HIPAA: Facts, fiction, and how to do it

HIPAA. Okay, you’ve heard of it, you understand a little of it, you’ve ignored it as long as possible, and now you have to do something about it before April 14, 2003. The good news is that HIPAA is truly not a big deal. It’s confusing, it’s boring, but it’s not really difficult, so settle in, get some coffee so you’ll stay awake, and let’s get this over with.

Let me introduce you to HIPAA, the Health Insurance Portability and Accountability Act. It is a huge piece of legislation that was intended to fix many aspects of health care and health insurance, and includes sections that ensure portability of health insurance, simplify the administration of health insurance coverage, and standardize electronic transactions between health care providers and insurance companies. This is also the law that sets up Medical Savings Accounts and requires insurers to cover patients with pre-existing conditions. The section of HIPAA that concerns dentistry is the Privacy Rule; it addresses patient privacy issues and regulates how private health information can be used and disclosed. This private health information includes all personal medical records and any other indi­vidually identifiable health information, either written or oral, that is created or received by a health care provider. This includes information about the patient’s past, present, or future health or physical condition, as well as any payment information.

Some dental offices are not affected by HIPAA at all. If you submit elec­tronic claims, if you verify insurance eligibility or coverage electronically, and/or if you submit paper claims to a billing service that converts them to electronic claims, then you are covered by HIPAA and mustcom­ply with its requirements. If you do not do any of these things, you are not cov­ered by HIPAA and you don’t have to do anything, at least not at this time.

Okay, on to some basics. Why was HIPAA enacted? Why are we having to take all these precautions to protect patients’ privacy?

Why Was HIPAA Enacted?

As with most legislation, the lawmakers had good intent. When Congress held hearings about patient privacy, hundreds of individuals came forward with horror stories about their private medical information being released without authorization. In Tampa, Florida, a disgruntled public health worker sent the names of more than 4,000 people who tested positive for HIV to two newspapers. Many large companies self insure their employees; employees of some of these companies had been fired without cause when their employers had discovered that these employees have a potentially expensive medical condition. Medical doctors had sold their patient lists to marketing and pharmaceutical companies without patient permission, thereby allowing this information to be easily accessed to the general public. Pharmacists and hospitals had disclosed personal information to friends and family members without first obtaining permission; one patient’s children found out that he had AIDS when they were informed by a pharmacy clerk.

No one would argue that medical information should be protected. We are all patients as well as health care professionals, so we have a vested interest in making sure that patients’ personal information remains private. Our goal is to determine what level of security must be undertaken to ensure the highest level of patient privacy without compromising patient care.

The good news is that the Privacy Rule considers the size and type of the facility when determining what level of security is needed to provide adequate privacy protection. For example, a hospital with a huge staff and thousands of records will have different security concerns than a small dental facility. As a result, because of the size and nature of our facilities, there is very little we have to do to satisfy the HIPAA requirements.

Compliance: Rumors and Truth

There were all kinds of rumors about the horrible things we would have to do to comply with HIPAA.

Fortunately, it’s not as bad as we once feared. You don’t have to soundproof your office. You don’t have to put doors that close on each operatory or reconfigure your walls so that they reach to the ceiling. So long as your charts are located in an area that is inaccessible to patients or other non-employees, you do not have to keep your charts locked in a cabinet. Although posting a schedule is probably fine because it helps ensure that care is being provided to the correct patient, try to minimize the amount of private information that appears next to the patient’s name and try to post it where it is not easily visible to any other patients. ( One method of protecting patients’ privacy would use abbreviations that are not obvi­ous to patients who might view the sched­ule; instead of writing” denture” next to “Mrs. Lisa Jones, ” you might write “LD” for “lower denture,” or “LCD” for “lower complete denture,” etc.). You don’t have to remove computers from your operatories or have special shields for your comput­ers; just make sure that you take reason­able precautions to protect your patients’ information. Use passwords and set your screen savers so that person­al information is visible only when in use.

You can call in a prescription for a new patient. You can send appointment reminder cards in the mail, you can give out imprinted toothbrushes and magnets, and you can call patients by name in your reception area. You can use sign in sheets, but limit the requested information to name, address, phone number, etc. You can fax personal health information to another doctor if you are disclosing it for treatment purposes.

These are not unreasonable demands. In fact, most of these pre­cautions are sensible and good business practice. It makes sense to do things like lowering your voice when you discuss private information with a patient, or going to a more private location if you’re discussing something that could be potentially embarrassing. Health care providers are allowed to make “incidental disclosures” which are disclosures that occur as a by-product of an otherwise permitted disclosure, but the general rule should always be to disclose the minimum amount of information necessary to accomplish your goal. (Examples of “incidental disclosures” would be a patient overhearing you talking to another patient as they walk by an open door, or other patients hearing a patient’s name when you call for him in the reception area.)

We also have to be careful when disclosing information to other business associates. Dental offices often work with dental labs, collection agencies, answering services, dental consultants, attorneys, and accountants, and all of these entities may have access to your patients’ person­al health information while performing their duties related to your office. (Employees, janitorial services, repair technicians, contractors, and delivery people are not considered to be business associates.) It is necessary to analyze your relationships with these business associates and determine whether they have access to your patients’ personal information. If they do, you need to enter into a formal business associate agree­ment in which they state that they are aware of your privacy policies and agree to abide by them.

It is very important to make a good faith effort to protect your patients’ private information. Civil penalties can be up to $100 for each offense (with a cap of $25,000 per year for multiple offenses), and criminal penalties can be up to $250,000 and/or 10 years in prison for deliberate, wrongful misuse of personal health information. The good news is that there’s no “HIPAA police” running around looking for violators, but that doesn’t mean we shouldn’t do whatever we need to do to get our office into compliance.

What Exactly Do We Need To Do?

The good news is that whipping your office into shape is pretty easy. First, buy a HIPAA compliance manual that offers samples of policies and forms. [Editor’s Note: The American Dental Association sells a HIPAA privacy kit for $125 that contains all the necessary forms and information for meeting the Privacy Standard. The ADA also sells a videotape/DVD of the privacy seminar the Association is conducting nationwide. The videotape/DVD is $99.95, or $200 when combined with the privacy kit. Call (800) 947-4746 to purchase.] Read the manual so you have an idea of the HIPAA requirements and evaluate your office to see where your office needs to improve its privacy policies. Designate one person in your office to be the privacy officer and develop and adopt written policies. Post a copy of your privacy policies in a prominent place. Meet with your employees and explain the need for protecting patients’ private health information, then explain the specific privacy policies that your office has adopted. Have your employees sign a form acknowledging their understanding of your office’s privacy policies and put the signed forms in your HIPAA notebook. Next, inform your patients that you have adopted specific privacy policies and offer them a copy. Have them sign two forms: one acknowledging that they received copies of your privacy policies; and one “consent” form that informs them of your practice’s privacy policies and states that they consent to treatment with those procedures in place. Place both of these forms in the patients’ charts.

That’s it. See, I told you it wasn’t a big deal! HIPAA’s privacy rule is much less invasive and much less demanding than we feared, and it does serve the purpose of protecting patients’ privacy. My advice is set a date, get busy, and get it over with! Happy HIPAA!

Laney Kay, JD has taught OSHA-related and regulatory courses across the Southeast since 1989. Her husband is a general dentist in Marietta, so she has had exposure to regulations’ effects on dentistry since the beginning. She has authored several articles on regulatory issues for this publication and others.