Legal Insights HIPAA compliance, Online Reputation & Copyright

Transcript of Episode:

Jonathan Fashbaugh:
Got questions about HIPAA compliance, reviews and online reputation, social media, copyright. I just wish we had someone we could ask.

Trey Lawrence:
Hey, I’m an attorney. Let’s talk about those questions today.

Jonathan Fashbaugh:
On Marketing Chairside.

Speaker 3:
Welcome to the Marketing Chairside Podcast by Pro Impressions Marketing. Where the team covers a variety of dental marketing ideas to help you attract more new patients in the quantity and quality you need to grow your practice.

Jonathan Fashbaugh:
Trey, what percentage of your clients are dental offices?

Trey Lawrence:
Well, okay. That’s actually a really complicated question. Much more complicated than it needs to be. So as general counsel for the AAO, for the American Association of Orthodontists, actually technically my only client is the AAO as an organization. So the technical answer is 0%. The reality is that I interface with our members every day on legal questions from them. So I can’t legally represent them, I can’t give them legal advice, but individually, we give them a lot of answers to their questions specifically and then we also put out all of the informational resources, the legal resources for AAO members. So in that respect, 100% of the people that I’m dealing with on legal issues are practices.

Jonathan Fashbaugh:
So it’ll be a similar thing today because information you’re sharing with us, I found myself wanting to refer to it as legal advice, but of course it’s not.

Trey Lawrence:
Right. In normal human speak it is, but from a very technical legal definition, it is not legal advice.

Jonathan Fashbaugh:
Right. It is legal oriented information.

Trey Lawrence:
Yeah. Legal information is how I usually try to paraphrase it.

Jonathan Fashbaugh:
Well, I’m excited to have you on the show because occasionally there’s this intersection between legal issues and marketing. And it puts us, the marketers, in an awkward position because we want to help our client, but we also never want to get our client in hot water in any way, but we want to advise them to the best of our ability. And of course we always can say, you should talk to your law firm about that. But one of the issues that comes up from time to time has to do with online reputation. Where a client is putting themselves out there as someone who can help people, and then someone comes along and gives them both barrels with an online review that just is scathing and sometimes there’s a story behind it that makes sense and other times it’s like, we’ve never even seen this patient. This is not a patient of ours, and yet they’re saying horrible things about us. Have you had the clients contact you about that and what recourse from a legality standpoint do dentists have if they’ve got a review that they feel is, let’s just say unfair to start with?

Trey Lawrence:
No, definitely. That is an incredibly common question. Certainly the horrible online reviews from people who you know weren’t patients of your practice is a big challenge legally. But even the ones that were a patient. There’s a whole separate set of legal issues that I’ll get into in a second about responding to any online reviews, even the ones from patients that were actually at your practice. Because there’s all kinds of HIPAA issues involved in that too. But the reviews that you know are not from a patient that was treated in your practice are doubly frustrating because there’s the legal issues you have to be careful about and the fact that it wasn’t actually a patient. So it’s somebody that’s harming your business and you need to address that. So the biggest thing is I think probably the most comforting fact in this area is that as a practice and a doctor, you do not owe any HIPAA duties to somebody that was not a patient of yours.
Because I get that question a lot about, well, can I say … There’s some challenges about identifying somebody as a patient of your practice if they were a patient and you identify them as a patient in a response to a review. That’s what I’m talking about with the bad or good reviews from people who were actually patients. But none of those issues exist for people who weren’t actually a patient at your practice. So if they weren’t a patient, you don’t owe them any duties under HIPAA. HIPAA only pertains to the doctor-patient relationship. So it is perfectly safe under HIPAA to say something like, “We have no record of you being a patient at our practice.” Those kinds of things. Another version of this question I hear a lot about is the disgruntled former employee who thinks that they’re going to get back at your practice.

Jonathan Fashbaugh:
Thank you for bringing that up for sure, because that does happen and it’s just maddening.

