftermath of a breach. In the wake of a data breach, every second counts. The clock starts ticking on lost revenue, productivity and patients. You risk hemorrhaging sensitive information, eroding trust, and hindering internal operations. The practice is now facing an arduous task, having to rebuild its operations while also seeing patients. The foundation of a compliant practice includes documentation like a Security Risk Analysis (SRA), data breach notifications, an incident response plan, breach risk assessment and training, and more. While no one is completely immune to a breach, your compliance software and IT support can minimize the impact a breach has on your practice. If this practice had proactively addressed its compliance efforts, the impact of this ransomware attack could have been minimized and handled quickly, allowing the practice to focus on what is most important: providing quality care.

What Can I Do?

As said, preventing breaches entirely is unrealistic, but recovery from a breach is in your hands. By proactively utilizing compliance software, like Abyde, having IT support, and cybersecurity insurance, you can mitigate the harmful impacts of a breach. After a breach, swift recovery is critical to minimizing the impact on your entire operation. Thankfully, Abyde is here to help you proactively establish a robust compliance program before risk incidents occur. Abyde offers a simple solution with our revolutionary software, saving you countless hours with our resources. Our software includes an intuitive SRA, dynamically generated policies and procedures for your practice, training, compliance expert support, and much more. With Abyde, your organization can be prepared for risks, and handle them with ease with the help of our software and team of experts. By proactively using compliance software, you pave the way for a culture of excellence that empowers your employees and protects your reputation and patients. Want to learn more about how Abyde can help your practice achieve compliance? Visit us at Abyde.com or send us an email at info@abyde.com.

Copyright Reminders

By Casey Stoutamire, FDA Chief Legal Officer

This is just a friendly reminder that any time you use a photo in an email publication, print publication (meeting brochure, newsletter, etc.) or on your website, you must have permission to use that photo. For example, if it is for an upcoming meeting and you want to use pictures of the hotel and/or rooms, work with your hotel contact to get permission, in writing, to use them (this is usually in the form of a license or sublicense).

In addition, if you use a web designer, check your agreement with them to make sure it contains a provision under which the designer will indemnify the association (component or affiliate) if the designer’s improper use of a third-party intellectual property (for example, pictures of a hotel) subjects the association to a claim/liability from the owner.

The same goes for playing music and offering television or movies in your office. The U.S. Copyright Act, Title 17 of the United States Code, gives copyright owners control over the public exhibition of their works. In nearly all cases, this means that a public performance license is required to show copyrighted content in public. And yes, dental and medical offices are considered public spaces when it comes to copyright law. This requirement applies even if the content can only be viewed by a single patient. This section of law applies to movies, television programs, and other audiovisual content enjoyed from sources like broadcast, cable or satellite television; DVDs; downloads; or streaming services. If you fail to comply with copyright law, you could be liable for damages ranging from $750 to $150,000 for each illegal showing, plus court costs and attorneys’ fees. Long story short, by showing TV programs and movies without a license, you risk fines for copyright infringement, and the monetary repercussions can be significant.

However, there is good news. For several years, the American Dental Association has worked with the Motion Picture Licensing Corporation (MPLC) to provide a discount for members on copyright licensing. MPLC issues the license your practice needs to show copyrighted content in compliance with federal copyright law. The Umbrella License allows for unlimited showings at your dental office without fear of copyright infringement. It provides coverage for old and new titles from more than 1,000 motion picture and television rights holders, including Disney, CBS, Warner Bros., NBCUniversal, Paramount, ABC, Televisa, HGTV, Lionsgate, Discovery and many more. To secure an Umbrella License, visit dentist.mplc.org/ or contact MPLC at 866.552.MPLC (6752) or info@mplc.com. Information is also available at ada.org/mplc.

