The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was introduced into health care to protect patient privacy as records and transactions moved into an ever-changing electronic landscape. Since the original Act, HIPAA has been extended by the Privacy, Security, Enforcement, Breach Notification, and Omnibus Rules, and with each addition it has become more complex and, shall we say, complicated. So, how does this affect our daily patient care activities in the dental office?
Protected health information
The HIPAA Privacy Rule’s goal is to keep patients’ health information protected while that information moves through electronic systems. Covered entities, such as a dental office, that electronically transmit health information are subject to the Privacy Rule. Third-party companies that do business with covered entities and handle PHI on their behalf, such as a dental billing company, are business associates and must sign a written contract (a business associate agreement) that limits how they may use and disclose protected health information.
Protected health information (PHI) is any “individually identifiable health information.”1 Disclosures that do not require the patient’s written authorization are limited: disclosure to the individual, disclosure for treatment, payment, and health-care operations, and certain other situations, including when the law requires it. Everything else needs an authorization. The Privacy Rule also gives individuals rights over their PHI, such as the right to inspect and copy it and to request amendments. When obtaining authorizations to share patients’ PHI, all applicable state and federal laws must be followed.
Electronic protected health information
The Security Rule sets standards for protecting electronic protected health information (ePHI), the PHI a practice creates, receives, maintains, or transmits electronically. ePHI must be protected by administrative, technical, and physical safeguards.2 Maintaining strong security measures on office devices and in the practice’s online presence keeps you and your patients safe. When the “minimum necessary” standard is applied appropriately, office staff have access only to the parts of a patient’s record their job requires, not unrestricted access to the entire record. A practice server that any staff member can reach in full, without role-based limits or an audit trail, is both a Security Rule weakness and an open door to snooping and other misuse.
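What “minimum necessary” looks like when it is enforced by software rather than by policy alone: a deny-by-default, role-scoped allow-list over record fields, a check that the asserted purpose of use (treatment, payment, or operations) fits the role, and an audit entry for every attempt, permitted or denied. This is an added illustration written for this page, not code from the article or from any practice management system; the role names, field names, and the sample patient record are hypothetical and constructed for the example.

```python
"""Minimum-necessary access to patient records: deny-by-default role
allow-lists, purpose-of-use checks, and an audit trail of every attempt.

Hypothetical example: role names, field names and the sample record are
constructed for illustration and do not come from any real system.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Each role sees only the fields it needs for its job; anything not listed
# here is denied (deny by default).
ROLE_FIELDS: dict[str, frozenset[str]] = {
    "dentist": frozenset({"patient_id", "name", "dob", "allergies", "chart",
                          "xrays", "treatment_notes", "insurance_id"}),
    "hygienist": frozenset({"patient_id", "name", "dob", "allergies", "chart",
                            "xrays", "treatment_notes"}),
    "front_desk": frozenset({"patient_id", "name", "dob", "phone",
                             "appointments", "insurance_id", "balance"}),
    "billing": frozenset({"patient_id", "name", "dob", "insurance_id",
                          "procedure_codes", "balance"}),
}

# Purposes that need no patient authorization under the Privacy Rule
# (treatment, payment, health-care operations) and which roles may assert each.
ROLE_PURPOSES: dict[str, frozenset[str]] = {
    "dentist": frozenset({"treatment", "operations"}),
    "hygienist": frozenset({"treatment"}),
    "front_desk": frozenset({"payment", "operations"}),
    "billing": frozenset({"payment"}),
}


@dataclass
class AuditEntry:
    when: str
    user: str
    role: str
    patient_id: str
    purpose: str
    fields_returned: tuple[str, ...]
    allowed: bool


AUDIT_LOG: list[AuditEntry] = []  # in a real system: append-only, off-box


class AccessDenied(PermissionError):
    """Raised when the role may not access records for the stated purpose."""


def view_record(record: dict, user: str, role: str, purpose: str) -> dict:
    """Return the minimum-necessary view of `record` for this user/role/purpose.

    Unknown roles, and purposes the role may not assert, are denied. Every
    attempt, permitted or not, is recorded in AUDIT_LOG before returning.
    """
    permitted = purpose in ROLE_PURPOSES.get(role, frozenset())
    allowed_fields = ROLE_FIELDS.get(role, frozenset())
    view = {k: v for k, v in record.items() if k in allowed_fields} if permitted else {}
    AUDIT_LOG.append(AuditEntry(
        when=datetime.now(timezone.utc).isoformat(),
        user=user, role=role, patient_id=record["patient_id"],
        purpose=purpose, fields_returned=tuple(sorted(view)), allowed=permitted,
    ))
    if not permitted:
        raise AccessDenied(f"{user} ({role}) may not access records for {purpose!r}")
    return view


def denied_attempts() -> list[AuditEntry]:
    """Audit entries a compliance officer would review first."""
    return [e for e in AUDIT_LOG if not e.allowed]


# Constructed sample record (fictional patient), not real PHI.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Pat Example",
    "dob": "1980-01-01",
    "phone": "555-0100",
    "allergies": ["penicillin"],
    "chart": "tooth 19: composite, 2023-05-02",
    "xrays": ["bitewing-2024-01.img"],
    "treatment_notes": "crown recommended on 30",
    "insurance_id": "INS-123456",
    "procedure_codes": ["D2740"],
    "balance": 150.00,
    "appointments": ["2024-09-12 09:00"],
}

if __name__ == "__main__":
    print(view_record(SAMPLE_RECORD, "alice", "front_desk", "payment"))
    print(view_record(SAMPLE_RECORD, "drbob", "dentist", "treatment"))
    try:
        view_record(SAMPLE_RECORD, "carol", "billing", "treatment")
    except AccessDenied as exc:
        print("denied:", exc)
    print("denied attempts:", len(denied_attempts()))
```

The design choice worth noting is that the front desk never sees treatment notes and the dentist never sees the balance, even though both are in the same record: the view is computed from the role, not from what the user asks for, and the denied billing-for-treatment attempt still lands in the audit log, which is what makes later breach investigation possible.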
If there’s a breach
If a dental office discovers a breach of unsecured patient health information, the incident may have to be reported: affected individuals must be notified without unreasonable delay and no later than 60 days after discovery, and the US Department of Health and Human Services (HHS) must be notified as well, immediately for breaches affecting 500 or more individuals and annually for smaller ones. Today, it is common to hear about large companies that were hacked and are offering their customers credit monitoring. “PHI is widely shared and sold unlawfully.”3 HIPAA’s Breach Notification Rule grew out of the HITECH Act and was finalized in the Omnibus Rule, which also brought stronger penalties for those who do not comply with the regulations.
Train your staff
Dental health care workers should be trained on HIPAA when they start a new job and at least annually thereafter. Offices are required to keep updated and accurate written policies and procedures documenting the security measures that are in place. If HHS issues updated guidance or the office’s policies change materially, staff members must receive new training. State law can be more stringent than the federal Privacy Rule, and where it is, the stricter state law applies; otherwise HIPAA preempts contrary state law, with exceptions for state laws that serve public health and safety purposes.
Editor’s note: This article first appeared in Clinical Insights newsletter, a publication of the Endeavor Business Media Dental Group.
References
- 45 CFR § 160.103 – Definitions. Cornell Law School Legal Information Institute. Department of Health and Human Services. December 28, 2000. https://www.law.cornell.edu/cfr/text/45/160.103
- Summary of the HIPAA Security Rule. Office for Civil Rights. U.S. Department of Health and Human Services. Reviewed October 19, 2022. Accessed August 17, 2024. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
- Wood A. Why HIPAA sucks and what your practice can and should do. PowerPoint slides. 2013.