S5 E07: A Dentist's Guide to The Law

Answers to the top legal questions every dentist should know.

Dental Sound Bites Season 5 Episode 7 with Paula Tironi

Episode notes

A Dentist’s Guide to The Law

Description: Answers to the top questions every dentist should know. Practical resources to address the legal issues relevant to you, your team, and your practice.

Special Guest: Paula Tironi

“HIPAA has three main rules, the privacy rule, the security rule, and the breach notification rule. And all three rules require a covered dental practice to have written policies and procedures to comply with those rules, to train their workforce on the rules and to document that training. And if they become aware that a workforce member has violated one of those rules, they need to apply an appropriate sanction and document the sanction.”


Show Notes

  • In this episode of Dental Sound Bites, we’re sharing practical resources to address some of the legal issues relevant to you, your team, and your practice.
  • Our guest for this episode is Paula Tironi, Senior Associate General Counsel at the American Dental Association’s legal division. Her practice areas include data privacy and security issues, including HIPAA, state data security and breach notification laws, and industry privacy and security standards; civil rights and disabilities laws such as the Americans with Disabilities Act and Section 1557 of the Affordable Care Act; health law issues including reimbursement, fraud and abuse, and legal issues pertaining to research. Ms. Tironi also serves as legal advisor to the ADA Council on Scientific Affairs (CSA), the Commission on Continuing Education Provider Recognition (CCEPR), the Dental Experience and Research Exchange (DERE), and the Data Governance team. Paula works with the ADA Washington D.C. office to develop comments to proposed federal regulations pertaining to health law and data privacy and security.
  • The publication A Dentist’s Guide to The Law: 246 Things Every Dentist Should Know is a practical resource to address the wide array of legal issues relevant to you, your team, and your practice. For more information on where to purchase, and even receive a 15% discount, see the resource section below.
  • Ms. Tironi addresses the key privacy and security requirements under HIPAA, and how the HIPAA risk analysis and risk management requirements apply in a world of increasing electronic health records and biometrics.
  • What happens if a practice accidentally violates HIPAA? Ms. Tironi addresses what to do if, for example, someone in the practice mistakenly sends the wrong record to a patient.
  • With the rapid growth and use of artificial intelligence, Ms. Tironi addresses the legal challenges dentists should be mindful of when utilizing AI.
  • Many practices are transitioning to becoming a paperless office. What are the legal issues dentists need to know? Ms. Tironi shares that HIPAA is a consideration for billing as well, so processes and procedures are important to have in place.
  • In the age of security cam surveillance and social media selfies, Ms. Tironi shares what dentists need to know about recording in a dental office.
  • Ms. Tironi lists the considerations every practice needs to take when training their teams to safeguard protected information.
  • ADA members have many ways to find answers to their legal questions. Ms. Tironi lists the multiple resources available for ADA members, and how the ADA can help them find answers to their questions.

Resources


Wright: [00:00:00] Wish you had a lawyer on speed dial to help you answer some of the top legal questions that every dentist asks. Well, hello, hello everyone. I'm Dr. ArNelle Wright.

Ioannidou: [00:00:09] And I'm Dr. Effie Ioannidou. Today, we are sort of making your wish come true and we are sharing practical resources to address the legal issues relevant to you, your team, and your practice.

Announcer: [00:00:25] From the American Dental Association, this is Dental Sound Bites. Created for dentists, by dentists. Ready? Let's dive right into real talk on dentistry's daily wins.

Wright: [00:00:41] We have a really good show for you all today, but first, if you want to be a part of our Dental Sound Bites family, please take a moment to subscribe wherever you listen so you don't miss any episodes.

Ioannidou: [00:00:52] Yes, yes, yes. And we have a very large family now, right? And you can also watch this episode, not only listen to every episode. So let's follow, you guys go and follow the ADA's YouTube channel.

Wright: [00:01:05] Yes. So, there's been so many legal questions that I hear our colleagues talking about in conversation at conferences and with that in mind, we are so excited to start off this conversation with one of ADA's own in-house attorneys, Paula Tironi.

Paula, thank you so much for joining us today.

Tironi: [00:01:24] Thank you. I'm glad to be here.

Wright: [00:01:26] Yay. We're glad to have you.

Ioannidou: [00:01:28] Hi, Paula.

Tironi: [00:01:29] Hello.

