It could be worse…

shutterstock_139688779About this time every year, I update my HIPAA research, including evaluating all of the large breaches that have occurred in the past year.  OCR (the Office of Civil Rights) is responsible for enforcing HIPAA regulations and their website has a list of all breaches that have occurred that include the private health information (PHI) of 500 or more patients in a single geographic area (HIPAA’s wall of shame).   I then check out HIPAA’s enforcement proceedings to see specific cases and what penalties were actually levied (HIPAA resolution agmts), and I also consider those incidents that I have personally encountered in the past year.

Since the 2013 changes, there are definite trends emerging.  First, I have noticed that the size of the entity does appear to affect the amount of the fine; in other words, hospitals and other large entities are generally fined more than individual offices for similar offenses.  That doesn’t mean that the fines for smaller organizations are insignificant.  (Well, they may be insignificant to the federal government, but I don’t find a $125,000 fine to be “insignificant” for any small business.  However, no one cares about my opinion on this, so, whatever.)

Secondly, it appears that the largest penalties are reserved for those entities who aren’t making a reasonable effort to comply with the regulations.  For example, although the HIPAA regulations do not absolutely require that encryption be used for all computers and electronic devices that contain patient PHI, they do make it clear that encryption must be considered as a reasonable precaution.  The resulting penalties to those who do not choose encryption also make it clear that, if there’s a chance that your computers and devices could be lost or stolen, then encryption is the proper choice. Those small entities that have not chosen encryption and have then been breached have received penalties ranging from $50,000 to $150,000 per incident.

It is also clear that all computer systems must be current, properly maintained, adequately secured, and all software must be up to date, especially security software.  Firewalls must be sufficient for the size of the system, all security software must be kept up to date and updates should be installed as they become available.  Software that cannot be supported and updated, such as Windows XP, should not be used because it allows hackers easy access to PHI.  (I know it sucks to have to upgrade computers and software, but that’s just a cost of doing business.  If you want to use computers in your dental office, they have to be adequate, or information can be accessible.)

Programs must be regularly maintained and updated, blah, blah, blah.  Check out previous blog posts, my website, and my articles to see information on how to get your office in compliance.

The point of all this is that it appears that making an effort can make a difference.  I have a friend whose office was burglarized and 1600+ paper records were stolen.  Because he had properly trained his people, regularly maintained his HIPAA program, and because he had properly secured the facility (the burglary didn’t result from any negligence on the doctor’s part) and properly reported the breach, he was neither fined nor penalized.  In other words, he did what he was supposed to do and the HIPAA folks didn’t punish him.

That’s huge.  It means that we may have some level of control over our own destiny.  We can do the best we can to regularly maintain our programs, document training, and properly secure our computers, and if something bad happens, we may be able to avoid a large fine or penalty.  That’s good to know.  (Now, let’s not go crazy here…I will still be renewing my HIPAA data breach insurance policy next year, and I still realize that I could get some freak HIPAA inspector that is totally unreasonable, but the bottom line is that the trend is positive).

Anyway, hope this info makes you feel a little better and a little less overwhelmed!  Have a great week!


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was originally enacted to ensure portability of health insurance, simplify the admin­istration of health insurance coverage, and standardize elec­tronic transactions between healthcare providers and insurance companies. The section of HIPAA that concerns dentistry is the Privacy Rule, which addresses patient pri­vacy issues and regulates how private health information can be used and disclosed. Your mission will be to deter­mine what level of security must be undertaken in your office to ensure the highest level of patient privacy without compromising patient care.


When healthcare facilities began to use electronic means to access and disseminate private health information, it became obvious that uniform laws were needed to ensure the pro­tection of patients’ privacy. The Privacy Rule ensures that private health information is disclosed only when necessary, only to the extent necessary, and only to those who need the information in order to provide healthcare to the patient.


The Privacy Rule will go into effect April 14, 2003.


Essentially, the Privacy Rule deals with all personal medical records and any other individually identifiable health infor­mation, either written or oral, that is created or received by a healthcare provider. This includes information about the patient’s past, present, or future health, as well as any payment information.


It applies to your office only if you submit or receive claims electronically or through a clearinghouse, if you check patients’ eligibility or claim status through electronic means, or if you send paper claims to a service to be converted into electronic claims.  (From a risk management perspective, posting privacy policies and having patients sign a consent form is proba­bly a good idea. It is very likely that this eventually will become the standard of care in dentistry, so you probably will have to make these changes anyway)


There are severe civil penalties (up to $100 for each offense) and criminal penalties (up to $250,000 and/or 10 years in prison) for violations of the standard. Obviously, it is important to make a “good faith” effort to get your office into compliance.

