Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996. The purpose of the HIPAA is to improve the efficiency and effectiveness of healthcare transactions by standardizing the electronic exchange of administrative and financial data, as well as protecting the privacy and security of individual health information that is maintained or transmitted.

HIPAA imposes stringent privacy and security requirements on health plans, healthcare providers, and healthcare clearinghouses that maintain and/or transmit individual health information in electronic form. The term “healthcare provider” includes individual physicians, physician group practices, dentists, other healthcare practitioners, hospitals, and nursing facilities.

HIPAA administrative simplification includes requirements regarding transaction and code set standards; information security; and patient information privacy.

In general, HIPAA aims to improve efficiency in patient care delivery by establishing the standardization necessary to facilitate electronic transactions and information system development. The Department of Health and Human Services (HHS) realized that this approach would prompt concerns about confidentiality and integrity of sensitive health information. So these regulations also address the security of electronic systems and networks and the privacy of patient data in all forms. Specific objectives of the regulations are:

•Standardizing the format and content of primary commercial and administrative electronic healthcare transactions.

•Developing standards to protect confidential patient information from improper use or disclosure and establishing patients’ rights to control such uses.

•Developing standards for computer systems and networks to ensure the security, integrity, and availability of patient data.

HIPAA compliance is not solved solely by a technical upgrade of existing clinical information systems or patient management systems. Over two thirds of HIPAA compliance is operational in nature, and only one third technical. HIPAA compliance will dictate major changes in how dental clinics and dental care providers operate, and will require integration and adaptation of organizational compliance culture.

While HIPAA will impact all healthcare organizations, there are three types of organizations to which the regulations apply directly (designated as “covered entities”): health plans, healthcare clearinghouses, and healthcare providers including dentists who conduct any electronic transactions specified in the legislation.

Table 1. HIPAA Objectives
• Curtail healthcare fraud and abuse
• Enforce standards for health information
• Guarantee the security and privacy of health information
• Assure health insurance portability for employed persons

As listed in Table 1, the major objectives of HIPAA are curtailing healthcare fraud, enforcing standards for healthcare information, assuring the privacy of protected health information, and security of health information.

Table 2. HIPAA Standards Rule Release and Implementation Deadline

Standard Final rule release Implementation deadline
Transaction code set 8/17/2000 10/16/2002 – Extension 10/16/2003
Security Standard Expected 2002  
Privacy Standard 12/28/2000 4/14/2003

HHS is coordinating implementation of administrative simplification. HHS began by establishing rules for electronic transactions, privacy, and security. HHS began releasing final rules starting with electronic transactions on August 17, 2000. After publishing the first set of rules, HHS incorporated comments from healthcare organizations. The HIPAA standards final rule release dates and implementation deadline are shown in Table 2.

TRANSACTION AND CODE SET STANDARDS

HIPAA required the Secretary of HHS to adopt transaction and code set standards agreed upon by Congress and the healthcare industry. The standard will enable electronic exchange of administrative and financial healthcare transactions and can improve efficiency and effectiveness of the healthcare system.1

National standards for electronic healthcare transactions will encourage electronic commerce in the healthcare industry and ultimately simplify processes for conduct of electronic transactions. Today, healthcare providers and health plans that conduct business electronically use many different formats for electronic transactions. For example, about 400 different formats exist today for healthcare claims including dental claims. With a national standard for electronic claims and transactions, healthcare providers will be able to submit an electronic transaction to any health plan in the United States. Health plans will be able to send standard electronic transactions such as remittance advices and referral authorizations to healthcare providers. These national standards will make electronic data interchange (EDI) a viable and preferable alternative to paper processing for providers and health plans alike.

The electronic transactions final rule stipulates standards for EDI for efficient and effective exchange of healthcare financial transactions. These standard formats will cover all healthcare providers who submit health claims, encounter information, treatment payment, remittance advice, referral certification, and authorization from a third-party payer. These regulations establish national standards for electronic transaction and data content for administrative functions conducted between covered entities. HIPAA does not require providers to conduct these transactions electronically, but it does require payers to accept any covered transactions electronically if a provider chooses.

