
ADA seeks clarification of HIPAA enforcement

Washington—Regulators taking a more proactive approach to protecting health care data "may impair a dentist's ability to effectively treat patients" depending on how they apply proposed HIPAA privacy, security and enforcement rules, the Association told the Department of Health and Human Services.

"The ADA is encouraged that the proposed rule would strengthen patient privacy, data security and enforcement of the law," the Association said in formal comments on the proposal.

In further comments on various sections of the proposal, the Association offered support for some provisions and expressed concern about others.

When regulators issued the notice of proposed rulemaking (the HITECH Notice), the HHS Office for Civil Rights director said in a press release, "This proposed rule strengthens the privacy and security of health information and is an integral piece of the administration's efforts to broaden the use of health information technology in health care today."

The Office for Civil Rights enforces the HIPAA privacy rule, which protects the privacy of individually identifiable health information; the HIPAA security rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the patient safety rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.

While generally supporting the HIPAA proposals, the Association sought clarification on some, disagreed with others and recommended changes based on input from the ADA legal division, department of dental informatics and councils on Dental Practice, Dental Benefit Programs and Government Affairs. The comments were signed by Dr. Ronald L. Tankersley, president, and Dr. Kathleen T. O'Loughlin, executive director, the Association’s top elected and staff officers.

With regard to a proposal that would require dentists to give patients the opportunity to opt out of receiving subsidized "treatment-related" "marketing" communications, the Association urged regulators to revise the proposal before issuing final rules. "The ADA is concerned that requiring a provider to give individuals the opportunity to opt out of receiving subsidized treatment communications may impair a dentist's ability to effectively treat patients by communicating appropriate information when the dissemination of such information will be underwritten by an entity such as a manufacturer, supplier or provider."

Provisions allowing patients to opt out of certain "marketing" communications and opt-out processes created by the regulations as proposed could "impose undue burdens on health care practitioners" in several respects, the Association said.

"It may be unduly burdensome and time-consuming for the dental practice to determine which of the patients who received the treatment in question have opted out and with respect to which communications, and to ensure that any remuneration received does not apply to those patients who have opted out.

"The ADA therefore urges the Office for Civil Rights not to require covered entities to provide an opportunity for individuals to opt out of receiving communication related to treatment. In the alternative, the ADA urges the Office for Civil Rights to permit a practitioner to receive remuneration for treatment-related communications that, in the practitioner's professional judgment, are appropriate for the treatment of an individual."

The Association also called for clarification of such terms as "financial remuneration" and "direct or indirect payment" for "marketing" purposes. Under the proposed rules, there is treatment marketing and health care operations marketing, for example, and the Association says that "in many cases it will be burdensome and confusing for small covered entity health care providers to correctly identify communications that do and do not require prior authorization.

"We urge the Office for Civil Rights to select the alternative of excluding treatment communications altogether from the proposed restrictions on marketing communications, even if such communications involve financial remuneration from a third party.

"Excluding treatment communications from the proposed restrictions on marketing communications would also help reduce the record-keeping burden associated with soliciting, collecting and managing opt-out communications, which will have a disproportionate impact on dentists, who are more likely than other covered entity providers to keep paper records due to the unavailability of certified electronic health record technology for dentistry, and who are more likely than other providers to practice in solo or small group practices which [would] not be staffed to handle the burden of additional record-keeping responsibilities.

"We further urge the Office for Civil Rights to provide a clear test for a marketing communication that involves treatment and one that involves health care operations, to facilitate covered entity provider understanding and compliance."

With regard to a proposed change that would make a covered entity liable for certain acts of a business associate that is the covered entity's "agent," the ADA said the change would impose an undue and unfair burden on a HIPAA-compliant covered entity that was unaware the agent was in violation of HIPAA. The ADA also urged the Office for Civil Rights to provide a more exact test to determine which business associates were "agents," in order to help covered entities more effectively manage the risk.

The proposed regulations also requested comments regarding a HITECH Act provision that requires a covered entity provider to agree to an individual's request to restrict disclosure to a health plan of information pertaining to items or services for which the provider has been paid in full out-of-pocket.

The Association expressed concern that complying with this provision may complicate dental records and could create difficulties in complying with managed care contracts that allow access to certain patient records. The ADA also said this provision may create difficulties in situations where a patient undergoes more than one procedure in a single visit and asks that the dentist not disclose information to a health plan about one of the procedures.

In response to a proposed rule that would require a covered entity with electronic health records to provide individuals access to their records in the form and format that they request, the ADA expressed concern that providing access to individuals using removable electronic media that they provide (such as their own thumb drives or CD-ROMs) could introduce a virus into the practice's electronic system. The ADA urged the Office for Civil Rights to permit covered entities to refuse to provide access using an individual’s own electronic media and to permit covered entities to charge individuals for the cost of electronic media provided by the practice.

The Association also questioned certain record-keeping, use and disclosure and other proposals intended to modify HIPAA regulations to comport with the 2009 Health Information Technology for Economic and Clinical Health Act. The 1996 Health Insurance Portability and Accountability Act provided for the establishment of national standards for the electronic transmission of certain health information.