Patient Owes You Money and Wants Their Dental Records: HIPAA Rules!

You know, it actually was a loyal office manager who hadn't been trained, who'd worked at the practice for many years, who felt she was doing the right thing, felt that he deserved to be paid for his services, but again, hadn't been trained. Ended up costing the practice a lot of money and time because of this. Welcome to the Phil Klein Dental Podcast. While you're working hard in your operatory preparing an MOD on number 15, something is about to happen at the reception desk that will haunt you and your practice for months and months to come. It will also cost you thousands of dollars, and this can happen to any dental office, especially those that don't train their employees on the nuances of HIPAA compliance. It all started when a patient who owed the practice money requested their dental records. To tell us how this all played out and what went wrong and what should have been done is our guest, Dr. Karson Carpenter. Dr. Carpenter is a dentist and expert in OSHA, infection control, and HIPAA compliance and is founder and president of Compliance Training Partners. Dr. Carpenter will be joining us in a second, but first, for the optimal bond between zirconia and your resin cement, check out Bisco's Z-Prime Plus. Rated best in class by thousands of top clinicians, Z-Prime Plus, featuring MDP, creates a strong, reliable bond to zirconia, metal, and aluminum substrates. And nothing could be simpler. It comes in a single bottle, and it's 100% compatible with both light-cured and dual-cured resin-luting cements. It's time you get the most out of your zirconia restorations. To learn more about Z Prime Plus and the entire Bisco adhesive product line, visit bisco.com. Dr. Carpenter, it's a pleasure to have you on the show. Phil, it's great to be back. Thanks for having me. Yeah. So as I mentioned on previous podcasts, when I interview you, we're very fortunate to have really candid discussions about real life situations that all of us kind of have in the back of our mind thinking, geez, I hope this never happens to me, but I'm certainly interested in hearing the story. of what happened to someone else. You know, there's a crime podcast that we refer to, a crime story or whatever the name of it is. True Dental Crime. Yeah, True Crimes. And this one, in this case, True Dental Crimes. And they're not necessarily crimes that we're talking about in the true sense of a crime. However, they do lead to... all sorts of headaches and some very serious implications when it comes to a dental practice. We talked about that in a previous podcast with a pediatric practice that discovered that their instruments weren't sterilized while the owner was away. And they came back and found these open pouches in the trash and the markers that should be black were red. And she contacted you and you really covered it well in that podcast. So I encourage our listeners to check that one out. Today, we're going to be talking about a very interesting situation. And this situation deals with a patient who apparently, according to the dental practice, owed money to that dental practice. So that patient didn't pay their bills that that practice thought were due to them. So when that woman decided to leave the practice, she wanted her health records. And the dental office wasn't so... amenable to that. And I'm going to let Dr. Carpenter tell the rest of this story, but it's very interesting because we'll learn some lessons from this story that I think we all should know as we all practice dentistry. And it's very important to be aware of this. Dr. Carpenter, tell us what happened. I'd be glad to, Phil. And people have asked me before, do you feel bad? Do you feel like you're scaring? your colleagues, when you tell them these stories? I say, no, absolutely. I feel so good about it. I feel so good about telling them these stories because much like OSHA and infection control, HIPAA violations are actually pretty easy to prevent. It's not rocket science, but it requires some organization. It requires some training, not even that much time or money. So I really like telling these stories. And I'm going to tell you this one. This could apply again. to any practice this happened to be a general practice it could apply to a specialty practice it can apply to a medical practice it wouldn't matter in this case it was a general dental practice on the east coast and i find in my experience because we've been involved with so many hipaa and ocean inspections over the years that whereas an ocean inspection is often triggered by an employee a hipaa inspection is triggered by a patient and that's exactly what happened in this case in this particular case i've seen many that are similar to this and here's what happened phil imagine this was a difficult patient by by you know all descriptions we've all had those they owed the practice quite a bit of money uh when the patient didn't want to pay the money they of course decided they would leave and go to another practice And they wanted their records sent somewhere else. Well, they owed several thousand dollars. The office manager made the mistake of saying, we'll be glad to send those records. You need to clear up your bill first. You need to pay for what we've done. Well, that's all it took. The patient contacted the Department of Health and Human Services, their Office of Civil Rights. So the Office of Civil Rights is a subdivision of the Department of Health and Human Services, and they are the ones that enforce. the HIPAA regulations. Now, you might ask, how would this patient have known how to do that? It's so easy. Just Google it up. The Department of Health and Human Services Office of Civil Rights has several videos and they show exactly what your rights are, exactly who to complain to, how to do it. They talk about the fact that the doctor can be fined. I mean, it's... I guess it's upsetting to me to have to tell my colleagues this, but I want to protect you. We're all very vulnerable. The patient found out this information, made the complaint, could have done it anonymously, didn't even do it anonymously. Actually, her name was right in the