American Association of Oral and Maxillofacial Surgeons

Practice Management & Allied Staff News & Materials

Practice Management Matters - Sept/Oct 2009

September 18th, 2009

OSHA's regulation of records, photographing patients and blogging

Question: Does OSHA regulate sterilization monitoring logs, medical records or training logs?

Answer: OSHA does not regulate the length of time sterilization monitoring logs must be maintained. Rather, each state has laws governing the length of time the logs must be kept. The law may be a Public Health Code and/or a State Board of Dental Examiners/State Licensing Board mandate. You should check with both your state Public Health Agency and the State Board for specifics.

While OSHA does not mandate sterilization logs, it does regulate the length of time that medical records and training logs (i.e., training, Hep. B vaccination records and injury logs) must be maintained. OSHA's Bloodborne Pathogens Standard, 29 CFR 1910.1030, states the following: the employer shall establish and maintain an accurate record for each employee with occupational exposure, in accordance with 29 CFR 1910.1020; the employer shall maintain the records required by paragraph (h) for at least the duration of employment plus 30 years in accordance with 29 CFR 1910.1020. Training records shall be maintained for 3 years from the date on which the training occurred.

This answer was adapted from correspondence with the Organization for Safety and Asepsis Procedures (OSAP). Further information on OSHA's Bloodborne Pathogens Standard can be found at Additional resources on infection control including links to state agencies can be found at

Question: What can we do if a patient wishes to open a "covered account" and refuses to provide a photo ID or social security number for identification purposes? Also, can we photograph a patient?

Answer: Under the new Red Flag program, if an OMS practice meets the definition of "creditor" and maintains "covered accounts" (defined as any consumer account that permits multiple payments or transactions, or any other account that may pose a reasonably foreseeable risk of identity theft to consumers or businesses), the practice is required to establish reasonable processes and procedures to combat identity theft in connection with these patient accounts. (This category may include many health care providers given the common post-services payment they receive for health care services.) If a new patient asks the practice to extend credit, the patient should be willing to provide some form of identification. No business should be expected to extend credit without proper identification, such as a driver's license, and credit references. If the patient has no form of photo ID and the practice is still willing to treat and extend credit, the practice can ask for some other form of identification, like a Social Security card and a recent photograph. If the patient refuses and cannot pay without credit, the practice should follow the same procedures it does with other potential patients who seek treatment but don't have the means to pay for it. With existing accounts, it is assumed the practice already knows and can identify the patient, so your identity theft program would include reasonable procedures to protect confidential information, monitor transactions and verify the validity of requests for information like account or ID numbers or change-of-address that can lead to identity theft.

If the practice takes a photograph of a patient, the patient should consent and the practice should treat the photo with the same level of privacy protection as the patient's medical records to deter the theft of the patient's identity from the files of the practice and/or the company that does its billing. Patient photography falls under the purview of HIPAA privacy and state laws. While the Joint Commission and HIPAA do require consent or authorization to use photographs outside the scope of treatment, payment or operations (TPO), if you are using photographs as part of the patient's medical record, it is a good idea to include this in your notice of privacy practices and/or procedural consent forms. Also, HIPAA supports the patient's authority to grant permission, provided no state laws to the contrary exist.

Additional guidance can be found through the following online resources:

  1. Fighting Fraud with the Red Flag Rule: A How-To Guide for Business

  2. Federal Financial Institutions Examination Council's guidance on online authentication

  3. The Red Flag Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft

  4. The Red Flag Rule Application to the Healthcare Industry

Question: Do you have any suggestions or recommendations for starting a blog?

Answer: Blogs let you communicate directly with your existing patients and potential new patients. However, beware: a posting can, and most likely will, eventually be misinterpreted by a reader. So, your first decision is whether to use a pseudonym or to write a bit more restrictively using your real name, which adds credibility.

You must first decide if you want to blog about:

Medical issues - As an expert in your field, you may be more inclined to use your blog to promote yourself and therefore use your real identity. With a marketing objective, you may choose to post your blog on your practice Web site and/or offer RSS (Really Simple Syndication) feeds so readers can subscribe to your blog.

Personal interests - Gardening, the Yankees, global warming, movie reviews. If you're more interested in sharing recipes, vacation photos, and family updates with friends and family, a private blog may be better.

Either way, post a disclaimer to give you a safety net. For example, here's the author's disclaimer on this response: "I am not licensed, certified, or otherwise legally entitled to practice law. Therefore, where questions of a specific legal nature are involved, appropriate counsel must be sought."

You'll find disclaimers on various medical doctors' blogs, such as a medical advice disclaimer; a financial, legal, and other advice disclaimer; or an information disclaimer. Sophisticated bloggers even include a "terms of use agreement" and/or posting guidelines, which explicitly state responsibilities and expectations. You may also see disclaimers about links to advertisers, age restrictions, indemnifications, and intellectual property right statements. Other legal liability issues include: Defamation, Intellectual property (copyright/trademark), Trade secrets, Right of publicity, Publication of private facts, and Intrusion into seclusion. The Constitution and federal laws, such as copyright law, apply nationwide. However, many laws that affect bloggers - including defamation, reporter shield laws, and privacy laws (within constitutional boundaries) - vary from state to state, so learn your own state's regulations. Keep liability in mind as any person making a publication available to the public would. Note: You'll also enjoy the same freedom of speech and press protections.

You could also blog anonymously. The Supreme Court has repeatedly upheld the First Amendment right to speak anonymously:

"An author is generally free to decide whether or not to disclose his or her true identity. The decision in favor of anonymity may be motivated by fear of economic or official retaliation, by concern about social ostracism, or merely by a desire to preserve as much of one's privacy as possible. Whatever the motivation may be, the interest in having anonymous works enter the marketplace of ideas unquestionably outweighs any public interest in requiring disclosure as a condition of entry. Accordingly, an author's decision to remain anonymous, like other decisions concerning omissions or additions to the content of a publication, is an aspect of the freedom of speech protected by the First Amendment."

This question and answer was adapted and copied with permission from Physicians Practice. Copyright 2009, Physicians Practice, CMPMedica. All rights reserved.