Ioannidou: [00:01:31] So, I know you quite well from the Council of Scientific Affairs, but tell a little bit about yourself to our listeners. What do you do in the ADA and how things are going over there?

Tironi: [00:01:45] Thank you. Well, I'm a Senior Associate General Counsel at the ADA, and I'm one of several lawyers here in the ADA Legal Center of Excellence. My background is, I went to the University of Michigan Law School after getting my BA at Notre Dame, and then I got a master's in health law at Loyola University, Chicago.

Law is one of the few professions where you get your doctorate and then you get your master's if you want to, but I wanted an LLM in health law to start focusing in that area. But I think what helps me most here at the ADA is that I used to work in my father's dental office. He was a general dentist in Michigan and what I learned there, I use every day in my career. So as Effie mentioned, I am assigned to be the in-house counsel for the Council on Scientific Affairs. I also work with the Commission on Continuing Education Provider Recognition, the DERE program, Dental Experience and Research Exchange, and in Data Governance.

I'm a certified international privacy professional in U.S. privacy law and my focus here is mostly on health law, data privacy, and security, including HIPAA compliance. The ADA has some HIPAA compliance responsibilities and I help with those and I also do some work in the disabilities law area.

Ioannidou: [00:03:10] Oh, so you do so many things. I have no idea, but this is very, this is a very rich portfolio for sure, Paula.

Wright: [00:03:19] Yeah. Well, I think it's really good that you introduced and shared with our listeners some of the areas specific to your practice and I do want to let our listeners know where we got inspired for this episode. And it's actually through a book that the ADA sells called a Dentist's Guide to the Law. There are 246 things that every dentist should know everybody, so today in this episode, we're not going to get to all 246 questions, but we're going to cover some that are frequently asked and that are specific to Paula's practice area.

So, with that in mind, our first question and it's actually a double question, is what are the key privacy and security requirements under HIPAA that we should know, understand, and value, and how do they apply in a world of increasing electronic health records and biometrics?

Tironi: [00:04:12] That's an excellent question and before I get started, because I'm an attorney, of course, we need to start with the disclaimer. So, my remarks on this podcast are educational only and they do not constitute legal advice and they don't create an attorney client relationship and my remarks are limited to federal law, not state law.

We have links to some non-ADA websites in the materials that go along with this podcast and for any non-ADA website, we do not endorse the content and we don't imply any affiliation with those organizations that provide their content. We make no representations or warranties about the information on those websites because we don't control them in any way.

So having gotten the disclaimer out of the way...

Ioannidou: [00:05:01] I always love your disclaimers, Paula. I just love them. I love them.

Wright: [00:05:05] I love it. Such an appreciation.

Tironi: [00:05:07] Thank you. So let's talk about HIPAA and data, privacy and security, some of the key requirements under HIPAA. HIPAA has three main rules, the privacy rule, the security rule and the breach notification rule.

And all three rules require a covered dental practice to have written policies and procedures to comply with those rules to train their workforce on the rules and to document that training, and if they become aware that a workforce member has violated one of those rules, they need to apply an appropriate sanction and document the sanction.

So that could be something like a reminder, a written warning, retraining and depending on the severity of the violation, a suspension or even termination, you know, if that's warranted. All of the documentation has to be retained for at least six years from the date it was created or from the date that it was no longer in effect, whichever is later.

And the Office for Civil Rights can ask for that documentation on very short notice in the event of an investigation or a compliance review. Another important part of HIPAA compliance is the business associate agreement. So any outside vendor or individual or entity that has access to the patient information needs to sign a specific kind of agreement with the dental practice called a business associate agreement.

Recent enforcement actions from the Office for Civil Rights have seemed to focus on two areas. One is the HIPAA security risk analysis and the other is patient access to their health information. So, talking a little bit about the HIPAA security risk analysis first, the risk analysis is something that the dental practice does initially and then keeps updated.

For example, if they learn of a new threat, if they acquire new technology and so forth, and essentially, what the dental practice does is go through all of their information assets and determine whether their risk management is sufficient. So they would identify any vulnerabilities, any risks, kind of rank them from high to low, and then come up with risk management techniques to bring the risk to an acceptable level.

That needs to be in writing and the Office for Civil Rights has been focusing on the risk analysis in their enforcement actions lately. And then, the other one is patient access to their health information. If a patient requests access, like to see or to get a copy of their health information, the dental practice has to provide that access within a certain amount of time in most cases.

