Risk Management Tips

The Risk

Patient confidentiality breaches pose a significant risk in the healthcare setting. The HIPAA and New York State laws govern your obligation to maintain the confidentiality of protected health information (PHI). Staff and dentists must be aware that routine office practices, including telephone contact, verbal discussions, and computer use, inherently carry the risk of patient confidentiality breaches.

Dental office staff must also be aware that discussing a patient’s PHI within earshot of others or leaving computer screens that display PHI where patients can see them can result in a breach of patient confidentiality. Furthermore, office staff discussing a patient’s PHI in public, or even in their presence at the office, may result in a serious breach of confidentiality. Such breaches of confidentiality must be prevented.

Recommendations

1. Educate staff at least annually (or more often, as necessary) about the need to maintain patient confidentiality inside and outside the office. Documentation of participation in these educational sessions should be maintained in staff personnel files.

2. Require staff members to sign new confidentiality agreements, which include the consequences of a breach of confidentiality up to and including suspension or even loss of employment, every year.

3. Assess the office premises to determine how best to maintain patient confidentiality. Identify areas that may cause an inadvertent breach of confidentiality and take appropriate corrective actions.

4. Establish private areas away from the waiting room and common areas for discussions with staff and patients. Avoid discussing PHI in such a way that it could be overheard outside the examination room.

5. Face computer screens away from patient common areas and reception areas. Use a screensaver or screen lock when away from the computer.

6. Include written consent forms in your Notice of Privacy Practices to allow patients to permit minimal information, such as appointment reminders and/or test results, to be left on telephone answering machines or with a designated person. Patients must be offered the option to opt out.

7. Any electronic device that is used for the transmission of PHI must be encrypted and have regular software updates installed.

8. Business Associate Agreements must be obtained and maintained for all vendors that have access to PHI.

The Risk

The receipt and review of test results are important aspects of patient care and safety in dental practices. Tests may not be completed or results may be lost, overlooked, or not received, leading to a potential delay in diagnosis and subsequent liability exposure. Follow-up procedures should be an integral part of your practice and can help ensure that patients obtain the necessary testing as ordered and that results are received, reviewed, and properly addressed.

Recommendations

1. Inform patients about the indications for the test(s) and document this conversation in the record.

2. Implement a follow-up system in your practice to ensure that patients have undergone the recommended test(s) and that the results are returned to the office.

3. The follow-up system should allow you to track the following information:

   • the patient’s name

   • the name of the test(s)

   • the date the test(s) was ordered

   • the date the results were received

4. The record should indicate the date of the provider review.

5. It is the dentist’s responsibility to notify patients of significant test results. This should be documented in the patient’s record.

6. Your process should include follow-up when patients have not undergone the recommended test(s). This may include telephone and/or electronic communication. All attempts to reach the patient should be documented in the record.

7. A follow-up mechanism that utilizes the same process should also be in place to track consultations.

The Risk

A missed or canceled appointment and the failure to follow up with or contact the patient may result in a serious delay in diagnosis or treatment. A well-defined process that includes dentist notification and follow-up procedures in this situation will help ensure the continuity of care and enhance patient safety.

Recommendations

1. Develop a process to follow up with patients who have missed or canceled appointments.

2. Dentists should be notified of all missed or canceled appointments daily.

3. The dentist should assess the clinical importance of the appointment, the severity of the patient’s condition, and the risk(s) associated with the missed or canceled appointment to determine appropriate follow-up.

4. A reminder telephone call from office staff may suffice for patients at minimal risk. The telephone call and the content of the message or conversation should be documented in the patient’s record.

5. A telephone call from the dentist may be indicated for patients at higher risk. The dentist should emphasize the importance of follow-up care and the risks inherent in failing to comply. This conversation should also be documented in the patient’s record.

6. If there is no response from the patient or the patient develops a pattern of not keeping or missing appointments, a letter with a certificate of mailing should be sent to the patient to advise them of the risk of noncompliance. A copy of the letter should be maintained in the patient’s record.

7. All efforts to contact the patient, either by telephone or in writing, should be documented in the patient’s record. This provides evidence that the patient was made aware of the importance of continuous medical care.

8. Staff should be educated regarding patient follow-up processes in the practice. Consider conducting periodic record reviews to evaluate the effectiveness of the established processes for patient follow-up.

9. Continued failure of a patient to keep appointments may be deemed noncompliance with treatment. Consideration should be given to discharging the patient from the practice. The attorneys of MLMIC’s Legal Department are available to assist you in determining how and when to properly discontinue a dentist-patient relationship due to patient noncompliance.

The Risk

Patient satisfaction is an integral part of every clinical setting. Dissatisfaction with dental care may be a harbinger of malpractice litigation. When you receive a complaint about care, how you handle the situation may directly impact the potential for future litigation. All dental office practices should have a protocol in place to address patient complaints based on the following recommendations.