Trey Lawrence:
Absolutely. So again, if that person was an employee but was not a patient, there’s no HIPAA concern at all about you saying that you were not a patient. We’re not sure why you’re leaving a review posing to have been a patient at our practice because you didn’t treat. You don’t want to say things about the termination of the employment. There’s some separate employment privacy issues that you need to make sure that you are aware of in those situations, but definitely no HIPAA duties. So it is perfectly acceptable to point out that these people, were not actually patients.

Jonathan Fashbaugh:
But under what circumstances can a dentist have their attorney reach out and realistically have recourse to do something if the person doesn’t take down the review? Obviously they can always ask, will you take this down, but what legal recourse do people have if it hurts their feelings versus if it says something untrue?

Trey Lawrence:
Yeah. No. Great question. I think there’s a couple of categories of recourse there. One is with the providers, the platform providers themselves, and then the second are the legal remedies. Because that’s one of the questions I get a lot. Especially if the review says something untrue. Especially most pertinently, if the person wasn’t actually a patient. They’re pretending to be a patient. The short answer on that is you absolutely can ask Google or Yelp or whoever to take that down. The odds of that are probably not very good. I’ve heard of many people asking to have those kind of reviews taken down. I’ve only heard of one that actually succeeded in that, and that was a practice where the patient … It was actually a patient, but the patient actually basically threatened physical violence in the you better hope that you never meet me in a dark alley, kind of a comment. And so Google or whatever platform that was, I’m sure had a term of usage that said you can’t threaten physical violence. And so the practice pointed that out and was able to get it taken down.
Short of that, I’ve not heard of success, but it’s worth a try. I think the more likely pathway to getting an actual result is if your practice wants to contact an attorney or contact your attorney that represents your practice and have them send a cease and desist letter. So any cease and desist letter like that, the basis of it is going to be defamation. Defamation is a legal claim where you say something false about me and I’m harmed by it economically. Of course, there has to be something false to give rise to the defamation claim or the threat in this case. If everything that the patient said is true … If it’s an actual patient posting a review, defamation is going to be a lot harder to prove. Again, if it’s somebody who wasn’t a patient that’s posing as a patient, then that per se is false so that’s easy to point out.
The bigger challenge in defamation claims is always proving economic damages. So if you were to pursue this to court, what are you going to say that this one review online harmed your practice with enough specificity to actually prevail on the legal claim? That’s probably going to be difficult to prove in court. But when you have an attorney send a cease and desist letter, you’re not trying to win the lawsuit at that point. You’re just trying to get the review down. And so if your attorney phrases it the right way and makes sure that the person understands that if you choose to pursue this into litigation, that that could be very costly for them in attorney’s fees, defending the claim and all of that. Usually it’s not the merits of the legal claim to get the person to take the review down, it’s just the threat of litigation and the hassle of dealing with it.

Jonathan Fashbaugh:
Right. We’ll get to, again, I think a related issue in a minute. So it sounds like if there is any hint of defamation of character and they’re saying these things that could prohibit or make it less likely that someone is going to come to their practice because it makes them sound shady, then a letter from their attorney to the patient pointing out that if this goes to court, it’s going to be very expensive for you and for me, and this is just a situation that doesn’t need to be. We understand you’re unhappy. I’m humanizing it probably and putting it in words you wouldn’t, but that can be effective it sounds like.

Trey Lawrence:
Yeah. Absolutely. I think your average citizen, your average disgruntled person who’s just spewing on the internet has no interest whatsoever in getting involved in actual litigation and legal costs. And so if there’s any merit … You can’t just send a completely frivolous and baseless letter because that could be a violation of certainly the attorney’s ethical obligations. But if there’s any potential basis to the legal claim at all and basically here, just if there’s anything that patient or that person said that’s untrue, that’s a valid basis for that letter. And I think the threat of the hassle of litigation is going to be persuasive for most individuals.

Jonathan Fashbaugh:
Yeah. I would agree. Now, you pointed out HIPAA a couple of times in this, and that’s interesting to me. Because I have had clients tell me before, “My attorney says I can’t respond to any reviews online because it’s identifying them as a patient, and that’s a violation of HIPAA.” And my jaw dropped the first time I heard it. People get reviews all the time, and that puts a dentist in a really tough place that most other businesses don’t have to deal with. And here they are with their hands tied behind their backs and so many other dental offices respond anyway. But is your advice to not, or is it just in how it’s phrased?