So dental practices that provide the information too late or don't provide the information could be subject to HIPAA penalties as a result.

Ioannidou: [00:08:02] This is so complicated. It's not that easy, right? It makes me wonder, does this approach to the risk management assessment vary depending on the size of the practice or, you know, even a very tiny solo small practice in a remote county? Do they really have to follow through all this documentation? Is this, like, federally required?

Tironi: [00:08:32] It is for a covered dental practice. If the dental practice is covered by HIPAA, it needs to have a compliance program in place, but HIPAA is flexible and scalable. So the compliance program for like a small solo dental practice, like my father's practice in Michigan would be very different than the compliance program for say, a hospital.

Ioannidou: [00:08:52] That's right.

Tironi: [00:08:53] And HIPAA is also technology neutral. It doesn't tell you how to comply with the standards. It just tells you that you must and each dental practice can decide how best to mitigate risk in their environment while complying with all of the HIPAA standards.

Ioannidou: [00:09:10] This is really very interesting. It got me excited. So another common question that we frequently hear about and, you know, I think it's one of the questions that I probably have myself as a doctor, but also from the patient perspective is, what happens, Paula, if accidentally there is a HIPAA violation?

For example, say that the staff member by accident sends a wrong record to a patient. As a matter of fact, myself as a patient, I have received medical records, not dental, but medical records of someone. What happens in this case? What's the right approach?


Tironi: [00:09:51] I guess I would start by saying human error happens.

We're human. We make mistakes. If the dental practice has their HIPAA compliance program, and it's documented, and they have provided training to their workforce members, and the training is documented, and they discover that a workforce member has made a mistake, HIPAA would require them to take a few steps.

First, it would be appropriate, you know, apply an appropriate sanction. So a reminder, warning, whatever is appropriate and document that that was done. If there's a data breach as a result, then they would need to send breach notification, timely breach notification under the HIPAA breach notification rule and if it involves electronic information, and it meets the definition of a security incident under the security rule, then they have to take a few more steps. A security incident is an attempted or successful unauthorized access to patient information, or use, disclosure, modification or destruction of patient information, or interference with system operations.

So if the dental practice discovers that, that has occurred, they need to identify it and respond. They need to mitigate any harmful effects and document the incident and the outcome. So HIPAA, I think, takes into account that mistakes can happen and has these procedures to go through when the dental practice discovers that somebody has made a mistake. It's not necessarily a violation that will result in civil penalties against the dental practice, particularly if they are compliant with HIPAA, they've done the training and so forth.

Ioannidou: [00:11:29] And I'm sure that it, you know, what you mentioned about security, I'm sure it has to do with the size of the breach, right? If it's, if I'm sure it's different if there is a breach of security that affected, you know, 10 records as opposed to a thousand records.

Tironi: [00:11:47] That's an interesting question. All breaches need to be reported to the Department of Health and Human Services.

Larger breaches, I believe it's over 500 individuals affected, need to be, the Office for Civil Rights needs to be notified. When the dental practice notifies the patients of smaller breaches, they can be reported once a year and the Office for Civil Rights investigates breaches, but a breach is not necessarily a HIPAA violation.

A dental practice can be in full compliance with HIPAA and a breach could still happen. The important thing is to provide notification when required and then use that information to see if you need to update your HIPAA compliance.

Wright: [00:12:30] There's so much and you know what, as an aside, it's a wonder that we get to have this conversation because truthfully, I'm not sure that I knew all this.

Ioannidou: [00:12:43] No, no, no. I hear you and I'll tell you, it's interesting after so many years, I mean, I got my dental degree back in the nineties, right? Mid-nineties. Practicing dentistry in the U.S. for quite some time. Obviously, the legal framework between Europe and the U.S. is very different. We never had any legal training in dental school in Greece. Obviously, I don't remember having any legal training in residency in the U.S. and 25 years later, whatever 30, do the math. I come here to California and to get a license, dental license, in California. You have to pass the law and ethics exam and all these things that you Paula, you just mentioned related to HIPAA was one aspect of the I think three, four questions in the exam were addressing HIPAA and I can tell you, it's not easy. It's not an easy exam. You really need to know your, you really need to study the law and it was the first time that I came after so many years, I came facing these requirements.

Wright: [00:13:52] Wow. So this is fresh for you, right Effie?

