HIPAA and the YELP War

You're listening to the Phil Klein Dental Podcast Thanks for joining us. I'm Dr. Phil Klein. Today we're going to talk about a particular case involving a HIPAA violation. It's kind of a nightmare situation, actually, and could affect any of us as dental practice owners. It has to do with social media. To tell us all about it is our guest, Dr. Karson Carpenter. He's a dentist and leading expert on infection control and HIPAA as it relates to the dental profession. And if you've missed the episode of our show where he told the story of a practice that was reported to the state board and OSHA by a disgruntled employee, I highly recommend that you listen to it. You can find that one and all of our previous episodes on Spotify, Apple Podcasts, and any of your favorite podcast platforms. Simply search Phil Kline Podcasts and look for the title Infection Control Protocol and the Disgruntled Employee. Again, today Dr. Carpenter will be telling us a stunning story about a dentist that really got into a mess with the state board regarding HIPAA violations. But first, if you're looking to raise the bar with your adhesive dental procedures, you should definitely be looking into Bisco. Bisco is a great company that has an unparalleled track record. I can unequivocally say... is their passion. They are genuinely dedicated to understanding and improving the ability to bond dental restorations. Bisco is a company that places tremendous value on research and scientific knowledge to benefit you and your practice by offering award-winning products that provide reliable solutions for all your clinical needs. Being an endodontist myself, my favorite Bisco product is Theracal LC, which hands down is one of the best materials to use for direct and indirect pulp capping procedures. It not only seals the dentin, but offers significant calcium release, which stimulates hydroxyapatite and secondary bridge formation, which is exactly what we're looking for in these kinds of procedures. So check out their entire product line of premium adhesive products at bisco.com. Dr. Carpenter, we're looking forward to you sharing your story. I'd be glad to, Phil. And again, it's interesting. It's what I like about when you and I chat and get caught up before a podcast. Sometimes it'll take a little different direction. I was just telling you about, of course, this incident that our company was involved with. This was a recent HIPAA violation that we were involved with, and it all started from what I call a Yelp war. And, you know, I will tell you that practicing dentistry, one of the most frustrating things, is a bad review. None of us wants to get a bad review, but yet we have to understand, I think we have to take a deep breath and realize everybody, the best dentist in the world, is going to get a bad review because often it's the patient being angry about, what do you mean there's a copay? Or it's somewhere where a financial situation breaks down rather than a quality of care. In this case, a patient posted a bad Yelp review. The doctor in the office became angry because it wasn't true. And I truly believe it wasn't true. But the mistake they made was they attacked. They got defensive and they attacked the patient, said they were wrong. Well, the patient then contacted the Department of Health and Human Services Office of Civil Rights, who basically police HIPAA. Now, one thing you can't do is release. Protected patient information. You can't talk about the case, the diagnosis, the treatment plan, the actual treatment you did without a patient authorization. Well, when the HIPAA officials, when the Office of Civil Rights officials looked, they could clearly see on this Yelp war that they were talking about protected patient information. That wasn't so bad, but what it opened, it opened Pandora's box. They then did a mail. audit I call it where you receive a certified letter the following has been alleged by a patient we want to see records of training your written policies in your HIPAA manual well they had none of this so you see this Yelp war created this massive problem for this doctor and this is why we've always got to be prepared we've got to have training I recommend annually for all employees Also, HIPAA training is part of the onboarding process for all new employees, and we have to have written documentation. A lot of times people think the problem with HIPAA is, oh, well, my computer has a virus, or I don't have a proper firewall. Usually it's the soft side. Patient's upset. Patient weaponizes it. HIPAA contacts you. You don't have the things you're supposed to have. The problems start. A lot of dentists post cases to social media. You know, that's one of the ways they help build their practice. They show whitening cases before and after. They show crowns or implants before and after. That's all okay, right? Because you're not identifying the patient. So are you saying that in the case that you're talking about here, this particular dentist was responding to a Yelp review and revealed some health information and it pertained to the person that was critical of that office so that it automatically identified that patient? Absolutely. That's exactly what happened, Phil. And you're also right in that you could put something on social media. I could put a picture of your front teeth that we bleached, Phil. That's no problem. But if I showed your full face and people could say, hey, that's Phil Klein, now we have a problem. Or if it said Phil Klein, if that's the case, I better have an authorization from you. So it must be de-identified. Anything that you