Dentist-Patient Confidentiality and Digital Dentistry
Steps dentists should take to maintain trust and stay in compliance
Trust is the cornerstone of any successful dentist-patient relationship. This includes not only trust in the dentist’s skill, but also his or her ability to maintain patient confidentiality. The concept has its basis in ethics, rather than law, and stems from the privilege of the relationship, which is of a special nature—that is, were it not for the relationship between the dentist and patient, the dentist would not have access to specific patient information. As an extension of that principle, the patient might not confide specific health information if he or she believed that the information might be shared with others not required to have it.
Digital communication enables dentists to collaborate with off-site colleagues, specialists, and labs, providing interdisciplinary care to meet their patients’ needs. Unfortunately, it has become apparent that much of this communication flows through insecure digital channels. Unknowingly, many dentists send private health information through email and cloud-based storage services such as Dropbox, which make it easy for files to be intercepted, forwarded, or passed to parties who do not uphold dentist-patient confidentiality. To meet their confidentiality obligations, dental professionals must make sure all communication channels are secure and compliant.
Progression of Information Exchange in Dentistry
More than 50 years ago, dental collaboration meant all parties met in the same room to exchange information. Because information was shared verbally and through hard-copy files that were literally handed from dentist to lab technician, patient information was safeguarded. However, with the introduction of new technology, like the mobile phone, fax, and Internet, the exchange of information became less secure.
The Internet has revolutionized dental communication, as it offers a visual medium that enables collaboration across great distances. With digital high-resolution imaging, collaboration became, for the first time since in-person meetings, immediately available to all parties. Although this has enabled great strides in dental technology, it has often meant placing the security of patient information at risk by sending it through insecure means like email or online storage sites.
During the past 2 decades, as digital transmission has replaced more traditional methods of information transfer, regulations setting standards for electronic information security have emerged that extend doctor-patient confidentiality into the electronic world. The purpose of the legislation is to protect the principles of dentist-patient confidentiality; the standards ensure that the technologies used to store and transmit patient information uphold those principles.
These standards for maintaining the confidentiality of protected health information (PHI) include:
Health Insurance Portability and Accountability Act (HIPAA), which was introduced in the United States in 1996; the Final Rule (Omnibus) updates to the regulations went into effect March 26, 2013, with compliance required by September 23, 2013.
Health Information Technology for Economic and Clinical Health Act (HITECH) and HITECH Safe Harbor in the United States.
Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.
Additionally, there is significant legislation in each state and province, as well as very specific guidelines from professional dental bodies for the handling of patient information. The information protected by these standards is called “protected health information” (PHI), which is individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
Real World vs. Electronic World
Dental practices across North America are changing to help protect PHI in the real world and the electronic world. The governing principle—restricting PHI access to those who must have it to deliver health services—must be followed in both, but the practical application is very different and can be challenging in the electronic world.
In the real world, protecting PHI affects multiple internal processes, including how files are stored and retrieved, as well as how patient records can be viewed. Someone examining a practice for HIPAA compliance would focus on the physical security of the patient records, ensuring that no unauthorized person could view a record on a computer monitor or gain access to the patient record room.
In the electronic world, the same activity requires a more complex set of tasks to ensure compliance. To protect patient confidentiality in keeping with the HIPAA regulations, consider the following:
Access—Who has access? How can you ensure it is limited to only those who need it?
Transmission—Is every transmission of patient information secure? Remember, email is never secure.
Storage—Can you prove that your patients’ data are stored securely?
Auditability—Can you track each individual who has had access to PHI?
Disposal—Can you ensure sensitive data are disposed of when needed?
Compliance Combines Consent with Security Safeguards
Every practice is required to meet government regulations for storing, handling, and transmitting PHI, which include both security safeguards and obtaining patient consent. Data must be encrypted to remain secure, both when stored and when transferred. Encrypting patient information makes access extremely difficult for anyone except the parties intended to view it.
HIPAA, HITECH, and PIPEDA regulations also require specific policies around the storage of PHI: emergency access, identity authentication for staff, data backup, auditable records of data access, deletion and disposal of PHI, and many more. The problem is that many dental practices use email to send sensitive patient information, and most email services—including Gmail, Hotmail, Apple Mail, and Outlook—do not meet many of the requirements regarding PHI.
Best practices also require that consent be obtained from patients before sending any of their PHI to associated treatment providers. Although a dentist can get consent to send a patient his or her own PHI over email, that data transmission is not covered by HIPAA. Even if a patient agrees, all regulations state that patients are not able to consent to having their information sent by the dentist to any other medical professional through noncompliant methods, including email or file transfer services like Dropbox.
Although specific rules vary somewhat by location, every dental practice is tasked with ensuring compliance with legal guidelines and maintaining patient trust when it comes to PHI. Dental practices can go through their systems and adjust as needed to ensure that they are compliant and protecting patient confidentiality, but many will choose to use one of the many out-of-the-box solutions that are available on the market today (Table 1).
About the Author
Lorne Lavine, DMD, founder and president of The Digital Dentist (TDD), has more than 29 years invested in the dental and dental technology fields. In 2002, he moved from Vermont, where he had maintained a private practice, to California to establish TDD, a company that focuses on the specialized technological needs of the dental community. As a consultant and integrator, he has extensive hands-on experience with most practice management software, image management software, digital cameras, intraoral cameras, computers, networks, and digital radiography systems.