Trey Lawrence:
I think it’s definitely how it’s phrased. My standard response is not that you can’t respond at all, but you have to be extremely, extremely careful. So all of the lawyers that you’ve heard say don’t, I understand why they say that. There have been several decisions that have come out from HHS lately, HHS is the federal agency that enforces HIPAA, where HHS is basically fining dental practices, significant amounts of money for what to an average person might seem like a very small violation of HIPAA and responding to an online review or comment. So it’s not that you can’t respond, but you definitely have to be very careful. And the number one fact, as you’ve already pointed out, is that you can’t disclose any personal health information about the patient, even to the point acknowledging that they were a patient at your practice, even if they’ve already said it themselves. And I think that’s where the biggest snare lies.
But subject to all of that, when I have practices that contact me ask how to do this on the … If it’s a negative review, my suggested response is something along the lines of, “It appears there’s been a misunderstanding. Please contact our office to set up a time to discuss.” So you’re not acknowledging that the patient was a patient. Another thing that we as lawyers worry about is admissions of liability. So saying things like we’re sorry you’re in this situation of those kinds of things that normal people say can be misconstrued as an admission of liability. You’re not saying anything like that, but you’re acknowledging the bad review itself and you’re just saying to the person, “It appears there’s been a misunderstanding. Please contact us, set up a time to discuss.” And then try to get it offline so it doesn’t become an ongoing conversation in the comment section or the review section. So that’s on the negative side.
On the positive side, if some patient leaves a good review and you want to acknowledge it like normal people do, I think the approach is similar. You can acknowledge the good review, but just don’t acknowledge that they were a patient. So something along the lines of, “Thank you so much. We love to hear great stories like that.” Or we love to hear happy endings like that. Something like that where you’re acknowledging the positive review itself, but you’re not saying something like, “Thanks so much. We loved having you as a patient.” Or those kind of things that actually acknowledge that they were a patient.

Jonathan Fashbaugh:
That’s a clever nuance that solves that problem. One of the things that we do well, I believe, is turn negative reviews into positive marketing opportunities. You’re giving me some pause to think about how best to do that, but I feel like we can still do that. And your concern even makes it an even more logistically prudent approach, I think to just say, our patients experience X, Y, Z. Something along the lines of we’re concerned to hear this review. Patients at our office experience high standards of care and diligence to protect occlusion and whatever details that our patient’s experience. And then it sounds like if we were going to cede any ground, it’d be we’re starting to hear that you’re feeling otherwise or something like that, or can we not even talk about the patient’s feelings?

Trey Lawrence:
No. I think that’s fine. We’re sorry to hear that you’re dissatisfied or you’re feeling dissatisfied. Something like that I think is safe. And then the other facts that you quoted there, the other statements, again, I think you pointed out correctly, HIPAA violation is all about disclosing personal health information. Those facts are not. They’re generic to your patients as a whole. They’re not specific to that patient. So there’s no PHI there. And then you didn’t say that that patient was actually a patient in the way that you phrased it. So I think that’s another good potential approach that addresses the business reality of that negative review being there, but addresses it in a way that’s very conscious of the HIPAA concerns in making a response.

Jonathan Fashbaugh:
And then the other nuance I heard you mention is just because a patient discloses something doesn’t mean it’s fair game for you to talk about. That happens all the time where our clients will say, “Well, they said this, this, and this so can’t I address those things?” But you’re saying not in terms of that patient’s story. You want to talk about your standard operating procedure for whatever the issue is.

Trey Lawrence:
Yeah. HIPAA is very, very specific on the detail that needs to be included in an authorization by a patient to disclose their protected health information to somebody else. So them just saying the fact online doesn’t satisfy any of those details. When you’re thinking about an authorization. You have to think about the HIPAA authorization form that your practice actually has a patient sign and that online comment by the patient doesn’t include that detail so legally it’s not a valid authorization. So even though the patient said those things, they still haven’t authorized you and your practice just say anything in response.