written complaint. So the doctor came in, opened the mail, and it even said at the top of this complaint, sent via regular mail and email. They then went on to make these accusations. The accusations, basically, this patient says that she can't get her records, that you won't give them to her until she pays her bill. So let's clear one thing up first before we get into the ramifications of this investigation by the Civil Rights Department, which is, as you mentioned, the subdivision of the Department of Health and Human Services. What is the... acceptable protocol for this type of situation where a patient owes money to the practice and is leaving and asks for the records. I would assume without you telling me that the practice, it's their responsibility to turn those records over whether they owe money or not. That's what I would assume. Is that correct? You are correct. And we can all have our own opinions about it, that that's not right. But it's the law. It's a fact. And I implore. implore my colleagues to turn records over quickly if the patient requests them, because we can't win here. And I'll give you an extreme example. My wife, who is a dentist, I remember the time she was so upset because a patient came in. She was offering at that time, I think it was to a particular church, she had an advertisement, offered a free exam and x-rays. The patient came in, the x-rays were taken. the patient took out their phone took cell phone images on the screen right in front of them and said, thanks a lot. I just wanted my free x-rays. I'm going to go to another country to get this done. My brother's a dentist there and he doesn't have an x-ray. Well, my wife was very upset. Fortunately, she consulted a HIPAA expert, me. How do you like that? My wife asked me. And I told her, I said, look, I understand it doesn't seem right. You should have to send those x-rays to her, but you have to. She paid nothing. She took a picture of your screen. You have to, now that she's requesting the actual digital copy, you have to send them to her. So my advice, give up those records, please. So basically, Dr. Carpenter, you're saying that whether the patient pays for it or not, once those x-rays, once those digital films are taken, they are the property of the patient, even though they paid nothing for it. You're right. You're right. We have to disclose those records. The days of not being able to do so. are long gone. And you know, Phil, if it was just the fact that Office of Civil Rights said, look, you can't do that anymore, you need to promise us you won't do that again, a slap on the wrist, that would be okay. But here's what I see almost every time. They use this as, I guess I would say, an excuse, or maybe it's because it's easier for them to paint this with a broad brush. What I mean by this is here, in fact, I happen to have the sheet, the actual data request sheet right next to me here, because I anticipate I wanted to read this to you, sent by the Office of Civil Rights. So imagine, what was the complaint? The complaint was they wouldn't send the records. But here is what they asked for. First of all, number one, a written response to the allegation and the complaint. That makes sense, right? That makes sense. That's where you would think it would end. But no, a copy of your written HIPAA policies and procedures regarding use and disclosure, also privacy and security okay things that have nothing to do with this now imagine this practice this is where they started panicking not for number one for number two wait a minute we don't have a written HIPAA manual with written policies we don't have records of training every year for our employees they actually asked here for not only a copy of your training materials But quote, documentary evidence of assurance that your workforce members have been trained in privacy and security via training sign-in sheets, certificates of completion. So you can see this opened up Pandora's box, didn't it? We'll be getting right back to our guest in a second. But first, we all know that to achieve healthy, beautiful smiles, we sometimes need to align the teeth. And to do so, aligner therapy is a great option. So why not set your practice apart with 3M Clarity Aligners Flex from Solventum, formerly 3M Healthcare. Designed for comfort, Clarity Aligners Flex feature a thin, flexible design, yet they deliver excellent force persistence over a two-week period. Plus, they resist scratching and stains, and they're backed by a dedicated clinician team providing support every step of the way. With a variety of affordable case type options, single or dual arch, Clarity Aligners Flex offer a great value to your patients and practice. To learn more, visit 3m.com slash clarity dash aligners dash flex. It sounds like to me it's a form letter that goes out to people that there's complaints made against them and it's coming from the Civil Rights Department, which is part of the Department of Health and Human Services related to HIPAA. But in that training material that They're asking you if you have documented. Is there anything in the training material that says if a patient doesn't pay their bill, you still have to hand over the records? Well, absolutely. In the training that we provide at Compliance Training Partners, whether it's online or live or webinar-based training, that's one of the things we stress, that you have to give up records. Also, the fact that you have to have this, among other things, in your written policy. So our written policies always cover those things. So the way the system is set up, if a patient, has a relative who's a dentist or a doctor, and they want to show an MRI or a CAT scan or a CBCT film or whatever. Radiographs that would typically cost hundreds of dollars, they can get that for free. It's a scam, but they could take advantage of the system and get that for free and then turn it over to someone who's qualified to use it as a diagnostic tool, completely taking advantage of the system, which hopefully doesn't happen very often, but it sure seems like it's unfair to the provider. What you're describing? Absolutely. Absolutely. That can happen to them. It has happened to them. We