Recommendations

1. One individual should be identified and consistently used as the primary person to address patient complaints. This is often the office manager.

2. All staff should know to whom complaints should be addressed, as well as what information constitutes a complaint that requires attention or intervention by that person. The information should, at a minimum, include:

   • written or verbal complaints regarding care

   • billing or payment issues that involve concerns about a patient’s clinical care

   • letters of complaint from third-party payors, the New York State Education Department, or other regulatory entities. We recommend that you retain personal counsel for assistance in formulating written responses to such agencies.

3. All staff must know how to communicate effectively when addressing a patient problem:

   • Always express concern for the patient’s condition and well-being.

   • Never be adversarial or defensive when communicating.

   • Be an active listener, and ask questions when appropriate.

   • Avoid judgmental comments about patients and their families or negative remarks about staff, dentists, or other providers.

   • Investigate all complaints and follow up as indicated.

4. Conversations with patients should be documented in their records. It is appropriate to quote the patient when documenting their concerns.

5. Keep letters of response to complaints concise and simple. A copy of the written response should be kept in the patient’s record.

6. When complaints involve clinical issues or are complex, dentists or other providers should be involved in addressing the situation.

7. Attorneys’ requests for records may be an indication of a patient’s dissatisfaction. The patient’s record should be reviewed in conjunction with these requests to assess the potential for malpractice litigation.

8. Consider seeking guidance when presented with unusual or difficult situations. MLMIC staff are available to assist insureds with handling complaints, formulating responses, and determining potential exposure to claims of malpractice.

9. Never document any contact with MLMIC or your attorneys in the patient’s medical record.

The Risk

Effective communication is the cornerstone of the dentist-patient relationship. Patients’ perceptions of a dentist’s communication skills may impact the potential for allegations of malpractice. The following recommendations are designed to promote open communication and enhance your ability to reach an accurate diagnosis and develop an appropriate plan of care.

Recommendations

1. Employ active listening techniques, and allow the patient sufficient time to voice their concerns.

2. Sit at the same level as the patient and maintain eye contact.

3. Assess the patient’s literacy level. This may be as simple as asking about the patient’s highest-attained grade level (https://www.ahrq.gov/professionals/quality-patient-safety/quality-resources/tools/literacy/index.html).

4. Use lay terminology when communicating with patients and their families.

5. Develop plans for communicating with patients who are hearing impaired, deaf, or have limited English proficiency (https://www.ada.gov/effective-comm.htm).

6. Utilize the teach-back method when providing patients with instructions and information. This technique requires patients to repeat the information provided in their own words. The teach-back method is particularly useful in assessing patients’ understanding of:

   • informed consent discussions

   • medication instructions, including side effects and adverse reactions

   • test preparation

   • follow-up instructions

   If the patient is unable to convey the information, it should be restated in simpler terms, perhaps utilizing pictures and/or drawings.

7. Evaluate your educational tools and consent forms to determine the grade level at which these are written. This will allow you to provide written materials that will be understandable to the majority of your patient population. Techniques that determine the readability and comprehension levels of documents are available from numerous sources, including:

   • https://www.cms.gov/training-education/learn/find-tools-to-help-you-help-others/guidelines-for-effective-writing

   • http://www.readabilityformulas.com/

8. At the conclusion of your patient encounter, ask the patient/family if they have any questions or concerns that have not been addressed.

9. Your documentation should reflect all aspects of patient interactions and comprehension. This will demonstrate the effectiveness of your communication skills and promote patient satisfaction, which may reduce your potential exposure to claims of malpractice.

The Risk

Lack of communication between providers may result in poor coordination of care. This may include a delay in diagnosis or treatment, failure to act on abnormal test results or findings, the duplication of a prescription, or failure to prescribe appropriate medications or order diagnostic testing. Clearly defining the roles and responsibilities of the referring and consulting providers will promote safe and effective care.

Recommendations

1. A tracking system should be in place to determine if the patient obtained the recommended consultation.

2. Referring dentists should develop a process for determining whether a report has been received from the consulting provider.

3. All consultation reports must be reviewed by the referring dentist prior to being placed in the patient’s dental record.

4. If a patient has been noncompliant in obtaining the recommended consultation, follow-up is necessary. Document all attempts to contact the patient and any discussions with the patient, including reinforcement of the necessity and reason for the consultation, in their record.

5. If a report is not received in a timely manner, contact the consultant to determine if the patient has been seen and whether a report has been generated.

6. Consultants should routinely send reports to referring dentists in a timely manner. These reports should include the:

   • findings

   • recommendations, including interventions

   • delineation of provider responsibility for treatment and the follow-up of test results

7. The consultant should contact the referring dentist when a patient fails to keep an appointment. The patient’s record should reflect the missed appointment as well as the notification of the referring dentist.