Jonathan Fashbaugh:
Maybe this is crazy, but could an office change their HIPAA paperwork that they have the client sign that says if you launch a review and disclose matters that you authorize us to address them in a response? Would that hold up?

Trey Lawrence:
Yeah. I think that’s definitely a possibility. I haven’t actually heard that approach before. Maybe I should have thought about it. In that case, as long as it’s in a HIPAA authorization form itself that meets all of the other requirements for a HIPAA authorization, I think that is potentially an option. I know a lot of times the temptation for practices to stick things in the patient contract. Language like that in the patient contract would not satisfy those other things that have to be in the HIPAA authorization. But the situation you’re describing where it’s in the HIPAA authorization itself, I think that could definitely be a possibility.
The one other thing you always have to be careful of on any form like that that you have a patient sign is the potential of the patient down the road to say, “Oh, well, I had no idea that I agreed to that. I had no idea I was signing that.” And that’s not specific just to dental practices. That’s the law generally. I’ve heard that in countless other non-medical situations in court. So if you want to include that in a HIPAA authorization, it needs to be … You don’t want it buried in six pages of fine print. It needs to be easy to read, maybe bold or probably the-

Jonathan Fashbaugh:
Its own section.

Trey Lawrence:
Yeah. Its own section. Those things make it harder for patients to argue that they didn’t know it was in there. They didn’t know they were agreeing to it.

Jonathan Fashbaugh:
Right. Right. But I feel like that’d be pretty easy to do. So if it’s worded and in a separate section, do you feel like if they still said, “Well, I didn’t know that was there,” then it would hold up because it was so clearly marked?

Trey Lawrence:
Yeah. Any of those kind of questions, those are questions that ultimately if it goes to litigation, have to be decided by the fact finder-

Jonathan Fashbaugh:
The judge, right?

Trey Lawrence:
Which is the jury, which is always a role of the dice. So legally it’s very difficult to say anything is a foolproof solution. It’s just all about making it as hard as possible. And I think all of the things that you just mentioned are all factors that would make it less likely that a plaintiff would win on that type of an argument.

Jonathan Fashbaugh:
Now, let’s rewind this scenario a little bit and maybe you have a story you could share. But what situations are more likely to lead to a patient filing some sort of a claim, and how does that get to the Health and Human Services Department? What’s that process if we wanted to look down a path that we don’t want to go down?

Trey Lawrence:
No. Definitely. That’s a great question. I don’t have an exact count on the number of decisions that have come out of HHS, but they’re very … They issue press releases all the time when they’ve entered into some kind of a settlement or they’ve otherwise penalized a practice. In those decisions, they don’t typically say how the claim came to HHS’s awareness. That always makes me as the lawyer want … I would love to know how they do it. I have a few guesses as to how they do it. I think certainly if a patient contacts a lawyer who has more of a healthcare background and knows about things like HHS, that might make them more likely to include that as one of the tools in their toolkit to help that patient. So it could be if a patient already has a problem situation with the practice they’re considering suing them or they’re considering filing a dental board complaint, then their lawyer also may have as another option also filing a complaint with HHS.
I think that’s one possibility. The other thing that I have read about … I don’t have confirmation of this certainly from HHS, but the word on the street seems to be that this is going on, is that HHS like some of the other federal agencies like the FTC is one in particular too. FTC also does a lot of legal work with advertising. And the word on the street is that they are getting very sophisticated in their AI scanning the internet type of capabilities. And so it may be the case too that it’s … Certainly, I think in the future that will be more so. I can’t say exactly what the state is now, but I think the federal agencies will develop more ability to use AI to scan the internet proactively on their own and catch some of these things. So that’s why if you’re on the internet, then you need to be thinking about these issues. It may not matter that you don’t have maybe as larger practice as some other groups or maybe your website’s not quite as sophisticated, all of those things. I think if the AI is coming into play and being used to scan, it doesn’t matter. If you’re on the internet, then you’re subject to being discovered by that AI scanning.

