The Journal of the American Dental Association
J Am Dent Assoc, Vol 133, No 12, 1692-1695.
© 2002 American Dental Association

DENTISTRY & THE LAW

HIPAA privacy regulations

New requirements for protecting patients’ health information

By now, you’ve probably heard about the new federal health privacy regulations that will be enforced beginning April 14, 2003. These regulations will implement the privacy provisions of the Health Insurance Portability and Accountability Act of 1996, or HIPAA, and will mandate extra protections for the privacy of patients’ health information. The regulations also will create additional rights for patients regarding their health information.

The first question to consider is whether you will be required to comply with the HIPAA privacy regulations. Compliance is mandatory only for "covered entities." If a dentist transmits certain patient health information in electronic form, either directly, or indirectly through a vendor or billing service, he or she would be a covered entity. The type of electronic transactions that would make a dentist a covered entity include claims submissions and electronic communications regarding referrals, transmitted in a format specified by the U.S. Department of Health and Human Services, or HHS. Keep in mind that transmitting patient health information over a stand-alone fax machine or sending an e-mail containing patient health information are not the type of transactions that would make a dentist a covered entity.

If you are not a covered entity, then you will not be legally obligated to comply with the HIPAA privacy regulations. However, the American Dental Association suggests that dentists who are not covered entities still may want to consider adopting some or all of the privacy practices mandated by the regulations. There are several reasons for this. First, your patients likely will see that other health care providers, such as their physicians, have implemented the HIPAA privacy requirements, and they may wonder why you have not done so. Second, it is possible that the federal HIPAA privacy regulations may establish a "standard of practice" for all dentists. If a dentist who is not a covered entity were to be sued in state court for an alleged violation of state law, the patient might try to argue that since many other dentists have implemented the HIPAA privacy requirements in their practices, those regulations became the "standard of practice" for protecting patient privacy in the dentist’s community, and the dentist consequently failed to meet that community standard. Finally, some dental provider contracts require participating dentists to comply with the HIPAA privacy regulations, regardless of whether the dentist is a covered entity.

While the HIPAA privacy regulations do not give patients the right to file lawsuits against dentists for alleged violations of the federal regulations, patients will have the right to complain to HHS if they believe their dentists have failed to comply with the privacy requirements. Such complaints will be investigated by HHS’s Office for Civil Rights. A dentist could face fines of up to $100 for each privacy violation, with an annual cap of $25,000 for repeated violations of the same requirement. Moreover, a dentist could incur higher fines and/or imprisonment for intentional violations of the privacy regulations. If a dentist sells patient health information for profit or acts maliciously in violating the privacy regulations, he or she could be fined up to $250,000 and face up to 10 years in prison. Thus, while it is a good idea for all dentists to familiarize themselves with the HIPAA privacy regulations, it is especially important for dentists who are covered entities to do so.

The HIPAA privacy regulations govern the use and disclosure of "protected health information." Protected health information, or PHI, is any information that relates to a person’s health or health care, and specifically identifies that person. The HIPAA requirements apply to any uses or disclosures of PHI through electronic, written or oral communications. Thus, although a dentist must transmit certain PHI electronically to become a covered entity, once the dentist becomes a covered entity, the HIPAA requirements will apply to all of his or her communications of PHI, not just electronic transactions.

Although an earlier version of the HIPAA privacy regulations would have required covered entities to obtain consents from patients before using or disclosing their PHI, that requirement was eliminated from the final version of the privacy regulations. The mandatory consent was replaced with a requirement that covered entities make a good-faith effort to obtain patients’ acknowledgment that they have received the entities’ notice of privacy practices. Covered entities may make this good-faith effort by mailing a copy of their notice of privacy practices, along with an acknowledgement form, to each of their patients and asking the patients to return the signed form to the office. Covered entities also may meet this obligation by giving patients an opportunity to review the notice when they come into the office and then asking the patients to sign the acknowledgment forms.

Once this good-faith effort has been made, covered entities are free to use and disclose their patients’ PHI for purposes of treatment, payment and the practice’s health care operations (also known as "TPO"). Under some circumstances, covered entities may be required to limit these disclosures to the "minimum necessary" amount to cover the intended purpose. For example, in recent guidance issued by HHS, it was made clear that covered entities may continue to use patient sign-in sheets at their reception desks. However, HHS also indicated that covered entities should not ask patients to disclose, in full view of other patients, information that was not necessary to alert office staff to the patient’s arrival, such as the health problem that prompted the patient’s visit.

If a covered entity wants to use or disclose a patient’s PHI for a purpose that does not fall under the TPO umbrella, then the entity will, subject to certain exceptions, have to obtain a written authorization from the patient to use or disclose the PHI. For example, if a dentist who is a covered entity wants to sell his or her patient list to a company that markets encyclopedias, the dentist first would have to obtain a written authorization from each patient permitting the dentist to release the patient’s name and address. Under the HIPAA privacy regulations, an authorization must include a description of the information to be used or disclosed, the people or entities authorized to make the use or disclosure and to receive any disclosed PHI, and an expiration date. The expiration date for the authorization can be a specific date, or expiration can be triggered by an event, such as the patient’s departure from the practice.

Although authorizations would be required for most uses or disclosures of PHI for marketing purposes, the privacy regulations state that health care providers do not need to obtain authorizations from their patients before discussing products or services related to treatment offered by that provider. In addition, covered entities will not need to obtain authorizations before having face-to-face communications with those patients about products of nominal value, such as toothbrushes.