Ioannidou: [00:13:56] I mean, it's a year old, nothing is fresh. Connecticut doesn't require this. Connecticut gives you the license. That's it.

Wright: [00:14:05] Yeah, we had laws and rules, but I don't know if it was this in depth. Like, I mean, I don't know. I could be just not remembering, but I'm so glad to have a refresher, almost like a little masterclass.

So thank you, Paula. Now with artificial intelligence, you know, starting to be commonly discussed, it's a part of the dental profession. Can you tell us about the legal challenges that dentists should be mindful of as it relates to utilizing AI?

Tironi: [00:14:38] Yes, this is an interesting topic and very timely.

AI tools can have benefits and they can also have risks. For example, a large language model that can generate text, summarize articles and so forth can be very helpful. It can save time, save labor, but some of the risks are, there are privacy risks, for example, and there are accuracy risks as well as some copyright issues.

So when it comes to privacy, it's important to think of an AI tool as involving input data and output data. So let's say you ask a large language model tool to generate text for you. You input some data and then the output data comes out. Now, if that tool and provider use your input data to train the AI, it could use your input data and serve it to another user of the tool.

So, if you have included patient information, there's a potential for a breach there. There is also a phenomenon called hallucination where AI can just make stuff up and it can be very convincing. So human review of the output is very important for accuracy. Another issue that can come up is copyright.

If the AI tool gives you someone else's copyrighted information along with the output, then you may be in violation of the copyright. So these are a few things to keep in mind. You can help mitigate that risk by doing due diligence on the AI tool. For example, find out if they're going to use your input data or the output data to train the AI.

Find out how they protect the data. Look at their documentation, look at their terms of service, their privacy policy, their acceptable use policy, and note that these can change regularly. So you might want to revisit them from time to time. Have an attorney look at them, look at the contract, for example, and then have some policies and procedures around what tools staff can use, what tools, what purposes, what can they use the tools to do and steps they need to take, like review the output, make sure it's all accurate.

Wright: [00:16:55] This is so like, when I think about it, I tend to be a little stubborn when it comes down to utilizing things like AI, it's almost from a place of fear and I know that it's here, but I wonder, like as you, as an attorney, you are all learning about all of these things that kind of like in real time, right, so you have to kind of learn on the spot and make some things, you know, I guess, have some guidelines and things like that, but do you know of any practices, maybe I'm not sure how much, you know, practices you're focused on, but like, do you know of any practices, how they're utilizing AI as it relates to patient care? Like how, what's that intersection? I'm just curious on if you have any thoughts on, you know, I don't know, how practices are using it and how, I guess it could like, I don't know, go in the wrong direction, you know, for us that are in practice.

Tironi: [00:17:54] I understand. Yeah, for clinical decision support tools that use AI, that's a higher risk area and so vetting is very important. One of the areas that should be vetted for is bias, because some AI can be biased. They can discriminate. So asking the vendor or asking the provider of the tool, what they do to vet the tool for bias is very important step in that process.

Wright: [00:18:20] That's great. Thank you. Wow.

That's good, because there's a lot of different software that is coming out and they provide AI, like within the software so that you can use it for, you know, streamlining and all these things. And when you mentioned patient data, I'm like, Oh, cool. So I didn't know that we were there yet, you know, pardon my ignorance.

Ioannidou: [00:18:41] Oh, no, we are. We can use AI for diagnostic purposes. I mean, the example that Paula brought up in terms of composing notes and bringing clinical information together to apply to a text is one thing, but we are now pulling clinical data and radiographic data to diagnose patients, diagnose caries, to diagnose, you know, periodontal disease. I mean, there are a lot of apps that feed through clinical data and give you, spit out for you, a clinical diagnosis for periodontitis. As we know, the last classification is not that easy.

Wright: [00:19:23] Yes. I was just looking at this yesterday and I was like, whoa, my gosh.

Ioannidou: [00:19:27] Correct. So they have developed a lot of tools to speed up this process and I like what you brought up, Paula, because on one hand, you know, the feeding of this data to large, I guess, to data tools that don't protect the confidentiality of the patient. I mean, the same thing applies to the editorial policies, right? You cannot just copy paste your paper and expect that this is securely edited, anybody can pull from this data. Now it becomes public. It's pretty much the same with patient data, unless they are behind a firewall and they are protected and their file confidentiality is protected. You are, you're absolutely right.

