You have just finished a long day in the office, and you and your wife are out to dinner with friends. You forgot to log out of your Gmail account, and your cell phone, sitting on the table, suddenly beeps with new mail. You look at your phone and reflexively open the mail and the attachment. Suddenly, your friend sitting next to you says “Hey, that’s my boss! Those are some messed up teeth.” What is your reaction and or response? It turns out that one of your former residents sent you records of a new patient, this patient, asking you for some advice. Did you breach this patient’s confidence? Did you just engage in a Health Insurance Portability and Accountability Act (HIPAA) violation? Did your former resident do either of these? Did he have the patient’s consent to do what he did?
These questions can manifest themselves in different ways: most commonly through the “curbside opinion.” But it is important to understand that any transmission of patient information that relates in any way to their care falls under the umbrella of teleorthodontics and may bring into play legally mandated privacy considerations. Any transmission of patient information that relates in any way to marketing or practice promotion or development may run afoul of ethically mandated privacy concerns and also may provide the groundwork for civil litigation against you. Also triggering privacy concerns is the fact that today, many of us share patient information via various social media platforms.
As stated by the American Association of Orthodontists Principles of Ethics and Code of Professional Conduct (adopted 1994, amended through 2009) Principle III, Advisory Opinion B, “Members shall maintain confidentiality of patient records.”
Teleorthodontics is the use of information technology and telecommunications to facilitate orthodontic consultation about the care to be rendered, the practitioner, the patient, and public education, as well as promoting public awareness. The attitudes of orthodontists and general dentists toward teledentistry have been assessed by several authors and support the use of teledentistry in making orthodontic consultations more accessible to dentists and patients. On the other hand, referrals of orthodontic cases via teledentistry, as discussed in several studies, are creating new ethical and legal dilemmas.
In Europe, national protocols have established clinical photographic standards. Data obtained by medical photography are regulated by the Data Protection Act, which focuses more on data storage. According to the act, “Personal data shall be processed fairly and lawfully. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data.” The use of teleorthodontics mandates the need to address certain ethical issues as well as the need to comply with the HIPPA Privacy Rule, which protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
It has been suggested that the patient should be informed of the intended use of the photographs and the security measures in place to protect privacy. The patient should provide his or her informed consent for each use of a photograph, whether for diagnostic or educational purposes or other uses. An important dilemma in today’s technological climate would be to inform the patient as to who will be analyzing the images and how the images will be transmitted. One option would be to secure images with watermarking and transmit them with encryption or through private networks, based on the guidelines of the American Telemedicine Association.
Related to the concept of informed consent, our scenario presents a situation in which orthodontist-patient confidentiality was breached. In our scenario, the patient was not aware that his medical information was accidentally seen by another person; therefore, he certainly did not consent to the distribution of his protected health information. Unauthorized use of patient medical information may also occur in situations in which identifying images from a teleorthodontic case are used in scientific presentations or when unauthorized persons overhear or see video conferencing consultations.
This is a multidimensional ethical dilemma, especially when we deal with the pediatric and adolescent populations. Solutions include an informed written consent followed by encrypting the pictures to be shared among various providers and allowing this within a limited period of time. The delivery of health care and the storage of medical information on devices such as mobile phones, personal digital assistants, and laptop computers raises concerns about the protection of a patient’s privacy and the violability of health care information.
Ways to maintain security and protect the storage of patients’ medical information must be addressed when implementing teleorthodontics. To ensure that patients’ confidentiality and privacy are respected, information must be adequately protected whenever transmitted, stored, or received in a teleorthodontic consultation.
With this is mind, one only need to look at 45 CFR Section 164 to see existing federal regulations mandating that technical safeguards be in place regarding the electronic transmission of a patient’s protected health information. Section 164.312 (a)(1) notes that we are required to implement policies and procedures to only allow specifically identified people access rights to the protected health information in question. Section (a)(2)(iv) mandates that we have a mechanism in place to encrypt and decrypt electronic protected health information. Subsection (b) requires us to have an audit mechanism to record and examine activity of whatever systems we use that contain our patients’ protected health information. Section (c)(1) requires that we have policies and procedures to prevent protected health information from being altered or destroyed. Subsection (d) requires that we ensure that the one seeking access to a patient’s protected health information is the person actually authorized to do so. Finally, subsection (e)(1) mandates that we protect against unauthorized access to a patient’s protected health information when such information is transmitted over an electronic communications network.
