“Recently I came across a colleague who was dealing with a complaint regarding a breach in privacy among a patient in his practice. How can I be sure that all of the HIPAA Guidelines are being followed in my office? What systems do I have in place that could jeopardize the Privacy Act?”

This is a timely question, as Susan and I had the opportunity to visit healthcare facilities including hospitals, emergency clinics, specialty physicians, and physical therapy clinics for both our daughters this past summer (Rose’s split-open knee has healed nicely, and Mary’s torn ankle ligament is on the mend). During our visits, we witnessed multiple violations of HIPAA, and wondered how often this is occurring in dental offices.

The privacy provisions of the Health Insurance Portability and Accountability Act of 1996, a federal law, apply to health information created or maintained by health care providers. These provisions went into effect on April 14, 2001, with a Privacy Rule compliance deadline of April 14, 2003.

In dental and medical offices, back in 2002-2003, there were analyses and well-thought-out plans for becoming compliant with the new HIPAA regulations. Five years later, how sure are you that your office has remained compliant? Sure, it is easy to slip the Notice of Privacy Practices sheet and Acknowledgement Form under the rest of the new-patient paperwork, make sure the form is signed and dated, and clip it into the chart. But what happens beyond this initial step? How careful is the office to keep faithful to the rest of the privacy stipulations? Has your office become lax in following the “letter of the law,” or have policies been instituted in your office that make patient privacy turnkey?

Dental offices that transmit any health information in electronic form, either directly or indirectly through a vendor or billing service, need to appropriately safeguard and disclose protected health information in compliance with federal requirements.

Failure to comply with the Privacy Rule can subject dentists to severe sanctions for violations, including both civil (fines) and criminal penalties. Civil penalties are $100 per violation, up to $25,000 per person, per year for each requirement or prohibition violated. Federal criminal penalties are up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining protected health information under “false pretenses”; and up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.

What should my office be doing?

  • Be vigilant that privacy practice policies and procedures are being followed
  • Have in place a privacy compliance program that includes internal auditing of privacy procedures, with training of new employees so that the staff understands the practice’s privacy procedures
  • Designate a “Privacy Officer” (can be the office manager or a spouse) to be responsible for overseeing that privacy procedures are adopted and followed
  • Maintain reasonable and appropriate administrative, technical and physical safeguards to ensure the integrity and confidentiality of patient health information
  • Protect against reasonably anticipated threats to the security or integrity of patient health information
  • Protect against unauthorized uses or disclosures of patient health information
  • Make sure that patients cannot see each other’s health information
  • Ensure that only those employees who need to see patients’ health information in the course of their jobs can do so
  • Take “reasonable precautions” to minimize the chance of inadvertent disclosure of a patient’s personal health information via oral communication to others who may be nearby
  • Establish “Business Associate” contracts with labs, consulting firms, e-claims clearinghouses, collection agencies, and computer software/hardware vendors to protect private health information
  • Provide information to patients about their privacy rights and how their personal health information can be used.

What will HIPAA privacy regulations not allow me to do?

  • Prohibit dentists from talking to each other and to their patients (Health and Human Services guidance recognizes that providers understand the sensitivity of oral information, and acknowledges the importance of oral communications occurring freely and quickly in treatment settings)
  • Prevent an insurance carrier from verifying patient eligibility when contacted by a dental office
  • Prevent an insurance carrier from reporting the status of a pending claim to a dental office when contacted by the office
  • Prevent a dentist from sending appointment reminder cards to patients
  • Prevent dentists from having a sign-in sheet at the front desk; however, the reason for the appointment should not be listed on the sign-in sheet
  • Prevent dentists from engaging in billing and collections activities, including the use of collection agencies
  • Require dentists to obtain written consent from patients for disclosure of health information. Dentists and other providers are required only to make a good-faith effort to give patients written notice of privacy practices and of patients’ privacy rights.

Where am I now?

  1. Make sure all existing consent and authorization forms are up to date and continue to comply with the regulation. Continue to have patients read and sign visually separate consents for assignment of benefits and use of healthcare information.
  2. If you’re using protected health information for any purpose other than treatment, payment, or operations, make sure you have a special authorization form that conforms to the requirements of the privacy regulation.
  3. Draw a diagram of your facility and plot each point where consent for information use might be obtained in your organization. Make certain that you provide an environment where patients can privately review and ask questions about the consent and how you will use their personal health information.
  4. Draw another diagram of your facility and plot the locations where protected information could be inadvertently released by paper, phone, fax, and computer. Implement strict policies and processes for employees who work in these locations. Besides mail, fax, and electronic communications, don’t forget about wired and wireless phones as a high-risk medium. Make sure that your staff protects phone conversations from being overheard by patients and visitors in reception areas and corridors.
  5. Inventory all of the business associates to whom you disclose protected health information, describe the information you disclose, and explain the business purpose for which the disclosures are made. Execute business associate agreements with those business associates.
  6. Confirm that your policy and process for documenting and tracking any disclosures of health information for reasons other than payment, treatment, and healthcare operations is being followed and is secure.

After doing a thorough check that your policies and procedures are intact, it would be wise to hold an office meeting to revisit the HIPAA regulations, discuss the following insert, and have each employee sign it; keep the signed form in the permanent employee record:

Patient & Records Confidentiality

We make available to each employee certain information, including patients’ names, dental history and addresses, communications, files, bills and payment records, office forms or manuals, etc. These items are of substantial value, are highly confidential, constitute the professional and trade secrets of the doctor, and are provided and disclosed to the employee solely for use in connection with his or her employment. We ask our employees to:

  • regard and preserve practice information as highly confidential and as the trade secrets of the employer. Such information must not be discussed away from the premises or within hearing distance of any patient or unauthorized person.
  • not disclose, or permit to be disclosed, any of this information to any person or entity.
  • not photocopy or duplicate, and not permit any person to photocopy or duplicate, any of the information without the employer’s consent and approval.
  • not make use of the information for their own benefit or the benefit of any person or entity other than the employer.
  • continue to keep any information confidential even after termination of employment with the office.
  • release personal information about other team members (phone number, address, etc.) only with the team member’s specific and prior approval in writing.

Employees who handle confidential information are responsible for its security. Extreme care should be exercised to ensure it is safeguarded, to protect the practice, each team member, the suppliers, the patients, and the employer. Any employee who violates this confidentiality and disclosure policy is subject to disciplinary action up to and including discharge and, in extreme cases, legal action.

It is very easy to become complacent in the day-to-day operation of any workplace. But it is wise to be on the lookout for possible gaps in a seemingly well-run practice and to safeguard against the unfortunate events that could arise from them.