Jonathan Fashbaugh:
It segues into the next piece that I wanted to talk about, but have you heard of law firms instigating these things by having humans look for these instances and now they’re going to have access to those same AI tools to look for opportunities to … I don’t know. Is that legally okay for a law firm to reach out to a person and say, “Your HIPAA rights were violated. I think we have a case here if you’re interested in filing a complaint.”?

Trey Lawrence:
Yeah. That happens all the time in the class action world. There are some very sophisticated plaintiff’s class action firms. They don’t sit around and wait for consumers to contact them. They have whole teams of people that are doing exactly what you described that are out there. In the old days, it used to be reading the newspaper ads or the magazine ads or whatever looking for misrepresentations and other violations. But now then with the AI and the other technology, I’m certain that those plaintiffs firms are incorporating that. And like I described with the agencies, they are also out there proactively scanning the web for these kinds of violations. And once they discover one, there’s no ethical prohibition on … There are some ethical prohibitions. Much too detailed for any of your listeners to care about. But there are ways for those firms to get in … If they run across … If they see a review and there’s a patient that’s mentioned in there and they can go to that patient’s say Instagram account or Google account or whatever. There are ways for them to contact those patients and say, “Hey, we saw this. Would you be interested in participating in a legal claim?”, type of a situation.

Jonathan Fashbaugh:
Right. Wow. We have seen that happening in a way, in a flavor with regard to copyright issues on websites. It seems to be complex and varied, but essentially some sort of a company partnering with a law firm that then is partnered with the owner of an image in theory, reaching out to dental offices and saying, “You violated our copyright using this image and therefore you will owe us money. We’re willing to settle though.” This just reminds me of the threat of litigation that we were talking about in the context of reviews. Dental offices are running into this. And we’ve been involved in situations like this where it’s like, no, we definitely know we have the right to use this image, but the law firm or this entity is threatening litigation and it leaves us and the client in a scary situation. If one of your community’s members got one of those letters and said, “What should I do about this, Trey?” Do you have any thoughts on how to handle that type of situation?

Trey Lawrence:
Yeah. Definitely. I know people never want to hear the lawyer say You need to contact a lawyer, but this is absolutely one of those situations. And number one, all intellectual property law and certainly copyrights and trademarks is a very specific area of the law. You really need somebody who’s an expert in that area to guide you through the analysis. And then the second step is the analysis is this really is a classic risk benefit type of analysis. So to make a decision on what your course of action is going to be, you have to assess the risk and the benefit.
So on the benefit side, definitely it’s how important is the use of this image to us? If it’s something that’s not that important, then it’s not worth the fight at all. Just take it down. You don’t have to send a letter admitting that you violated their copyright or anything like that. You can say, “We can test your factual claim, but in the interest of avoiding any further dispute on this, we will take it down.” If there’s not really any benefit to fighting the fight, then it’s definitely easiest just to take it down and avoid it. If it is an important image and you need to continue to use it, then that’s where you have to assess the risk. And that’s really where the copyright lawyer or the specialist in this area of law is going to be a crucial tool in making that assessment. Because to be able to assess what kind of risk you’re at, you need to look at what is the copyright, what is the registration? You need to have somebody go to the patent trademark office and pull the registration if there is one. You need to have somebody that has seen enough violations litigated so that they can look at your use and then what the person is claiming ownership of and determine in their judgment whether it’s a violation or if it’s …
A lot of these cases, it may not be exactly the same. It may be an altered image or it looks very similar, but it’s not exactly the same, and you need somebody who’s litigated these kind of cases to be able to say, “I think this is something that may be determined to be an unauthorized use”, or “No, I think these are different enough that you have a basis to argue that it’s not a violation.”
That’s all the kind of things that the copyright lawyer will go through. And then at that point, once you’ve assessed the strength of the claim, if there is benefit of fighting the claim and then the lawyer believes that you have enough merit to try to defend yourself, then you can send a letter back and say, “We don’t believe that there’s a violation here,” and explain the reasons why, or however your lawyer wants to handle it at that point. But really it’s that risk benefit analysis. How much are we at risk legally, and is there benefit to fighting this or does it really not matter that much? That’s the analysis that you need to go through, and you really need the trained expert lawyer to help you with that.

