Balancing Digital Communication with Privacy by Craig Scholz, PhD

When I started working for Ortho2 in 1987, orthodontic offices had quite a cumbersome job communicating with patients and other doctors. Patient confirmations were done over the telephone (if at all), X-rays were mailed in large, ugly envelopes to other treatment providers and extraction letters could take all day. Recall postcards were printed on dot matrix printers and often discarded as soon as they were received.

As a teenager, I remember once delivering a large stack of patient charts down the hall to another provider from my dentist's office! This wouldn't fly in today's increasingly regulated and HIPAA-compliant world.

The good news is that today's orthodontic market offers many easy-to-implement software communication tools that can have exponentially powerful results. These products significantly increase an office's "touches" with prospective and existing patients, as well as with referrers and other treating specialists. Most of the products are cloud-based with mobile applications, which give patients and doctors the ability to easily access data, and with these tools patients can pay their accounts online and receive appointment confirmations via text message.

Treatment providers and labs can access shared patient data that enables faster, easier collaboration. Without the convenience of these communication systems, most offices couldn't operate at the level of efficiency required to be competitive in today's market.

Some practice management software companies offer doctor and patient communication functionality directly within their systems. Ortho2's cloud-based Edge system, for example, includes patient reminders, a doctor and patient portal and mobile applications, including the Practice Connect app.

Several companies in the orthodontic space offer a full suite of tools, such as website building and search engine optimization, that focus on efficiently increasing communication with patients, labs and other treatment providers. Most don't just integrate with, but also provide relatively deep connections to, other existing practice management software systems.

However, as anyone with a large spam inbox will testify, too much "communication" can be unwanted and quickly leads to negative feelings about the sender. Practices must also safeguard patient privacy—this is not only vital to protecting the practice but also shows patients and their families that you respect and value your relationship with them.

How secure are these communications? And how can you increase your practice community while maintaining HIPAA compliance and patient privacy? I spoke with several leaders in the orthodontic digital communication space to better understand their offerings and get answers to these questions.

Basic data security
The foundation of data security rests in the safe transfer and storage of patient records in practice management software. Secure logins and passwords, firewalls, antivirus software, accessibility and backup must be maintained to ensure privacy and data storage. Most practice management software companies also employ some form of data encryption within the system, which translates data into another form or code so that only people with access to a key or password can read it. This can be especially important for sensitive clinical data stored within a patient's record.

Securing computers in the office is also essential, as can be inferred from the recent headline, "Stolen Laptop Leads to $3.9 Million Settlement for HIPAA Violations." To date, stolen computers have been one of the most common causes for HIPAA claims. Make sure you have these basic issues covered with your local IT company, which should be able to set up data security systems for you to maintain.

In my experience, the biggest cause of major data loss in an orthodontic office happens because of lack of verification of onsite backups. Although the office staff may be following a daily procedure to ensure backups are done, in many cases no one verifies that the data has been backed up properly. When the server crashes and a backup is needed to restore data, panic ensues when the data is incomplete, corrupt or missing. This is one of the major reasons to consider a cloud-based practice management system—onsite backups are eliminated, and data is stored offsite in a highly secure data storage facility. (Ortho2 hosts all its Edge customer data in a private cloud, versus a public one, owing to the sensitive nature of the data.)

Secure cloud computing can also give you a leg up on HIPAA requirements, compared with traditional onsite legacy systems. In the new world of HIPAA, an onsite server is subject to physical and technical requirements from a security standpoint—access policies, disposal and reuse of media such as backup tapes, and requirements for "emergency availability." These requirements generally become the responsibility of your provider when you move to an offsite cloud-based solution.

Communications with patients

Arguably the most fundamental system with the largest immediate ROI for a practice is one that enhances communication with its patient base. Sesame Communications has been a leader in this space for decades with products that can help orthodontic offices become more productive, efficient and cyber-safe.