would put up needs to be de -identified or you have a written authorization. We're going to continue to talk more about social media and the risks of violating HIPAA regulations. But first, I would like to tell you about Cranberry, a leader in infection control products. Cranberry offers a wide range of Level 3 ASTM face masks, including its 360 face mask. These non-pleated masks are designed with less adjustments to curve with your face. and minimize gapping for better protection. They are available in two sizes and feature an anti-fog cushion to reduce fogging on your eyewear. And I can tell you firsthand, as an endodontist, there was nothing more annoying than having my eyewear fog up in the middle of a root canal procedure because of my face mask. So if you're looking for PPE products that are super comfortable and protective, check out Cranberry. Visit cranberryusa.com. So getting back to social media, Dr. Carpenter, is there any need for any documentation on what you do regarding posting on social media? Or is it that because you're not exposing any patient identity, there's really nothing to document or report? You wouldn't even have to report it as long as you were careful to not identify it. Like I always tell doctors who will call, hey, I'm getting rid of all my film-based x-rays. Can I throw them out in the dumpster? Absolutely. You could throw the films out in the dumpster as long as there were no mounts. the mount would identify the patient. If it's just an x-ray, not a problem. That's just an example to show you what you need to think about when it comes to de-identifying anything you put up. In a previous podcast, we talked about identifying an employee in the office or selecting an employee in the office that would be held to account or responsible for infection control protocol. And you mentioned that it's a good idea to have someone who is clinically knowledgeable to do that. Now in HIPAA, that's different as far as who should be responsible. Can you just clarify all that? I will. When you stop and think about it, it really makes sense for ocean infection control. That involves the products we use in the operatory, the treatment we provide, disposal of... waste. Whereas HIPAA, that's all about the business office. So I would pick either your office manager or an organized business office person, somebody who works up front. Is that person responsible for holding meetings and keeping up with all the compliance protocol throughout the year? Well, of course, ultimately, the owner of the practice is responsible. We all know that. They're the fall guy or fall gal if something goes wrong. But what you want to do, assign somebody to do this. Hold them accountable. In other words, you need to meet with them occasionally. Have you gone through this HIPAA audit checklist this year? Because it needs to be done every year. Do we have a record of training, documentation of training of every employee, including that new employee we hired last week? Was the onboard training done? Was the HIPAA training done? So I will say they don't have to be a HIPAA expert. They need to be organized. They need to follow the guidance, for example, on a checklist that we offer people. to make sure these things are done. Not a difficult thing. It requires organization, though. So generally, when I go to a dental office or a medical practice, for that matter, I fill out some forms. Some of the forms are obviously related to HIPAA. Tell us about those forms that relate to the dental practice and HIPAA. The first form that we get in any medical facility would be the notice of privacy practices. I'm a new patient in your practice, Phil. Your business office person gives me your notice of privacy practices, so I understand. How you use and release my information, I need to sign that. You need to scan that, put it into your practice management software, and keep it forever. So that's the most important HIPAA form. Probably the only other time you might need to sign something as a patient would be if you were going to give authorization for some organization or a person to, say, pick up your records. If you're just sending records from one health care provider to another, Not actually necessary. So Dr. Carpenter, in your experience, how do you see the dental profession as far as compliance? Are most doctors following the rules and laws and regulations of HIPAA? Generally speaking, when you do these consultant packages with these offices, are they pretty much in compliance or do you have to really ratchet things up for them to? be in compliance? And the second question is, and you can answer this together, for those that are inspected, are most of these practices found to be in compliance or does that inspector almost inevitably find things that are deficient in the practice? Well, I'm going to tell you to answer the first question. A high percentage of offices are not in compliance and they don't even realize it. Now, it's not that difficult to be in compliance, but listen, we're all busy. Everybody in the office is wearing three or four different hats, so we don't take the time to do it. I would say that offices that we work with on a first-time basis, we will find that a full 90% of them are not in compliance. Many times they don't realize they need to have training for all employees. That's one of the biggest deficiencies we see. They don't realize that that new person needs to have onboard HIPAA training on day one. Also, another area where we find big vulnerabilities is they don't have the written programs they need. There are certain written programs they must have