Tironi: [00:20:15] There are a number of tools out there. I don't know them all, but it's important to vet them. You know, some are more private than others. Some give you more protection than others.

Ioannidou: [00:20:25] It's important to vet them. That's the bottom line.

Wright: [00:20:27] I think that was some of the best advice that we've gotten. Cause like we talk about AI, you know, a lot or just like the more timely thing to remember is, make sure that you're vetting and especially when you utilize new software, like asking those questions it, you know, I haven't gone down that road yet, but that's a good tip for us. So thank you so much for sharing that with us too.

Ioannidou: [00:20:50] And on top of this, then you have the paperless billing, right? And many practices now have transitioned. Others are transitioning as we speak to a type of paperless office, which is, as you see behind me, it's my dream, so it will never happen in here.

But anyway, so what are the legal considerations for dentists? What do they need to know to move to make this transition?

Tironi: [00:21:16] Well, some examples of the legal issues that would come up in the context of paperless billing, I'll start with HIPAA because protected health information, which is the information protected by HIPAA, includes payment information.

So payment information is protected by HIPAA as much as information about a patient's condition or treatment. So electronic billing would require that the billing system be included in the HIPAA security risk analysis. So the dental practice would identify threats and vulnerabilities, assign a risk level, and then mitigate the risk to bring it down to an appropriate level.

It's important to have policies and procedures that tell staff how to use the paperless billing safely. They need to know who to report to if they discover a breach and so forth. Also, you would need a compliant business associate agreement with the vendor, potentially if the vendor has access to patient information, and anyone else that would have access to patient information who's not a member of your workforce.

It's important to remember too that HIPAA does not preempt more stringent state law. So, if a state has a law that's either more stringent than HIPAA, which means, the state law gives the patient more protection than HIPAA does, or it's not contrary to HIPAA, meaning you can comply with both, then HIPAA would not preempt that law, and the dental practice in that state would need to comply with both.

So finding out if the state has particular laws around, say, credit cards or, you know, electronic payments, ETFs, whatever, would be a part of that compliance and then there's something called the PCI DSS. That stands for payment card industry data security standards, and that's a set of standards for protecting credit cards and this is not a law. This is an industry standard that was developed by the payment card industry, and it's usually enforced through a contract. So if a dental practice has a contract with a credit card processor, it probably requires complying with PCI DSS. So there's a website, pcisecuritystandards.com, that has information about those standards and how to protect credit card information.

Wright: [00:23:36] We'll be right back.

Announcer Ad: [00:23:38] Being understood is critical, especially in dentistry. Participate in tailored workshops led by experts in interpersonal communication and leadership designed to elevate your leadership skills and empower you at Elevate 2025. Register at ADA.org/elevate.

Announcer Ad: [00:24:06] Hey, Dental Sound Bites listeners! Loving this episode? We have an exclusive deal for you. Use code DENTALSOUNDBITES, all one word, to save 15 percent on the Dentist's Guide to the Law resource cited in this episode. Go to store.ada.org to order or find the link in the show notes at ada.org/podcast. Hurry, this code is only good for a limited time.

Announcer Ad: [00:24:28] Give your staff a gift they'll really use with Threadfellows, we're talking Yeti mugs, Patagonia fleeces and North Face backpacks all featuring your practice logo. ADA members Save 10% and get free shipping at threadfellows.com/ada.


Wright: [00:24:45] Welcome back to Dental Sound Bites. We are having a conversation about the top legal questions every dentist asks with ADA's in-house attorney, Paula Tironi.

Ioannidou: [00:24:57] A very naive question I'm going to ask you now, right? So many regulations and so many legal details that one needs to be aware of. How can a new dentist, I mean, obviously we have the ADA, excellent book with the 246 questions, but how can someone know where to start from as they build their practice? This must be very complicated. Like they definitely need to find either advice or a mentor or something to navigate this maze.

Tironi: [00:25:35] I agree. I mean, life is getting more complicated and the law is getting more complicated along with it. I think having an experienced attorney who's licensed to practice in the same jurisdiction as the dental practice, someone you can call with questions, is very important. The ADA has a resource called A Dentist's Guide to Selecting a Lawyer and A Dentist's Guide to the Law also has information about how to select an attorney, how, you know, how to best use an attorney to help your practice comply with the laws. The federal, state, and even local laws that apply to your practice.