Sesame offers a suite of practice-to-patient tools for engagement and interaction to improve practice effectiveness and efficiency, which can lead to increased growth and profitability. Its offerings include website building, SEO, automated voice, text and email reminders, two-way texting, a doctor portal and a secure collaboration system.

Here are some notable statistics from Sesame:

• 97 percent of dental patients prefer to "click, not call," to communicate with the practice.
• 74 percent said that having access to information anytime, online, makes them more likely to stay with their doctor.
• Practices using Ortho Sesame realized an average of $105,323 in incremental production through reduced no-shows.
• Practices with Ortho Sesame that had no previous reminder system reduced no-shows by an average of 21.16 percent after one year.

Sesame ensures secure communications for its products several ways. Websites include a complimentary SSL certificate (Secure Sockets Layer, an industry standard for encrypting data to transmit private documents), which encrypts the traffic between the patient's laptop or mobile device and the website. Patients can stay on top of their treatment, confirm appointments and make payments in this encrypted environment at a time and place that's convenient for them.

The system also allows patients to customize how they receive communications from the office, which can help prevent overwhelming them with touches. Because email isn't a safe way to exchange protected health information, Sesame offers end-to-end encryptions between providers with a secure messaging application that doesn't require installing additional software.

In discussing patient privacy, Sesame's product manager, Dimitri Rabinovich, says: "A key part of the relationship between the provider and the patient is trust. A provider must be sure that all communications that relate to a patient are as secure as possible. This applies to everything from the practice website to messages between providers about a patient. Sesame started as a software company that served the orthodontic provider community, and we are still 100 percent committed to making offices more productive, efficient and cyber-safe at the same time."

Communications with doctors and labs
Another growing aspect of communication in orthodontics is digital collaboration with other treating providers and dental or orthodontic labs. One leader in this space is Henry Schein's Digital Dental Exchange (DDX), which connects orthodontists with other providers and thousands of labs across the country.

DDX is a web-based service that offers a fast, safe and efficient way to exchange and manage casework with labs and other treatment providers. With DDX, doctors can reduce prescription errors and omissions, streamline case management workflow, open new lines of real-time electronic communication and keep sensitive patient information safe and secure.

Security and privacy have been woven into the DDX platform in several ways. Information that's transmitted by DDX across the internet is done so using modern security technologies, and patient data that is stored by DDX is encrypted. Email alerts are a central part of the DDX communication platform that keeps stakeholders up-to-date on cases, but for regulatory compliance these emails are formatted so as not to include patient information.

User controls and user sessions are also key components of DDX security, so patient data is not exposed if practice team members leave their workstations unattended. Secure transmission of image data and patient records use SSL technology and DDX's data centers use encryption to help keep sensitive casework information protected and backed up at an offsite location. This allows an office to recover case and patient information quickly—even if their own systems go down or get damaged.

Currently, the biggest issue with doctor-to-doctor collaboration lies in the continued use of unsecure methods of transmission.

"It's still very common for us to see patient names attached to imaging being sent via Dropbox, YouSendIt, even email, and those are all typically noncompliant methods. Three years ago, we were talking mostly about digital collaboration. Now we spend at least as much time telling offices that you can't use email to send sensitive patient information," said DDX General Manager Sandy MacDonald.

Implementing a secure, HIPAA-compliant system for the transfer of records should be a priority for any office using outdated and unsecure methods.

Savvy use of social media

By far the most questions I hear concerning patient communication and privacy are regarding the use of social media. Recent data suggests that 78 percent of Americans use at least one social media service, and its proliferation into orthodontics continues to escalate.

Social media can provide many benefits to orthodontic practices when implemented in ways to protect patient privacy. Companies like My Social Practice specialize in developing smart, effective approaches to social media campaigns and in helping orthodontists strategize the best techniques to encourage this type of sharing.

Orthodontic practices are different from dental practices because they have two target audiences—the public and referring dentists. Social media helps orthodontists engage with both audiences in affordable, efficient ways that no other marketing strategy can provide and can turn existing and former patients into advocates.

