Julian Perez, Senior Vice President, Risk Management & Compliance, dentalcorp
The original Hippocratic Oath, one of the oldest binding documents in history, dates back to the fourth century B.C. A 1943 translation of the Oath reads, "What I may see or hear in the course of the treatment or even outside of the treatment … I will keep to myself." Much has changed in the 2,500 years since Hippocrates swore never “to use the knife;” however, the notion that doctors owe patients an ethical duty of privacy has withstood the test of time. Modern dentists must comply with federal and provincial privacy legislation, as well as professional misconduct regulations that reaffirm the duties of privacy, confidentiality, and professional secrecy.
Despite privacy’s well-established roots in healthcare, dental practices occasionally struggle to meet the detailed requirements of privacy laws as well as patients’ increasingly high expectations. The rapid pace of technological change is another challenge that, if not managed carefully, can too often result in unintended consequences.
Below are five scenarios loosely based on real-world cases. Each case demonstrates a unique way in which a privacy breach can occur, as well as the serious consequences such breaches can have for health professionals and their businesses. Each scenario is paired with observations about the way dental office teams work and key learnings to help you prevent similar breaches.
Scenario 1: A lack of professionalism on the golf course
On a balmy September Sunday, two dentists were out golfing with a few team members from the office. As the group approached the third hole of the course, one of the dentists noticed that Brett Wiggins, a patient and prominent member of the community, was finishing his round and heading back towards the club house. Dr. Nina commented to her team that it looked like Brett was golfing with his new business partners. A receptionist who had a good rapport with Brett called out jokingly as they crossed paths, “Hey Brett, I hope you got a hole in one! Speaking of which, don’t forget your filling appointment on Tuesday.” Brett responded that he would be there and waved as he walked away. Later that afternoon, Brett sent an angry email to the office saying that he thought the comment was in extremely poor taste. He requested his chart be transferred and notified both dentists that he had filed a privacy complaint with their regulatory body. Both dentists were reprimanded by the Dental College and required to take remedial courses in privacy, ethics, and professionalism.
Lessons learned:
Although the receptionist meant well, her statements were a clear breach of patient privacy when she called out to the patient on the golf course. Obviously, the patient did not wish his business partners to know that he had a cavity, and the dental office had no right to disclose that to them. All personal health information must be protected, and one cannot know what another will find embarrassing. Further, the professionalism expected of healthcare providers requires avoiding certain behaviour that might be acceptable for those who engage in other kinds of businesses. The key learning here is that the professional duty of privacy applies to each member of the staff and must be observed within the office as well as outside of it.
Scenario 2: The box that was left behind
On a cool March afternoon, ABC Dental was in spring cleaning mode. Eight months earlier, the office had made the switch from paper records to a digital practice management system. It took a while for the team to get used to the new way of recordkeeping, but by March, they were excited to leave paper charts behind for good. Indeed, they had plans to repurpose one of the records rooms for 3D scanning and patient consultations. To speed that plan along, they started to purge the office’s old documents and records. ABC Dental had been open for three decades and some of its patients hadn’t been back in over 20 years. After the records were placed in boxes, the boxes were carried out through a convenient side exit near where a document destruction truck was parked. Because the side entrance kept locking, an Associate dentist decided to use a box of records to prop it open.
After confirming the records were shredded, the Practice Manager went back into the office through the front door. At the end of the shift, an Office Administrator was getting ready to go home when she noticed the side door was still propped open. Seeing a box there, she figured someone had left the recycling and kicked the box out of the way towards the recycling station in the laneway. Later that day, a concerned citizen noticed the box contained some clinical records and reported it to the privacy commissioner. The privacy commissioner’s office contacted the dentists the next day and informed them that leaving so many records unattended was a serious breach and that the patients whose records had been abandoned would have to be notified. To make matters worse, an investigation had been opened to see whether any fines should be levied against the office.
Lessons learned:
Leaving a box of dental records in an alleyway might seem innocuous, but privacy requires much more than confidentiality. Rather, privacy requires active protection of patient data, and to comply with privacy laws, healthcare providers must protect patient information from intentional and inadvertent disclosure alike. The key learning here is that every dental office should develop clear procedures for handling personal health information and put systems in place to ensure that those procedures are followed. If your practice is going through a conversion from paper to digital files, a useful resource is found here, courtesy of the Alberta Dental Association and College.
Scenario 3: The failure to communicate and redact
Dr. Smart was a diligent dentist who loved to learn and had a passion for sharing his experiences with other dentists. In his fifth year of practice, he discovered a solitary mandibular bone cyst in the panoramic x-ray. He investigated it thoroughly and was able to track its progression over time. Ultimately, the cyst was deemed to be a benign schwannoma, but its growth rate and pattern were unusual. After the case was resolved, he asked the patient whether he could write up a case study and submit it to a journal for publication. Ms. Scholar, the patient, was herself a scientist and happy to contribute as long as she was not identified in any way. Dr. Smart was very pleased when the case study was accepted by and published in a prestigious peer-reviewed journal. As soon as he received a copy of the article, he sent it to Ms. Scholar along with a thank you note. About two hours later, Dr. Smart received a furious response from Ms. Scholar, who was disappointed and shocked that he published her name after she had said not to. Dr. Smart was confused and responded that he had redacted all personal identifying information. Ms. Scholar quickly wrote back that her “name was written on the x-ray!” At that point, Dr. Smart realized nobody had reviewed or redacted the small captions on the x-rays. He had assumed the journal’s editors would do that, and the journal staff had assumed exactly the opposite. The result was that a magazine containing Ms. Scholar’s name and medical history had been mailed out to over 2,000 dentists in North America. Ms. Scholar told her now former dentist that she would be speaking with a lawyer.