8. All telephone conversations between referring and consulting dentists should be documented. Timely communication must occur when an urgent or emergent clinical finding is identified.

The Risk

The communication of test results is an important part of providing care and may involve various dental or healthcare professionals. Test results may be overlooked, lost, scanned into the wrong record, etc. Abnormal test results that require follow-up present an additional risk if they are not received, reviewed, or communicated to the patient. This may result in missed or delayed diagnoses, patient injuries, and subsequent claims of malpractice. If a dentist orders a test, that dentist is responsible for ensuring that the results have been received and reviewed. Dental practices should have policies and procedures in place for the management of test results.

Recommendations

1. All ordered tests must be documented in the patient’s dental record.

2. A process should be in place to confirm and document the receipt of test results. Many electronic record systems allow practices to efficiently track pending laboratory/diagnostic studies.

3. All incoming laboratory reports and diagnostic tests must be reviewed and authenticated by the provider.

4. Patients should be advised of all test results, normal or abnormal. The dentist is responsible for communicating significant test results to the patient. This communication should be documented in the record. Any recommendations or interventions must also be documented.

5. Providers should have a system in place for the follow-up of pending laboratory/diagnostic test results for their patients who have been discharged from the hospital, emergency department, or other dental provider they may have seen. Receipt and review of these results should be documented in the patient’s record. Communication of the results to the patient should also be documented.

6. Dentists should clearly establish who is responsible for follow-up when tests are ordered for a patient by another dentist, specialist, or consultant.

The Risk

The lay public often has limited knowledge and understanding of dental terminology. A patient’s ability to understand dental information may be compounded by stress, age, illness, and language or cultural barriers. Effective communication with patients may improve compliance with treatment regimens, enhance the informed consent process, and increase safe medication use. Dental office practices can improve the patient’s experience and reduce potential liability exposure by employing the following recommendations.

Recommendations

1. Use lay terminology whenever possible. Define technical terms with simple language. Patient education materials should be written in plain language, avoiding the use of medical or dental jargon.

2. Verbal instructions may be reinforced with visual aids and printed materials that are easy to read and include pictures, models, and/or illustrations. Consider using nonprinted materials, such as videos and audio recordings, as indicated.

3. Offer to assist your patients when completing new patient information or any other practice documents. Provide this help in a confidential way, preferably in an area that is private and conducive to this type of information exchange. Encourage your patients to contact you with any further questions.

4. The use of interpreters may be indicated for patients who are not fluent in the English language.

5. At the end of the encounter, use open-ended questions rather than yes/no questions to further assess patient understanding. Instead of asking “Do you have any questions?”, try asking “What questions do you have for me?”.

6. Providers and staff should be familiar with and utilize the principles of the “teach-back method” when reviewing new medications or treatment plans with patients. Explain a concept and then ask patients to repeat the information they just heard using their own words.

7. Patients and family members may be embarrassed by, or unaware of, their healthcare literacy deficits. An empathetic approach to understanding patient health literacy will enhance the dentist-patient relationship.

The Risk

The failure to properly handle and document after-hours telephone calls can adversely affect patient care and lead to potential liability exposure for the dentist. Should a telephone conversation become an issue in a lawsuit — and it is not documented — the jury is less likely to believe the recollection of the dentist, who receives a large number of calls on a daily basis.

Recommendations

1. Establish a system to respond to after-hours telephone calls. This system should include a consistent process to ensure that all after-hours calls are responded to within a reasonable time frame and documented in the patient’s dental record.

2. Dental record documentation of after-hours calls should include the following:

   • the patient’s name

   • the name of the caller if different from the patient and the individual’s relationship to the patient

   • the date and time of the call

   • the reason or nature of the call, including a description of the patient’s symptoms or complaint

   • the dental advice or information that was provided, including any medications that were prescribed

3. If the patient’s condition warrants the prescription of medications, it is important to inquire about and document any medication allergies, as well as any other medications the patient is currently taking.

4. If you use an answering service, it should be periodically evaluated for courtesy, efficiency, accuracy, and proper recordkeeping.

5. The use of answering machines for after-hours calls is not recommended for the following reasons:

   • There are no safeguards in the event of an answering machine malfunction.

   • Patients do not always understand that no one will call back, even if this is stated in the message, due to limited English proficiency, anxiety, or other impediments.

   • If, as a last resort, an answering machine must be used, the message must be brief and simple, such as “If you are having an urgent dental problem, you may seek care at an urgent care center or emergency department of your choosing.”

6. When providing after-hours coverage for another dentist’s practice, a process should be in place to ensure that documented telephone conversations are promptly forwarded to that practice.

