It is no longer a simple matter to communicate with patients or to market a dental practice via telephone, cellphone, text message or email. This is a guide to the rules for communicating via these technologies with patients and other individuals. Also included in this resource is sample language to use for those instances when patient authorization or consent is necessary for communicating via these technologies.
Obtain authorization to initiate contact with a patient regarding treatment, insurance, and account via the patient’s cellphone. The Federal Communications Commission, using the authority of the Telephone Consumer Protection Act of 1991 (TCPA), issued the order below that requires a business to obtain an individual’s consent prior to calling or sending a text message to an individual’s cellphone number. A health care exemption to the order applies if the communication:
A health care provider must:
The TCPA order does not limit a return call to an individual’s cellphone number if the individual initiates the contact.
In order to initiate contact with a patient via the patient’s cellphone regarding any topic other than treatment and appointment reminders, a dental practice must obtain the patient’s consent to do so.
The following provides sample language a dental practice can add to a patient information collection form. Note that if a dental practice intends to contact the patient on his or her cellphone for marketing purposes, the practice should add that to the consent language.
I consent to the dental practice using my cellphone number to (choose one or both): ______ call or ______ text regarding appointments and to call regarding treatment, insurance and my account. I understand that I can withdraw my consent at any time. My cellphone number is (include area code) _______________. _________ (initial)
Electronic communication of patient information must be done securely. The only exception to the requirement is when a patient, after being advised of the risks, consents to receive the information in unencrypted email. Patient consent to receive unencrypted email is not consent to transmit protected health information (PHI) in unsecured communications with other entities such as specialists and payers. If the use of unencrypted email is unacceptable to a patient who requests confidential communications, other means of providing an electronic copy by more secure methods should be offered and accommodated. Following is sample language a dental practice can add to a new patient information collection form:
Except for appointment reminders, we use secure methods to electronically communicate with our patients. Unencrypted email is not a secure form of communication. There is some risk that any individually identifiable health information and other sensitive or confidential information that may be contained in unencrypted email may be misdirected, disclosed to or intercepted by unauthorized third parties. However, you may consent to receive unsecured email from us regarding your treatment. We will use the minimum amount of protected health information necessary in any communication. Our first email to you will verify the email address you provide. Please initial the statement indicating your preference.
Obtain patient acknowledgment that the practice will leave messages on the answering machine or with anyone who answers the telephone at the telephone number provided by the patient. Sample language:
I understand brief messages from the dental practice may be left on my home answering machine or with anyone who answers the telephone at my home unless I have provided the practice with alternative instructions for communication. ________ (initial)
Only use the minimum patient information necessary for the appointment reminder. Postcards, voice messages, unencrypted email messages and text messages should not include diagnosis or treatment information.
Sample language for an appointment reminder:
This is Main Street Dental with a reminder that Jack has an appointment on Wednesday, March 3, at 2 p.m. Please call us at 222-2222 if you have any questions.
When using a vendor to make the appointment reminders, the dental practice should:
When a dental practice does not normally engage in email communication with patients and a patient requests email communication, the practice must ensure the email is sent securely either through encryption or a secure web service. The only exception to the requirement is when a patient, after being advised of the risks, consents to receive the information in unencrypted email. Patient consent to receive unencrypted email is not consent to transmit PHI in unsecured communications with other entities such as specialists and payers. If the use of unencrypted email is unacceptable to a patient who requests confidential communications, other means of providing an electronic copy by more secure methods should be offered and accommodated.
Following is sample language that can be used to obtain patient consent to communicate via unencrypted email. Be sure to retain documentation with the patient record.
We are happy to respond to your query. We normally use a secure electronic communication method (encryption); however, you have the right to request to receive your information via unencrypted email. In order for us to send your information to you via unencrypted email, you must provide your consent, recognizing that unencrypted email is not a secure form of communication. There is some risk that any individually identifiable health information and other sensitive or confidential information that may be contained in such email may be misdirected, disclosed to or intercepted by unauthorized third parties. We will use the minimum amount of protected health information necessary to respond to your query. If you wish to conduct this discussion via unencrypted email, please indicate your acceptance of this risk with your email reply. You may withdraw your consent at any time. Alternatively, please contact our office to arrange a telephone conversation or office visit if you decide against corresponding via email.
Please email your request to our office. (Then the office can respond as described above, or the dentist or HIPAA privacy officer can discuss with the patient the risk of unsecured email and document the conversation and consent in the patient record.)
Contacting patients about uncompleted recommended treatment or because they have not been seen in the past year is common in dental practices. However, telephone calls to recall patients may be viewed as solicitation and, therefore, subject to the federal Do-Not-Call Registry rules. Telephone solicitation is limited to 18 months from the time an individual completes a transaction with the business or until the individual requests that he or she not be contacted again, whichever period is shorter. If an individual makes an inquiry, a business may call that individual for three months or until the individual requests that he or she not be contacted again, whichever period is shorter.
Become familiar with the federal Telemarketing Sales Rule if using telemarketing. Even if a dental practice does not use telemarketing and instead uses direct mail or general media advertisements (radio, print or internet), how a dental practice responds to the calls resulting from those ads can be subject to the rule. Any “upselling” done in the course of a call will make that call subject to the rule. Refer to the FTC website for more information.
The federal CAN-SPAM Act and California law apply to all email messages, including business-to-business communications, that are advertisements or promotions of a commercial product or service or that promote content on commercial websites. Unsolicited commercial email may not be sent to or from California email addresses. An example of a marketing email is a promotion for teeth whitening sent to a dental practice’s patients of record. Appointment reminders are not commercial communications.
It is a good idea to obtain an individual’s consent prior to sending him or her an email, even if the email is not a commercial message. Verbal consent to receive emails is allowed, but the consent should be documented.
Following is a summary of the main requirements:
When sending a group email, a dental practice should ensure email addresses are entered only in the “Bcc” field so as not to impermissibly disclose PHI. If a dental practice hires a third party to send marketing communications and the recipient list includes patient email addresses, the practice should sign a HIPAA business associate agreement with the party.
In an ideal world, collection calls would not be necessary (see the “Patient Financial Protocols” article for options to eliminate collection calls). In the real world, collection calls are made by dental practices before the debt is turned over to collection agencies.
At the federal level, the key law for dental practices is the Fair Debt Collection Practices Act, enacted to prevent and prohibit abuse by debt collectors. Below is an excerpt from the FTC website detailing what debt collectors are prohibited from doing:
Debt collectors may not harass, oppress or abuse any parties they contact. For example, they may not:
Debt collectors may not use false or misleading statements when collecting a debt. For example, they may not:
Debt collectors may not state that:
Debt collectors may not:
Debt collectors may not engage in unfair practices when they try to collect a debt. For example, they may not:
While the federal law was written to cover debt collection agencies and not original creditors, as of Jan. 1, 2000, all creditors (e.g., dental practices) and debt collection agencies that are subject to California law are also subject to most of the standards of the federal law. That means that businesses covered by the California law (both original creditors and debt collection agencies) must comply with the standards expressed in both state law and, with some exceptions, federal law. The state attorney general’s office website provides a guide to state laws on fair debt collection practices.