QUESTION: Recently our office had a staff meeting. We were told that with new HIPAA rules, dental assistants should not have the rights to look at ledger and treatment plans for patients in the office computer program because there are fees associated with it. I have a hard time believing this is true when assistants use those tools to see when treatment was performed. We can do this instead of having to scan back through literature to find when something was done. This takes a lot longer than using the other methods. Is this correct? Is this what HIPAA is saying?
ANSWER FROM LINDA HARVEY, MS, RDH, HRM, Compliance/Risk Management Specialist, Linda Harvey Group:
The HIPAA Privacy Rule does not explicitly state that clinical staff cannot look at or have access to treatment plans or fees. However, there is a provision under the Privacy Rule called the Minimum Necessary Rule (45 CFR 164.502(b), 164.514(d)) that requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information (PHI) to the minimum necessary to accomplish the intended purpose. The minimum necessary provision is not new; it’s been in effect since 2003 when the Privacy Rule became effective.
Yet, the US Health and Human Services (HHS) website states, “The Privacy Rule’s requirements for minimum necessary are designed to be sufficiently flexible to accommodate the various circumstances of any covered entity.” That being said, how covered entities apply the Minimum Necessary Rule may vary from practice to practice depending upon the intended purpose. For example, we know of offices where patient payments are taken in the operatory, so clinical staff need access to fee information to complete the transaction.
Workforce access to patient information is required to be monitored and audited under the Security Rule. If clinical staff are cross-trained and expected to assist at the front when the office is short-handed, it makes sense that those team members may have a legitimate reason to access treatment plans and fees. It can also be seen as reasonable for clinical staff to confirm the treatment scheduled with the patient as part of the "time out," which ensures everyone is verifying the treatment to be provided and reduces medical errors.
The Minimum Necessary information needed to fulfill each role on the team should be defined in both the practice’s HIPAA policies and procedures as well as in the corresponding job descriptions. Then practice management software access rights should be set up accordingly. Please also be aware that both the Privacy and Security Rules require covered entities to have and apply appropriate sanctions against workforce members who violate its [the office] policies and procedures. This means that if your office policy states you do not have rights to look at the patients’ ledgers or treatment plans, then you must abide by that.
Don't be shy! If YOU have a tough issue in your dental office that you would like addressed, send it to [email protected] for the experts to answer. Remember, you'll be helping others who share the same issue. Responses will come from various dental consultants, as well as other experts in the areas of human resources, coding, front office management, and more. These folks will assist dental professionals with their various issues on DentistryIQ because they're very familiar with the tough challenges day-to-day practice can bring. All inquiries will be answered anonymously each Thursday here on DIQ.