Join ADAMember Log In




ADA helps members comply with HHS rule

ADA guidance to help dentists comply with the Department of Health and Human Service's interim final rule effective this month is available to ADA members at www.ada.org/goto/HIPAA. The rule regulates when and how dentists must notify patients if their health care information has been exposed in a security breach.

"These resources are designed to help member dentists prevent breaches and take the appropriate actions should they become aware of a breach of protected health information," says Dr. Ronald L. Tankersley. Dr. Tankersley will be installed as the 146th president of the American Dental Association next month. "They demonstrate the ADA's strong commitment to helping members understand and comply with the regulatory environment."

Posted in the Federal Register August 24, the rule, which regulates when and how dentists must notify patients if their health care information has been exposed in a security breach, takes effect on Sept. 23. Hospitals, doctors and other health care organizations covered under HIPAA are covered by the new rule.

Posted at www.ada.org/goto/HIPAA, the ADA member guidance includes:

  • A breach notification decision tree;
  • A glossary;
  • Questions and answers about breach notification.

The Council on Dental Practice says the guidance can assist dentists in understanding the steps required to comply if a breach occurs. The question-and-answer formatted resources for the dentist and dental office staff determine applicability of the new rules in a number of scenarios. It guidance will also assist members and their employees who have questions about their current security needs, including encryption. Finally, there is a discussion of proper media and records disposal for breach notification compliance.

The ADA will release in January 2010 a new Complete HIPAA Compliance Kit for dentists that will feature updated HIPAA Privacy and Security information and incorporate HITECH changes. In addition, it will include a three-year update service assuring a resource that covers all pending changes. The kit will be available for purchase at www.adacatalog.org.

Developed by the HHS Office for Civil Rights, the breach notification rule requires health care providers who are HIPAA-covered entities to notify affected individuals of a breach of unsecured patient information without unreasonable delay but in no case later than 60 calendar days from when the breach was discovered. HHS must be notified annually of breaches, and if a breach affects more than 500 individuals, HHS must be notified within 60 days. If the breach involves 500 or more individuals in the same state or jurisdiction, prominent local media outlets serving that state or jurisdiction must be notified.

In the 30-page document, HHS offers guidance on what unsecured protected health information means and identifies technologies and methodologies that would secure patient protected health information sufficiently to obviate the need to notify patients of a data breach. The requirements provide detailed information about which incidents will require dentists to provide notification of a breach and how to provide it.

The rule is part of the increased privacy and security protections under the American Recovery and Reinvestment Act of 2009. The Federal Trade Commission released related regulations that cover breaches involving vendors of personal health-record systems and associated businesses not covered by the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996.

Signed into law in February, the ARRA incorporates the Health Information Technology for Economic and Clinical Health Act, which seeks to develop a nationwide health information technology infrastructure for electronic dissemination of health records. HITECH expands on HIPAA's privacy and security protections for individuals' health information.

The regulations will also require business associates of covered entities to notify the covered entity of breaches that the business associate discovers so that the covered entity can provide the required notification. Employees are not business associates, nor are most referral or group practice relationships, as long as the information shared is related to the treatment of a referred or group practice patient. Examples of a dentist's typical business associates include (but are not limited to) claims processing companies, billing and practice management companies, information system vendors, electronic clearinghouses, lawyers, accountants and technical support companies.

To read the interim final rule visit www.hhs.gov/ocr. Click on the HHS press release, "HITECH Breach Notification Interim Final Rule," at the right of the page. The link to the Aug. 24 Federal Register posting is included at the bottom of the page.

Comments on the interim final rule, identified as RIN 0991-AB56, may be submitted on or before Oct. 23 at www.regulations.gov or sent to U.S. Department of Health and Human Services, Office for Civil Rights, Attention: HITECH Breach Notification, Hubert H. Humphrey Building, Room 509F, 200 Independence Ave., SW, Washington, D.C., 20201. Submit one original and two copies.