The Risk

Once the dentist-patient relationship is established, dentists have a legal and ethical obligation to provide patients with care. However, there may be circumstances when it is no longer appropriate to continue the dentist-patient relationship. A dentist may choose to discharge a patient for a variety of reasons, such as noncompliance with treatment, nonpayment, failure to keep appointments, or inappropriate behavior. Properly discharging a patient from care can be a complex issue. To avoid allegations of abandonment, providers should consider establishing a formal process for discharge.

Recommendations

1. The discharge of each patient must be determined by the dentist on an individual basis and based on dental record documentation of patient noncompliance or disruption. We recommend that you contact the MLMIC Legal Department for specific advice.

2. A formal patient discharge should be made in writing. To avoid allegations of abandonment, the patient should be given at least 30 days from the date of the letter to call you in the case of an emergency. This period may be longer depending on the patient’s condition and the availability of alternative care.

3. The three most common reasons dentists discharge patients are:

   • nonpayment

   • noncompliance with the dentist’s recommendations

   • disruptions to the dentist-patient relationship

4. The discharge must be effective as of the date of the letter.

5. Refer the patient to their dental insurer, the local county dental society, or another referral source to obtain the names of other dentists.

6. Provide the patient with prescriptions for an adequate supply of medication or other treatment during the 30-day emergency period.

7. Use the USPS certificate of mailing procedure, not certified mail, to send the discharge letter so it cannot be refused or unclaimed by the patient and can be forwarded if the patient has moved.

8. When the patient to be discharged needs urgent, emergent, or continuous care or has a disability protected by state and federal discrimination laws, the question of whether the patient can be discharged should first be discussed with counsel, since immediate discharge may not always be possible.

9. Become knowledgeable about the requirements regarding any restrictions on discharge imposed by the third-party payors with whom you participate.

10. Promptly send the patient’s records to their new dentist upon receipt of proper authorization.

11. Flag the office computer or other appointment system in use to avoid giving the patient a new appointment after discharge.

12. Document the problems that led to the discharge in the patient’s record.

13. Form letters and a memorandum on the discharge of patients are available from the MLMIC Legal Department.

The Risk

Dentists are often asked by close friends, relatives, or colleagues for dental advice, treatment, or prescriptions both inside and outside of the office. At times, these individuals may be seen by you as a courtesy and/or at no charge. Although the American Dental Association does not specifically prohibit the treatment of relatives or close friends, it is not without potential risk.

Over the years, we have seen a number of lawsuits filed against dentists by close friends, colleagues, and even their own family members because of care provided by our insureds. The defense of these suits is frequently hampered by the fact that there are often sparse or entirely nonexistent records for these patients. The failure to maintain a record for every patient is considered professional misconduct under New York Codes, Rules, and Regulations (NYCRR) 8 §29.2. Providing care under these circumstances may pose unique risks.

Remember, the same standards apply to all patients, and it is important that your close relationship does not influence the treatment you provide. Here are some recommendations about how to handle these situations.

Recommendations

1. Always create a dental record for friends, relatives, and colleagues to whom you provide care of any kind.

2. All patient encounters must be documented in their dental record, including those that occur outside the dental office.

3. Take a complete dental, medical, and social history when seeing friends, relatives, or colleagues as patients. This should include a thorough medication history to avoid potential drug interactions.

4. Do not write prescriptions, especially for controlled substances, for individuals with whom you do not have an established professional relationship. Always document the reasons for prescribing medications along with the dose. If narcotics are prescribed, consult the New York State Prescription Monitoring Program (known as I-STOP) registry and document this in the patient’s record.

5. When a dental surgical procedure is to be performed:

   • A signed informed consent form must be obtained and placed in the patient’s record.

   • The form must document that the informed consent conversation with the patient occurred, the patient understood the conversation, the patient’s questions were addressed, and the patient consented to the procedure.

The Risk

Patient noncompliance is one of the most difficult challenges for healthcare providers. Noncompliance may include missed or canceled appointments or failure to follow a plan of care, take medications as prescribed, or obtain recommended tests or consultations.

The reasons given by patients for noncompliance vary but often include the denial that there is a dental problem, the cost of treatment, the fear of the procedure or diagnosis, or not understanding the need for care. Dentists and other healthcare providers need to identify the reasons for noncompliance and document their efforts to resolve the underlying issues. Documentation of noncompliance helps to protect providers in the event of an untoward outcome and allegations of negligence in treating the patient.

Recommendations

1. Establish an office policy to notify the dentist promptly of all missed and canceled appointments. We recommend that this be done daily.

2. Formalize a process to follow up with patients who have missed or canceled appointments, tests, or procedures. This process should include recognition of the nature and severity of the patient’s clinical condition to determine how vigorous follow-up should be.

