The Importance of Privacy

Privacy is something we all value.  It should not come as a surprise to anyone that dental patients want to ensure more than ever that their personal information will not be shared with anyone without a legitimate need to know.  Under the U.S. Department of Health and Human Services (HHS.gov), HIPAA Rules were created to ensure that all healthcare professionals respect and protect a patient’s privacy.   HIPAA gives patients significant rights in controlling how medical professionals maintain and communicate individual health information.  How well does your office comply with HIPAA guidelines?  Since HIPAA compliance is not optional, every dental office should take the necessary steps to ensure they are HIPAA compliant.  

About HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996.  HIPAA provides federal protections for patients’ health care information. The HIPAA privacy rule does permit the disclosure of personal health information needed for patient care and other important purposes related to patient care.  The Security Rule under HIPAA specifies a series of administrative, physical, technical, and security measures required for covered entities (dental offices that transmit patient information in electronic form) to use in order to assure the confidentiality, integrity, and availability of electronic protected health information. 

 A main objective of the HIPAA legislation is to protect the privacy of individual health information by imposing strict security requirements on healthcare providers with access to confidential patient information. As a part of HIPAA, Congress mandated the establishment of standards for the privacy of individually identifiable patient health information.  The Privacy Rule requires that dentists [and other medical practitioners] obtain patient consent before using or disclosing a patient’s personal healthcare information which may be needed for treatment, payment, and other healthcare related purposes. 

Private Health Information, also known as PHI, is any information relating to a patient’s health, treatment, or payment for healthcare that identifies a patient.  Private health information includes, but is not limited to: names, addresses, phone numbers, fax numbers, e-mail addresses, credit card information, certificate numbers, license numbers, account numbers and birth dates. Many dental employees, including dental assistants, dental hygienists, lab technicians and front office staff, may come into direct contact with a patient’s PHI.  PHI should be carefully secured and traced throughout the dental office to ensure patient confidentiality. 

HIPPA does not require that dentists sound-proof rooms to ensure that confidential conversations are not overheard; however, dentists should make every reasonable effort to ensure that confidential conversations take place in areas away from other patients.  Also, computers, printers, faxes and file cabinets or other containers were patient records are stored should be placed in secured areas without patient access. 

Although compliance ismandatory only for “covered entities”, the American Dental Association suggests that dentists who are not covered entities adopt the same privacy practices that HIPAA mandates for “covered entities”.  It is still possible that HIPAA privacy laws may establish an industry standard among dental practices and the failure to comply with the industry standard may result in liability for the owner of a dental practice.

Understanding the value of PHI and its relationship with HIPAA, the owner of a dental practice should be able to answer some very important questions such as: how is PHI stored in our office, who is authorized to access the information, how is the information stored and how is  patient information secured, how and when is this patient information destroyed, where in the office is it appropriate to discuss personal health information, and have we implemented proper training procedures?  Answers to these questions cannot be left to interpretation. 

The owner of a dental practice must adopt and implement comprehensive privacy procedures for their office in order to ensure that patient records are kept in a secure space.  In addition, employees in a dental office must comply with HIPAA policies and procedures which have been established.  Most of the information obtained regarding patients does require the implementation of security measures.  If employees are not aware of HIPAA standards as established by the owner of a dental practice, a violation of HIPAA may be costly! 

Patient Rights

The HIPAA Privacy Rule gives patients considerable rights in controlling their identifiable healthcare information.  Covered entities must provide a Notice of Privacy Practices to each patient which details how the practice can use and disclose confidential patient healthcare information.  Under HIPAA, a healthcare provider must obtain a patient’s authorization before releasing protected patient information.  However, a health care provider may release patient information for specified health care related purposes, such as for remitting payment or for patient related treatment.   

As for patient records, patients are permitted access to their own records.  In addition, patients may also request restrictions on the disclosure of their personal healthcare information.  Patients may also request an amendment to any information in their medical file that they believe is erroneous. The Privacy Rule also prohibits employers from using a patient’s personal healthcare information as a factor in making employment decisions. 

HIPAA Violations

Failure to comply with HIPAA can result in both civil and criminal penalties, and the penalties can be stiff.  These penalties vary based on the nature of the violation and the extent of the resulting harm.  Healthcare entities and individuals who obtain or disclose individually identifiable health information face a penalty ranging from $100.00 to $50,000.00 per violation, as well as imprisonment for up to one year.  However, offenses committed with the intent to use the information for personal gain, harm, or commercial advantage face fines up to $250,000.00 and imprisonment for up to ten (10) years.  Because there is no private right of action for a patient to enforce his or her privacy rights, enforcement of the civil penalties will be processed through the Department of Health and Human Services Office of Civil Rights, and the criminal penalties will be enforced through the government. 

It is important to note that the owner of a dental practice may be held liable for HIPAA violations. Employees who knowingly violate a HIPAA rule may also be subject to civil or criminal penalties as well (including dental hygienists, dental assistants, etc.)  As a result, in order to avoid potential civil and criminal penalties, all members of a dental practice should be aware of HIPAA guidelines and procedures.

The Privacy Rule does allow dentists to use patient sign-in sheets in their offices.  However, requiring a patient to indicate the purpose of their appointment is a violation of HIPPA and should be avoided.  Reminder cards sent to a patient’s home with appointment dates on them are not considered a HIPAA violation, because of the preventative nature of dental care.  However, if the cards mention the purpose of the appointment (i.e., “This is a reminder of your appointment for a dental implants”), it will be considered as violation of the HIPAA Privacy Rule.  In addition, schedules of patient appointments should not be placed in an area in the office that is visible to other patients.  Finally, patient appointment calendars should “never” be placed on the internet [yes, this has happened]. 

Conclusion

The owner of a dental practice must determine whether their office is HIPAA compliant.  A failure to properly implement HIPAA security and patient privacy rules could result in potentially big civil and criminal penalties.  The employees of a dental practice must be trained on both HIPAA regulations and security measures.  A patient’s individually identifiable healthcare information is confidential and should be treated accordingly.