Dental News - The importance of privacy

The importance of privacy

It is still possible that HIPAA privacy laws may establish an industry standard among dental practices, says Stuart J. Oberman, Esq.
Stuart J. Oberman, Esq.

Thu. 18 November 2010

Privacy is something we all value. It should not come as a surprise to anyone that dental patients want to ensure more than ever that their personal information will not be shared with anyone without a legitimate need to know. Under the U.S. Department of Health and Human Services, HIPAA Rules were created to ensure that all health-care professionals respect and protect a patient’s privacy.

HIPAA gives patients significant rights in controlling how medical professionals maintain and communicate individual health information. How well does your office comply with HIPAA guidelines? Because HIPAA compliance is not optional, every dental office should take the necessary steps to ensure it is HIPAA compliant.

About HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996. HIPAA provides federal protections for patients’ health-care information. The HIPAA Privacy Rule does permit the disclosure of personal health information needed for patient care and other important purposes related to patient care.

The Security Rule under HIPAA specifies a series of administrative, physical, technical and security measures required for covered entities (dental offices that transmit patient information in electronic form) to use in order to assure the confidentiality, integrity and availability of electronic protected health information.

The main objective of the HIPAA legislation is to protect the privacy of individual health information by imposing strict security requirements on health-care providers with access to confidential patient information. As a part of HIPAA, Congress mandated the establishment of standards for the privacy of individually identifiable patient health information.

The HIPAA Privacy Rule requires that dentists (and other medical practitioners) obtain patient consent before using or disclosing a patient’s personal health-care information, which may be needed for treatment, payment and other health-care related purposes.

Private health information, also known as PHI, is any information relating to a patient’s health, treatment or payment for health care that identifies a patient. Private health information includes, but is not limited to, names, addresses, phone numbers, fax numbers, e-mail addresses, credit card information, certificate numbers, license numbers, account numbers and birth dates. Many dental employees, including dental assistants, dental hygienists, lab technicians and front office staff, may come into direct contact with a patient’s PHI. PHI should be carefully secured and traced throughout the dental office to ensure patient confidentiality.

HIPAA does not require that dentists sound-proof rooms to ensure that confidential conversations are not overheard; however, dentists should make every reasonable effort to ensure that confidential conversations take place in areas away from other patients. Also, computers, printers, faxes and file cabinets or other containers where patient records are stored should be placed in secured areas without patient access.

Although compliance is mandatory only for “covered entities,” the American Dental Association suggests that dentists who are not covered entities adopt the same privacy practices that HIPAA mandates for covered entities. It is still possible that HIPAA privacy laws may establish an industry standard among dental practices, and the failure to comply with the industry standard may result in liability for the owner of a dental practice.

Understanding the value of PHI and its relationship with HIPAA, the owner of a dental practice should be able to answer some very important questions such as: How is PHI stored in our office? How is patient information secured? Who is authorized to access the information? How and when is this patient information destroyed? Where in the office is it appropriate to discuss personal health information? Have we implemented proper training procedures? Answers to these questions cannot be left to interpretation.

The owner of a dental practice must adopt and implement comprehensive privacy procedures for the office in order to ensure that patient records are kept in a secure space. In addition, employees in a dental office must comply with HIPAA policies and procedures that have been established.

Most of the information obtained regarding patients does require the implementation of security measures. If employees are not aware of HIPAA standards as established by the owner of a dental practice, a violation of HIPAA may be costly.

Patient rights

The HIPAA Privacy Rule gives patients considerable rights in controlling their identifiable health-care information. Covered entities must provide a Notice of Privacy Practices to each patient, which details how the practice can use and disclose confidential patient health-care information.

Under HIPAA, a health-care provider must obtain a patient’s authorization before releasing protected patient information. However, a health-care provider may release patient information for specified health-care related purposes, such as for remitting payment or for patient-related treatment.

As for patient records, patients are permitted access to their own records. In addition, patients may also request restrictions on the disclosure of their personal health-care information. Patients may also request an amendment to any information in their medical file that they believe is erroneous.

The HIPAA Privacy Rule also prohibits employers from using a patient’s personal health-care information as a factor in making employment decisions.

HIPAA violations

Failure to comply with HIPAA can result in both civil and criminal penalties, and the penalties can be stiff. These penalties vary based on the nature of the violation and the extent of the resulting harm.

Health-care entities and individuals who obtain or disclose individually identifiable health information face a penalty ranging from $50,000 to $100,000 per violation, as well as imprisonment for up to one year.

However, offenses committed with the intent to use the information for personal gain, harm or commercial advantage face fines up to $250,000 and imprisonment for up to 10 years. Because there is no private right of action for a patient to enforce his or her privacy rights, enforcement of the civil penalties will be processed through the Department of Health and Human Services Office of Civil Rights, and the criminal penalties will be enforced through the government.

It is important to note that the owner of a dental practice may be held liable for HIPAA violations. Employees (including dental hygienists, dental assistants, etc.) who knowingly violate a HIPAA rule may also be subject to civil or criminal penalties. As a result, in order to avoid potential civil and criminal penalties, all members of a dental practice should be aware of HIPAA guidelines and procedures.

The HIPAA Privacy Rule does allow dentists to use patient sign-in sheets in their offices. However, requiring a patient to indicate the purpose of his/her appointment is a violation of HIPAA and should be avoided.

Reminder cards sent to a patient’s home with appointment dates on them are not considered a HIPAA violation because of the preventative nature of dental care. Still, if the cards mention the purpose of the appointment (e.g., “This is a reminder of your appointment for dental implants.”), it will be considered a violation of the HIPAA Privacy Rule.

In addition, schedules of patient appointments should not be placed in an area in the office that is visible to other patients. Finally, patient appointment calendars should never be placed on the Internet (yes, this has happened).

Conclusion

The owner of a dental practice must determine whether the office is HIPAA compliant. A failure to properly implement HIPAA security and patient privacy rules could result in potentially large civil and criminal penalties.

The employees of a dental practice must be trained in both HIPAA regulations and security measures. A patient’s individually identifiable health-care information is confidential and should be treated accordingly.

About the author

Stuart J. Oberman, Esq., has extensive experience in representing dentists during dental partnership agreements, partnership buy-ins, dental MSOs, commercial leasing, entity formation (professional corporations, limited liability companies), real estate transactions, employment law, dental board defense, estate planning and other business transactions that a dentist will face during his or her career. For questions or comments regarding this article, visit www.gadentalattorney.com.

 

One thought on “The importance of privacy”

  1. Linda says:

    To protect the privacy of individual health information by imposing strict security requirements on health-care providers is good, but then the provider allows other patients and personnel to hear everything that goes on in the dental chair. Most dental offices have this open concept. I hear everything the patient next to me says. I hate this setup. Whatever happened to patient privacy while in the chair?
