HIPAA FAQ for Dental Offices

The following questions are answered below:

  • Are dental practices covered entities under HIPAA?
  • How do I comply with HIPAA?
  • What kind of information does HIPAA protect?
  • What is a business associate?
  • What was the September 23, 2013 deadline about?
  • I’ve updated my Notice of Privacy Practices. What do I do with it?
  • What changes should I consider making to my business associate agreements?
  • What kind of privacy policies should I have?
  • What kind of training and documentation should practices be doing?
  • What are the penalties for failing to get these policies and procedures in place or up to date?
  • Can the Saalfeld Griggs Dental Industry Team help me get all of the forms and policies necessary for compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule?

Are dental practices covered entities under HIPAA?

Most dental practices are considered covered entities under the Health Insurance Portability and Accountability Act (“HIPAA”) – meaning that you have to comply with its rules and regulations related to privacy, security, and breach notification. Any practice that electronically transmits certain defined “covered transactions” is covered by HIPAA (and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act). Those electronic transactions include a transmission to a health plan to determine relative payment responsibilities of the health plan for patient care (including claims, eligibility requests, and pre-determinations).

How do I comply with HIPAA?

Very generally, dental practices need formal written policies and procedures related to HIPAA’s three major rules. Those rules are:

  • The Privacy Rule related to limiting access, use and disclosure of patient health information;
  • The Security Rule related to administrative, physical, and technical safeguards for protection of electronic health information; and
  • The Breach Notification Rule requiring practices to make certain notifications when there has been a breach of protected health information, including to the patient and to the Department of Health and Human Services.

What kind of information does HIPAA protect?

HIPAA requires covered entities to protect their patients’ health information. This protected health information (“PHI”) includes individually identifiable health information that relates to the individual’s physical health, the provision of health care, or payment for the provision of health care. It includes demographic information and identifiers such as name, address, birth date, billing records, etc.

What is a business associate?

A business associate is an individual or entity that has access to the PHI of the practice’s patients. They are generally vendors that include consultants, IT providers, billing firms, or accountants.

You must have a business associate agreement with your business associate prior to disclosing PHI to that person.

What was the September 23, 2013 deadline about?

The Department of Health and Human Services (“HHS”) issued new regulations related to the Privacy Rule and the Breach Notification Rule. That deadline required covered entities to update the Notice of Privacy Practices that is distributed to patients, update their business associate agreements, and update policies and procedures related to the Privacy and Breach Notification Rules in compliance with regulatory changes.

I’ve updated my Notice of Privacy Practices. What do I do with it?

You must post your revised Notice of Privacy Practices in a conspicuous place in the office (i.e., in your patient waiting area). You also need to post a notice to patients that your notice has been updated and make that notice available. You should be giving your new patients that notice and have them sign an acknowledgement of receipt of the notice. Finally, if you have a website, post it there in a place that is prominent and easy to access.

What changes should I consider making to my business associate agreements?

The regulations that took effect in September 2013 make your practice liable for the violations committed by your business associates. As a result, practices need to require business associates to meet the same privacy and security obligations that they have (and their subcontractors must also follow the same rules). Practices also should consider other items to ensure greater protection for the practice like an indemnification clause, a clause shortening the notification period in the event of a breach, and a provision allowing the practice to audit business associates.

What kind of privacy policies should dental practices have?

Although this list is not exhaustive, practices should have policies that dictate:

  • Who is allowed to access a patient’s health information;
  • When personal health information can be distributed outside the practice for purposes of treatment, payment and operations;
  • When personal health information can be released to family and friends;
  • When and how to keep a log of disclosures of health information;
  • Standard for the minimum necessary use of health information;
  • Privacy requirements during disasters;
  • Record retention; and
  • Requests for amending a patient’s personal health information.

What kind of training and documentation should practices be doing?

HIPAA requires covered entities and their business associates to train their workforces on their HIPAA policies and procedures. Practices should document their training efforts and keep those training records for at least six years.

What are the penalties for failing to get these policies and procedures in place or up to date?

HHS has the authority to penalize covered entities for their own non-compliance as well as the non-compliance of their business associates. The amount of the penalties can range from $100 to $50,000 for each violation. The regulations provide HHS with discretion and authorize the agency to use a number of factors in determining the amount of the penalty, including: the nature of the violation; the number of individuals affected; the time period of the violation; what the covered entity knew or should have known; and the extent of the harm resulting from the violation.

The lesson for all practices should be that it is better to work on complying now than never at all.

Can the Saalfeld Griggs Dental Industry Team help me get all of the forms and policies necessary for compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule?

Yes, we can. Please contact David Briggs or Wayne Kinkade for more information regarding your forms and policies.