GOT HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was originally enacted to ensure portability of health insurance, simplify the admin­istration of health insurance coverage, and standardize elec­tronic transactions between healthcare providers and insurance companies. The section of HIPAA that concerns dentistry is the Privacy Rule, which addresses patient pri­vacy issues and regulates how private health information can be used and disclosed. Your mission will be to deter­mine what level of security must be undertaken in your office to ensure the highest level of patient privacy without compromising patient care.

 WHY IS THIS PRIVACY RULE NECESSARY?

When healthcare facilities began to use electronic means to access and disseminate private health information, it became obvious that uniform laws were needed to ensure the pro­tection of patients’ privacy. The Privacy Rule ensures that private health information is disclosed only when necessary, only to the extent necessary, and only to those who need the information in order to provide healthcare to the patient.

 WHEN DOES IT GO INTO EFFECT?

The Privacy Rule will go into effect April 14, 2003.

 WHAT TYPE OF INFORMATION IS COVERED?

Essentially, the Privacy Rule deals with all personal medical records and any other individually identifiable health infor­mation, either written or oral, that is created or received by a healthcare provider. This includes information about the patient’s past, present, or future health, as well as any payment information.

 DOES HIPAA APPLY TO MY OFFICE?

It applies to your office only if you submit or receive claims electronically or through a clearinghouse, if you check patients’ eligibility or claim status through electronic means, or if you send paper claims to a service to be converted into electronic claims.  (From a risk management perspective, posting privacy policies and having patients sign a consent form is proba­bly a good idea. It is very likely that this eventually will become the standard of care in dentistry, so you probably will have to make these changes anyway)

 WHAT IF I DON’T COMPLY WITH THE PRIVACY RULE?

There are severe civil penalties (up to $100 for each offense) and criminal penalties (up to $250,000 and/or 10 years in prison) for violations of the standard. Obviously, it is important to make a “good faith” effort to get your office into compliance.

 54 The Journal of Practical Hygiene Jan/Feb 2003

 WHAT ABOUT RUMORS REGARDING THE STRUCTURAL AND PROCEDURAL CHANGES RELATED TO HIPAA?

It’s not as bad as we once feared. You don’t have to sound­proof your offices, put doors on each operatory, or recon­figure the walls so that they reach to the ceiling. You don’t have to remove computers from your operatories or have special shields for your monitors-although passwords and screen savers should be used. Provided that your charts are located in an area that is inaccessible to non-employees, they don’t need to be kept in a locked cabinet. Yes, you can still call in a prescription for a new patient; you can mail appointment reminders; you can give out imprinted toothbrushes and magnets; and you can call patients by name in your reception area. You can also fax personal health information to another doctor if you are disclosing it for treatment purposes.

 HOW TO GET STARTED

Here are some basic steps to get started with HIPAA compliance:

·Buy and read the HIPAA compliance manual that offers samples of policies and forms.

• Designate one person in the office as the Privacy Officer who will ensure that the established privacy policies are enforced.
• Develop written privacy policies and post them in a conspicuous place.
• Inform your patients that you have adopted these pri­vacy policies and provide information as to how it affects their rights. Have your patients sign forms acknowledg­ing that they were informed of these rights and give per­mission for treatment under those parameters,
• Evaluate your relationships with business associates (eg, attorneys, dental labs, collection services, answering services, consultants) and determine which ones have access to your patients’ private health information. Have those associates sign a Business Associate Contract.

 Well, at least now you have an understanding of HIPAA so you can get started on your quest for compliance. Good luck!