Going back to your dinner, you should apologize to your friend regarding the inadvertent “leak” of another’s protected health information, enlighten him about the shortcomings and problems associated with this issue in today’s society, and most importantly, call your former resident to apprise him of the dissemination of his patient’s protected health information, thus allowing him to evaluate his HIPAA compliance protocol.
Our American Association of Orthodontists policy regarding teleorthodontics is woefully inadequate, as is evidenced by the meager attention paid to patient confidentiality in our code. We, as an organization, need to address this issue sooner rather than later.
We also need to recognize that society today has changed and that millennial practitioners have a totally different sense of their professional role and the values inherent in professional practice than do their elder peers. Although certainly every generation has promoted its share of change in why and how we do what we do, the incredible advances in technology over the last generation have way outpaced our ability to deal with the fallout technology generates as it evolves. I believe the Internet has created a scary place in which we find ourselves practicing, and this environment is fraught with danger from many fronts: one of which involves our use or misuse, as the case may be, of teleorthodontics. There is potential risk exposure in the criminal, civil, and, most importantly, the administrative arenas for an unsuspecting practitioner.
One of the simplest things we can do to protect ourselves is to engage in a little “defensive dentistry” in the form of enhancing our informed consent process. HIPAA protected health information confidentiality breaches and other privacy concerns, inadvertent and otherwise, can be mitigated with enhanced informed consent documents that memorialize the patient’s consent to how protected health information will be used in the orthodontic environment. A simple paragraph like the one below, added to your informed consent form is, if nothing else, a good starting point.
Like all health care services, my doctor may have to consult with other health care professionals concerning my treatment. The consultation may be oral or written, and may be transmitted electronically on the Internet, particularly by e-mail. Any such transmission will contain some of my protected health information and may be inadvertently seen or read by persons other than the consulting practitioner. Permission is hereby granted to exchange medical and dental information about me or my child over the Internet only as it relates to diagnosing, providing, or paying for my treatment. In addition, I give my permission to use photographs, x-rays, models, and clinical data about me or my child in scientific publications and presentations and for no other purpose.
Another simple thing we can do is to deidentify our patients as much as possible when we transmit protected health information electronically. The following are commonly used deidentification tactics.
Remove geographic subdivisions that are smaller than a state such as the patient’s home city, street address, county, and full zip code.
Remove all dates related to protected health information such as birth date and dates of treatment.
Remove all contact information such as phone and fax numbers, e-mail addresses, social security numbers, medical records numbers, account numbers, insurance plan numbers, and vehicle or drivers identification numbers.
Remove IP addresses and URLs
Remove or block out certain aspects of full-face photos and other comparable images (if possible given the particulars of the circumstance) and any unique identifying marks or characteristics.
For me, this is real simple. Just stop sending anything and everything over the Internet nilly willy. I cannot imagine that all the posts and blogs I have seen on the Internet regarding “how would you treat this patient” have been authorized or expected by the patient. If it’s for real, you first tell the patient that you want to discuss her case with Dr Smith and that you would like permission to send her records to him; don’t send them out into cyber space to elicit comment from any number of unknown persons. When she says okay, and she will (if she doesn’t, you should immediately start to be concerned about whether this will be a problem patient), make sure that her records are encrypted in some fashion. Tell Dr Smith to expect the records; you should have an understanding with everyone you do this with that patient privacy is a high concern for you and your patient, and you expect full HIPAA confidentiality on his end. If he is the type who can’t do that, find someone else for your second opinion.
Think about it this way. Would you want your kid’s protected health information plastered all over the Internet because the doctor treating him doesn’t view this as a big deal, since everyone is putting everything out there? It is totally conceivable that some nefarious people will get your kid’s protected health information and then what? We are doctors, we have taken an oath to protect a patient’s privacy, we have to do what we have to do, but we can be either smart or stupid about it. As Forrest Gump said “Stupid is as stupid does.”
Oh, one more thing. We now have companies using imaging technology to facilitate patients performing do-it-yourself orthodontics to greater or lesser degrees, and to allow doctors to monitor the progress of a patient’s treatment from a remote location. Some of these applications clearly cause concern; others may turn out to be a good thing in some ways. Only time will tell. One thing is for sure: we need to take a good hard look through the appropriate prospectascope and as a profession start to develop some guidelines or parameters regarding acceptable and unacceptable uses of this technology. We can be part of the problem or part of the solution.