Eight Steps to HIPAA Privacy Compliance

Dentistry Today


Step aside OSHA, CDC, EPA, FDA, and BDE. The federal law for the Health Insurance Portability and Accountability Act, known as HIPAA, has provided us yet another acronym to add to our bowl of alphabet soup. While this one has more letters than the rest, it could have more ambiguity than all others combined!

The primary objective of the HIPAA law (which was enacted back in 1996) was to provide United States citizens better access to health insurance. To that end, it assures portability when employees switch employers. Likewise, it attempts to control healthcare fraud and abuse. Bottom line, the law claims to theoretically reduce administrative costs while controlling the privacy of electronic health information. 
That said, you may be questioning how this law can possibly affect your professionally run dental office, which does not share patient information openly with others. As with most government-related laws, HIPAA does not discriminate (or favor anyone, for that matter). In fact, as healthcare providers, everyone gets the same recognition and automatic acceptance into its private club of compliance, unless your office does not submit or receive electronic transactions. In other words, if you do not transfer information via electronic media (dial-up Internet, magnetic tape or disks, a clearinghouse, or through a vendor of practice management software or billing service), you do not have to comply. However, keep in mind that offices that retrieve patient benefit information over a company’s Web site or transmit patient benefit information (even on paper, via fax) are considered a covered entity!
If you currently do not submit patient information electronically, but plan to do so in the future, smart money says to do it now, while the information is easy to access and educational resources are more readily available to coach you through the process.

Before you begin to try to understand how to achieve compliance, let us first identify the 2 arms of HIPAA regulation: the Transactions and Code Set Standards and the Privacy Standards.

The transaction and code set standards require health plans, clearinghouses, and healthcare providers to use HIPAA-compliant diagnosis and procedure codes for electronic transmission of medical procedures. The CDT codes are believed to provide greater accuracy, which will (theoretically) expedite EOB payments.

Dental procedures are to follow new CDT-4 codes, which took effect on Jan. 1, 2003. If you need a copy of the CDT-4 codes, they are available at ADA salable materials (800) 947-4746. The deadline for compliance was set for Oct. 16, 2002. However, dentists were given an opportunity to extend the deadline to Oct. 16, 2003, providing they filed an extension by Oct. 15, 2002.

The Privacy Sector of HIPAA will require dental practices to implement a plan that in essence protects patient confidentiality and prohibits the misuse of Protected Healthcare Information, known as PHI. The plan can be categorized into the following 8 action steps to simplify the compliance process.

Step 1: Develop a Written Policy
Your written policy or plan should describe how you and your team will meet HIPAA compliance criteria and how PHI will be evaluated and monitored as it is obtained and provided by your office.

Step 2: Assign A Privacy Officer and Contact Person
Identify an individual who can be accountable for overseeing operations as your Privacy Officer. This individual should have a genuine interest in patient privacy. Of equal importance, they should be well organized, articulate, and willing to accept responsibility for supervision of compliance. The Privacy Officer would receive patient requests for obtaining access to their PHI or requesting an amendment to their PHI. The officer would be responsible for maintaining records for complaints and can act as (or appoint) a Contact Person to receive complaints. If the Privacy Officer shares the role of the Contact Person, then they must also be professionally mature and non-emotional. This is of particular importance when dealing with patient-related complaints.

Step 3: Team Training
Training is a very important aspect of HIPAA compliance. HIPAA requires that employers and employees alike be trained in privacy etiquette and HIPAA compliance by April 14, 2003. If an employee violates compliance requirements, an incident report is to be filed, and disciplinary action should follow to ensure that the behavior is not repeated.

Step 4: Business Associate Safeguards
All business associates (BAs), meaning any person or entity that performs or assists in the performance of a function or activity involving the use or disclosure of PHI (such as accountants, consultants, financial institutions, management consultants, advisors, computer software vendors, answering services, dental laboratories, and temporary employees), must provide healthcare providers safeguards that ensure PHI will not be abused or used for anything other than treatment, payment, or operational services (TPO). Employees and associates are not included, since they are members of your workforce.
This requirement can be met through a signed agreement with all BAs. Agreements must be signed by April 14, 2003. The agreement must stipulate that the BA is willing to “open the books” to Health and Human Services (HHS) if a privacy violation is suspected.

Step 5: Posting of HIPAA Privacy Policy
All healthcare providers must post their HIPAA Privacy Policy Notice in a conspicuous place for patient viewing.

