HIPAA

Aug. 1, 2002
Let's have a private moment, please, while you figure out how to protect your patients' privacy - an issue regulated by the government.

by Sheri B. Doniger, DDS

HIPAA is the Health Insurance Portability and Accountability Act of 1996. In its essence, it covers the electronic transfer of any transaction, privacy of individuals' identifiable health information or protected health information (PHI), and security standards - both electronic and on paper. HIPAA has generated a privacy rule, which will be mandatory as of April 14, 2003.

Dental offices are included in the regulation, which governs any transmission of information electronically - in connection with standard transactions. The main purpose is to disclose the minimum amount of information necessary for treatment, payment, or health-care operations.

We are all aware of signing releases at the beginning of a patient's tenure with a dental office and for patients who have dental insurance. This act, though, contains the requirement for all patients to sign additional documents concerning their privacy rights, which cover the tenure of their treatment in the office. I will briefly explain the major points of HIPAA and the pertinence to our offices.

Guarding privacy

The goals of HIPAA are to improve the efficiency of health care and reimbursement, protect the consumer's right to privacy concerning access to their PHI, and increase the security of electronic transfers of PHI. Penalties could be assessed for noncompliance with the provisions, prohibitions, or requirements of the privacy rules act. A fine of $100 could be charged for each knowing failure to comply, with an annual cap of $25,000 for multiple failures. Penalties are not limited to civil (only monetary) judgments, but can be criminal as well if misuse of individual identifiable health data occurs. Criminal penalties include both monetary penalties and jail time. No penalty will be applied if reasonable attempts have been made to comply, learn, and implement the requirements and there is a reasonable cause for noncompliance, as well as if correction occurs within 30 days.

This act, therefore, will be a very vital component of every dental practice in the country.

These privacy rules came out of the public's concern for lack of privacy. Surveys have demonstrated the apprehension for the amount of information requested - not only to receive care but also to receive payment. Additionally, a vast majority felt they lost control over their personal information.

All of us may have experienced this trepidation in one way or another. We have received faxes from unknown sources, soliciting calling plans or stock market news. In your private life, how many times have you received a mailing or a catalog and thought, "How did they get my name?" Many entities sell their lists of clients, patrons, and/or patients. In dental offices, it is not uncommon for patients to withhold information due to privacy concerns (even though it could be deleterious to their treatment). When the abuses reached the Internet and personal information was shared in random generic e-mails, Congress decided to act. HIPAA was signed into law in 1996 and will be mandatory for all practices in April 2003.

HIPAA is far-reaching. Although it mainly concerns electronic transfer of data, all offices will be required to follow specific procedures in relation to security and confidentiality of private information. There are eight standard transactions that are covered (see Table 1). Usually, dental offices are only concerned with claims or equivalent encounters, remittance and payment advice, and claims status. On occasion, we will be concerned with eligibility and enrollment.

The goal of the program will allow one standardized format for each of these specific transactions, along with a set standard of procedure codes. For dentistry, we will be using the CDT codes. This simplifies transaction processing.

For many offices, software upgrades may be necessary. Vendors are highly aware of HIPAA and its impending impact. They should be in the process of making alterations in their systems. New standards may require new forms, but currently no change is seen for the standard dental claim forms utilizing the CDT codes being sent via the mail. The form will remain the same, but the substance may alter slightly.

The paperwork

Several protocols will be required for entity compliance (see Table 2). I will briefly describe the components. This is by no means a complete assessment - merely an overview of the rules that will be enacted. Future articles will go into more detail.

The privacy notice - a written notice to patients or prospective patients - states that the office will not use or disclose PHI except as otherwise required for treatment, diagnosis, and billing. It also sets out the individual's rights, the practice's obligations, and complaint procedures. Health information includes any information - oral, written, or electronic - relating to the patient's past, current, or future physical conditions. This includes information created by a health-care provider, health plan, public health authority, employer, school, university, or clearinghouse that is covered by HIPAA. Demographic data (name, address, Social Security number, phone numbers, e-mail, etc.) is also included. HIPAA will allow the disclosure of these for treatment, payment, and health-care operations, as well as in the case of research or public need. Treatment can include one or more dentists or health-care providers, and referral to other practitioners.