Ioannidou: [00:26:16] That's great. That's great to know for sure and we have to have all these links at the description of the episode, I guess to share with people. I think this is really important.

Wright: [00:26:26] I do too. It's actually really valuable. So, I'm enjoying this so much. I just feel like the thing that I love so much as an aside, again, is like, I feel like I'm learning right alongside the listeners. So, just being informed, being, you know, refreshed on certain things. It's really, really good for me too.

So Paula, I have another question for you. Because we are in the social media digital age, everybody's recording, it's the age of ring cams, security monitors. Is surveillance permitted in a dental practice, and can you talk a little bit about this age where we're taking selfies and we're doing videos and things being posted to social feeds?

Tironi: [00:27:09] Certainly. You know, surveillance in the dental practice, there's, it's not prohibited, there are risks, there are benefits. One of the benefits is that it can help with facility security and that's actually a HIPAA requirement. The HIPAA security rule requires that the dental practice protect electronic protected health information on its premises.

So, you know, video surveillance can help with that. However, there are some legal risks as well. I think one of the first questions is, would it be recording just video or audio and video? Because if it's recording audio, then the dental practice should look into its state eavesdropping laws because some states are what they would call a one consent state, some states are a two consent state.

So if you're recording audio, make sure you're complying with your state eavesdropping laws. Now whether it's audio or visual, HIPAA would require including it in the risk analysis if it's going to happen to capture patient information. One of the HIPAA identifiers is a full face photo or the equivalent.

So pictures of patients coming and going would bring this within your HIPAA compliance program. Including it in the risk analysis, having policies and procedures and training people on how properly to use these recordings. Questions come up like: Who is going to have access? How can the recordings be used? How long will you retain them? And so forth.

The recordings could be discoverable in the event of a lawsuit. For example, the opposing party in say, a slip and fall lawsuit, or maybe a malpractice lawsuit could request a copy of the recording. So there's that consideration as well. And then, you also, if you're going to be using any of the recordings, for example, say that you have an image of your practice or an image of your staff that you want to post online, for example, make sure that no patient information has been captured.

So if there's a monitor, for example, with a schedule, you want to make sure you're not posting patient information on your website without the individual's authorization and for your staff, make sure you have a release before you post any photos of the staff online. So, staff members would need to sign a release and patients would need to sign something called a HIPAA valid authorization to make their protected health information public, even just their face.

Ioannidou: [00:29:37] And do these same requirements and releases apply to the use of those pictures on the website, or are there any additional liability issues for things that you are presenting on the practice website?

Tironi: [00:29:59] Yeah, the practice website can raise a lot of legal issues.

One of them, as you mentioned, is if you're posting images of staff, make sure that they've signed an appropriate release. If you're posting pictures of patients or even information about patients, make sure that they've signed a written authorization permitting you to do so. But some other issues that come up with websites, one of them is accessibility.

So the Americans with Disabilities Act applies to dental practices because they're places of public accommodation and the U.S. Department of Justice has determined that websites also must be accessible to people with disabilities. So, for example, if you post a video on your website without closed captioning, someone who's deaf or hard of hearing may not be able to fully access the information and if you post a photograph, someone who's blind and using a screen reader might not know what's in the image unless you use something called alt text, which captures in words what the image portrays. Speaking of the Americans with Disabilities Act, do you happen to know the two animals that can be service animals on the federal level?

Wright: [00:31:10] I don't.

Tironi: [00:31:11] I'm sure you can guess one of them.

Ioannidou: [00:31:13] I mean, dog should be one, no?

Wright: [00:31:15] The service dog.

Tironi: [00:31:16] A dog certainly is one, and there's one other species that can qualify as a service animal under the Federal Americans with Disabilities Act.

Wright: [00:31:28] I'm not guessing.

Ioannidou: [00:31:31] I can tell you the other one, maybe horse.

Tironi: [00:31:35] Miniature horse, very good.

Wright: [00:31:36] Oh, is it a horse?

Tironi: [00:31:37] Yes, a miniature horse.

Ioannidou: [00:31:40] Oh my God!

Wright: [00:31:41] No, I wasn't thinking that.

Tironi: [00:31:43] Yeah, the Federal Americans with Disabilities Act only permits two species of animals, a dog or a miniature horse. The states can expand that.

Ioannidou: [00:31:53] What does this mean, miniature horse? Are they meaning ponies?

Tironi: [00:31:57] No, even smaller.

