Protecting Electronic Communications
Don’t let convenience trump compliance in your interactions with patients
James G. Kouzoukian, DDS | Bijan Anvar, DDS
Most businesses in the United States can freely communicate with their existing clients, business associates, consultants, and vendors by electronic means, such as email and text messaging, without restriction or regulation. However, businesses in the healthcare industry are a notable exception. The communications of dental and other healthcare professionals are regulated by federal and state governing bodies. The federal entity under which these communications are regulated is the US Department of Health & Human Services' Office for Civil Rights (OCR), and the regulations themselves are specified in the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules. Introduced in 1996 and the subject of tremendous interpretation by legal professionals, HIPAA provides a framework for dentists and other healthcare providers to appropriately protect necessary electronic interactions with the individuals, businesses, and professionals with whom they conduct their daily practices. Some states impose even stricter patient privacy regulations, and where they do, the stricter state rules supersede the federal requirements.1-3
In this age of technology, it is universally acknowledged that email and text messaging (ie, the electronic communication modalities regulated by HIPAA requirements) are necessary to communicate effectively and efficiently with patients and other providers. However, some dentists have been misinformed regarding the ways in which they are permitted to initiate electronic communication with their patients and respond to patient-initiated emails and texts. Many practitioners outsource the handling of these communications to service providers, such as health information organizations, which are assumed to remain compliant with regulations, but are the means employed by these providers truly satisfactory?
It is generally agreed upon by healthcare attorneys that electronic communications between dentists and their patients are HIPAA compliant when the digital information shared is adequately encrypted. Encryption is a means by which data are converted into a code that is unreadable by anyone other than the intended recipient in order to prevent unauthorized access. Because HIPAA-compliant encryption for protected health information (PHI) is particularly stringent and requires greater security, any health information organization used must be questioned to confirm that its level of encryption is sufficient to provide the confidentiality that the patient is owed. Not all encryption methods fit the strict parameters of HIPAA. Data must not only be protected "in transit" but also secured when "at rest" on both the sender's and recipient's devices.1,4
Although the recommendations for daily electronic interactions with patients presented by this article err on the side of caution, they are not intended to be legal advice and may not be appropriate to a dental practice's individual situation. Practices should consult with an attorney for advice regarding specific circumstances.
First, it is important to point out that when a patient provides his or her email address to a healthcare practice when filling out intake forms, it should not be assumed that the patient has also given permission to be contacted by the practice via email that contains PHI. Even a simple acknowledgement that an individual is a patient of a practice could be considered a violation because the healthcare specialty provided by a practice to its patients is considered to be PHI. Each patient must specifically be asked if he or she wishes to engage in email communication. For those who respond positively, only encrypted information can be sent via email. If the practice intends to share unencrypted information by email, a specific HIPAA release form stating that fact must be presented in writing for the patient to read and sign. An article available on the New Jersey Dental Association's website, "Emailing Patient Information: A Resource for Dental Practices," includes a sample American Dental Association HIPAA security risk assessment for small dental offices as well as a sample authorization and consent to send unencrypted PHI by email form.5 When signed by patients, this form may permit the sending of unencrypted email; however, caution must still be exercised when composing the body of any email that contains PHI.5
If a patient initiates communication by sending an email to the dental office to ask a question, such as when a future appointment is scheduled or what month he or she should return for a checkup, an answer can be given freely in an unencrypted manner because it is the patient who has initiated communication; therefore, consent is assumed. If questions regarding specific treatments or health conditions are asked, responses should be very minimal, specifically limited to the patient's requests, and accompanied by the additional response that any further information should be discussed via a telephone call. "Please call the office" is the best response for any email initiating a treatment-based discussion. Details associated with diagnoses and replies to treatment questions should never be emailed in an unencrypted form. For example, if a patient asks if you will be able to take care of his or her painful tooth, this only requires a yes or no answer, which may be unencrypted. However, any details regarding the anticipated treatment must either be encrypted or relegated to telephone or face-to-face conversations.2,6
If a patient contacts a dentist at a personal email address instead of the practice's business email, which may be the case if the patient is a personal friend of the dentist, the response should always include a statement that reads, "This email address is not secure." If the patient still wishes to continue and grants permission, responses should be as minimal as possible until a secure communication medium becomes available.1
Similar considerations exist when text messages rather than emails are passed between the dentist and patient. If the patient initiates communication via text message, consent may be assumed for a very minimal response. Encryption must be employed for any detailed text discussions because text messaging is neither protected nor secure. The ADA consent form includes the language "or other electronic means" and may be applied to unencrypted text messaging in addition to email; however, practitioners should keep in mind that health and treatment details should still be relegated to verbal conversations on the telephone or in person.1,2
Nowadays, many dentists give their cell phone numbers to patients, either directly on their business cards and office intake forms or indirectly as an emergency contact in their practices' voicemail recordings. Unless the dentist has disabled text messaging, which is unlikely because most dentists own only one personal cell phone, on which they receive texts daily, patients will, at one time or another, send text messages that may or may not discuss the details of completed or proposed treatments. Caution must be exercised when replying to these texts, and because the devices being used can also transmit spoken dialogue, the patient should be encouraged to initiate or receive a telephone call rather than continue the communication via text messaging. Healthcare professionals should never initiate or encourage text messaging beyond sending very simple information because this form of communication can easily get out of hand.6
Social Media Contact
If a patient contacts a dentist by messaging him or her on a social media platform (eg, Facebook, LinkedIn, Instagram) regarding treatment, it should be understood that the only secure means by which to do so is through "direct secure messaging" provided by a reputable health information organization. "Private messaging" on social media websites is not necessarily secure by HIPAA standards. In some cases, the transfer of PHI is regulation compliant, but the storage of such information within a social media platform on the recipient's device is not adequate. Once again, responding practitioners should exercise caution as to the appropriateness of the content. The safest and most prudent return message is always "please call the office," or if it is after business hours, "please call this cell phone number rather than sending a text message."1
Communication technology will continue to advance, and healthcare providers will certainly encounter evolving regulatory challenges in the future. In this day and age, it is paramount to remember that dental professionals must not succumb to temptation and openly write electronic messages or posts about their patients' health-related issues without first considering the importance of privacy and compliance.
About the Author
James G. Kouzoukian, DDS, maintains a private practice in Forest Hills, New York, and Bijan Anvar, DDS, maintains a private practice in Larchmont, New York.
1. Anvar B. Data protection for dentists. In: Proceedings from the World's Fair of Dentistry; September 24, 2017; Queens, NY.
2. US Department of Health & Human Services. Guide to privacy and security of electronic health information. US Department of Health & Human Services web site. https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf. Published April 2015. Accessed June 13, 2019.
3. US Department of Health & Human Services. Health Insurance Portability and Accountability Act of 1996. Office of the Assistant Secretary for Planning and Evaluation web site. aspe.hhs.gov/report/health-insurance-portability-and-accountability-act-1996. Accessed June 12, 2019.
4. Lavine L. 12 steps for creating a HIPAA compliance plan. Dental Products Report web site. http://www.dentalproductsreport.com/dental/article/12-steps-creating-hipaa-compliance-plan. Published January 24, 2018. Accessed June 18, 2019.
5. New Jersey Dental Association. Emailing patient information: a resource for dental practices. New Jersey Dental Association web site. https://www.njda.org/docs/librariesprovider35/default-document-library/emailing-patient-records.pdf?sfvrsn=0. Published 2014. Accessed June 13, 2019.
6. Kouzoukian JG. Patient communication: ensuring compliance with government regulations. Compend Contin Educ Dent. 2015;36(5):318.