Step 6: Patient Acknowledgement of Privacy Policy
HIPAA requires healthcare providers to obtain patient acknowledgement (acceptance is not required, only acknowledgement) of the healthcare provider’s privacy policy. This requirement can be met by having each patient simply acknowledge receiving a copy of the written privacy policy by signing off to that effect. If the patient refuses, a note must be made in the patient’s record to indicate the refusal.

Step 7: Self Audits
Periodically, healthcare providers need to perform self audits. If at any time the healthcare provider or representatives find any violations, they are to be mitigated as soon as possible to limit further harm to PHI.

Step 8: Authorization and Record Keeping Logs for Use of PHI for Other Than TPO
In the event that a healthcare provider intends to use PHI for anything other than TPO (Treatment, Payment, or Operational Services), the healthcare provider is required to obtain patient authorization. In addition, the healthcare provider is also required to keep a log that discloses who used the information, how it was used, and why it was used. The log, along with the authorizations, is to be kept on file for 6 years from the time of use and/or authorization.

Use common sense! HIPAA can only require that you use reasonable safeguards and good faith efforts to secure patient acknowledgement of receipt of your privacy notice.

HIPAA cannot enforce office design for soundproofing and/or chart lock-up or elimination. The law does suggest, however, that you should not leave charts out on display for patient access. Likewise, sign-in sheets are discouraged, and reminder cards must not detail diagnosis or PHI.

The privacy rule enables patients to find out how their information may be used and what disclosures of their information have been made. Likewise, it calls upon healthcare professionals to use appropriate safeguards to protect healthcare information. In general, the privacy rule sets boundaries by limiting the release of information (to a reasonable minimum) for the specific purpose of the request.
The privacy rule also provides patients with the right to examine and obtain a copy of their own health records and request corrections.

The privacy rule is enforced by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). HHS can hold violators accountable with civil (fines) and criminal (jail) penalties.

To avoid such penalties, you simply need to make a good faith effort and take reasonable steps to maintain patient privacy. This would include a good faith effort in creating written policies, posting written policies, and securing patient acknowledgement of receipt of your privacy policy before disclosure of PHI. 
Likewise, employers and employees must be trained in privacy etiquette by April 14, 2003. To that end, the office must use common sense by talking quietly and/or using curtains or partitions (if necessary) to minimize the chance of inadvertent disclosures. Furthermore, minimum necessary standards must be followed (which means you cannot disclose anything other than the information that is needed to accomplish the intended purpose). Of course, if PHI is used for anything other than TPO, the patient must be informed, and prior consent must be obtained.

Get your training program in order now! Train your team in HIPAA privacy and develop written privacy policies that describe how you and your team will handle PHI. Assign a Privacy Officer to ensure appropriate safeguards, audit transactions, and monitor patient-related communications. Likewise, have the Privacy Officer act as a Contact Person for handling patient complaints. Be sure to post your Privacy Policy and obtain patient signatures acknowledging receipt of your Privacy Policy. Make sure all your business associates have signed a BA agreement by April 14, 2003, which stipulates that they are willing to comply with the privacy of PHI. If you intend to use PHI for anything other than TPO, then be sure to get prior authorization from the patients as well.

Government regulations affecting healthcare providers can admittedly add to the burden of managing a dental practice. However, in the case of HIPAA, aside from the inconvenience of posting notices and obtaining signed acknowledgements, those who are willing to employ reasonable safeguards and use good faith efforts to comply can only enhance their professionalism as it relates to patient privacy. Such compliance is an appropriate course of action for those who continue to support excellence in patient care.

*Privacy Policy Notices, Forms, and Authorizations are available through ADA salable materials (800) 947-4746 and AADS (800) 927-6101.

Other Resources

• American Dental Association website: http://www.ada.org/goto/hipaa.
• AADS (charts and forms) website: http://www.aads.com.
• National Dental EDI Council website: http://www.ndedic.org/.
• US Department of Health and Human Services website: http://aspe.os.dhhs.gov/admnsimp/.

Ms. Simon is a certified management consultant, national speaker, published author, and president of Simon Says Solutions, a practice management firm based in Scottsdale, Ariz. As a member of the National Speakers Association and the Institute of Management Consultants USA, she has earned the mark of CMC, which represents evidence of her certification and the highest standards of consulting and adherence to the ethical canons of the profession. For over 2 decades, Ms. Simon has dedicated herself to coaching dental professionals in solution-based practice management systems. She can be reached at (800) FON-TEAM, by e-mail at risa@simonsayssolutions.com, or via the Web site at www.simonsayssolutions.com.