Dental Compliance 101: Keeping Patient Information Confidential

By Samona France, Compliance Protection Specialist

Medicaid dentists have a hard job!

Low hours and below-market reimbursement rates, coupled with layers of bureaucracy and vague guidelines for marketing to, treating, and retaining Medicaid-eligible patients, can crush the dreams and finances of well-meaning dentists and their practices.

But complying with all of the various laws is not optional; it is a requirement.

Even something as simple as gathering, copying, processing, and forwarding patient records to another treating dentist can be a minefield if you don’t know how to do it correctly. Sharing patient records between specialists, dentists, laboratories, the Dental Board, or the Texas Medicaid Office of Inspector General requires awareness of and compliance with various state and federal laws.

You’ve probably heard of them: HIPAA, HITECH, and specific state dental board regulations.

Although the legal requirement to keep patient information private is not new, the amount of information being transmitted electronically from one office to another every day is at an all-time high. Electronic transmission of patient information, while efficient, creates many opportunities for the potential loss, misuse, or theft of that data.

But avoiding criminal charges and civil penalties does NOT have to be overwhelming or expensive; it just requires easy-to-understand processes that are rooted in knowledge of the law.

Why is compliance important? Because the penalties are steep.

Confidentiality has always been a foundation of the doctor-patient relationship. Indeed, practitioners should not have to be persuaded or convinced to keep patient information private.

Disclosure of “unique health identifiers” or “individually identifiable health information” that is made “knowingly” is a criminal offense. Specifically, a person may be subject to criminal penalties if he or she knowingly:

(i) uses or causes to be used a unique health identifier (like a name or Medicaid number); or

(ii) simply obtains individually identifiable health information; or

(iii) simply discloses individually identifiable health information to another person.

Criminal penalties range from misdemeanors to felonies, but the maximum criminal penalty (a fine of up to $250,000 and imprisonment of up to 10 years) can be imposed if one of these offenses is committed “with intent to sell, transfer, or use [the information] for commercial advantage, personal gain, or malicious harm.”

And here’s the kicker: “knowingly” just refers to knowledge of what happened, not knowledge that what happened constituted a violation of the law.

So, ignorance of the law is no defense.

Do your employees know what they should do? Or why?

Did you know that it is common for significant monetary fines and penalties to be levied against even small practices for incorrectly transmitting patient records to other practices?

In fact, the U.S. Office of Civil Rights has made HIPAA infringement such a priority that it has contracted with outside auditors to find HIPAA violations.

Ask your practice staff these questions:

  • When a patient or other dentist requests a patient file, what is your protocol or process?
  • Do you require the patient to sign a request form?
  • Do you verify that the employee at the other practice can legally receive the documents?
  • Do you know the timeline for responding to various requests for information?
  • Do you email the records? Do you place the records in “the cloud” to be downloaded by the recipient?
  • Do you encrypt the records? What about the email/cloud that holds the records?
  • Does your office staff know how the process should change if the request for records is from the Dental Board or the State Inspector General’s office?
  • If you use any service that could have access to patient files, do you have a Business Associate Agreement with them? What about your IT support company? What about your copy service? Your outside lab?

If you and your staff don’t have answers to these questions, you are asking for trouble.

For more information on HIPAA compliance and how Compliance Protection Specialist can help you keep your office compliant email us at or by phone at (469) 774-7144.