Jonathan Fashbaugh:
Yeah. That’s the maddening thing though. At least in the case of the clients that we’ve had run into this, it’s never an important image. Often it’s ones that we’ve actively removed to avoid things like this where it’s like, it’s been so many years since we posted that blog post where we used a random image of a faucet and because we don’t really need it, we’ve taken the image down. And then the client still got a letter that said they had evidence that this had been used, and therefore for a period of time there was something warranted. But just a broader question, do you know if an image changes ownership, former licenses still protect the person who purchased the rights to that image in the past, right? Those don’t just reset or have to be paid again, do they?

Trey Lawrence:
Yeah. No. Generally that should be the case. Again, I’ve got to play the lawyer here and say there’s always potential exceptions. But in general, any license like that … Unless there’s something specifically in the license agreement itself, the original authorization they had that says that it’s limited to that ownership, that it doesn’t extend to any future owners. But any competent lawyer that’s ever drafted one of those would have language in there that specifically says that the rights survive any change of ownership.

Jonathan Fashbaugh:
Got it. Got it. Okay. Okay. Are there any other types of HIPAA or legal issues that you run into with the orthodontic practices that you discussed that are viewers should be aware of?

Trey Lawrence:
Yeah. I could go on all day. I’ll start at the top of the list. Definitely one big one. This is a little more of an issue perhaps for orthodontic offices or other practices where treatment tends to go on over a period of time. But that’s the problem with when a patient starts out as a patient of the practice as a minor and then becomes an adult during the course of treatment. From my experience specifically, I think on the orthodontic side, it’s very easy to forget to put a reminder for yourself in a calendar or your treatment, the appointment planning software or whatever to flag that the first time that that patient comes in and they’re now legally an adult, there’s several things you probably need to address with them, but definitely the HIPAA authorization is a big one. Because if mom and dad were the signers on the account originally, and now the patient’s an adult, but mom or dad are still paying for treatment, then obviously probably need to discuss treatment information with mom or dad. But until that now adult patient signs a HIPAA authorization saying that you can discuss that information with mom or dad, then technically you’re not permitted to.
So that is a big one. I’ve given practices a little checklist of three or four things that they need to remember when a patient turns 18 during the course of treatment. That’s one. A photo release is very similar. If mom or dad signed a photo release for a patient and then that patient turns 18, now you no longer have the right to use that patient’s photo unless the patient themselves signs a photo release.

Jonathan Fashbaugh:
Wow. Yeah. That reminds me of … I heard there was big time litigation of the kid whose photo was used on the cover of Nirvana’s Nevermind cover as an infant, and he’s naked and then he’s not a kid anymore and he’s like, “I don’t really appreciate that.”

Trey Lawrence:
Hopefully none of—no practices pictures look exactly like that one did, but still the underlying legal problem is still the same.

Jonathan Fashbaugh:
We can call that legal advice, maybe. Don’t take naked pictures of—

Trey Lawrence:
I think as a general world that’s pretty safe. I’ll give out that advice. Yeah.

Jonathan Fashbaugh:
We’ll drop that topic now. Any other marketing-related types of tips that you have for our viewers and listeners?

