Under HIPAA, dentists meet the definition of “covered entity,” since they are healthcare providers. All covered entities, regardless of practice type, are subject to the same specific HIPAA regulations. HIPAA for Dentists, therefore, consists of compliance with the HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Breach Notification Rule, and the HIPAA Omnibus Rule. HIPAA issues common to dental offices are discussed below:
HIPAA for Dentists: What is Protected Health Information?
Protected health information is the term given to health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in relation to the provision of healthcare, healthcare operations and payment for healthcare services. Protected health information is often shortened to PHI, or in the case of electronic health information, ePHI.
To qualify as PHI, this information must:
Relate to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual that is:
- Transmitted by electronic media;
- Maintained in electronic media; or
- Transmitted or maintained in any other form or medium.
Protected health information includes all individually identifiable health information, including demographic data, medical histories, test results, insurance information, and other information used to identify a patient or provide healthcare services or healthcare coverage.
‘Protected’ means the information is protected under the HIPAA Privacy Rule.
HIPAA for Dentists Common Issue Number One: Training for Staff
The workforce of a covered entity must receive training in the dental practice’s policies and procedures.
According to the Privacy Rule, HIPAA training is required for each new member of the workforce within a reasonable period of time after the person joins the covered entities workforce and also when “functions are affected by a material change in policies or procedures” – again within a reasonable period of time.
The Security Rule requires that training be provided “periodically.” Such training should be provided:
- Whenever there is a change in work practices or technology
- Whenever DHHS issues new rules or guidelines.
HIPAA for Dentists: How Should Dental Practice Privacy Officers and Security Officers assess whether HIPAA training is required?
Privacy and Security Officers should not “wait for HIPAA news to happen.” Rather, in assessing whether and when HIPAA training is required, privacy and security officers should take these proactive measures:
- Monitor HHS and state publications for notice of rule changes in advance. Advance notice can be obtained, for example, by signing up for news release updates on the HHS news website.
- When new rules or guidelines are issued, conduct a security risk analysis.
- Coordinate with HR and IT managers, to determine the impact of the advanced notices of proposed changes, on Privacy Rule and Security Rule compliance.
HIPAA training must be provided to the employees whose roles will be affected by the changes.
HIPAA for Dentists Common Issue Number Two: Use of Voicemail
Another issue common to HIPAA dental offices is that of the use of voicemail – specifically, how much and what kind of information a provider may leave on a patient’s voicemail to remind the patient of an upcoming appointment. The HHS Office for Civil Rights (OCR) has provided guidance on this topic. According to OCR, staff should limit the information left on a voicemail.
The following information may be left on voicemail to remind a patient about an appointment:
- Name of the dental practice
- Name of the person calling
- Phone number of the person calling
- Appointment date and time
- Name of the individual that the practice is attempting to contact.
The following information should not be left on a voicemail:
- Health-related information
- Finance-related information
- Patient account information
HIPAA for Dentists Common Issue Number Three: Notice of Privacy Practices
Under the HIPAA Privacy Rule, dental practices must make good faith efforts to obtain written verification that patients have received notice of the dental practice’s Notice of Privacy Practices. The notice must describe how the dental practice may and may not use protected health information (PHI), and what the patient’s rights and obligations with respect to the PHI are. Cove
Covered entities should have patients sign a written acknowledgment that they have received the Notice of Privacy Practices.
HIPAA for Dentists Common Issue Number Four: What if a Patient Won’t Sign the Acknowledgment?
Under HIPAA, dental practices are prohibited from conditioning treatment upon receipt of the signed acknowledgment. If a patient refuses to sign the acknowledgment, the dental provider should document the refusal, the date of the refusal, and a reason for the refusal (if one was given). Even if the patient refuses to sign the acknowledgment, the provider may still use or disclose PHI for payment, treatment, or healthcare operations; the acknowledgment form is not a consent form. However, if a patient requests a restriction to the amount or type of PHI may be used or disclosed, and the provider agrees to that request, the provider must honor the request going forward.