Privacy is something we all value. Especially with new discoveries in the link between good oral hygiene and overall medical health, it should not come as a surprise to anyone that dentistry patients want to ensure more than ever that their personal information will not be shared with anyone without a legitimate need to know. Under the US Department of Health and Human Services (HHS.gov), HIPAA Rules were created to ensure that all healthcare professionals respect and protect a patient’s privacy. How well does your office comply with HIPAA guidelines?
The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996. HIPAA provides federal protections for personal health information held by patients. The HIPAA privacy rule does permit the disclosure of personal health information needed for patient care and other important purposes related to a patient’s care. The Security Rule under HIPAA specifies a series of administrative, physical, and technical safeguards or security measures required for covered entities (dental offices that transmit patient information in electronic form) to assure the confidentiality, integrity, and availability of electronic protected health information.
The Privacy Rule establishes a federal requirement that dentists and other medical practitioners obtain patient consent before using or disclosing a patient’s personal health information for treatment, payment, or healthcare operations.
Private health information, also known as PHI, is any information relating to a patient’s health, treatment, or payment for healthcare that identifies a patient. Private health information includes, but is not limited to: names, addresses, phone numbers, fax numbers, e-mail addresses, credit card information, certificate numbers, license numbers, account numbers and birth dates. Many dental employees, including dental assistants, dental hygienists, lab technicians and front office staff, may come into contact with PHI. PHI should be carefully secured and traced throughout the dental office.
Although compliance is mandatory only for “covered entities”, the American Dental Association suggests that dentists who are not covered entities adopt the same privacy practices. It is still possible that the HIPAA privacy laws may establish an industry standard among dental practices, and failure to comply with that industry standard may result in liability.
How is PHI stored in our office? Who is authorized to access the information? How is the information stored and how is it secured? How and when is this information destroyed? Where in the office is it appropriate to discuss personal health information? Do we have an adequate and recorded procedure for training?
Answers to these questions cannot be left to interpretation; healthcare providers must adopt privacy procedures for their offices, ensuring that patient records are kept in a secure space and that employees are trained on privacy policies, making records inaccessible to those who do not have a legitimate need to view them. Most of the information gathered on patients requires these security measures. Thus, the entire dental office must be aware and held responsible to avoid costly violations.
Failure to comply with HIPAA can result in both civil and criminal penalties. These penalties vary based on the nature of the violation and the extent of the resulting harm. Healthcare entities and individuals who obtain or disclose individually identifiable health information face a penalty ranging from $100 to $50,000 per violation, as well as imprisonment up to one year. However, offenses committed with intent to use the information for personal gain, harm, or commercial advantage face a more serious fine of $250,000 and imprisonment for up to ten years. Also, if a state has privacy laws more stringent than the federal regulations, the state laws will supersede HIPAA.
It is important to note that not only are employers held liable – employees who knowingly violate a HIPAA rule may be subject to a criminal penalty as well.