Decrypting the Buzz Around Email Cybersecurity

By: Robert McDermott, President and CEO, iCoreConnect

Do you feel like you’re hearing a lot about ransomware, phishing and hacking these days? You’re not imagining an increase in these buzzwords. They’re popping up everywhere: news media, compliance reports, technology and trade journals, and the list goes on. It’s important to recognize that these words are more than just the latest media buzz. They’re real threats.

Cybercrimes remain a problem for dental and medical professionals with little sign of going away anytime soon. The primary ways your practice can be compromised are through your IT infrastructure and your email. The weakest link in the chain, however, is people.

Criminals have become quite effective at using malicious email to exploit human vulnerability and gain access to protected health information (PHI). When an email comes in posing as a trusted source like a bank, an online payment site or even a social networking site, your staff needs to know what to do … and what not to do. Every day, cybercriminals successfully steal everything from patient and insurance records to passwords, Social Security numbers, credit card information and account numbers. These kinds of attacks are called “phishing.” They are designed to get you to click a link, call a number or respond with personal information.

Educate your staff on what to look for in a phishing attack. The Federal Trade Commission’s Consumer Division explains that phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment. These emails may:

  • say they’ve noticed some suspicious activity or login attempts.
  • claim there’s a problem with your account or your payment information.
  • say you must confirm some personal information.
  • include a fake invoice.
  • want you to click on a link to make a payment.
  • say you’re eligible to register for a government refund.
  • offer a coupon for free stuff.

As a dental health provider, confirm that every email with any connection to PHI, payments, passwords or other sensitive information is being sent through a secure, HIPAA-compliant email service.

Not sure how to know? Check to make sure your secure email service uses its own private network to transmit messages, not the public internet. You also will know if your email is fully secure and compliant based on the way email communication is initiated. If your practice must initiate the first message in an email conversation, then your system is highly secure. The security key is that no one can randomly email you or your staff if you haven’t sent a secure email to them first. That eliminates phishing and hacking because cybercriminals can’t reach you. Once you have that first email interaction with another doctor, pharmacy, patient, etc., your workflow is the same as any other email.

If you are sending PHI via Google, verify you are using the paid version, Google Workspace Gmail. Even if you have some security steps in place on a non-paid Gmail address, you are most likely neither HIPAA compliant nor protecting your patients’ records. You may want to consider using Gmail, and other similar services, for sending everything that isn’t PHI or sensitive information. Secure and non-secure email often can be accessed in the same email interface, requiring only one login to access all your email accounts.

So, what happens if your email isn’t secure and someone in your office clicks a link? Well, you’ve just left the back door unlocked and let a cybercriminal sneak into your business. Once a cybercriminal gets into your system, usually without detection, they have one goal: wreak havoc to get money. They can lock up your entire records system and hold it for ransom, usually requiring payment in bitcoin. Thousands of attacks are launched every day with good success. It’s a scenario you don’t want to deal with. Fortunately, it’s also preventable.

Teach your staff or bring in an IT managed services provider (MSP) to talk with your office about the best practices to prevent phishing scams. Learn to identify a suspicious email and report it to your IT or MSP team. Most importantly, never click on buttons/links, call the listed phone number or respond to the message, especially with personal information.

Replace your current moderately secure email service with a truly secure, HIPAA-compliant email and you’ll significantly decrease the risk of your data being accessed through email.

Cybersecurity, phishing and ransomware are more than buzzwords. They represent identity theft, credit card and bank account access, and the loss of patient trust. Prevent access. Use secure email. Stay off the radar of those looking to profit off your practice. These simple steps can save you headaches and heartbreaks from having PHI stolen or captured and then paying a high ransom to get your practice up and running again.

FDA Services endorses iCoreExchange HIPAA-compliant email. iCoreExchange not only meets or exceeds every compliance and security requirement, but it also allows you to attach as many large files as you want to any single email. Speed up your workflow, protect patients and your practice. Check out this convenient and compliant service or call 888.810.7706. FDA members receive a substantial discount on iCoreExchange.