How to Implement a HIPAA Compliance Plan into a Practice

Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, all dental offices are required to formulate policies and procedures to ensure and secure patient privacy of health information. This article reviews the essential points of such a plan and makes recommendations for implementation.

For a practice to succeed today, practitioners must look toward their patients’ well-being in the office setting and outside as well. In the office setting, such care includes a thorough patient history as well as an impeccable clinical examination. Outside the office setting, the practitioner must safeguard the patient from a different type of threat—the invasion of privacy. Every patient has the right to privacy and security of his or her personal information. For this reason, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 was created. How does a practitioner ensure that his or her practice is compliant and that patient information is truly kept private? This article addresses these concerns and explores what a practice should include and undergo to ultimately become HIPAA compliant to better protect the patient in the office and out.

The Department of Health and Human Services has been given the responsibility of creating regulations to help practices become HIPAA compliant. These regulations may be divided into three main categories: the Standards for Electronic Transactions, the Security and Electronic Signature Standards, and the Standards for Privacy of Individually Identifiable Health Information (IIHI). By following these three regulations, a practice should be able to reduce the cost to become HIPAA compliant as well as simplify the process.

The Standards for Electronic Transactions govern eight specific electronic transactions: (1) health care claims and encounter information, (2) eligibility for a health plan, (3) referral certification and authorization, (4) health care claim status, (5) enrollment and disenrollment in a health plan, (6) health care payment and remittance advice, (7) health care premium payments, and (8) coordination of benefits. Because these transactions are electronic, a practice’s current technology must itself be compliant; practitioners should therefore contact their software vendors to confirm that their software is indeed HIPAA compliant. These standards also prescribe the code sets to be used in health care electronic transactions, including Current Procedural Terminology-4 (CPT-4) codes, ICD-9-CM (International Classification of Diseases, 9th revision, clinical modification) diagnosis codes, Health Care Financing Administration Common Procedural Coding System (HCPCS) equipment and supply codes, and National Drug Codes (NDC). Practitioners who treat mental health disorders should note that Diagnostic and Statistical Manual IV (DSM IV) codes are not accepted.

The Security and Electronic Signature Standards are intended to prevent unauthorized parties from accessing protected health information (PHI). Examples of these standards are requirements that a practice’s information technology systems include firewalls, mechanisms to authenticate both the identity and E-mail address of anyone sending information, procedures to recover lost data, and limits on which staff may access which information.

The Standards for Privacy of IIHI are an essential component of the regulations. They require a covered entity (including health care providers that transmit health information in electronic form, private and federally funded insurers, and health care clearinghouses) to create policies and procedures that safeguard individually identifiable health information and that govern those who come into contact with it. An effective policy enforces these guidelines and also educates and notifies employees and contractors.

Practitioners should be aware that a HIPAA compliance plan should be custom-made to fit their practice, but each plan should also contain the basic elements that have been included within the regulations. Depending on the offense, fines for the failure to comply with HIPAA regulations can range from $100 per person per violation to $250,000 with or without imprisonment of not more than 10 years. The HIPAA regulations preempt all state regulations unless it is determined that state law provides stricter protection of patients’ PHI.

HIPAA plan requirements

Before delving into the specifics of the HIPAA compliance plan, it is important to realize what basic elements it should cover. A practitioner’s HIPAA compliance plan should discuss the following:

  • Privacy officer—appointed to oversee HIPAA privacy compliance efforts

  • Security officer—appointed to oversee HIPAA information systems security compliance efforts (may be same person as above and titled “compliance officer for HIPAA privacy and security”)

  • A HIPAA compliance committee chaired by the above officers (compliance personnel)—should represent practitioners as well as staff from the front desk, billing, nursing, and medical records

  • Baseline audit of current procedures and determination of potential or current leaks of PHI

  • Development and implementation of plan for maintaining privacy—should include written standards, policies, and procedures

  • Development of open lines of communication—should include, but not be limited to, the following: adding HIPAA issues to staff meeting agendas, updates regarding practice HIPAA compliance activities, and so on

  • Regular staff training/education to cover practice standards and procedures

  • Establishment and use of written agreements with business associates

  • Development and posting of a “notice of privacy practices”

  • Development of forms for consent and authorization

  • Detection of current violations and investigation of any allegations, followed by disclosure of incidents to proper government entities

  • System for reporting complaints

  • Enforcing publicized disciplinary standards

  • The practice’s own specific needs

It is expected that the needs of an individual practice will differ from that of another and will also change as time passes; therefore, it is important to continually update the practice’s compliance needs and identify and address potential areas of risk and exposure of information.

Key terms

HIPAA uses the following terminology in their legislation:

  • Business associate—a person/entity acting on behalf of a covered entity (not as an employee) to assist in any function involving actual/potential disclosure of IIHI (ie, independent contractor providers [eg, physicians, dentists, contract managers, billing services], accountants, lawyers, software vendors, and any person/entity that does business with a covered entity when IIHI can be exchanged or disclosed)

  • Covered entity—any person/organization that transmits (or has a business associate who transmits on their behalf) any IIHI, whether in an electronic format or not (eg, health plans, health care clearinghouses, health care providers)

  • Health care provider—includes physicians and dentists and their respective practices, hospitals, skilled nursing facilities, comprehensive outpatient rehabilitation facilities, home health agencies, hospices, and those providing any medical, dental, nursing, or allied health services; health care providers transmitting health information in electronic format are considered covered entities, with the privacy regulations applying to both electronic and non-electronic information

  • Health information—any information created/received by a health care provider that relates to (1) the past, present, or future health condition of an individual; (2) the provision of health care to an individual; or (3) the past, present, or future payment for provision of health care; includes anything transmitted or recorded in any medium (eg, orally, electronically, by tape)

  • IIHI—any information that (1) is created/received by a health care provider, health plan, employer, or health care clearinghouse; (2) relates to the past, present, or future physical/mental health or condition of an individual, including the past, present, or future payment for provision of health care to an individual; (3) may actually or reasonably identify an individual; includes, but is not limited to, demographic information, patient name, address, E-mail, phone/fax numbers, social security numbers

  • PHI—IIHI that can be associated with an individual and transmitted/maintained electronically or in another medium, such as benefit management information, claims/encounter forms, claim status information, coordination of benefits or information, eligibility for a health plan, explanations of benefits, reports of injury, health claim attachments, health data analysis (specific to individuals, not the practice), payment/remittance forms, referral forms, or other transactions as may be prescribed by regulation

Applicability and standards for protected health information

General standards

The advancement of technology continually creates new opportunities for the compromise of the integrity and confidentiality of PHI. Providers are responsible for how PHI is, and could potentially be, used by others, including business associates; they are therefore required to terminate business relations with those who use it inappropriately. Where terminating the relationship is not possible, the Department of Health and Human Services should be contacted. Only the minimum amount of information necessary for the task should be released.

Federal regulations allow patients the right to inspect, copy, or request changes to their medical records. Dentists and physicians require permission to share patient information for billing and treatment purposes, and health care providers must disclose how this information will be used and disclose only the minimum information necessary to accomplish these tasks. HIPAA compliance agreements must exist between covered entities and business partners, and appropriate business practices must exist within these organizations. Otherwise, criminal or civil penalties may result.

Notice of privacy practices

A written notice of the practice’s policies and procedures regarding the use and disclosure of PHI must be provided for the patient, including the patient’s rights and the practice’s legal duties. This notice must be clear and include the following:

  • A description of how PHI may be disclosed (including treatment, payment, health care operations) with at least one example

  • A description of instances in which the provider may use/disclose PHI without the patient’s consent/authorization

  • Provisions of state law, if more stringent

  • A statement that authorization must be obtained for any other uses

  • A description of the patient’s right to access, inspect, copy, and amend their own records, including the procedure to do so

  • A description of the patient’s right to request restrictions on the provider’s policies as contained in the notice and the procedure to do so

  • A description of the patient’s right to receive an accounting of any disclosures

  • A description of the patient’s right to receive a paper copy of the notice

  • A procedure for filing a complaint with the practice and the Department of Health and Human Services if it is believed that privacy rights have been violated

  • A statement that the practice is required by law to protect PHI and is bound by terms of the notice

  • If applicable, a statement that the practice may contact the patient for appointment reminders or to transmit relevant information about treatment alternatives

The notice of privacy practices must be clearly visible in a prominent location, and paper copies of the notice must be given to patients upon request. Practice Web sites also must display the notice prominently. If the notice is lengthy, a summary may be provided in addition to the notice, not instead of it. The summary should be one or two pages in length with the full notice underneath it. This combination is called a “layered notice.”

Consent versus authorization

A written acknowledgment of a patient’s receipt of the notice or authorization must be obtained. If the PHI is to be used for treatment, payment, or health care operations (TPO), only a written acknowledgment is required. All other uses (eg, research, fundraising, marketing) require a more specific authorization.

Written acknowledgment/consent

If PHI is to be used for TPO purposes only, the patient must sign a written acknowledgment that he or she has received the notice. If the patient refuses, the attempt must be documented. The patient’s PHI may still be used for TPO purposes. Currently, there is no prescribed form for the written acknowledgment; a consent may be used instead. Consents should be separate from the notice, written in plain language, and include the following:

  • A statement that PHI may be used for any of the TPO purposes

  • Reference to the notice while providing patients the chance to review it

  • Reservation of the right to change the practice’s privacy policies and how the patient may be notified

  • The right of patients to restrict PHI use beyond the practice’s policies, with a statement that the practice does not have to agree to additional restrictions; should the practice agree, the patient’s additional limitations become binding

  • A statement that the patient may revoke the consent in writing at any time

  • The patient’s signature and date

Authorizations and accounting

Typical authorizations involve disclosures for research, marketing, or fundraising. The practice may not condition any provision of health care based on these authorizations. Authorizations must include the following:

  • A specific description of the information to be used or disclosed

  • The identification of specific individuals who may use/disclose the information as well as those who may receive and use the disclosed information

  • A description of each purpose of requested use or disclosure

  • The expiration date of the use or disclosure

  • A statement of the patient’s right to revoke the authorization in writing at any time along with the procedure to do so

  • A statement that the PHI used/disclosed may be subject to redisclosure by the receiving party and may no longer be protected

  • The patient’s signature and date

A separate authorization must be completed for each use or disclosure. An accounting of all non-TPO uses and disclosures of PHI must be kept for 6 years, and it must be provided at any time upon the patient’s request.

When authorization is not required

PHI may be released without authorization in the following situations:

  • If the information is used for TPO purposes, for a face-to-face marketing communication, or for a promotional gift of nominal value

  • For research purposes when an authorization is independently approved by a privacy board or institutional review board

  • In judicial/administrative proceedings, in limited law enforcement activities, or in investigations of abuse/neglect

  • For identification of a deceased person or cause of death

  • For activities related to national defense

Authorization is also not required for health care information with no individually identifiable information.

Opportunity to agree or object

A patient’s verbal consent, agreement, or objection to the use or disclosure of PHI may be permitted as long as the patient is informed of how it will be used. Another instance includes hospital verification of admittance and the provision of a room number or the general condition of a patient. Failure to object in this case will also suffice.

Patient access to information

At all times, a patient may view, request a copy of, amend, or receive a list of those entities that have seen their medical information within the past 6 years. Upon a reasonable request to do so, the practice will honor this obligation, unless the practice feels that doing so will endanger the life or physical safety of said individual. Generally, providers have 30 days from the request date to provide the appropriate information. A summary may suffice and a reasonable fee may be charged as well. There is no requirement to provide data from another provider or that which is believed to be inaccurate.

Special issues related to psychotherapy notes

Except under extremely limited exceptions, a specific authorization is always required for the use or disclosure of psychotherapy notes.

Research

Unless the research falls under the waiver of authorization provisions, including medical treatment, the provider must obtain approval of a valid waiver of authorization from an institutional review board established in accordance with applicable federal law, or from a privacy board composed of members with varied backgrounds and appropriate professional competencies, including at least one member. To obtain approval, the research must not be able to be completed without the PHI. There must also be limited risk of loss of privacy, and it must be shown that it is not practicable to perform the research unless a waiver is granted.

De-identification and re-identification

De-identified information is no longer PHI, that is, it is not subject to the privacy regulations, whereas re-identified information becomes PHI again and is subject to the rules. PHI may be de-identified in one of two ways. First, a covered entity may engage a person or entity with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable; the same applies to those anticipating receipt of the information. Second, the covered entity may remove from the data all identifiers of the individual and of the individual’s relatives, employers, or household members. The covered entity may assign a method of re-identifying the information as long as certain security criteria are met.
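The second de-identification method described above (removing identifiers, with a covered-entity-held re-identification code), written out as an added example that is not part of the article: the identifier fields mirror the IIHI list earlier on this page, while the date-of-birth field, the free-text scrubbing patterns, the random code and the separate link table are this example's own assumptions, not a statement of what the regulation requires.

```python
"""De-identify a patient record by removing direct identifiers, and keep a
separate re-identification link table held only by the covered entity.
Example code written for this page; the sample record below is constructed."""
import re
import secrets
from typing import Dict, Optional

# Identifier fields named as IIHI on this page (name, address, E-mail, phone/fax,
# social security number); date_of_birth is added here as demographic data.
DIRECT_IDENTIFIERS = {"name", "address", "email", "phone", "fax", "ssn", "date_of_birth"}

# Identifiers also leak into free-text fields (clinical notes), so scrub those too.
# Patterns are an assumption of this example, tuned to US-style formats.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
]

# Constructed sample, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "address": "12 Example St, Springfield",
    "email": "jane.doe@example.com",
    "phone": "555-010-0123",
    "ssn": "123-45-6789",
    "date_of_birth": "1970-01-01",
    "procedure": "crown, upper left molar",
    "notes": "Patient called from 555-010-0123; follow-up crown. SSN on file 123-45-6789.",
}


def scrub_free_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with labelled placeholders."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def leaks_identifier(record: Dict[str, str]) -> bool:
    """Audit check: True if an identifier field remains or any value still matches a pattern."""
    if set(record) & DIRECT_IDENTIFIERS:
        return True
    return any(p.search(v) for p, _ in FREE_TEXT_PATTERNS for v in record.values())


class Deidentifier:
    """Covered-entity side. The re-identification code is random (not derived from the
    patient's data) and the link table is stored apart from the de-identified data set."""

    def __init__(self) -> None:
        self._link_table: Dict[str, Dict[str, str]] = {}

    def deidentify(self, record: Dict[str, str]) -> Dict[str, str]:
        code = secrets.token_hex(16)                      # 32 hex chars, unguessable
        self._link_table[code] = dict(record)             # original stays with the covered entity
        released = {k: scrub_free_text(v) for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        released["reid_code"] = code
        return released

    def reidentify(self, released: Dict[str, str]) -> Optional[Dict[str, str]]:
        """Restore the original record; None if the code is not one this entity issued."""
        return self._link_table.get(released.get("reid_code", ""))
```

Only the covered entity holding the link table can reverse the process; a recipient of the released data set sees a random code with no relationship to the patient's identifiers.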

Minimum necessary rule

Only the minimum amount of PHI necessary to accomplish a given task may be used or disclosed. Covered entities are not required to make a minimum necessary determination in the following situations:

  • When the disclosure is made to/requested by a health care provider for treatment

  • When the uses/disclosures are made to the individual who is the subject of PHI

  • When the subject of PHI requests accounting of disclosures of PHI

  • When the disclosure of PHI is requested by the Secretary of Health and Human Services to determine the covered entity’s compliance with the rule, or is required for compliance with applicable requirements of the rule

  • When the use/disclosure is required by law and the use/disclosure complies with, and is limited to, the relevant requirements of such law

Staff training

All staff must be educated in the practice’s privacy and security policies and procedures and must be notified of policy and procedure changes, as well as changes in the law. New employees must be trained shortly after employment begins.

Security concerns

Practices need to be able to verify the recipients of any PHI they send. They also need to authenticate the source of any PHI they receive, and they must be able to encode information so that PHI cannot be read if it is intercepted. Securing the system from outsiders, using firewalls and the like, is mandatory. Covered entities should also create chain of trust agreements with everyone with whom PHI is exchanged, requiring those who come into contact with the practice’s PHI to be bound by the same security requirements as the practice. Computers should be kept in private, secure locations and protected by a strong password to limit access to the computer and to any PHI on it. Practices should regularly evaluate their current software and information systems and update them to remain compliant with current regulations.

Jun 15, 2016 | Posted in General Dentistry