Lessons learned:
We can all sympathize with Dr. Smart; the article he was so excited to write ended up becoming a huge headache. Anyone who has redacted dental or medical records knows how difficult it can be to remove all personal identifying information. The key learning here is that anytime documents are being released to someone other than the patient, mere consent is not enough. Rather, healthcare professionals must always ensure the release is in accordance with the scope of the consent provided. Consent is not an all-or-nothing proposition, so pay attention to the wording of the release. If ever in doubt, provide the patient with the records that you will be releasing beforehand and check whether they object to the disclosure of any information within those records. Had the patient received the article before it was published, things would have ended very differently.
Scenario 4: A breach is a breach
Corrie, a dental office treatment coordinator was married to Beatriz, a woman who worked as a bookkeeper in a different dental office. At home, Corrie and Beatriz often joked about whose office was better and each tried to prove that their dentists, patients, and colleagues were superior. Over time, this debate migrated to email, and the spouses would often send messages to each other during the workday. After a few weeks, the emails started to include screenshots of day sheets, financials, patient charts, and other information. The purpose of the screenshots was to support an argument that one of the offices had more patients, a busier schedule, better financials, or more interesting cases. One day, a receptionist at Corrie’s office discovered hundreds of these emails in the sent folder of the shared office email and immediately reported it to the principal dentist. Concerned for his patients’ privacy and alarmed that the information was being sent to a competing dental office, the dentist reported the matter to the privacy commissioner, who in turn referred the matter to the police. After investigating the matter, the police did not press charges; however, the privacy commissioner ordered that over one thousand affected patients would have to be notified. To pour salt in the wound, the embarrassing matter ended up in the local news. As a result of the notifications and publicity, both offices lost large numbers of patients who asked to have their charts transferred to a dental office that would be more careful with their sensitive information.
Lessons learned:
Corrie and Beatriz never had any intentions of misusing patient health information—they were just competitive and playful spouses. While this case had a very severe outcome, the mishandling of personal health information should never be taken lightly. The key learning here is that a breach, no matter how innocent the intentions of the person sending or receiving the information, is still a breach. Serious consequences can result from a breach of privacy, even if it was all in fun. Just as there is no privacy law exception for playfulness, there is no exception for sharing private patient information with friends or family members. All team members should receive training that emphasizes the importance of safeguarding private information at all times. Dental offices should also have policies in place that govern how and when sensitive data can be sent outside the network, including through email. A guide on communicating personal health information by email can be found here.
Scenario 5: IT knows best
Dr. Dentico had recently started to take on more complex orthodontic cases. Dr. Dentico was a hardworking perfectionist, which meant that she was spending several nights a week working from home on ortho treatment plans. After a few sleep-deprived weeks, Dr. Dentico grew tired of preparing charts to take home. She decided instead to use her network’s remote access program to simply sign into the clinic’s PMS from home. When she started, Dr. Dentico intended to change the default password to the remote access program, but she never got around to it. Her IT service provider told her that there were safer ways to work remotely, but Dr. Dentico didn’t think the investment was worth it. One Thursday morning while Dr. Dentico was driving to work, she received a frantic call from her receptionist. When the receptionist arrived at work that morning and tried to boot up the network, the system shut down. When she restarted the computers, a strange icon appeared on the screen saying that all the files were encrypted and that $20,000 in bitcoin would be required to unlock the files. Without access to the PMS, the office had no medical histories, treatment plans, or x-rays to review, so the office had to cancel several days of patient visits. Dr. Dentico immediately regretted her decision not to invest in the backup system her IT consultant had recently recommended. After notifying the privacy commissioner and the police, Dr. Dentico decided to cut her losses and pay the ransom.
Lessons learned:
Dr. Dentico opened a remote access to his practice’s network so that she could provide her patients with better care. But we all know what they say about good intentions. Leaving aside her dedication to excellent patient care, Dr. Dentico made multiple mistakes. The first mistake was ignoring the advice of her IT consultants about the risks of the program she was using. Her second mistake was failing to change the default password. Dr. Dentico’s third strike is that she did not have a robust backup system in place. The key learning here is that every dental office should ensure it has a reliable IT partner and listen to their advice to make the office less vulnerable to cybersecurity events. Ransomware is on the rise and every person working in a dental office must be vigilant.
As originally published in Oral Health.
About the Author
Julian Perez is the Senior Vice President of Risk Management & Compliance at dentalcorp and is responsible for the development, implementation, and oversight of company-wide standards, programs, and systems to support practices in the delivery of optimal patient care. Julian has a robust legal background having worked for a Wall Street law firm in Manhattan as well as a professional liability program providing malpractice defense to over 10,000 dentists. Julian holds a bachelor’s degree from Yale University and a juris doctorate from Columbia University’s School of Law.