Trey Lawrence:
One of the things I see all the time in the orthodontic world is the online promotions. It’s a fun way to get attention for your practice if you’re doing some kind of a drawing or some kind of a referral incentive program. In the month of May, every new patient gets entered into a drawing for some fun prize. That’s something that’s really easy to share out on social media and gets a lot of attention. Similarly, the kind of things with, refer a friend or family this month and you get entered into a drawing for an iPad or you get a $50 gift card from Amazon. Something like that. Definitely be aware. Anything with the drawing in it can potentially fall under state sweepstakes law. So you need to make sure that if your promotion’s qualified for that.
The elements are usually pretty simple. It’s an element of chance, that’s the drawing part. Anything with a drawing, there has to be a prize of value, and then the patient has to give consideration to be entered. So that means do something of economic value to be entered. So that could certainly be a case start, but giving a referral has economic value or even posting. If you have a program, anybody who leaves a five star review this month gets entered into a drawing. There’s economic value to that five star review or the five star rating. It doesn’t mean you can’t do those kinds of promotions, but if you have something that has all of those, you need to know what your state sweepstakes law is. Probably talk to a lawyer one time, let them set you up a template that then you can fill out all the blanks of what’s the prize and the start date and the end date and all of that. And then just make sure that you’re in compliance with the law every time.
And then similar to all that, the referral programs. Some states you can only fee split with another doctor, but in some states there can be fee splitting with a non-doctor. And so if your state is one of those fee splitting states for non-doctors where you can fee split with a non-doctor, then your referral programs … That’s another one again, you probably talk to a lawyer that’s familiar with the fee splitting rule under your state’s dental board to make sure that any referral incentives like that satisfy the rule and don’t constitute fee splitting.

Jonathan Fashbaugh:
So you want to make sure you’re following the rules on the sweepstakes and fee splitting. But it sounds like on the sweepstakes side, it’s maybe more having somewhere those conditions and disclaimers of chance, that just needs to be documented and available for people to check out?

Trey Lawrence:
Yeah. Usually every state has pretty specific statutory language on if you have something that is the sweepstakes, what you have to do to hold that contest. The most common is certainly the written terms and conditions. Like you mentioned, you need to have written terms and conditions that if somebody asked for, you could give them a copy. There usually has to be a clearly defined start and end date. And then probably the next most common one is the no purchase required for entry type of an option where whatever it is, if it’s a leave a five star review, if somebody still wants to enter the contest, then they have to send a postcard to a certain address. Those kinds of things. But those are all the kinds of things. They’re very clearly set on in statute. So if a lawyer looks those up for you, they can create literally a template. Terms and conditions document and then the other pointers that your staff needs to know. And then from then on, it’s just literally fill in the blanks on your template each time you have a new contest.

Jonathan Fashbaugh:
Right. Right. Wow. Wow. That’s amazing. It sounds like that has come up a time or two for you.

Trey Lawrence:
On social media, I see practices all the time that I think are in violation of that. Probably have no idea. I think the biggest challenge is just the use of the word sweepstakes. That sounds like the Publisher’s Clearing House thing. Nobody looks at their drawing for a fun little prize in their practice and thinks sweepstakes. But it’s just knowing that those kinds of contests probably do fall under your state sweepstakes law.

Jonathan Fashbaugh:
So it sounds like regardless, you would recommend a dentist contact their attorney to get in the know about that, but are there any big time states where it’s like, if you’re in this state, this is absolutely a concern for you?

Trey Lawrence:
Not really. The big concern areas usually center more around the dollar value of their prize. I’ve not studied every single state’s statute. But the ones that I’ve seen, it’s more of a $10,000 prize or something. Unless your practice is holding a drawing for a new car, you’re probably not getting into that threshold. The normal prizes that I see all the time on social media where it’s an iPad or something like that. Those are well below the dollar threshold most of the time that really gets into that ,okay, now you really got to get serious and know the rules territory.

Jonathan Fashbaugh:
I was thinking about email encryption and having a HIPAA-compliant email system. How vital is that in a dental office? Should dentist just be paying extra to have some souped up email?

