Are you prepared for HIPAA?

Jan. 1, 2003

Changes are on the horizon for your office procedures and policies

By Sheri Doniger, DDS

HIPAA, the Health Insurance Portability and Accountability Act of 1996, will be a real factor in every dental office by April 16, 2003. In its essence, the Act addresses three main issues:

  1. healthcare insurance is portable (patients can move from one place of employment to another and maintain coverage);
  2. privacy standards are attached to the transmission of personal identifiable health information; and,
  3. the procedures put in place will allow for simplification of submissions and receipt of payments for procedures.

By the compliance date, healthcare providers will be required to give patients written notice of information and privacy practices. Offices that transmit claims electronically will be required to follow provisions covered for transactions, such as utilizing current standardized CDT-4 codes.

Policies and procedures need to be in place concerning the two main categories of HIPAA — Standards for Electronic Transmission and Privacy Policies. Each component has several protocols that must be established in the dental office. Foremost is the protection of personal health information (PHI). PHI is the personal and identifiable health information concerning the past, present, and future care for a patient. We will be issuing our patients documents concerning transmission of this information, our privacy rules, acknowledgment of receipt of these forms, and consent to use their PHI in relation to treatment, payment, and healthcare operations (TPO). We will briefly discuss the components.

The Standards for Electronic Transmission — which went into effect on Oct. 16, 2002 — applied to electronic transmission of dental claim forms. Any office that transmitted claims electronically was affected by this rule. The goal of this portion was to streamline the transfer, receipt, and payment of healthcare claims. Eight standard transactions were covered by HIPAA (see Table 1). The dental office would be concerned with only three — claims, remittance, and claim status. These transactions occur electronically between covered entities, which are healthcare plans, healthcare clearing houses, or healthcare providers that transmit any health information in electronic format in connection with a transaction covered by HIPAA. The use of the ADA 2000 claim form and CDT-4 code system is now the standard. In speaking with a dental insurance company, one of their implementations will be "no homegrown codes." Only dental coding that is uniform will be accepted. Other claims may be returned and unpaid.

The Privacy Rule protects the "patient's privacy without creating unanticipated consequences that might harm patient's access to health care or quality of health care."2 The rule is intended to protect the patient's health information and limit the amount of information that is shared. The implementation of the Privacy Rule involves several components, which the author discusses as "Protocol for HIPAA Compliance."

The Privacy Act requires that consent be obtained from the patient prior to release of any personal identifiable health information. The key here will be the disclosure of only the minimum necessary information to achieve the desired goal — for treatment, payment, and healthcare operations. Notice of the office privacy policy should be given to patients and they must sign a consent form that they received this notice. This will be required of all patients as of April 14, 2002. Good faith efforts must be made for the patients to receive the information in these policies.

Several protocols need to be in place for the carrying out of the privacy act. All aspects of the office will be affected. Measures are scalable to the risks inherent in your particular practice. (See Table 2)

The privacy policy and procedure manual will document the office's commitment to legal and ethical procedures concerning patient care and transactions. Risk analysis of the office needs to be made. Measures must be scalable to risk inherent in the particular practice. How the office conducts its communications will be spelled out. This all needs to be available for the patient to see.

Every office will be required to write its own privacy notice. "Under the Privacy Rule, [these] healthcare providers are required to distribute their notice of privacy practices no later than the date of the first service delivery after the compliance date."2 The document will cover several main points:

  • The patient's PHI will only be used for treatment, payment, and healthcare operations (TPO);
  • The patient's rights regarding his or her access to and amendment of health records;
  • The avenue for questions or complaints about the privacy notice; and,
  • The notification that the policy may change.

The patient should acknowledge, dated and in writing, the receipt and reading of the privacy notice that will allow the use of his or her PHI for TPO. A one-time consent will be required or, as stated, a "good faith attempt to obtain a written Acknowledgement of Receipt of Notice of Privacy Practices"1 is requested and shall be kept in the patient's chart. Where state law is stricter, it will supersede the privacy rules governed by the act.

Authorizations will be required from patients to disclose any PHI beyond the TPO. This type of consent will have a specific expiration date, state a specific use for the information requested and permission to use the PHI for the specific reason requested. These will allow the release of information for marketing, research, or advertising, but are limited in use and scope.

In addition to healthcare providers, healthcare clearing houses, and health plans, business associates also will be affected as entities covered under the privacy act. These are people such as accountants, collection agencies, laboratories, consultants, other insurers, third-party administrators, or any person who may come in contact with the patient's PHI. An accountant who only reviews the "numbers" may not need a contract, but one who issues refund checks to patients will need one, as the patient's name will be known. Contracts must be administered to these groups as a precaution that the private information we are given the privilege to safeguard will remain private. Direct employees of the practice, such as office staff, assistants, hygienists, or dental associates, will not need a contract, as they are considered to be part of the office workforce. Procedures and consequences concerning infractions of privacy rules will all be spelled out in the contracts issued to the business associates. The contracts need to protect the healthcare entity, in addition to the patient's PHI.

Physical and technical data safeguards need to be put in place. These security systems must be reasonable and appropriate to ensure data integrity and confidentiality against anticipated risks. Documented formal policies concerning the management of data, and concerning the staff who have access to data, need to be in place. A security check of your office's computer and network needs to be performed. Who has access? Does everyone need access? Remembering the minimum necessary disclosure, an adjustment may be needed in the number of staff members who have access to records. "The Privacy Rule must not impede essential healthcare communications and practices."2 Reasonable precautions need to be established for all practices. Passwords are recommended for office computers with multiple users. Various levels of access to computer PHI also are recommended.

Mandatory staff training will be required to first inform and then instruct the members of the office in policies, procedures, and protocols that will be in place. A security or compliance officer and a contact person who will receive complaints must be designated. Staff training is key to implementation. Periodic auditing procedures should be in place to assess the office's implementation of the protocol and policies.
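The "various levels of access" and the periodic audit recommended above can be made concrete in software. The following is an added illustration written for this page; it is not code from the article, the ADA kit, or any practice-management product. It models a small role-based filter that hands each staff role only the record fields it needs for treatment, payment, and healthcare operations (TPO), denies everything else by default, and writes an audit entry for every request so an office's compliance officer has a trail to review. The roles, field names, purposes, user names, and the sample patient record are all constructed assumptions.

```python
"""Minimum-necessary access to computer-held PHI with an audit trail.

Added example (not from the article or the ADA kit). Every role, field,
purpose and record below is a constructed assumption for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fields each (constructed) role may see, by purpose. "TPO" = treatment,
# payment and healthcare operations. Anything not listed is denied, so a
# new role or purpose gets no access until someone deliberately adds it.
ACCESS_MATRIX = {
    "front_desk": {"TPO": frozenset({"name", "phone", "next_appointment", "balance_due"})},
    "hygienist":  {"TPO": frozenset({"name", "allergies", "chart_notes", "next_appointment"})},
    "billing":    {"TPO": frozenset({"name", "insurance_id", "balance_due", "procedure_codes"})},
    "dentist":    {"TPO": frozenset({"name", "phone", "allergies", "chart_notes", "xrays",
                                     "next_appointment", "balance_due"})},
}

# Constructed sample record; values are placeholders, not real patient data.
SAMPLE_RECORDS = {
    "P-0001": {
        "name": "Example Patient", "phone": "555-0100", "allergies": "penicillin",
        "chart_notes": "routine prophylaxis", "xrays": "bitewing-2002-11",
        "next_appointment": "2003-03-02", "balance_due": "0.00",
        "insurance_id": "INS-PLACEHOLDER", "procedure_codes": ["D1110"],
    }
}


class AccessDenied(PermissionError):
    """Raised when a request asks for more than the role's minimum necessary set."""


@dataclass
class AuditEntry:
    when: str
    user: str
    role: str
    purpose: str
    patient_id: str
    fields_released: tuple
    allowed: bool


@dataclass
class PhiStore:
    records: dict
    audit_log: list = field(default_factory=list)

    def disclose(self, user, role, purpose, patient_id, fields=None):
        """Return only the requested fields the role may see; log every attempt.

        A request that names even one field outside the role's permitted set
        is refused as a whole rather than silently trimmed, so over-broad
        requests show up in the audit log instead of being hidden by the filter.
        With fields=None the full permitted set for the role/purpose is returned.
        """
        permitted = ACCESS_MATRIX.get(role, {}).get(purpose, frozenset())
        wanted = frozenset(fields) if fields is not None else permitted
        record = self.records.get(patient_id)
        allowed = record is not None and bool(wanted) and wanted <= permitted
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, purpose=purpose, patient_id=patient_id,
            fields_released=tuple(sorted(wanted)) if allowed else (),
            allowed=allowed,
        ))
        if not allowed:
            raise AccessDenied(
                f"{user} ({role}) may not use {sorted(wanted - permitted) or 'record'} "
                f"of {patient_id} for {purpose}")
        return {k: record[k] for k in sorted(wanted) if k in record}

    def denied_attempts(self):
        """Entries the compliance officer should review during the periodic audit."""
        return [e for e in self.audit_log if not e.allowed]


if __name__ == "__main__":
    store = PhiStore(records=dict(SAMPLE_RECORDS))
    print(store.disclose("dr_example", "dentist", "TPO", "P-0001", ["xrays", "allergies"]))
    try:
        store.disclose("desk_example", "front_desk", "TPO", "P-0001", ["xrays"])
    except AccessDenied as exc:
        print("denied:", exc)
    print(len(store.denied_attempts()), "denied attempt(s) waiting for audit review")
```

Two design choices matter here. First, the matrix is keyed by purpose as well as role, so a use outside TPO (the article's example is marketing) fails closed until a separate authorization process adds it, rather than riding on treatment access. Second, the audit log records refusals, not just successes; a pattern of denied requests from one user is exactly the signal the "periodic auditing procedures" above exist to catch.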

Sanctions against staff who violate the privacy rules must be in place. Both civil and criminal punishments will be taken against the practice for violations of the Privacy Act. Fines from $100 (single act) to $25,000 (multiple infractions) may be assessed for knowing failure to comply. Criminal violations will incur jail time in addition to monetary damages if misuse of individual identifiable health data occurs.

Office communications will need to be addressed. To prevent accidental dissemination of PHI, "quiet voices" will be needed to discuss patients, treatment plans, and payment information. Private conversations should be held in private areas of the office. All attempts must be made to minimize overhearing of conversations. Mistakes unfortunately do happen; staff members should try to minimize the mistake and the amount of information that is conveyed.

Additional day-to-day office communications will be affected. Day sheets will need to be posted in private areas, such as inside a cabinet door, out of the sight of patients coming and going through the office space. Computer terminals will need to be facing away from patient view. Faxes need to be sent to a terminal where the recipient will be waiting. Minimum necessary information only will be sent.

Notification may be given to the patient that the office does send reminder cards concerning appointments by mail. Preventive-care reminder cards do not have a negative connotation. In reality, it is a good thing to visit your dentist! Patients also will be able to opt out of certain modes of telephone acknowledgement for their appointments. They may decide not to have an answering machine message left at work or home. This will have to be addressed at the initial appointment or within the acknowledgement of the notice of privacy. If a patient decided to have his or her reminders by e-mail, e-mails will need a disclaimer — as faxes have on them already — that the information is confidential and for viewing by the person intended.

Implementation of these rules will be different for every office. Depending on the size of the practice, the privacy compliance officer may be the front desk person or the dentist. Additionally, some offices are so small that the entire dental workforce will require access to all information. Limiting access of PHI to certain staff members may impede healthcare delivery. The act is not meant to interfere with effective health care; it is supposed to assist in streamlining treatment and access to care.

HIPAA does not decide how to implement the goals it sets forth; it gives a framework. Risk assessment must be made for the individual practice. Every office, no matter what size, will be required to have a privacy notice, consent forms, authorization forms, and a privacy policy and procedure manual in place. It will not be necessary to "reinvent the wheel." Several entities will offer guidance on implementation for the special needs of large or small offices. The ADA is offering a kit with an update and CD-ROM that will be mailed out once the rule is finalized. Additionally, several seminars discussing HIPAA will be available. Most likely, in addition to the ADA, state and local constituent dental and dental hygiene societies will be offering programs.

The rules are here and all healthcare offices will need to be compliant by April 14, 2003. In addition, HIPAA has authorized the Department of Health and Human Services to modify the standards if necessary, but limits such changes to once every 12 months. Being proactive is the best plan. Office assessment, policy and procedure formulation, document preparation, and staff training are all keys to compliance. We are all affected by these new rules. The best plan is early preparedness and preparation.

Editor's Note: The author wishes to thank Dr. Petra von Heimburg, DDS, JD, for her gracious assistance.

References

  1. American Dental Association's HIPAA Privacy Kit.
  2. Department of Health and Human Services, Office of the Secretary: Standards for Privacy of Individually Identifiable Health Information; Final Rule. Federal Register, Vol. 67, No. 157, Wednesday, August 14, 2002, Rules and Regulations; 53182-53273.

Purposes of HIPAA

  • To protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use or disclosure of that information
  • To improve the quality of healthcare in the U.S. by restoring trust in the healthcare system among consumers, healthcare professionals, and the multitude of organizations and individuals committed to the delivery of care
  • To improve the efficiency and effectiveness of healthcare delivery by creating a national framework for health privacy protection that builds on efforts by states' health systems, and the individual organizations and individuals

Note: Taken from the ADA manual "HIPAA Privacy for Dentists"