What's new with HIPAA

By Olivia Wann, RDH, BA


President Obama signed into law last February The American Recovery and Reinvestment Act known as the "Stimulus Bill." The federal government included in this law $19.2 billion that is intended to increase the use of the Electronic Health Records (EHR) known as the Health Information Technology for Economic and Clinical Health Act, or HITECH Act.
What does this mean for patients? Having a national system for computerized health records will improve patient care, increase patient safety, and simplify compliance in the United States. Additionally, these records will save costs, minimize errors and maximize efficiency. Yet, the computerization of all health records by the end of 2014 means new regulatory requirements for the healthcare profession, including dental offices.

The HITECH Act increases the penalties for various HIPAA violations, which is significant to covered entities. Covered entities include dental offices who submit claims electronically or verify patient’s information online, such as insurance benefits. The act will also now require business associates to comply with many of HIPAA's rules and subject them to HIPAA's civil and criminal penalties. Business associates are individuals who have access to protected health information such as an independent contractor (i.e., software trainer, accountant, practice management consultant, computer technician).

Why all the fuss? Most hygienists readily agree that protecting patient’s health information is serious matter. Identity theft is on the rise. Furthermore, HIPAA outlines how and why individuals may file a complaint.

Consider that since April 2003 when HIPAA's Privacy Rule became effective, the Health and Human Services Office of Civil Rights has received over 27,000 complaints with over 4,500 cases investigated and resolved. There have been four criminal HIPAA violations prosecuted to date with over 350 complaints considered by the Department of Justice.

In providing HIPAA trainings across the country, some individuals having mistakenly thought that these regulations are more applicable to administrative employees who handle patient account information such as payments and insurance. Regardless whether an employee is considered "clinical" or "administrative," the privacy of protected health information may be breached. Simply look at your patient information screen and note how much information is gathered on patients which requires security measures. Thus, the entire team is responsible for launching a successful HIPAA program to avoid violations including criminal prosecutions.

A dentist contacted our office indicating that a hygienist disclosed the name and information of patient in need of periodontal services to a hygiene student without permission. On being contacted by the student who offered to treat the patient at the hygiene school, the patient contacted the dentist to a file a complaint for breaching his privacy. The dentist dismissed the hygienist.

The federal government prosecuted a phlebotomist at a cancer center who stole the social security number and date of birth of a patient (United States v. Gibson).1 Gibson had access to patient information such as date of birth and social security numbers. He used the information to obtain credit cards in the patient's name. The employee was charged as a criminal violation for the wrongful disclosure of individually identifiable health information with the intent to use the information for personal gain and sentenced to 16 months in prison. Gibson plea bargained and made restitution to the credit card companies and the patient who was the victim of identity theft. As noted here, a clinical employee accessed information and was held in criminal violation of HIPAA.

To commit a criminal offense, a person must "knowingly" violate a HIPAA rule, 42 U.S.C. § 1320d-6.2 Interestingly, the Stimulus Bill added to the Wrongful Disclosures Criminal Penalties "a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity..." Therefore, employees who knowingly violate a HIPAA rule may be subject to a criminal penalty, not simply the corporation or covered entity. Penalties may range up to $250,000 and 10 years imprisonment. 42 U.S.C. § 1320d-6(b)(3)

In response to a nurse pleading guilty to a HIPAA violation, Jane W. Duke, United States Attorney for the Eastern District of Arkansas stated, "What every HIPAA-covered entity needs to realize and reinforce to its employees is that the privacy provisions of HIPAA are serious and have significant consequences if they are violated ... Long gone are the days when medical employees were able to snoop around office files for ‘juicy’ information to share outside the office. We are committed to providing real meaning to HIPAA. We intend to accomplish this through vigorous enforcement of HIPAA’s right-to-privacy protections and swift prosecution of those who violate HIPAA for economic or personal gain or malicious harm."3

Hygienists should thus seriously evaluate the level of HIPAA compliance in their practice to avoid practice interruptions, penalties and litigation. Modern Practice Solutions strongly suggests providing training for your staff, conducting a risk assessment of your patient's protected health information and incorporating the necessary Privacy & Security policies for compliance. A team approach to HIPAA compliance assures a more successful program and a smoother transition into the electronic health record era.

Olivia Wann, RDA, BS, joined the dental profession in 1985. She attended Tennessee Technology Center as a RDA and graduated from St. Joseph’s College with a BS in Health Care Administration. Currently, Olivia is a 2nd year law student at the Nashville School of Law. Olivia founded Modern Practice Solutions in the year 2000 providing in-office training, consulting and national seminars on compliance topics. Please visit www.modernpracticesol.com or contact Olivia at (615) 308-6695.

1 UNITED STATES OF AMERICA, Plaintiff, v. Richard W. GIBSON, 2004 WL 2237585
1 http://www.usdoj.gov/olc/hipaa_final.htm, accessed on July 14, 2009
1 "Nurse Pleads Guilty to HIPAA Violation," Department of Justice, www.littlrock.fbi.gov/dojpressrel/pressrel08/hipaaviol041508.htm


Did You Like this Article? Get All the Dental Industry News Delivered to Your Inbox

Subscribe to an email newsletter today at no cost and receive the latest news and information.

Related Articles

Vacation time: Can you dictate when dental employees use PTO?

Paul Edwards 08/21/2015

Can you require that your dental employees use their PTO when the practice is closed for the doctor’s vacation? Actually, yes, and here's why.

What NOT to do as boss of a dental practice


Does your boss of your dental practice want to be BFFs with the staff? Does the boss want to ask someone out on a date? Does he or she show the staff proper respect? Here are five tips for bosses that will make the dental office a better environment for everyone.

What women want … from their dental employer

Sally McKenzie 08/14/2015

It's not as difficult to please women employees as many dentist bosses may think. Helping people is many women's primary motivation, which coincides nicely with a dental practice. A little job security and teamwork doesn't hurt either.

Thursday Troubleshooter: How to get dental team member off the #%#@ phone!


This dental team member is concerned that her coworker is spending so much time on the phone she's neglecting her duties. How can she tactfully approach her coworker so production picks up again?

Stay Connected

Subscribe to Dentistty IQ's Newsletters

1421 S. Sheridan Road
Tulsa, Oklahoma 74112
PH: 800.331.4633