   • Consider having the dentist make a telephone call to the patient as a first step when the patient’s condition is serious.

   • If the patient’s clinical condition is stable or uncomplicated, staff should call the patient to ascertain the reason for the missed or canceled appointment.

   • All attempts to contact the patient must be documented in their dental record.

   • If the patient does not comply, send a letter by certificate of mailing outlining the ramifications of continued noncompliance.

3. During patient visits, emphasize the importance of following the plan of care, taking medications as prescribed, and obtaining tests or consultations.

4. Seek the patient’s input when establishing a plan of care. Socioeconomic factors may contribute to the patient’s noncompliance.

5. To reinforce patient education, provide simple written instructions regarding the plan of care. Use the teach-back method to confirm that patients understand the information and instructions provided.

6. With the patient’s permission, include family members when discussing the plan of care and subsequent patient education in order to reinforce the importance of compliance.

7. When there is continued noncompliance, patient discharge from the practice may be necessary. The attorneys of MLMIC’s Legal Department are available to discuss patient noncompliance and the discharge of a patient.

The Risk

Many procedures are performed in the office setting using dentist-owned or leased equipment. Equipment failure or malfunction may lead to patient, staff, or dentist injury. The appropriate maintenance of this equipment is essential to patient and staff safety.

Recommendations

1. A process should be in place for the maintenance of equipment. The manufacturers’ directions for use and recommended preventative maintenance schedule should be followed.

2. A record of all maintenance activities should be generated and retained.

3. All patient care equipment should be inspected on an annual basis at a minimum or more often if recommended by the manufacturer.

4. Equipment should be labeled with the inspection date, the initials of the inspector, and the date the next inspection is due.

5. A designated staff member should confirm that all required inspections and preventative maintenance of equipment are performed at appropriate intervals.

6. Relevant staff should be properly trained in the use of equipment. Documentation of training and education should be maintained in their personnel files.

7. The scope of practice of dental personnel/licensed staff must be considered when they perform or assist in a procedure and/or use equipment.

8. A process should be in place that requires the immediate removal of malfunctioning equipment from use in the practice. This process should include a provision to sequester any piece of equipment that may be directly involved in injury to a patient, staff member, or provider. Promptly notifying your dental professional liability insurance carrier is recommended when an equipment-related patient injury occurs.

The Risk

Obesity continues to be a serious health issue in the United States. Dental offices may not be well equipped to accommodate patients of size. Injuries can occur if appropriate equipment is not available to accommodate them. Furthermore, bias or ambivalence by healthcare professionals in treating obese patients can negatively affect patient care and lead to poor outcomes. Providing a safe environment while optimizing sensitivity to the needs of this patient population will enhance patient care and minimize exposure to claims of negligence.

Recommendations

1. Examination rooms and waiting areas should include appropriate and safe furnishings, such as large, sturdy chairs, high sofas, benches, or loveseats, that can accommodate patients and visitors of size.

2. Diagnostic and interventional equipment that can accommodate morbidly obese patients should be available. This may include but is not limited to:

   • floor-mounted toilets

   • sturdy grab bars in bathrooms

   • sturdy step stools in examination rooms

3. Office staff should be knowledgeable about the weight limits of their office equipment. Color-coded labels can be used to discreetly identify weight limits.

4. Office staff should be educated and trained in techniques to safely assist and transfer patients of size. Although patients of size may face many additional medical issues, they are less likely to obtain preventative care and more likely to postpone or cancel appointments because of embarrassment and/or feeling that healthcare providers are biased against them. Patient support and follow-up are important.

5. Healthcare providers should assess their own potential for weight bias. Recognize any preconceived ideas and attitudes regarding weight. Give appropriate feedback to patients to encourage healthful changes in behavior. Encourage patients to set goals and actively participate in their plan of care.

6. Educate staff about the needs of this patient population to enhance their ability to demonstrate understanding, respect, and sensitivity.

7. If the practice is unable to provide safe treatment to a morbidly obese patient, the dentist will need to give the patient access to a reasonable alternative.

The Risk

Medication errors result in a significant portion of professional liability claims. Patient harm can result from known risks, adverse or allergic reactions, drug interactions, and errors in prescribing. Careful attention to detail in prescribing and monitoring the use of medications promotes patient health and safety.

Recommendations

1. Dentists must discuss the indications, risks, benefits, and alternatives of prescription medication with their patients and document these discussions in the patient’s record.

2. Consideration should be given when treating and prescribing for patients who are immunocompromised, undergoing chemotherapy, or on anticoagulation or any other high-alert medication(s).

3. The patient’s allergy history should be reviewed prior to prescribing medication.

4. Allergies/sensitivities should be documented in a highly visible and pertinent part of the record.

5. Medication reconciliation should be performed on a routine basis, including the use of herbal supplements and over-the-counter drugs. Patients should be encouraged to bring a list of medications or actual prescription bottles to their visit(s) to facilitate this process.