In fact, there's a resource that's going to be posted along with the podcast, a guidance document from the Department of Justice about service animals, and for the miniature horse, the size is determined by the law, how big the horse can be, but they can be a service animal. So if someone walks into a dental practice with a miniature horse, A Dentist's Guide to the Law has a flowchart on what you can and cannot do, what you can and cannot ask with regard to the horse or the dog.

Ioannidou: [00:32:35] Interesting. Oh, I love this. I will tell my daughter, she's an equestrian and I'm sure she will appreciate a lot the fact that a miniature horse is an acceptable service animal. Well, this is interesting.

Wright: [00:32:50] Very. I have a question really quickly before we move on about the risk analysis and just like compliance training. Any thoughts that you could share with our listeners or just like recommendations on how often this should be done if they're not doing it already specifically, like early career dentists that are interested in leading their team. People like me, just things that we should be aware of and how we should be talking to our teams about these things.

Tironi: [00:33:21] Absolutely. I would be more than happy to explain more about the HIPAA security risk analysis. It's an important topic.

So there is no prescribed format for the risk analysis. It has to be accurate and thorough and take into account all of the protected health information in the dental practice. So that's all information about patients' health condition, treatment, and payment for healthcare. A good way to start is to list the information assets and the protected health information that each of them contains, and to analyze the risks in terms of threats and vulnerabilities. And the way, one way to analyze the risk is to think about it in terms of likelihood and severity. So let's say for example you have a photocopy machine that has a hard drive inside that keeps a picture of everything that you scan or photocopy.

If you return the photocopier to the leasing agency or otherwise dispose of it, and you don't wipe that hard drive, there is a potential for a data breach, right? If somebody can get the hard drive and see what's on it, there could be patient information on it. So, you would ask, well, how likely is that to happen? And how severe would it be if it happened? And then you can multiply that together, like say you use a scale of 1 to 3, with 1 being low, 3 being high for likelihood, and then for severity, you multiply them together and that gives you a risk score. And that way the dental practice can prioritize, they can address the highest risks first.

So for the photocopier, what they might do is have a policy or procedure saying, before we get rid of a photocopier, we're going to wipe the hard drive, or we're going to have someone else wipe the hard drive for us in order to protect, to prevent a data breach. So the dental practice would go through all of its information systems, its information assets, all of its protected health information, and determine what the risks are and the vulnerabilities are and if their current risk mitigation is not sufficient, then they can go ahead and make that stronger to better protect the patient information. Another good example is ransomware. Ransomware is a threat now in all industries, but particularly in the healthcare industry. So ransomware is where a threat actor will encrypt files and then charge a ransom for the decryption key and ransomware is a kind of malware that is often delivered through a phishing email. So say a member of the dental team gets an email, it looks legitimate, they click on a link, or they open an attachment and the threat actor downloads the malware and now all their files are encrypted.

So it's a risk, right? There's a threat, potentially a vulnerability because the dental practice gets email and you know, you have to decide which ones are safe and which ones are not. So a way to mitigate that risk could be phishing training for the dental staff, for the dental team, how to spot an email that doesn't look legitimate. What to do if you think that it might be a threat actor sending you that email.

Ioannidou: [00:36:34] Or these weird emails that we frequently receive that your password has expired. What are you doing? Why don't you click on this link to make sure you update? I mean, you're absolutely right. This is a very common threat. I mean, it happens on a daily basis and the training, even for us, we receive this training in a hospital-based dentistry and academics. We receive this training very frequently, once a year and, you know, we take exams on this. It's like, it takes, it's a very serious training. Many times I got myself, you know, guessing, like, should I click on this or not? I have second thoughts and I think it's, there are so many techniques that you can use, but it really, it really becomes a very serious threat on an almost daily basis.

Tironi: [00:37:30] Yes, absolutely and you know, there are some other HIPAA security standards that can help prevent or mitigate a ransomware attack, for example, encryption.

So, if the data is encrypted and a threat actor is able to acquire it or access it, then you may not have a data breach. If the information is properly encrypted and the decryption key is not compromised, then it might not be necessary to send breach notification and of course for the threat actor unencrypted information is much more valuable than encrypted information.

Another thing to do is review system access to try to detect inappropriate access to the system. Use multi-factor authentication to help prevent people who are not authorized to view data from viewing the data. So a lot of the HIPAA security standards also help protect patient information and can help reduce the risk of a ransomware attack.