also deal, although I'm trained as a dentist and so many of our employees at Compliance Training Partners have dental backgrounds, we deal with physicians across the country as well, as well as veterinarians, interestingly enough. Of course, animals don't have HIPAA rights yet. Maybe they will someday. But we have seen many medical practices with very similar things happen to what's happening in dentistry. So one way of handling that, of course, which is probably not done very often in a dental practice, is to show the patient what you're doing that day, collect the money, and then render the services. So if they request their records, it's paid for. Now, they do this in the veterinary office all the time. When I bring my cat in, they do a quick exam. Before they do anything, another person comes in with a clipboard, says this is what we're going to be doing today, and they ask for a credit card. Once the credit card is run through, I sign the document, they take the cat, render the services. And I'm sure that most dental practices don't do it this way, but that would certainly obviate the issues related to a patient requesting their records and not paying their bill. You know, it's interesting, Phil, because that almost becomes a practice. It's this what makes our podcast fun. This turns into a practice management situation. Certainly, it can be your policy in a dental practice to request payment before any procedure is done. that most of my colleagues particularly general practitioners will say that just won't fly though in my practice many of my colleagues who are specialists that will because it may be for example when you practice endodontics and i send a patient to you that may be the only time you'll see them i think the patient is pretty accepting of paying for everything first it seems that the standard in a general practice is to do the procedure And then have payment, particularly for diagnostic procedures. But certainly you could have the policy you described and that would eliminate some of those bad feelings about not being paid. Yeah. So I guess you have to look at the big picture and to build a practice for better practice marketing, being perceived in the community as a caring, wonderful dentist. I guess it's worth doing it the old fashioned way and hoping you get paid. And for those that don't pay, it's a small percentage. I guess it's like a credit card company. You write it off as bad debt. But overall, what we've learned from this discussion so far is that if someone doesn't pay and they ask for their records, You have to turn it over to them. HIPAA law is the property of the patient. Even though it hasn't been paid for, you need to give those records up. The good news is, and I think everybody would agree, most people are honest. Most people are decent. It's a small percentage. But I think that we have to, again, practice defensively. And to me, that means protecting your business. Even if that patient hasn't paid for that diagnostic imaging and they owe you a couple thousand dollars for restorative treatment, you can deal with trying to collect that afterwards with a collection agency if you want. But for now, if that record needs to be sent, send that record so you don't end up with a letter. from the Department of Health and Human Services. Yeah. And some of the things that I've learned from talking with you, Dr. Carpenter, throughout our podcast series that we do, we do about four to six of these a year, is that the unexpected happens to you based on something that happens beforehand. In other words, what I'm trying to say is you do something that may not be particularly related to the ramifications of what you've done. And that means you have to be prepared. in advance for the possibility of being audited or that surprise inspection by a regulatory person like OSHA. And you've talked about this in the past, disgruntled employees. That person is not pushing their weight. They're not doing their job. They're disruptive and they're toxic to the other team members. So you fire them. And that disgruntled employee knows things about your practice that they know you will be vulnerable. in the event of an inspection. So they report it. And the moral of the story is, whatever you do with other people, whether it's your patients or your employees, you're vulnerable to those people that are unhappy with whatever happened, and they could report you. And it's very important, like you say, and that's your whole business, your whole business is based on that, is being prepared. So tell us how a dental office, at the minimal level, should be prepared for HIPAA. Since that's what we're talking about today, the minimal level. I'm glad you asked that because there is a real pleasant part of this story. And that is, I've also been involved in a number of inspections, letters like this for data requests, where the office did have written policies, a HIPAA manual with written policies, did have annual training. And I'll tell you, Phil, I feel that... Office of Civil Rights wants these things to go away. They don't seem to be out to get you. They really don't. They're almost saying, look, please send me this stuff so we can sign off on this and be done. I've been involved with many inspections where the letter was almost identical to this. They request written policy. You send it. They want certificates of training, training logs. You send it. and the problem goes away very easily so to me what is the minimum you need to do to prepare for something like this first of all make sure all staff members have documented HIPAA training that's one of the reasons that our training is also available online is that you hire that new employee it needs to be part of the onboarding process You need to be able to print a certificate of completion. I really like there being a certificate of completion from a third party. This has saved many an inspection. The second thing is having a written manual with written policies for privacy and security. These things can make these inspections go away quite quickly. So getting back to that case, Dr. Carpenter, where the patient requested their records and the office manager said, no, you