6. The side effects of certain medications should be monitored with laboratory and/or diagnostic tests as indicated. Test results should be reviewed and adjustments made as necessary.

7. Discontinuance of or a change in medication(s) should be documented in the record, including the rationale for the change.

8. Patient visit intervals should be established for the continuance of prescription medications.

The Risk

The management of chronic pain through the prescription of controlled medication poses challenges and risks to both the patient and the healthcare provider. Common allegations against providers in pain management claims include:

• liability for failure to adequately treat pain

• liability for allegedly inappropriately prescribing controlled substances

• potential for civil charges being brought against a dentist or other provider for the patient’s diversion of narcotics and/or drug abuse or overdose

• liability for failing to recognize a patient’s addiction and/or diversion and to refer the patient for treatment

Recommendations

1. Perform and document a thorough initial evaluation of the patient. This should include a history and assessment of the impact of the pain on the patient; the nature, type, and cause of the pain; and a focused examination to determine if there are objective signs and symptoms of pain. The provider should also review pertinent diagnostic studies, previous interventions, and drug history and assess the extent of co-existing medical conditions that impact the patient’s pain. It is important to obtain the names of all other providers the patient is seeing or has seen and the pharmacies the patient uses.

2. Develop a specific treatment plan based on the evaluation.

3. Maintain accurate and complete records that clearly support the rationale for the proposed treatment plan.

4. Perform a thorough and informed consent discussion regarding the plan of care, including the risks, benefits, and alternatives, as well as the risks of the alternatives, such as no treatment with controlled substances.

5. Request the patient’s consent to obtain copies of the records of all prior treating dentists, and review these records before prescribing controlled substances to determine if there is a history of drug-seeking behavior or drug abuse.

6. Use a written pain management agreement when prescribing controlled substances for patients with chronic pain. If the patient has a prior history of drug abuse, refer them to a pain management practice or clinic, if possible. A pain management agreement outlines the expectations of the provider and the responsibilities of the patient, including:

   • a baseline screening of urine/serum medication levels

   • periodic unannounced urine/serum toxicology screening

   • medications to be used, including dosage(s) and frequency of refills

   • a requirement that the patient receives medications from only one provider and uses only one pharmacy

   • the frequency of office visits

   • any reasons for the discontinuance of drug therapy (e.g., violation of agreement)

   A sample pain management agreement can be obtained by contacting the MLMIC Legal Department at (844) 667-5291.

7. Document and monitor all prescriptions and prescription refills.

8. Consult the I-STOP registry prior to prescribing any controlled pain medications. Document either that you have consulted the registry or the circumstances surrounding why consultation was not performed.

9. Protect prescription blanks if still utilized in your practice. Limit and monitor staff access to computer-generated prescriptions.

10. Take positive action if you suspect patient addiction or diversion. Public Health Law §3372 requires dentists to report any patient who is reasonably believed to be a habitual user or abuser of controlled substances to the New York State Bureau of Controlled Substances by calling (518) 402-0707.

11. Refer the patient for treatment of addiction, and, if appropriate, discuss this with the patient. Document the referral and discussion in the patient’s record.

12. If a patient is believed to be selling/diverting narcotics and the patient’s random urine test confirms no drug use or there has been a forgery or theft of prescriptions, contact the MLMIC Legal Department to discuss how to discharge the patient and how to handle requests for medications from the patient before the discharge is final.

The Risk

Healthcare professionals share the responsibility of minimizing prescription drug abuse and drug diversion. Dentists are tasked with differentiating patients in need of effective pain management from those who may be seeking drugs for inappropriate reasons. The following recommendations are intended to provide guidance to healthcare providers when confronted with drug-seeking patients.

Recommendations

1. Perform a complete review of the patient’s pertinent history and conduct a thorough dental evaluation. Address and document all objective signs and symptoms of pain.

2. Exercise concern when dealing with patients who are not interested in having a complete dental examination, are unwilling to authorize the release of prior medical records, or have no interest in a diagnosis or referral and instead say they want the prescription immediately.

3. Be cautious if a new patient has an unusual knowledge of controlled substances or requests a specific controlled substance and is unwilling to try any other medication.

4. Document a trial of non-narcotic medication and/or therapy before choosing to place the patient on a controlled substance.

5. If you are able to identify the true source of the patient’s pain, document that and any positive test results in the patient’s record.

6. New York State providers must consult the I-STOP registry prior to prescribing any Schedule II, III, or IV controlled substances. To establish a Health Commerce System account to enable you to do so, access the website at https://www.health.ny.gov/professionals/narcotic/prescription_monitoring/

7. Document the patient’s informed consent for treatment of chronic pain with controlled substances. Have the patient sign a written pain management agreement (available from the MLMIC Legal Department) when prescribing controlled substances for chronic pain.

