By Olivia Wann, RDH, BA
President Obama signed into law last February The American Recovery and Reinvestment Act known as the "Stimulus Bill." The federal government included in this law $19.2 billion that is intended to increase the use of the Electronic Health Records (EHR) known as the Health Information Technology for Economic and Clinical Health Act, or HITECH Act.
What does this mean for patients? Having a national system for computerized health records will improve patient care, increase patient safety, and simplify compliance in the United States. Additionally, these records will save costs, minimize errors and maximize efficiency. Yet, the computerization of all health records by the end of 2014 means new regulatory requirements for the healthcare profession, including dental offices.
The HITECH Act increases the penalties for various HIPAA violations, which is significant to covered entities. Covered entities include dental offices who submit claims electronically or verify patient’s information online, such as insurance benefits. The act will also now require business associates to comply with many of HIPAA's rules and subject them to HIPAA's civil and criminal penalties. Business associates are individuals who have access to protected health information such as an independent contractor (i.e., software trainer, accountant, practice management consultant, computer technician).
Why all the fuss? Most hygienists readily agree that protecting patient’s health information is serious matter. Identity theft is on the rise. Furthermore, HIPAA outlines how and why individuals may file a complaint.
Consider that since April 2003 when HIPAA's Privacy Rule became effective, the Health and Human Services Office of Civil Rights has received over 27,000 complaints with over 4,500 cases investigated and resolved. There have been four criminal HIPAA violations prosecuted to date with over 350 complaints considered by the Department of Justice.
In providing HIPAA trainings across the country, some individuals having mistakenly thought that these regulations are more applicable to administrative employees who handle patient account information such as payments and insurance. Regardless whether an employee is considered "clinical" or "administrative," the privacy of protected health information may be breached. Simply look at your patient information screen and note how much information is gathered on patients which requires security measures. Thus, the entire team is responsible for launching a successful HIPAA program to avoid violations including criminal prosecutions.
A dentist contacted our office indicating that a hygienist disclosed the name and information of patient in need of periodontal services to a hygiene student without permission. On being contacted by the student who offered to treat the patient at the hygiene school, the patient contacted the dentist to a file a complaint for breaching his privacy. The dentist dismissed the hygienist.
The federal government prosecuted a phlebotomist at a cancer center who stole the social security number and date of birth of a patient (United States v. Gibson).1 Gibson had access to patient information such as date of birth and social security numbers. He used the information to obtain credit cards in the patient's name. The employee was charged as a criminal violation for the wrongful disclosure of individually identifiable health information with the intent to use the information for personal gain and sentenced to 16 months in prison. Gibson plea bargained and made restitution to the credit card companies and the patient who was the victim of identity theft. As noted here, a clinical employee accessed information and was held in criminal violation of HIPAA.
To commit a criminal offense, a person must "knowingly" violate a HIPAA rule, 42 U.S.C. § 1320d-6.2 Interestingly, the Stimulus Bill added to the Wrongful Disclosures Criminal Penalties "a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity..." Therefore, employees who knowingly violate a HIPAA rule may be subject to a criminal penalty, not simply the corporation or covered entity. Penalties may range up to $250,000 and 10 years imprisonment. 42 U.S.C. § 1320d-6(b)(3)
In response to a nurse pleading guilty to a HIPAA violation, Jane W. Duke, United States Attorney for the Eastern District of Arkansas stated, "What every HIPAA-covered entity needs to realize and reinforce to its employees is that the privacy provisions of HIPAA are serious and have significant consequences if they are violated ... Long gone are the days when medical employees were able to snoop around office files for ‘juicy’ information to share outside the office. We are committed to providing real meaning to HIPAA. We intend to accomplish this through vigorous enforcement of HIPAA’s right-to-privacy protections and swift prosecution of those who violate HIPAA for economic or personal gain or malicious harm."3
Hygienists should thus seriously evaluate the level of HIPAA compliance in their practice to avoid practice interruptions, penalties and litigation. Modern Practice Solutions strongly suggests providing training for your staff, conducting a risk assessment of your patient's protected health information and incorporating the necessary Privacy & Security policies for compliance. A team approach to HIPAA compliance assures a more successful program and a smoother transition into the electronic health record era.
Olivia Wann, RDA, BS, joined the dental profession in 1985. She attended Tennessee Technology Center as a RDA and graduated from St. Joseph’s College with a BS in Health Care Administration. Currently, Olivia is a 2nd year law student at the Nashville School of Law. Olivia founded Modern Practice Solutions in the year 2000 providing in-office training, consulting and national seminars on compliance topics. Please visit www.modernpracticesol.com or contact Olivia at (615) 308-6695.
1 UNITED STATES OF AMERICA, Plaintiff, v. Richard W. GIBSON, 2004 WL 2237585
1 http://www.usdoj.gov/olc/hipaa_final.htm, accessed on July 14, 2009
1 "Nurse Pleads Guilty to HIPAA Violation," Department of Justice, www.littlrock.fbi.gov/dojpressrel/pressrel08/hipaaviol041508.htm