All private sector dental health plans and government health plans (including Medicare and State Medicaid programs), all healthcare clearinghouses, and all dental healthcare providers that choose to submit or receive these transactions electronically are required to use these standards. Internet transactions are treated the same as other electronic transactions. However, there are certain transmission modes in which the format portion of the transaction standard can be unsuitable. For example, a “direct data entry” process, where treatment-related data from a dental clinic are directly keyed by an administrative person into a health plan’s computer using Unix system-based terminals or computer browser screens over a network, would not have to use the transaction standard, but data transmitted must be consistent. On the other hand if data are directly entered into a practice management system that is outside the health plan’s system, (with an intent of transmission to a health plan), the transaction must then be sent using standard format and content.

The transaction standards will apply only to EDI when data are transmitted electronically between a dentist and a dental health plan as part of a standard transaction. Data may be stored in any format as long as it can be translated into a standard transaction when required. To comply with the transaction standards, dental healthcare providers and dental health plans may exchange standard transactions directly, or they may contract a clearinghouse to perform this function. Clearinghouses can receive nonstandard transactions from a dental provider, and they must convert these into standard transactions for submission to a health plan.

The law gives the Secretary of HHS authority to impose monetary penalties for failure to comply with a standard. The Secretary is required by statute to impose penalties of not more than $100 per violation on any person or entity who fails to comply with a standard except that the total amount imposed on any one person in each calendar year may not exceed $25,000 for violations of one requirement.

A “code set” is any set of codes used for encoding data elements, such as tables of terms, medical concepts, medical diagnosis codes, or medical procedure codes. Medical data code sets used in healthcare include coding systems for diseases, impairments, and other health- related problems and their manifestations; actions taken to prevent, diagnose, treat, or manage diseases; injuries; and impairments. Code sets for medical data are required data elements in administrative and financial healthcare transaction standards adopted under HIPAA for diagnoses, procedures, and drugs. These provisions mandate use of CDT-3 (Current Dental Terminology); ICD 9 (International Classification of Diseases, 9th ed, Clinical Modification); and CPT (Current Procedural Terminology) for diagnoses and services in conjunction with the specified transactions. Dental care providers generally only use CDT-3 issued by the ADA.

For HIPAA compliance each dental care provider should evaluate their clinical information system or practice management system that sends transactions and receives them.2 Dental providers will have to work with application system vendors to evaluate and test their system for compliance. Electronic transaction standard compliance should be a priority as the deadline for compliance is October 16,  2002. If a dental healthcare provider will not be compliant by this date, that provider must file for an extension by submitting a compliance plan. An extension for a year can be obtained by submitting a model compliance plan through the Centers for Medicare & Medicaid Services website at www.cms.gov/hipaa/hipaa2/ASCAForm.asp#HowToFile. All clinical system vendors and clearing houses dealing with dental providers will also have to be HIPAA transaction standard compliant.

PRIVACY RULE

Privacy relates to an individual’s desire to control access to personal health information. An individual should have control of their health record, and release of information should be based upon consent. As a part of HIPAA, Congress mandated establishment of standards for privacy of individually identifiable health information. The standard (Privacy Rule) became effective on April 14, 2001.3 Most dental healthcare providers are covered by this rule and must comply with new requirements by April 2003. The proposed privacy rule establishes standards to protect the privacy of individually identifiable health information maintained or transmitted electronically in connection with certain administrative and financial transactions or such information maintained in a computer system. The final rule provides standards, requirements, and implementation guidelines.4

CONSENT

The Privacy Rule establishes a federal requirement that most physicians, dentists, hospitals, or other health care providers obtain patient consent before using or disclosing a patient’s personal health information for treatment, payment, or healthcare operations. The rule requires dentists to provide patients with notice of patients’ privacy rights and privacy practices. It also requires dentists to make a good faith effort to obtain patients’ written acknowledgement of privacy rights notice and practices. The modification to the final rule released on August 9, 2002 removes mandatory consent requirements that would inhibit patient access to healthcare while providing covered entities with an option of developing a consent process that works for that entity, and it allows consent requirements already in place to continue.

PRIVATE HEALTH INFORMATION 

Table 3. Private Health Information Inclusions
• Names • Credit card information
• Addresses • Certificate numbers
• Cities and countries • License numbers
• Phone numbers • Zip codes
• Fax numbers • Account numbers
• E-mail addresses • Birth dates

Private health information (PHI) is any information that relates to an individual’s health, healthcare treatment, or payment for healthcare and that identifies an individual (Table 3). This information is protected as long as the data remain under the control of a dental healthcare provider. Paper versions of PHI, such as computer printouts, are also protected.