 54 The Journal of Practical Hygiene Jan/Feb 2003


It’s not as bad as we once feared. You don’t have to sound­proof your offices, put doors on each operatory, or recon­figure the walls so that they reach to the ceiling. You don’t have to remove computers from your operatories or have special shields for your monitors-although passwords and screen savers should be used. Provided that your charts are located in an area that is inaccessible to non-employees, they don’t need to be kept in a locked cabinet. Yes, you can still call in a prescription for a new patient; you can mail appointment reminders; you can give out imprinted toothbrushes and magnets; and you can call patients by name in your reception area. You can also fax personal health information to another doctor if you are disclosing it for treatment purposes.


Here are some basic steps to get started with HIPAA compliance:

·Buy and read the HIPAA compliance manual that offers samples of policies and forms.

  • Designate one person in the office as the Privacy Officer who will ensure that the established privacy policies are enforced.
  • Develop written privacy policies and post them in a conspicuous place.
  • Inform your patients that you have adopted these pri­vacy policies and provide information as to how it affects their rights. Have your patients sign forms acknowledg­ing that they were informed of these rights and give per­mission for treatment under those parameters,
  • Evaluate your relationships with business associates (eg, attorneys, dental labs, collection services, answering services, consultants) and determine which ones have access to your patients’ private health information. Have those associates sign a Business Associate Contract.

 Well, at least now you have an understanding of HIPAA so you can get started on your quest for compliance. Good luck!

HIPAA: Facts, fiction, and how to do it

HIPAA. Okay, you’ve heard of it, you understand a little of it, you’ve ignored it as long as possible, and now you have to do something about it before April 14, 2003. The good news is that HIPAA is truly not a big deal. It’s confusing, it’s boring, but it’s not really difficult, so settle in, get some coffee so you’ll stay awake, and let’s get this over with.

Let me introduce you to HIPAA, the Health Insurance Portability and Accountability Act. It is a huge piece of legislation that was intended to fix many aspects of health care and health insurance, and includes sections that ensure portability of health insurance, simplify the administration of health insurance coverage, and standardize electronic transactions between health care providers and insurance companies. This is also the law that sets up Medical Savings Accounts and requires insurers to cover patients with pre-existing conditions. The section of HIPAA that concerns dentistry is the Privacy Rule; it addresses patient privacy issues and regulates how private health information can be used and disclosed. This private health information includes all personal medical records and any other indi­vidually identifiable health information, either written or oral, that is created or received by a health care provider. This includes information about the patient’s past, present, or future health or physical condition, as well as any payment information.

Some dental offices are not affected by HIPAA at all. If you submit elec­tronic claims, if you verify insurance eligibility or coverage electronically, and/or if you submit paper claims to a billing service that converts them to electronic claims, then you are covered by HIPAA and mustcom­ply with its requirements. If you do not do any of these things, you are not cov­ered by HIPAA and you don’t have to do anything, at least not at this time.

Okay, on to some basics. Why was HIPAA enacted? Why are we having to take all these precautions to protect patients’ privacy?

Why Was HIPAA Enacted?

As with most legislation, the lawmakers had good intent. When Congress held hearings about patient privacy, hundreds of individuals came forward with horror stories about their private medical information being released without authorization. In Tampa, Florida, a disgruntled public health worker sent the names of more than 4,000 people who tested positive for HIV to two newspapers. Many large companies self insure their employees; employees of some of these companies had been fired without cause when their employers had discovered that these employees have a potentially expensive medical condition. Medical doctors had sold their patient lists to marketing and pharmaceutical companies without patient permission, thereby allowing this information to be easily accessed to the general public. Pharmacists and hospitals had disclosed personal information to friends and family members without first obtaining permission; one patient’s children found out that he had AIDS when they were informed by a pharmacy clerk.

No one would argue that medical information should be protected. We are all patients as well as health care professionals, so we have a vested interest in making sure that patients’ personal information remains private. Our goal is to determine what level of security must be undertaken to ensure the highest level of patient privacy without compromising patient care.

The good news is that the Privacy Rule considers the size and type of the facility when determining what level of security is needed to provide adequate privacy protection. For example, a hospital with a huge staff and thousands of records will have different security concerns than a small dental facility. As a result, because of the size and nature of our facilities, there is very little we have to do to satisfy the HIPAA requirements.

Compliance: Rumors and Truth

There were all kinds of rumors about the horrible things we would have to do to comply with HIPAA.

