Thursday Troubleshooter: Are patient names on dental lab labels a HIPAA violation?

Oct. 17, 2013
HIPAA leads a lot of dental offices to question proper procedure

QUESTION: Is it a HIPAA violation for a dental lab to have the patient’s name on a label on the outside of the case box being shipped to the office via UPS, FedEx, or U.S. Postal Service? Our lab insists it is not. I am concerned, and I’m trying to get a Business Agreement with the lab, but if they continue the practice, I’m afraid we’re liable.

ANSWER FROM MARY GOVONI, Mary Govoni and Associates:
I’ve experienced this situation in several offices when I’ve been training the team — The UPS or FedEx driver will bring in the lab boxes and read off the names and what the cases are. In two situations, the delivery person knew someone by that name. One of them commented, “I didn’t know she had dentures.” Yikes!

Having the patient’s name on the outside of the box is not a HIPAA violation, but I don’t understand why it needs to be there. Listing the patient’s name and what the case is (e.g., denture), however, violates HIPAA privacy rules. I recommend to all of my clients that they have conversations with the labs they work with about these types of issues. I also recommend that practices have Business Associate Agreements with their labs for additional emphasis on the importance of protecting patients’ information.

ANSWER FROM OLIVIA WANN, RDA, JD, Modern Practice Solutions, LLC:
I would suggest the dental lab not place a label with the patient’s name on the outside of the box. I’m having difficulty reconciling in my mind why this would be necessary. On the other hand, I’m not classifying this as a “violation.” Keep in mind that health-care providers mail prescriptions, devices, patient care items, and more to patients routinely, and this is not considered divulging identifiable protected health information. The information is protected within the box.

Regarding the business associate agreement, dental labs are considered health-care providers, and as such, a business associate agreement is not necessary because sharing information with the lab is part of the patient’s health-care operations. Additionally, dental labs do not usually receive identifiable protected health information. Helpful information that discusses this subject further can be found at www.ada.org and www.hhs.gov. I hope this helps!

Good question! But first I would like to address the Business Associate Agreement (BAA) with the dental lab. I applaud you and your mindset! Too many dental offices receive letters from dental labs stating they’re health-care providers and do not need to sign BAAs. If a health-care provider actually does not own the dental lab, then the lab is not a health-care provider. And what the ADA told an office back in 2003 does not hold the same weight 10 years later following the HITECH Act and the Omnibus Rule.

You must look a little deeper into this subject. Let's take the state of Virginia. The Virginia Board of Dentistry states that a lab slip is a prescription. The Board also states they do not regulate or have control over dental labs. Additionally, it is not mandatory to have a Certified Lab Tech on premises. What does that mean? It means any person who wants to open up his door and hang up a sign stating he or she is operating a dental lab may do so.

The Omnibus Rule states a prescription is PHI (if the script is going to a third party from the doctor's office). We know dental lab slips are a prescription, so dental lab slips are then considered PHI. Get your dental lab to sign a BAA. If they won't sign? In my opinion they don't want the inconvenience of training their employees. If your patients knew their crown or bridge was being designed and fabricated by a dental lab that does not care about training its employees in the privacy and security regulations, would they feel safe giving that dental lab any of their information? I know I wouldn’t, especially if the patient was one who did not tell a spouse or anyone else they were getting a denture. So far I’ve had a 100% success rate on my clients getting their BAAs from labs; you just don't take no for an answer.

As far as a first name on the box of a lab case? If the postal service is safe under HIPAA, and patients have their name on return envelopes, having a name on a lab box is not a big deal, unless you have the case info on the box and you’re keeping the boxes stacked up in the front waiting room for all to see. When the mail carrier comes in, take the lab boxes directly to the lab. Done!

HIPAA is not hard, or as strict as companies who want you to purchase from them would lead you to believe.


Do YOU have a tough issue in your dental office that you would like addressed?

Send your questions for the experts to answer. Responses will come from various consultants associated with Speaking Consulting Network, Dental Consultant Connection, and Academy of Dental Management Consultants. Their members will take turns fielding your questions on DentistryIQ, because they are very familiar with addressing the tough issues. Hey, it's their job.

Send your questions to [email protected]. All inquiries will be answered anonymously every Thursday here on DIQ.