Trey Lawrence:
Yeah. The short answer is if you want to make sure that you’re in compliance with HIPAA, it is absolutely vital. Because HIPAA specifically says that if you’re otherwise subject to HIPAA, then one of the things you need to comply with is making sure that you have an encrypted email server. Any email that has patients protected health information in it needs to be sent in encrypted format. And of course, there’s no way to really filter out the emails that do in the emails that don’t so your system just needs to be HIPAA-compliant and have the encryption. I think the other thing that practices run into problems with is not thinking about other communication channels that similarly need to be encrypted. So texts, I think pretty clearly fall under that too. Now, certainly just like an appointment reminder to a patient and/or if they’ve agreed to the receipt of those texts is not as big of an issue. But if you’re using texts to actively communicate with patients about treatment information or those kind of things, then you need to see whether you fall under the encryption requirements for that as well.
And then another area that I have seen lately but have not … I haven’t seen a definitive answer, but I would guess that HHS is going to head this way as any kind of video conferencing software. And I’m certainly not a technical expert, but my understanding is that there are some things like Skype or some of the other layperson type services that definitely do not have encryption. Zoom, my understanding is I think you can subscribe to a pro option that may be encrypted, but I’m not 100% certain on that. But just all that suffices, say, if you’re using video conferencing options either with patients or with other providers, you’re consulting with other providers and that kind of thing, then you need to look at whether the video conferencing service that you’re using is encrypted and if not, I am aware that there are certain ones out there that specifically market themselves to medical professionals because they are encrypted. And so you probably need to look at using one of those.

Jonathan Fashbaugh:
Wow. Wow. Again, it just doesn’t feel … Isn’t there even language in the Hi-Tech Omnibus that says within reasonable expectations, doesn’t it somehow take into account the practice’s size or something like that?

Trey Lawrence:
That language is in there. But the problem with the word reasonable is it is always subject to somebody’s interpretation. So it depends on … I know this particular iteration of HHS is very hyper focused on enforcement. That’s a great question. And off the top of my head, I’m not sure exactly where the exception is, but those are the kinds of things that a lawyer who specializes specifically in HIPAA can drill down for you and look at the size of your practice and determine whether you need to comply with that specific restriction or not.

Jonathan Fashbaugh:
Man, I just feel like the patient is the one who loses in this situation because if it’s so hard to communicate … You mentioned plumbers and other types of businesses .if I can’t communicate with them easily, I don’t want to do business with them. So it seems like the patient and the dentist lose more than the odd breach situation. But better safe than sorry.

Trey Lawrence:
Yeah. No. It’s ironic for a statute that supposedly was drafted to protect patients. Similar to that, when COVID came along and the practices were having to shut down for the pandemic, I note specifically the state of Texas, all the dentists in the state of Texas, including our AAO orthodontist members got letters from the state dental board saying, “Hey, we’re just reminding you that we don’t have a tele dentistry statute on the books, which means that you cannot use Skype, FaceTime, any of those services to communicate with your patients.” And meanwhile, from the orthodontics side, you have patients that have active appliances in that really did need to be in communication with their dentist or orthodontist. And it’s something, again, that’s supposed to serve to benefit patients who is actually standing in the way and causing some problems. Potentially even harming patients that have active appliances in and can’t meaningfully communicate with their dentist or orthodontist.

Jonathan Fashbaugh:
Right. Right. The world we live in.

Trey Lawrence:
The thing that makes me the most nervous about dental practice is, oh, I heard it online or heard it in social media and going on that. So I can just leave the … If you have any question about anything, don’t depend on rumor, hearsay, social media group advice, even trusted colleagues. Just make sure that you talk to a lawyer that can actually read the statute, read the regulation, and tell you what … Something like that.

Jonathan Fashbaugh:
Trey, thanks for being with us today. Any final words of legal information that you’d care to share with our audience?

Trey Lawrence:
With all of these subjects we’ve been talking about today and any other legal topics, it is very easy … I heard it online, I was on social media, I was in the Facebook group, I heard this, I think this is true. Drill down and find out the truth. And unfortunately, with some many of these legal topics, it means you need to talk to a lawyer. So don’t depend on rumor, hearsay, any of those things. Talk to a lawyer, find out the truth, let them dig in for you. Make sure that you’re in compliance with the law instead of being one of these horror story penalty situations that we’ve been talking about today.

Jonathan Fashbaugh:
Spoken like a true attorney. Trey, thanks again and thank you to you, the viewers. This episode was hot. I would say that Trey’s advice was pretty near radioactive. Good thing I’ve got my fancy Geiger counter here. Let’s just check. It’s you. You’re the one. This is awkward.