Getting entangled in health-privacy disputes is scary. Full knowledge of the law is the first step toward a happier ending.

I AM ONE of those lucky people who study, so you don’t have to, the 580 intimidating pages of existing HIPAA law governing health-care privacy. As a HIPAA trainer, I try to create a functional template for every dental practice to make compliance with this mare’s nest of laws as streamlined as possible.

Unfortunately, the often-updated HIPAA Omnibus Rules are maddeningly vague, for two main reasons: One, they cast a wide net to offer maximum protection and security for patients’ medical information; and two, their ambiguity allows for wide applicability even as record-keeping technology changes.

The rules themselves are one thing; the day-to-day reality of running a dental practice is another. With apologies to Rod Serling, I call this the “compliance twilight zone.” Here are three HIPAA horror stories — all drawn from the invaluable HIPAAjournal.com, a clearinghouse for the latest HIPAA news — that illustrate why knowledge of and adherence to these laws is so important.

REMAND AND DELIVER: Patty (not her real name) has managed a dental practice for more than a decade and a half. One day she gets a call from a patient demanding that she be sent her X-rays so she can seek a second opinion, a request she first made via e-mail more than a month ago. Patty declines: “When your balance is paid,” she says, “I’ll send you the radiographs.”
Unfortunately, the patient knows that new HIPAA rules require delivery of records within 30 days (in Texas, just 15 days) of a written request. The patient reports poor Patty to the Department of Health & Human Services, which investigates and fines the practice $17,000.

DATA DUMPED: A flash drive goes missing from a Florida practice. It contains 2,700 patient files with names, birthdates, Social Security numbers and insurance information. HHS traces several breach reports back to the practice itself, triggering an 18-month HIPAA security audit with in-person visits, sometimes weekly, by investigators.

YELP UNWANTED: Irritated by a negative comment a patient has posted to Yelp, a dentist lets his emotions get the best of him. “Due to your clenching-and-grinding habit,” he replies to the post, “this is not the first molar you’ve lost due to a fractured root.” Oops: HIPAA forbids doctors from sharing any patient health information, even as relatively anodyne as this. Hello, audit.

All three scenarios could have been avoided: with, respectively, better staff education; more careful record-keeping and data security; and control of one’s desire to respond to patients’ online complaints. Full knowledge of HIPAA law is the first step to avoiding audits and investigations that can waste time, cost money and imperil your practice. Don’t want to be the protagonist of a HIPAA horror story? Consult a specialist regularly to ensure that your own tales always end happily ever after.

JILL OBROCHTA is the founder of Dental Enhancements, an OSHA and HIPAA solutions company. She offers no-obligation consultations and can be reached anytime at 941-587-2864 or