owe us money. When you pay us, you'll get the records. What is the potential fine there? Does it vary or is there a typical fine for that kind of HIPAA infraction? You know, I'm going to say that the fines I see normally aren't life-changing. It might be a $5,000, $10,000, $15,000 fine. I have seen some that went into six figures where the doctor was so upset they just decided to ignore them and not even answer the complaint. Then not even be willing to go in to meet with an administrative law judge and then be fined an enormous amount. But I'm going to tell you, you don't have to be afraid of a fine. I think for most of us, let's say a $10,000 HIPAA fine. That's not going to make us bankrupt. You don't feel good about it. But what will hurt you far more than that is the fact it's not just that they want the money. They want to see documentation and evidence of training. They want to see copies of your written policies. They often want to follow up. Time is money in dentistry. To me, what you have to do to prove that you're now in compliance costs far more than the fine. So my advice, do this stuff ahead of time. It's not expensive. It's not time consuming. And you'll be bulletproof. In the case that we're talking about here where the practice didn't turn over the records, was that a decision made by the person behind the front desk? Was it even known to the dentist that that person who was talking to that patient and knew that they owed money was not going to turn those records over? You know, it actually was a loyal office manager. who hadn't been trained, who'd worked at the practice for many years, who felt she was doing the right thing, felt she was protecting and supporting her doctor, who she thought quite highly of, felt that he deserved to be paid for his services, but again, hadn't been trained, ended up costing the practice a lot of money and time because of this. Bottom line, it was the doctor's fault, but she meant no harm. She tried to do the best. The best she knew how. That was the problem. Right. So it wasn't an intentional violation of HIPAA law. No. It was just something she felt was the right thing. And I do understand where she's coming from. But law is law. And if it's part of the HIPAA regulation, and that falls under, that's a federal law. Federal law. Yeah. It is. It is a federal law. Yeah. So I mean, I know HIPAA. Training for all employees and training before they begin the duties of that job. So we need to have documented training that will prevent most of your problems right there. And you stop and think about it too, Phil, that this really ended up costing this practice money in terms of lost revenue in another way. If they were a compliant practice that immediately sent the records as they should, even if that patient complained, they had the documentation of training, they had documentation of their written manual. Okay, now after the fact. Now you can go to that collection agency and collect that money. Whereas when something like this happens, believe me, they just walked away from not only what, in this case, ended up being a HIPAA fine, but they walked away from that. In this case, I think it was about $4,000 the patient owed. So if you do things the right way in the long run, it's typically less expensive. In reality, they didn't really fulfill the services by not giving her the records. So then you can't chase somebody for money. For something they owe you that you haven't given them. But I mean, yeah, there's a fine line there, but that's a good point. That's a very good point. They had no chance of collection based on that. Well, that office manager needs to review that training, that annual training very soon if she has not already. So hopefully she has. Let me tell you, anybody who we help with an inspection like that, they soon become a very good client because they realize the value. And typically the response is, They just didn't know. They feel really bad about it. They want to do the right thing, but without training, you can't do the right thing. Yeah. What happens to those people is that when they retire, and I'm talking about the office manager that did this, when they retire, they go on the speaking tour and they tell everybody, here's what I did that I screwed up so badly. And I am here to teach you never to do this. And I am very well experienced to be able to be a mentor to you on this topic. um well and i really hope that that our discussion i i really for our colleagues listening uh don't be scared by this just make this a call to action again this isn't rocket science. It's just like OSHA, easy stuff, but put it on your to-do list, assign it to somebody in the office. I always say for OSHA, make it a trusted clinical person, but for HIPAA, make it a trusted business office person, typically an office manager who makes sure that training of new employees is done, that the written policies are there, and that patients are treated properly when it comes to HIPAA regulations and release of data. Yeah. And what's really good about working with your company, just to plug for your company, and I know you personally for many, many years, you have a great operation compliance training partners, and I'm talking to the audience is that they could reach out to you in the event of a situation like we just described, or in the event when a dentist realizes that instruments were being used for a week and a half while this person was on vacation and they weren't fully sterilized. You need somebody to talk to that knows. the ropes, because they have been through this time and time again. You have not. This is new to you. So your decision on what you're going to do following these kinds of events are critical. That first move within a period of time, it has to be done quickly. And the idea is to get that information from an expert and compliance training partners offers that service. And Dr. Carpenter is an expert in this. He's been teaching for decades on this topic. So again, we're very happy to have you on the show, Dr. Carpenter. Thank you very much. And we look forward to more episodes in the future. Thank you so much. Thanks again, Phil. Look forward to coming back.