Payment submissions must include the absolute minimum amount of information to accomplish the intended purpose. This category includes eligibility determination, preauthorization, collection, and medical necessity and fee justification. Health-care operations include quality assurance activities and audits, which may be more applicable to larger entities. The minimum necessary limitation applies to health-care operations as well. The patient should acknowledge - dated and in writing - their reading of the privacy notice. If the patient does not see the privacy notice, it must be documented that "good faith efforts" were made to have the patient see the notice. This is kept in the medical record or patient's chart for six years or until the law changes.

The consent form may be signed as well. HIPAA consent for disclosure is permission from patients that this is what the office is going to do with their information. The consent forms will allow the specific practice to use/disclose their personal health information for the purposes of treatment, payment, or health-care operations.

Treatment may be conditional upon the signing of this form. The consent form, as with the privacy notification, must be kept in the record for six years or until the law changes. The consent forms are separate entities from the "consent to treat"; these two forms should not be confused.

The authorization forms are "consenting" beyond the consent forms. These forms will be required if the practice needs to disclose information beyond the scope of treatment, billing, and health-care operations. An example of this is when children's dental forms are sent to the school, rather than directly to the parent. Authorization forms must have a signature, date, and expiration date or expiration event. These forms are for specific purposes.

No prying eyes

Data safeguards need to be in place to ensure the confidentiality of the electronic or paper PHI. Risk assessment for each individual practice will be needed to determine the level of security required.

Safeguards must be in place to protect patients' PHI from any intentional or unintentional use or disclosure that would violate the privacy rules. The office needs reasonable physical and technical safeguards to ensure the safety and confidentiality of patients' data.

The office may not have computer terminals in plain sight of the patient. Firewalls should be erected if working off of a network. Passwords should be implemented and changed often.

Staff management will be key. Training will need to be in force constantly. Staff will need to be trained on the privacy policies prior to implementation and compliance date; new staff should be trained as soon as possible. This must be documented for six years. Additionally, staff should be sanctioned if they violate these policies.

A privacy policy and procedure manual will need to be written and in place. It will be required to have written policies and procedures on the privacy, confidentiality, and training for the specific office. Again, HIPAA rules are scaled to the individual offices and evident inherent risks. All staff will need to be aware of specific security and confidentiality issues.

Practices will also have to evaluate their inherent risks. Various "privacy checklists" are available. Offices must set security standards that include physical safeguards, technical (computer) mechanisms, and a successful plan for constant monitoring, in addition to any contingency plans in case of individual health data loss due to computer failure or physical plant damage.

A privacy officer needs to be designated as the key point person. Access may be limited to all or a few personnel, depending on the practice size. Sensitive oral communication should be in private or semiprivate areas. Offices need not be reconfigured, but all possible attempts to have quiet, private conversations will be critical to minimize the risk of being overheard.

These rules are not in their finalized state. Alterations have already been made to the original language. Regardless, HIPAA will be here to stay.

Every office, no matter what size, will be required to have a privacy notice, consent forms, authorization forms, and a privacy policy and procedure manual in place.

It will not be necessary to reinvent the wheel. Several organizations will offer guidance on implementation for the individuality of large or small offices. The ADA is offering a kit with an update and CD that will be mailed out once the rule is finalized. Additionally, several seminars will be available for the discussion of HIPAA. In addition to the ADA, state and local constituent dental and dental hygiene societies more than likely will be offering programs.

Some Internet resources include the following: www.cms.gov/hipaa; www.os.dhhs.gov/topics/privacy.html; www.ada.org/prof/prac/issues/topics/hipaa/index/ html; snip.wedi.org; and www.wedi.org.

HIPAA will affect everyone, from the smallest office with three staff members using only mail-in claims to the largest, multiteamed business. Awareness is the key to readiness. Let's start now!

The author wishes to thank Bruce and Carol Keplinger and Pat Clark for their invaluable assistance.

Sheri B. Doniger, DDS, practices in Lincolnwood, Ill. She graduated from the University of Illinois College of Dentistry in 1983 and obtained her bachelor's degree in dental hygiene from Loyola University of Chicago in 1976. She can be reached at (847) 677-1101 or [email protected].