for privacy, for security. They don't even realize they're not in compliance. They're not doing it purposefully. So I would say a very high percentage, probably about 90% are not in compliance. Regarding HIPAA inspections, people will ask me, doctors will ask me, well, you know, I live in this zip code in New York. What are the odds that I'll be inspected? Has anybody been inspected in my neighborhood? Because if they haven't, I'm not too worried. My response is all it takes is a phone call or a letter anonymously from any one of your patients. And HIPAA will address it. They must address it by law. So the statistics don't matter. All you need to do is have that angry patient walk in your office and you'll be inspected. And to take that further, Phil, once they do that, Again, I find about 90% of offices fail because they don't have proof of some simple things. One, training for all employees, including the new employee. Two, they don't have the written documents. I call it the contents of the HIPAA manual, the different policies. So 90% is my number. Pretty high number, isn't it? So the training is so important, and that seems to be. the roadblock or that's the hurdle i should say for many of these offices because training takes time you have to have someone come in and train them or you can do it online i assume how much training does an office need to be in compliance you know i'm going to say ballpark figure about two hours a year for each employee Again, I think that you can do it with us via webinar. You can do it with our online training. But it needs to be done. Now, I also, because I don't like to scare doctors in practices. I don't. Because, again, like OSHA, HIPAA compliance is not that hard. The inspectors are actually quite fair. They're quite reasonable. And like OSHA and even State Board of Dentistry, I think they're almost rooting for you to be in compliance. But when they go in and find you have no proof of training, you have no written policies, yeah, they're a little angry. So don't take this the wrong way. They're not out to get you. It's not that you're going to fail a hip inspection. A little preparation, you'll be just fine. Is that example that you mentioned earlier in the podcast where that person who wrote a bad review, which you call a Yelp war, exposed the dentist through? his kind of angry emotional response, is that kind of like a outlier situation, very atypical? Or is that something that now that Yelp is, you know, it's been around for a long time and reviews are a big part of doctors and dentists and all sorts of healthcare providers, among many other things, of course, is that something a doctor should be really aware of and be on the lookout for? It really is. I will tell you that that is something I see on a regular basis, a HIPAA investigation triggered by a social media war. So that's something we have to be very careful of. And again, remember, read deep. Even if it's the best dentist in the United States, somebody's going to be angry at them and talk bad about them. They're doing that to all of us, to all of our colleagues. Don't take it personally. because this opens up Pandora's box. We don't want this to happen. We can't take this chance. So it's very important that our team all be instructed on proper privacy policy. And that's part of HIPAA training. What would you recommend in closing, Dr. Carpenter, for a doctor that does get involved with something like that, where there's a bad review, he or she wants to respond, but in that response, there's a chance that they're exposing who that patient is by talking about the details of a procedure. what would you say is the best way to handle that? Absolutely, I feel the best way. First of all, I think we need to address a bad review. I don't think we can just go silent. But I think something on the order of very sorry to hear that you feel this way, please contact the office directly to see if we can help you resolve this matter. That's it. Very professional, very clean. You don't sound scared. You've addressed it. Other people see that. And you know what? People are smart. People understand. that sometimes these are personal attacks. But don't go into fighting back and forth. You can never win. Dr. Carpenter, thank you very much. And again, thanks for all your contributions to Viva Learning over the years. I do want to let our listeners know that you have an excellent webinar on HIPAA, on VivaLearning.com, as well as infection control. which is good training, real solid training on VivaLearning.com. And we ask all of you to take a look at that. Also check out Dr. Carpenter's company. that he's had, as I mentioned earlier, for decades. He's got an incredible reputation in the industry. Being a dentist, he's more in touch with all the ramifications and nuances of maintaining a compliant office regarding infection control protocol and HIPAA. And his company is called Compliance Training Partners. Just Google it and you'll find it. In fact, his daughter is very involved in the business and she's doing a wonderful job. So great company to work with if you want to get your office up to speed. Dr. Carpenter, thank you very much. And we'll see you on the next podcast. Thank you, Phil. I really appreciate the invitation. See you next time. If you've been enjoying our podcast, we'd love to hear your thoughts and feedback by leaving a review on your favorite podcast platform, whether it's Spotify, Apple, Google, or any other platform you listen on. Leaving a review is a fantastic way to support us and help others discover our show. Thanks for listening. See you next time.