Orthodontists are no longer solely forced to go out and "find" new patients; social media helps new patients find them through reviews and through publishing "share-worthy" content on their own trusted, permission-based social networks. Social media also helps practices build their reputations, share their practice cultures, increase their online visibility and become great storytellers.

So, when it comes to social media marketing, which is all about sharing, it's understandable that there may be some apprehension about snapping and sharing photos and videos from your practice.

Jack Hadley, a partner at My Social Practice, suggests that practices obtain consent for any image that's used. The consent form can be brief, as long as it covers the basic areas needed by HIPAA, and should include the following six components:

1. What the patient is specifically authorizing.
2. The purpose of the authorization.
3. The ability to revoke the authorization.
4. An expiration date.
5. The opportunity to receive a copy, if desired.
6. Who, specifically, the patient is giving authorization to.

Hadley also recommends that practices designate a space for social media photos, to avoid the risk of having anything or anyone in the background that could compromise patient privacy. (Find free sample consent forms and HIPAA strategy checklists on My Social Practice's website to download and get started.)

While solicitous emails or texts from an office can quickly become annoying to patients, the same people rarely object to social media posts that are interesting and share-worthy, Hadley said. "Back in the old days—a couple of years ago—it was possible to post too many times and annoy your audience, because fans saw the majority of the things you posted. But today on Facebook, for example, they often won't see your posts unless you're spending money boosting them. So practices have more control over what people see and don't see. We recommend that a practice should post daily on Facebook and boost it with a few dollars. We rarely if ever hear about patients or prospective new patients unfollowing because they get too much stuff."

Hadley also suggests that offices create opportunities for photos that patients take and share on social media. When a patient takes a photo, shares it on social media accounts and simply

tags your practice, there's no need for HIPAA consent. Practices can then share that post on their own business page. This approach is not only simpler but better for promoting the practice because all of the patient's friends will see it.

In terms of privacy concerns, Hadley concludes: "Remember that HIPAA and privacy policies are there to protect patients, not to create barriers. Don't let fear or doubt keep you from taking advantage of valuable opportunities to build relationships through patient and team photos. By adhering to a few common-sense safeguards and making sure your entire team is trained, you can confidently and comfortably include practice photos and videos in your social media efforts."

Moving forward
There's no question that digitally shared patient information will continue to expand in the coming years. Soon all medical professionals with access to patient data will have to use electronic medical and health records (EMR and EHR) or face penalties, and dental specialties won't be far behind.

Most practice management software companies have already begun preparations for this shift and the security required for its development. New and developing companies like OrthoScience are using patient clinical data in exciting ways. By compiling anonymized, 3-D data sets, Ortho­Science can demonstrate elements that distinguish an orthodontist's approach to treatment of the craniofacial complex, oropharynx and nasopharynx. The company provides unbiased science that allows orthodontists to share transparent information with both doctors and patients. By creating a worldwide network of clinicians and data, Ortho­Science aims to improve the standards of orthodontic education and peer review.

Like most things in life, the best integration of communication technology and privacy is about balance. While it's important to keep in communication with your patients, you certainly don't want to overwhelm them with touches. More important, you don't want to use communication methods that are unsecure or could get you in trouble with the HIPAA folks. Make sure your implemented technology is secure and fits with your brand, and that your staff is well-trained so you can deliver consistent messaging. Train your team on your practice's social media policy, and make sure everyone is clear on what they can post, the proper way to invite patients to participate and who to go to if there's a question.

One thing I've learned in my 30 years in the orthodontic software business is that solutions need to be simple and easy to implement—if not, they're quickly abandoned. Implementing a new communication system in your office can be a powerful way to connect with your patients, doctors and labs.

Whether using communication tools directly from your practice management software or integrating third-party modules, the process can be relatively easy and completely secure. Patients and referrers who have easy and secure ways to access important information will be happier and more likely to refer new patients to your office. In addition, your office and staff will benefit from the increased efficiency of improved workflows and security.