A dentist should determine what information has to be protected under the Privacy Rule and ascertain how it is stored and transmitted.2 In order to do this, PHI flow should be mapped as it travels inside and outside a dental clinic. Flow charts can be used to understand how PHI is managed, stored, and transmitted from or through a dental office.

Table 4. Security Questions Used for Mapping Private Health Information8

PAPER

At what sites is the chart stored?

How is the storage area secured?

Who accesses the chart at each location?
•Is the person authorized to read it?
•Is the person authorized to modify it?
•Does the person clearly sign/date access?
•Who determines authorized access?

By what media does information leave the chart room while in storage?

How and when and by whom is PHI destroyed?

How are data aggregated for quality assurance studies and surveys?

ELECTRONIC

Where are the computer terminals?

How are the computer terminals secured?

Who accesses the terminals at each location?
•Is the person authorized to read it?
•Is the person authorized to modify it?
•Does the person clearly sign/date access?
•Who determines authorized access?

By what media does information leave the chart room while in storage?

How and when and by whom is PHI destroyed?

How are data aggregated for quality assurance studies and surveys?

ORAL

Where are the conversations held?

How secure are conversation areas?

Are only authorized personnel involved in
the conversation?

 

Are only authorized personnel involved in
the conversation?

 

Information regarding management, storage, and transmission of PHI should be determined and documented. Table 4 will assist dentists in determining adequacy of current security policies and procedures.5 These questions should cover all forms of PHI transmitted by paper, electronic, and oral means. It should be known that many individuals can come in contact with PHI: dental assistants, dental hygienists, lab technicians, and front office staff that are involved with scheduling and billing. In addition business associates such as attorneys, collection agencies, billing agencies, and system vendors may have access to these data, and they should be identified and documented. Business contracts are needed when an associate provides services to the clinic and when these services involve the disclosure of PHI by the clinic to an associate who will use the information on behalf of the clinic.4 The business associate requirements do not apply to those with whom the clinic shares PHI for treatment purposes.6

The rule also provides new rights for individuals with respect to PHI and gives details on the obligations of healthcare providers. Patients have a right to receive written notice that details the types of uses and disclosures that the dentist will make with PHI. Patients also have a right to access  their own health information, including a right to inspect and obtain a copy of PHI.6

As a part of HIPAA compliance, a dentist should develop a notice of information practices. This notice should be provided to patients at their first visit, and a copy of the notice should be posted in every dental office. On the other hand, PHI can be used or disclosed without patient authorization for purposes of treatment, payment, and healthcare operations. Patients must be informed of their right to request restrictions concerning use of protected health information for treatment, payment, or healthcare operations. Under specific conditions, dentists are permitted to disclose protected health information for federal, state, and other health oversight activities; public health activities and emergencies; judicial and administrative proceedings; and to a law enforcement official with a warrant or subpoena.

SECURITY REGULATIONS

The proposed security regulations consist of administrative procedures, physical safeguards, technical security services, and technical security mechanisms that a dental healthcare provider must address in order to safeguard the integrity, confidentiality, and availability of electronic data.7

Unlike the proposed transaction and code set regulations, the proposed security regulation does not require specific standards, and is flexible enough to take advantage of state-of-the-art technology. Under current HIPAA regulations security implementation should be technology neutral, so as to meet current and future requirements. It also does not address the extent to which a particular entity should implement specific features. Instead, it requires assessment of needs, and development, implementation, and maintenance of appropriate security polices and procedures to address the business requirements of an organization. The measures adopted must be documented and kept current.

The HIPAA security standard requires that each healthcare provider (including dental healthcare providers) engaged in electronic maintenance or transmission of health information assess potential risks and vulnerabilities to individual health data in their possession, and develop, implement, and maintain appropriate security measures. HIPAA’s security provisions apply to all individually identifiable health information or PHI that is electronically maintained or used in an electronic transmission. The key words here are “individually identifiable” and “electronically maintained or transmitted.” Every dental office, including those that use paper forms or stamps and envelopes for mailings, and print bills from a practice management system, are subject to HIPAA’s security requirements.