8. Specifically document drug treatment outcomes and the rationale for medication changes.

9. Assess whether further treatment for addiction or pain management is appropriate and document this discussion with the patient. If necessary, refer the patient for consultation to a pain management clinic or rehabilitation facility.

10. Carefully monitor and protect Official New York State Prescription pads if you use them. Unless an exemption is applicable, prescriptions for controlled substances must be electronically dispensed.

11. When electronically issuing or writing a prescription for controlled substances, write the quantity and the strength of drugs in both letters and numbers to prevent alteration.

12. Report patients who are reasonably believed to be habitual users or abusers of controlled substances to the New York State Bureau of Controlled Substances. This is required by New York State Public Health Law §3372.

13. Contact the MLMIC Legal Department to discuss how to address a patient you believe is selling/diverting narcotics or altering, forging, or stealing prescription pads.

The Risk

With virtually all dental offices and healthcare facilities connected to the internet and using computer systems, maintaining the security of computers and other electronic devices as well as the privacy of patients’ PHI has become critical.

The following are tips for staff and providers on securing this technology and information.

Recommendations

1. Require that staff and providers have strong and unique passwords:

   • Passwords should have a minimum of 12 characters and include uppercase and lowercase letters as well as numbers and symbols.

   • Passwords should be changed at set intervals.¹

2. Do not share passwords. Do not allow others to document in an electronic record system under your password while you are logged on.

3. Grant staff access to an electronic record system only on a “need-to-know” basis:

   • Individuals should be granted access only to the information necessary to perform their jobs.

   • If an employee transfers to a different job function, have a process in place to reduce or increase their access based on the new job functions.

4. Educate staff on the reasons why and instruct them not to:

   • plug their personal devices into USB ports on the system’s computers

   • install software on their work computers without prior approval

   • click on suspicious links in emails

   • allow unencrypted USB devices to leave the facility

5. Position computers and printers away from patient and visitor traffic and consider the use of screen filters to prevent others from seeing PHI.

6. Encrypt all computer hard drives. At a minimum, all laptops and tablets should be encrypted, especially if they are to leave the facility.

7. Provide frequent and ongoing cybersecurity education and training.

8. Policies and procedures should clearly define the disciplinary actions to be taken for inappropriate use of the computer system.

9. Develop a cybersecurity incident response process to address a security breach or cyberattack, and test it at least annually to confirm that there is:

   • a defined procedure to report any suspected information security incident

   • an obligation for employees to report any suspected incident immediately upon discovery

   • one or more individuals with clearly assigned responsibilities to manage incidents

10. Promptly disable an individual’s access to the computer system upon their leaving employment:

    • For involuntary dismissal, disable access prior to the notification of termination.

    • If access to the employee’s emails, voicemail, etc., is necessary, assign another qualified individual to address any information that requires review or action.

11. Maintain inventory control of all computerized devices, including laptops, thumb drives, and handheld devices.

12. Install appropriate antivirus software, and update devices frequently to protect the computer system from security vulnerabilities.

13. Routinely perform system back-ups of files and data. Test back-up restoration semiannually at a minimum.

14. Perform audits to ensure compliance with health information technology policies and any applicable regulations.

¹ Current guidelines suggest that if the password length is set to 16 characters, it should be changed annually at a minimum.

The Risk

Dentists recognize that along with their practice websites, public websites such as Yelp, Healthgrades, and ZocDoc and social media sites such as Facebook and X (formerly known as Twitter) can be used as marketing tools to inform the public of their services. The online community, however, is afforded an opportunity to respond, rate, and, at times, complain about those services. These statements and reviews are readily accessible to anyone with an internet-ready device.

While there is a basic instinct to immediately respond to negative online reviews, dentists must remember that privacy rules make a complete response via social media inappropriate, and responding directly to an online post puts the provider at risk of disclosing PHI. Your response may not contain any identifying statements, but the mere recognition of a patient-provider relationship is a potential HIPAA violation.

The following tips will help you successfully and appropriately respond to negative online reviews.

Recommendations

1. Critically review all social media posts for accuracy and authenticity. While some negative statements regarding the performance of you or your staff may be difficult to read, evaluate these reviews to determine if there is any opportunity for learning or process change. Also consider the totality of positive reviews against the negative reviews.

2. Do not become engaged in online arguments or retaliation — especially if the comments made are particularly negative and potentially detrimental to the reputation of the practice or provider.

3. According to federal and state confidentiality and privacy laws, providers are precluded from identifying patients on social media. To protect patient privacy, all patient concerns and complaints should be resolved by the practice by contacting the patient directly and not through social media.