Ioannidou: [00:38:30] For sure and many times we feel, especially the, two-layer authentication, that can become frequently a pain in the neck. I feel like, oh, again, I have to do this and I have to go to the authentication app and I have to get this number and I copy this number over there and da da da. But then I think it pays off because it's really, you feel that you are, you know, you're a little bit more secure at least and protected, right? So these are steps that may be painful to set up, you know, to remember all these passwords and make sure that you keep your passwords safe and secure, but on the other hand, these are necessary steps to be safe in the practice, I guess, based on what Paula, right now, suggests.

Tironi: [00:39:18] Yeah. It's the world we live in.

Wright: [00:39:19] I was just going to say for me, like in practice, we get the training as well, to your point Effie, and I have to catch myself from being like, oh, this again, you know what I mean? But like hearing it for, I think in this setting, it just reminds me of the significance of it and it just, it becomes more meaningful actually.

So, I mean, it's almost time to wrap up the episode, but we do have one more question before we go, Paula, that I'm sure our audience will want to know and that's, can members reach out directly to the ADA's legal team?

Tironi: [00:39:55] That's a very good question. If a member wants legal advice or needs a legal opinion on an issue that they're facing, they should really reach out to an attorney who's licensed to practice in their jurisdiction. For general questions, members can find a wealth of information in the ADA publication, A Dentist's Guide to the Law. The publication has a number of questions and answers. It has sample forms, there's a sample business associate agreement, a sample agreement for a website developer that has information about a number of topics, including website accessibility for people with disabilities and there's a lot of information available on the ADA website of a legal nature.

Now, it could be that a question is answered there with more information than we could provide in a phone call, and a member should always start with the Member Service Center because staff there is able to provide information on a number of frequently asked legal questions, but if the member center does refer the call to the legal division, the ADA can provide general information. The ADA attorneys can provide general information of a legal nature, but we can't provide legal advice because our client is the association itself and not all of its members, and since there's no attorney-client relationship with members, then the conversation would not be protected by the attorney-client privilege. However, we're happy to talk to members about legal issues generally, and often we're able to provide links to ADA resources and federal government resources that could be helpful.

Ioannidou: [00:41:35] I mean, this is so helpful, Paula, thank you so much for coming here to the show today and for answering all these legal, complicated for us, questions. Easy for you, complicated for us.

Just a very short, funny story to share that connects Paula and me; years ago when I was in the council, in the spirit of multitasking, we had a council meeting, I think it was during the pandemic. Obviously, it was online on Zoom and I was driving. So I connected to the meeting driving, minding my own business, Paula noticed that I was driving and she's like, you have to pull over to the side, we cannot run this meeting like this. This is liability for the organization, pull over. So I did.

Tironi: [00:42:35] Safety first. Safety first.

Ioannidou: [00:42:38] Safety first and she was absolutely right. So I will always remember this. Other organizations don't do this and the truth is that, you know, in other national meetings, you don't have an attorney attending the meeting either. So that was a, that was a nice wake up call for me. So I appreciate it and thank you, Paula.

Wright: [00:42:58] I love that.

Announcer: [00:42:59] On the next Dental Sound Bites.

Wright: [00:43:02] We're diving deep into the world of pediatric sleep medicine. Find out what dentists need to know about sleep and airway health.

Thank you so much for being here, Paula.

Tironi: [00:43:16] My pleasure. Thank you for having me.

Ioannidou: [00:43:18] Thank you. Thank you. Thank you.

Wright: [00:43:20] We are going to add resources and links to everything that we talked about today in our show notes for today's episode and if you like this episode, please share it with a friend.

Ioannidou: [00:43:32] And if you haven't yet, be sure to subscribe to this podcast, wherever you're listening, so you can get the latest episodes.

You can also rate it, write a review and follow us on social media.

Wright: [00:43:44] And don't forget that the conversation continues with bonus episodes on the ADA member app and on the YouTube channel.

Tironi: [00:43:51] Goodbye. Bye.

Wright: [00:43:54] Goodbye, people.

Ioannidou: [00:43:56] Goodbye, people.

Wright: [00:43:58] Yes, there you go.

Announcer: [00:44:00] Thank you for joining us. Dental Sound Bites is an American Dental Association podcast.

You can also find this show, resources, and more on the ADA member app and online at ADA.org/podcast.