The security standards require a two-phased program: security assessment and management. A dentist should assess potential risks and vulnerabilities of individually identifiable health information. Management of information security is an ongoing process in which security measures are developed and implemented,  infringements are documented, and security policies are updated.

The implementation of the proposed security requirements can be divided into three categories: administrative safeguards, technical safeguards, and physical safeguards. Administrative safeguards are documented, and formal practices are implemented to manage selection and execution of security measures to protect data and the conduct of personnel involved with the protection of data. These relate to chain-of-trust agreements, audits, logging of information exchange, and contingency plans for data recovery in case of disasters.

Physical safeguards are intended to guard data integrity, confidentiality, and availability. These relate to the protection of physical computer systems and the facilities that house them from fire and environmental hazards, as well as from intrusion. Physical safeguards also cover use of locks, keys, and administrative measures used to control access to computer systems and facilities.

Technical security services are intended to guard data integrity, confidentiality, and availability. These services include processes put in place to protect, control, and monitor information access, and to prevent unauthorized access to data that are transmitted over a communications network.

The proposed information security rules specify 61 specific conditions that must be met, and 6 or 7 additional conditions if a network is present.8 The categories are indistinguishable, and some of the conditions appear redundant. For a small dental office these requirements can appear to be overwhelming. The Notice of Proposed Rule Making (NPRM) addresses this question specifically in a section explaining how a small healthcare provider office might implement the security requirements.9 The Centers for Medicare and Medicaid services suggest evaluation and certification by a consultant or a practice management system vendor during assessment and policy/procedure development. Even a small office will need personnel security policies, assigned security responsibility, compliant hardware, software with internal audit trail capability, and physical plant changes such as locked rooms and closets to secure equipment. Employees must also be trained and oriented with regard to information security, and chain-of-trust agreements with claims processors must be executed. These measures must be documented, maintained, and kept current.

CONCLUSION

HIPAA will change the way dental healthcare is documented, compensated, communicated, and policed. Until recently the spotlight of HIPAA has been fraud and abuse provisions that result in huge fines and the threat of incarceration. Nevertheless, the security and privacy implications of the act may be of even greater consequence.


Acknowledgment

The authors would like to thank Dr. Ira B. Lamster, Dean of Columbia University School of Dental and Oral Surgery, for his valuable advice and help in the preparation of this manuscript.


References

1. US Department of Health and Human Services administrative simplification of transactions and code set standard. www.aspe.hhs.gov/admnsimp/bannertx.htm. Accessed on 8/2/2002.

2. Newton T. Hippa best practices. www.himss.org/Templates/Content Redirector.asp?ContentId=6328. Accessed on 8/2/2002.

3. US Department of Health and Human Services administrative simplification of privacy standard. www.aspe.hhs.gov/admnsimp/bannerps.htm#privacy. Accessed on 8/2/2002.

4. Federal Register: Rules and regulations. Standards for privacy of individually identifiable health information, 45 CFR parts 160 through 164, volume 65, number 250, page 82461-82561. www.aspe.hhs.gov/admnsimp/final/pvcpre01.htm. Accessed on 8/2/2000.

5. Walker R. A HIPAA Strategy for dental schools. J Dent Educ. 2002;66:624-33.

6. Office for Civil Rights. Standards on privacy of individually identifiable health information. www.aspe.hhs.gov/admnsimp/final/pvcguide1.htm. Accessed on 8/2/2000.

7. US Department of Health and Human Services administrative simplification of security standard. www.aspe.hhs.gov/admnsimp/bannerps.htm#security. Accessed on 8/2/2002.

8. Hellerstein D. HIPAA’s impact on healthcare. Health Management. 2000:4; www.healthmgttech.com/archives/bus0499.html. Accessed on 8/2/2000.

9. Notice of proposed rule making for security and electronic signature standards. www.aspe.hhs.gov/admnsimp/nprm/sec05.htm. Accessed on 8/2/2002.



Dr Pai is an assistant professor of clinical dentistry and director of clinical information systems at the Columbia University School of Dental and Oral Surgery in New York, NY.

Dr Zimmerman is an associate professor of clinical dentistry and assistant dean for information resources at the Columbia University School for Dental and Oral Surgery in New York, NY.