Nearly everyone has problems and concerns on the job, and sometimes you're just too close to a situation to solve something yourself. Share your concerns with Team Troubleshooter, and the experts will examine the issues and provide guidance. Send questions to [email protected].
QUESTION: A dental hygienist recently did some repair work on a patient, then took before-and-after photos of the patient's mouth using his (the hygienist's) personal cell phone. He then posted the photos on his Facebook page. The patient was not identified by name but, in addition to the photos, the hygienist described what caused the damage that led to the repair work and what procedure was done to correct the issue. He then added a sarcastic comment related to what caused the need for the dental repair work.
I don't know if the patient gave consent for the hygienist to post the photos on his Facebook page, or if he gave consent for the hygienist to describe the specifics of the cause of the damage that led to the repair work.
So here are my questions: even though the dental hygienist didn't reveal the patient's name, did he commit a HIPAA violation by posting photos and giving specific details of the patient's repair work?
Also, if it was a HIPAA violation, is the hygienist the only one who could potentially face penalties, or could the dentist-owner where the hygienist works also somehow be held accountable and face penalties?
ANSWER FROM LINDA HARVEY, The Linda Harvey Group, Compliance/Risk Management Strategist:
Protecting patient privacy and confidentiality is clearly mandated under HIPAA Privacy Rules. If this hygienist obtained a proper HIPAA-compliant authorization from the patient prior to posting the information, there was no violation. However, given the hygienist's sarcastic comment, my risk management radar says otherwise. If that is the case, this individual clearly disregarded his legal and professional obligation to safeguard patient information and opened himself and his employer to possible HIPAA violation charges.
Here are several key points to consider:
The Privacy Rule clearly defines 18 elements of information or identifiers about a patient that constitute protected health information (PHI). This includes full-face photographs and other comparable images.
Covered entities, including dentists, are required to have policies and procedures for disciplining employees who violate the practice's HIPAA policies. This individual should be disciplined by his boss if he did in fact violate the policies.
In this situation, under the Breach Notification Rule, the employer needs to evaluate the event and determine if it meets the threshold for reporting it to the Office for Civil Rights (OCR). The office should also call the patient and apologize before the patient finds out from other friends on Facebook.
Take down the information. Backups made by Facebook and/or screenshots of the information taken by friends of the hygienist could result in the information being inappropriately redisclosed to others.
Respecting patient confidentiality and privacy has always been a cornerstone of professionalism. Now given specific legal requirements under HIPAA, it's critical for all dental professionals to understand and follow these laws.
This Troubleshooter originally appeared in 2017 and is updated regularly.
More popular Troubleshooters
Don't be shy! If YOU have a tough issue in your dental office that you would like addressed, send it to [email protected] for the experts to answer. Remember, you'll be helping others who share the same issue. These who assist dental professionals with their various issues do so because they're very familiar with the tough challenges day-to-day practice can bring. All inquiries are answered anonymously on DIQ.