
Who’s really there? Verify callers to avoid scams and stay HIPAA-compliant 

Abyde, CDA’s Endorsed Services partner for HIPAA and OSHA compliance, shares best practices for safe and compliant telephone communication
October 6, 2025
Quick Summary: Whether taking an unexpected call or reaching out to patients, protecting the practice and sensitive patient data is paramount. Endorsed Services partner Abyde shares best practices for managing risk in telephone conversations.

With the rise of telephone-based fraud and phishing, dental practices face increasing pressure to safeguard their conversations as well as their computer systems.

Phone calls continue to be a common entry point for privacy risks and scams that can jeopardize HIPAA compliance. Here’s what experts at Abyde, a leading compliance solution, recommend:

How the Minimum Necessary standard applies to phone calls 

HIPAA does not prohibit telephone use. Rather, it requires that practices handle phone conversations with the same care and privacy safeguards as any other form of communication to protect patients’ health information. HIPAA allows providers to share patient information over the phone for treatment, payment and health care operations, if reasonable safeguards are in place. 

Under the HIPAA Privacy Rule, the Office for Civil Rights established the Minimum Necessary standard. This standard defines what shouldn’t be shared in communication. It requires health care providers to make “reasonable efforts” to limit the use, disclosure and requests of PHI to the minimum needed to accomplish the intended purpose. 

Best practices for HIPAA-compliant telephone calls: 

  • Verify the caller’s identity: Before sharing any PHI, ask for at least two patient identifiers, such as date of birth and address.
  • Limit disclosures to the minimum necessary: Share only the information needed to address the caller’s request. 
  • Use private spaces for phone conversations whenever possible and avoid using a speakerphone in public or open areas. 
  • Be mindful of voicemail: Limit messages to basic details such as the dentist’s name, callback number and appointment date and time. Avoid including diagnoses, test results or treatment plans. 
  • Document in the record: Record disclosures to comply with the HIPAA disclosure accounting rule and when office policy requires it.
  • Follow written policies: Ensure that the practice’s HIPAA policies are clear, accessible and consistently applied by all team members.
  • Train staff regularly on how to handle common scenarios, such as requests from family members, insurance companies or pharmacies. 
  • Stay alert for scams: Do not share login credentials, account information or payment details over the phone with unsolicited callers. When in doubt, hang up and call the verified number back. 

Telephone scams target dentists with spoofed numbers 

Under the guise of “reinstating a dental license,” scammers have been calling California dentists and soliciting personal information. These scammers frequently ask for payment information, Social Security numbers and driver’s license numbers. 

Scammers can use technology to spoof legitimate numbers. Dentists have reported scam calls that appear on caller I.D. as the Dental Board of California, the Office for Civil Rights and even the F.B.I.

The illusion of legitimacy has tricked dentists into sharing sensitive information with unknown callers. One CDA member recently shared how they were defrauded of significant savings in a sophisticated phone scam, noting that the callers seemed professional and well-versed in state dental board investigations. 

Officials from the dental board or OCR will rarely call your practice. When the OCR, which is responsible for HIPAA enforcement, initiates an investigation, it typically does so through email or U.S. mail. Later in an actual investigation, the party can contact the case investigator using a direct number.

Be wary, always verify – and get more support 

Regardless of who the caller claims to be, verify their identity, share only necessary information and ensure the individual you speak with is authorized to access PHI. Be wary of unusual requests, exercise caution with callers who claim to be a government entity and never share personal or financial information over the phone. 

For more tools and support for having safe and HIPAA-compliant communication or to review new OSHA-compliant solutions, schedule a consultation with an Abyde expert.