However, there are some uses or disclosures of PHI that will be permitted without an authorization, or even a good-faith effort to obtain the patient’s acknowledgment of receipt of notice of privacy practices. Some of these uses or disclosures include reports of child abuse or neglect, as mandated or permitted under applicable state law; and reviews of patient records by governmental bodies that are otherwise permitted under federal or state law, such as audits of patient records by state Medicaid agencies.

In addition to observing restrictions on the use and disclosure of PHI, covered entities also will be obliged to respect patient rights granted under the HIPAA privacy regulations. Those rights include the right to review and obtain copies of their patient records, the right to request amendments to their records and the right to an accounting of certain disclosures of their PHI. Dentists should keep in mind that although a patient will have the right to ask a covered entity to change his or her records, the entity will not have to grant his or her request if the change would render the record inaccurate. However, the entity would have to note the requested change in the patient’s record. The entity also would have to record the denial of the request, any patient response to the denial, and any rebuttal by the covered entity to the patient’s response.

Other patient rights granted by the HIPAA privacy regulations include the right to request restrictions on the use or disclosure of their PHI, and the right to complain to the dentist or HHS about perceived violations of their rights. Patients also will have the right to request reasonable alternative means for receiving PHI. For example, if a covered entity’s standard practice is to leave appointment reminder messages on patients’ home answering machines, but a particular patient would prefer to receive those calls at work, the covered entity would have to honor that request. However, a covered entity would not have to honor an unreasonable request, such as a patient’s demand that he or she be reminded of an upcoming appointment via a telegram delivered precisely 47 hours before the scheduled appointment.

Keeping in mind applicable restrictions on the uses and disclosure of PHI, and the rights granted to patients under the HIPAA privacy regulations, all covered entities must develop written policies describing how their offices will implement these privacy requirements. The policies also should incorporate any state laws that provide additional protections for the privacy of patients’ PHI, or grant patients any additional privacy rights with respect to their PHI. A key concept to remember is that while HIPAA establishes a federal "floor" of privacy regulations that must be followed by covered entities, the HIPAA regulations do not supersede any state laws that establish stronger protections for patient privacy or greater access for patients to their health information.

After drafting its privacy policy, a covered entity should summarize this policy in a notice of privacy practices. This notice must be posted in the entity’s office and made available to patients who request it. The notice must contain a description of the uses and disclosures of PHI that the covered entity may make for purposes of TPO, along with other uses or disclosures of PHI that the entity may be legally required or permitted to make without the patient’s authorization. If the covered entity may contact the patient with appointment reminders or to provide treatment alternatives, the notice must cover this information. The notice also must state that other uses and disclosures of PHI will be made only with the patient’s written authorization. In addition, the notice must summarize patients’ rights with respect to their PHI, describe the covered entity’s obligations to protect the privacy of patients’ PHI, and discuss procedures for filing complaints with the covered entity or with HHS.

As noted earlier, before using or disclosing a patient’s PHI, covered entities must make a good-faith effort to obtain a patient’s acknowledgment of receipt of notice of the entity’s privacy practices. It is important to remember that only a good-faith effort is required. If a patient refuses to sign, or is incapable of signing, the acknowledgment form, the entity may record the efforts made to obtain the signature, either on the form or in the patient’s record, and proceed to use and disclose the patient’s PHI as permitted by the privacy regulations. Keep in mind that covered entities may provide necessary emergency treatment before making the good-faith effort to obtain the acknowledgment, and that a parent or other appropriate personal representative may sign the acknowledgment on behalf of minors.

Once all of the necessary privacy policies and procedures have been drafted, a dentist who is a covered entity will need to train his or her staff to ensure that the practice complies with the HIPAA privacy regulations. At a minimum, the covered entity must provide a copy of the privacy policy to all staff members and document that the policy was distributed. In addition, the covered entity must select a privacy officer, who will make many of the decisions involved in implementing the office’s privacy policy, and a contact person to receive complaints. One person may handle both tasks, if this would be appropriate for the practice. Finally, the covered entity should establish procedures for disciplining staff members who violate the office’s privacy policy.

This article has highlighted most of the HIPAA privacy requirements applicable to dentists. There is one additional key requirement—that covered entities enter written "business associate" agreements with certain outside parties who have access to PHI maintained by the entity. Owing to the complex nature of this requirement, I will devote my next column to the topic of business associate agreements.

For more information on the HIPAA privacy regulations, dentists may purchase the American Dental Association’s HIPAA Privacy Kit, designed by the ADA to meet the specific needs of dentists. The kit, which contains a CD-ROM and forms that can be used by dentists to comply with the HIPAA regulations, is available by calling 1-800-947-4746.

Mr. Sfikas is ADA chief counsel and an adjunct professor of law at Loyola University of Chicago School of Law. He has lectured and written on legal issues and is a fellow of the American College of Trial Lawyers. Address reprint requests to Mr. Sfikas at the ADA, 211 E. Chicago Ave., Chicago, Ill. 60611.


FOOTNOTES


The author wishes to express his appreciation to Colleen Johnson, director, ADA Contract Analysis Service, for her assistance in preparing this article.


This article is informational only and does not constitute legal advice. Dentists must consult with their private attorneys for such advice.



PETER M. SFIKAS, J.D.