4. If you do choose to respond via social media, use a standard response that also serves as a marketing opportunity for your practice. Some examples include:

   • “[Insert name] Practice is proud to have been providing comprehensive and compassionate care in the community since [insert year] and takes the treatment of its patients and their privacy seriously. Because federal privacy laws govern patients' PHI, it is not the policy of [insert name] Practice to substantively respond to negative reviews on ‘ratings’ websites, even if they provide misleading, unfair, or inaccurate information. We welcome all our patients and their families to address any concerns/requests or information about their care with us directly, as we strive to continue to provide individualized care in our community.”

   • “At our practice, we strive for patient satisfaction. However, we cannot discuss specific situations due to patient privacy regulations. We encourage those with questions or concerns to contact us directly at [insert phone number].”

5. If you feel the patient’s complaint has disrupted the dentist-patient relationship, consider discharging the patient from your practice. This action may be viewed as retaliatory by the patient and may set off a new series of negative posts. Attorneys of MLMIC’s Legal Department are available to assist you in making this decision.

6. Notify your local authorities if you feel at any time that your safety and/or the safety of your staff or your family is threatened or at risk.

The Risk

Healthcare communication continues to become more electronic, and while social media accounts tend to have a more casual communication style, healthcare providers must remain vigilant about the security of their platforms as well as the message they convey to their existing and potential patients. Social media is a powerful tool, but it is not without risks.

Social media hygiene is a set of practices and behaviors related to cleaning up and maintaining your digital presence in terms of both security and the message your social media applications deliver to existing and potential patients.1 In much the same way as we regularly wash our hands with soap and water, it is critical to follow those practices that will keep you and your virtual data secure and convey an appropriate message about your organization.

Recommendations

Performing proper social media hygiene is a two-step process, the first of which is system hygiene:

1. Regularly update all electronic devices and applications as recommended.

2. Use passwords that follow appropriate security protocols:

   • Longer passwords are more secure: 16 or more characters is recommended.

   • Passwords should include different characters: numbers, symbols, and at least one capital letter.

   • Avoid recycling passwords.

   • Do not use the same password for all devices/apps/accounts.

   • Do not allow staff to share passwords.

3. Review the organization of files stored on your devices:

   • Determine whether you have the right information and applications on the right device(s).

   • Define the files that are mobile-, laptop-, and PC-appropriate.

4. Optimize factory settings:

   • Use default settings as appropriate.

   • Know how to disable, lock, or erase information in the event of device theft.

5. Use multifactor authentication (MFA) to log into your social media accounts.

6. When possible, employ device encryption.

7. Lock down who can see your posts/information.

These steps are often cited as the best measures to employ for protection against cyberattacks. However, your cybersecurity must extend beyond your device(s) to include the information that is attached to you and your practice.

Reviewing the information on your social media platforms is the profile hygiene portion and second step of this process:

1. Analyze your current social media profiles to determine if there is anything that:

   • must be immediately addressed or can wait for revisions

   • is no longer current

2. Clean up your digital past:

   • Delete old photos and posts that are no longer relevant.

   • Delete old and/or neglected social media accounts.

   • Obtain consent from patients for photo use.

3. Ensure that the privacy settings on your platforms remain up to date.

4. Review your blog and website:

   • Ensure that all information remains relevant and accurate.

   • Consider whether the message presented about your practice is as you intend.

   • If links are embedded, test that they are still functional and appropriate to your message.

   • Delete any stale/nonfunctioning links, and, if appropriate, replace them with current information.

5. Keep personal and professional social media accounts separate.

6. “Friend” requests are to be avoided. Patients will be able to “Like” or “Follow” your page without you needing to “Friend” or “Follow” in return.

7. Educate your staff about social media, and use the same guidelines for keeping personal and work social media accounts separate. Refrain from discussing PHI and avoid “Friend” requests from patients. If a staff member manages the dental office’s professional page, all posts are to be reviewed.

8. Never discuss PHI on social media, publicly or privately. If a patient contacts you through a post, comment, or direct message, direct them to contact you through your office phone, email, or secure patient portal.

9. Do not post anything that could be construed as misleading.

   • The New York General Business Law NY Gen Bus Law §350-A says that whatever you are using in your advertising (any type of advertising) must be truthful and not misleading. Any statements you use in advertising or on social media, such as an accolade or success rate, are subject to the New York State General Business Law. Edited photos could also be in violation because someone could argue that the photos are not truly indicative of the work done.

   • If a dentist is in violation of NY Gen Bus Law §350-A (2012), it may be considered professional misconduct and can lead to an investigation through the OPD or the Office of the New York State Attorney General.

   Routinely performing social media hygiene can help protect your practice from security breaches, keep your social media sites informative, and improve overall patient satisfaction.