Fortunately, it’s not as bad as we once feared. You don’t have to soundproof your office. You don’t have to put doors that close on each operatory or reconfigure your walls so that they reach to the ceiling. So long as your charts are located in an area that is inaccessible to patients or other non-employees, you do not have to keep your charts locked in a cabinet. Although posting a schedule is probably fine because it helps ensure that care is being provided to the correct patient, try to minimize the amount of private information that appears next to the patient’s name and try to post it where it is not easily visible to any other patients. ( One method of protecting patients’ privacy would use abbreviations that are not obvi­ous to patients who might view the sched­ule; instead of writing” denture” next to “Mrs. Lisa Jones, ” you might write “LD” for “lower denture,” or “LCD” for “lower complete denture,” etc.). You don’t have to remove computers from your operatories or have special shields for your comput­ers; just make sure that you take reason­able precautions to protect your patients’ information. Use passwords and set your screen savers so that person­al information is visible only when in use.

You can call in a prescription for a new patient. You can send appointment reminder cards in the mail, you can give out imprinted toothbrushes and magnets, and you can call patients by name in your reception area. You can use sign in sheets, but limit the requested information to name, address, phone number, etc. You can fax personal health information to another doctor if you are disclosing it for treatment purposes.

These are not unreasonable demands. In fact, most of these pre­cautions are sensible and good business practice. It makes sense to do things like lowering your voice when you discuss private information with a patient, or going to a more private location if you’re discussing something that could be potentially embarrassing. Health care providers are allowed to make “incidental disclosures” which are disclosures that occur as a by-product of an otherwise permitted disclosure, but the general rule should always be to disclose the minimum amount of information necessary to accomplish your goal. (Examples of “incidental disclosures” would be a patient overhearing you talking to another patient as they walk by an open door, or other patients hearing a patient’s name when you call for him in the reception area.)

We also have to be careful when disclosing information to other business associates. Dental offices often work with dental labs, collection agencies, answering services, dental consultants, attorneys, and accountants, and all of these entities may have access to your patients’ person­al health information while performing their duties related to your office. (Employees, janitorial services, repair technicians, contractors, and delivery people are not considered to be business associates.) It is necessary to analyze your relationships with these business associates and determine whether they have access to your patients’ personal information. If they do, you need to enter into a formal business associate agree­ment in which they state that they are aware of your privacy policies and agree to abide by them.

It is very important to make a good faith effort to protect your patients’ private information. Civil penalties can be up to $100 for each offense (with a cap of $25,000 per year for multiple offenses), and criminal penalties can be up to $250,000 and/or 10 years in prison for deliberate, wrongful misuse of personal health information. The good news is that there’s no “HIPAA police” running around looking for violators, but that doesn’t mean we shouldn’t do whatever we need to do to get our office into compliance.

What Exactly Do We Need To Do?

The good news is that whipping your office into shape is pretty easy. First, buy a HIPAA compliance manual that offers samples of policies and forms. [Editor’s Note: The American Dental Association sells a HIPAA privacy kit for $125 that contains all the necessary forms and information for meeting the Privacy Standard. The ADA also sells a videotape/DVD of the privacy seminar the Association is conducting nationwide. The videotape/DVD is $99.95, or $200 when combined with the privacy kit. Call (800) 947-4746 to purchase.] Read the manual so you have an idea of the HIPAA requirements and evaluate your office to see where your office needs to improve its privacy policies. Designate one person in your office to be the privacy officer and develop and adopt written policies. Post a copy of your privacy policies in a prominent place. Meet with your employees and explain the need for protecting patients’ private health information, then explain the specific privacy policies that your office has adopted. Have your employees sign a form acknowledging their understanding of your office’s privacy policies and put the signed forms in your HIPAA notebook. Next, inform your patients that you have adopted specific privacy policies and offer them a copy. Have them sign two forms: one acknowledging that they received copies of your privacy policies; and one “consent” form that informs them of your practice’s privacy policies and states that they consent to treatment with those procedures in place. Place both of these forms in the patients’ charts.

That’s it. See, I told you it wasn’t a big deal! HIPAA’s privacy rule is much less invasive and much less demanding than we feared, and it does serve the purpose of protecting patients’ privacy. My advice is set a date, get busy, and get it over with! Happy HIPAA!

Laney Kay, JD has taught OSHA-related and regulatory courses across the Southeast since 1989. Her husband is a general dentist in Marietta, so she has had exposure to regulations’ effects on dentistry since the beginning. She has authored several articles on regulatory issues for this publication and others.