HIPAA Privacy and Security
2013 HIPAA Updates
Title II of the 1996 Health Insurance Portability and Accountability Act (HIPAA) has had broad implications in health care, including dentistry. It required the creation and enforcement of multiple regulations for various purposes. Among dentists, the best known of these regulations is the HIPAA Privacy Rule, which had an initial compliance date of April 14, 2003. In addition to the Privacy Rule, there is a HIPAA Security Rule (initial compliance date April 20, 2005) and the HITECH Breach Notification Rule (initial compliance date February 22, 2010).
Dentists and their staff will be most familiar with the HIPAA Privacy Rule. The Privacy Rule gives patients certain rights over their health information, including dental records and billing records. For example, patients have the right to:
- ask for a change in their records
- ask a health care provider not to disclose their information
- ask a health care provider to communicate with them confidentially, at an alternative location or by an alternative means (the health care provider must accommodate reasonable requests).
The HIPAA Security Rule requires a dental practice to conduct a written risk assessment and develop safeguards to protect electronic patient information. These safeguards are divided into three categories: “administrative,” “technical” and “physical.” The purpose of the Security Rule safeguards is to protect the confidentiality, integrity, and availability of electronic patient information:
- Confidentiality means that people who are not authorized to see the information cannot access it.
- Integrity means that the data is not corrupted, or changed without authorization.
- Availability means that authorized individuals may access information whenever it is needed.
The HIPAA Security Rule also requires ongoing maintenance of safeguards, periodic risk assessments, workforce training, and documentation.
In addition to subsidizing the adoption of EHRs for Medicare and certain Medicaid providers, the Health Information Technology for Economic and Clinical Health (HITECH) Act authorized the creation and enforcement of a Breach Notification Rule that amended parts of the HIPAA Privacy and Security Rules. The Breach Notification Rule requires dental practices to notify affected individuals and the Secretary of Health and Human Services of breaches of unsecured patient information, and, when a breach affects more than 500 residents of a state or jurisdiction, to notify prominent media outlets as well.
Finally, an Enforcement Rule has authorized enhanced civil monetary penalties for non-criminal violations of HIPAA rules since February 18, 2009.
Impact On Dentistry
HIPAA rules for Privacy, Security, and Breach Notification apply to a dental practice if it meets the definition of a “Covered Entity.” See “HIPAA-Covered Entities” below for more details. Assuming a dental practice is a covered entity, the practice will need to take steps to comply, starting with the appointments of a HIPAA Privacy Official and a HIPAA Security Official. Other steps include, but are not limited to: reading and understanding all of the requirements, creating a HIPAA compliance team, delegating tasks, performing a risk assessment, devising policies and procedures, training workforce members, and maintaining compliance in an ongoing manner. Achieving and maintaining compliance is a significant, ongoing effort that requires time, people, and resources.
A dental practice becomes a covered entity by transmitting an electronic “covered transaction,” such as submitting an electronic claim to a dental plan. A dental practice is also a covered entity if someone else (such as a clearinghouse) sends an electronic covered transaction on its behalf. Dental practices that are covered entities may be referred to as “covered entity dental practices” or “covered dental practices.” For more examples of covered transactions and information about covered entities, see the Covered Entity Charts from the Centers for Medicare & Medicaid Services.
The 2013 HIPAA Omnibus Final Rule
On January 17, 2013, the US Department of Health and Human Services Office for Civil Rights announced the publication of the HIPAA Privacy and Security Omnibus Final Rule. The Omnibus Final Rule strengthens and re-affirms HIPAA Privacy, HIPAA Security, and HITECH Breach Notification requirements, and covered dentists must comply with the new requirements by September 23, 2013. The Omnibus Final Rule also finalizes the HITECH enforcement provisions, which means more active and tougher enforcement of HIPAA Privacy and Security.
In addition, the HIPAA Omnibus Final Rule:
- Extends the requirements of the privacy and security rules to covered dental practices’ business associates and their contractors
- Establishes new limitations on the use of protected health information for marketing and fund-raising purposes
- Prohibits the sale of a patient's protected health information without the patient's written authorization
- Expands patients' rights to request and receive electronic copies of their personal health information
- Broadens patients' ability to restrict disclosure of their personal health information to health insurance plans
HIPAA defines a “business associate” to generally mean an outside person or entity that does a service for a covered dental practice that involves patient information. Examples include a billing service, practice management or EHR system vendor, document storage company, collection agent, or shredding firm.
HIPAA does not permit a covered dental practice to let a business associate access patient information until the dental practice and the business associate have signed a written agreement containing certain required provisions. This agreement is called a “business associate agreement” or “business associate contract.”
A covered dental practice must identify each of its business associates and have a compliant agreement in place with each of them.
The 2013 HIPAA Omnibus Final Rule has significant impacts on business associate agreements and on business associates. The most significant impact for business associates is the extension of privacy and security rule enforcement to business associates themselves. Business associates may now be subject to the same enforcement actions as a covered dental practice.
The new rule also changes the provisions that must be in the business associate agreement. Covered dental practices must update their existing business associate agreements. In addition, they must also update any agreement template used when negotiating an agreement with a new business associate.
By September 23, 2013, covered dental practices must update all business associate agreements that were entered into on or after January 25, 2013.
By September 22, 2014, covered dental practices must update all business associate agreements that were entered into on or before January 24, 2013 and that were not modified or renewed after that date (if they were modified or renewed, the September 23, 2013 date applies).
Evergreen contracts: if a business associate agreement is entered into on or before January 24, 2013, and it is not modified after that date, but it renews automatically without any change in terms, it must be updated by September 22, 2014.
Oral agreements: if a dental practice does not have a written business associate agreement in place with a business associate, the dental practice must enter into a compliant written agreement without delay.
The ADA has resources to help dentists meet HIPAA requirements and reduce their HIPAA-associated business risks. Visit the ADA Catalog online at www.adacatalog.org or call the ADA Member Service Center at 800-947-4746 for information about HIPAA compliance resources.
The Office For Civil Rights also has a searchable database of HIPAA Frequently Asked Questions.
Most Recent HIPAA News
- July 15, 2013: CE Online course helps with new HIPAA rules
- May 20, 2013: Never trust a photocopier
- March 11, 2013: ADA updating HIPAA manual
- January 28, 2013: New HIPAA rules issued
American Dental Association
Department of Dental Informatics