New HIPAA rules stem from federal recovery act provisions

The Association is developing resources and advice for dentists and dental office staff to help them prepare and comply with new HIPAA privacy and security provisions starting this month as a result of the American Recovery and Reinvestment Act of 2009.

"The ADA will be the profession's prime resource for complying with these regulations," said Dr. Robert A. Faiella, 1st District trustee. Dr. Faiella heads the Association's Electronic Health Record Workgroup.

Signed into law in February, the ARRA incorporates the Health Information Technology for Economic and Clinical Health Act. That act seeks to develop a nationwide health information technology infrastructure that allows for electronic dissemination of health records.

To protect the rights of individuals whose information will be stored and exchanged in the electronic health record environment, HITECH expands upon HIPAA's privacy and security protections for individuals' health information. This includes some expansion of the applicability of HIPAA (Health Insurance Portability and Accountability Act of 1996) standards, but a dentist whose practice is still entirely paper-based will not be subject to its rule, at least in most circumstances and state law permitting.

HITECH rules, which the U.S. Department of Health and Human Services is developing, will place added responsibilities upon both covered entities and their business associates. Examples of a dentist's typical business associates include (but are not limited to) information system vendors, electronic clearinghouses, lawyers, accountants, technical support companies and others. Employees are not business associates, nor are most referral or group practice relationships, as long as the information shared is related to the treatment of a patient.

The first major regulation, due from HHS Aug. 18, will require covered entity practices and their business associates to provide notice of any breaches or unauthorized disclosures of protected health information within 60 days. Practices covered by HIPAA would have to notify the breached individual(s), HHS and, in some cases (where records of 500 or more people are affected), media outlets. Practices will have 30 days to comply with the regulation. According to HHS, entities subject to the regulations that apply specified technologies and methodologies to secure information will not be required to provide the notifications required by the regulations in the event of a breach. There will be a safe harbor in place.

The ADA will provide guidance for dental practices after reviewing the interim final rules. The requirements should provide detailed information about which incidents will require dentists to provide notification of a breach and which will not. ADA.org postings will provide compliance information as it becomes available.

The ADA plans to release in January 2010 a new Complete HIPAA Compliance Kit for Dentists. The kit will feature updated HIPAA Privacy and Security information and incorporate HITECH changes. In addition, it will include a three-year update service assuring members will have a resource that covers all pending changes.

Regardless of the changes in the rule, Dr. Faiella says it is important to remember that careless record-keeping was always a threat to privacy and security and that has not changed with the new rule.

"For covered dentists, it's going to be a very good idea to review their current privacy and security policies, procedures and documentation," advised Dr. Faiella. "Many dentists have great confidentiality safeguards, great people working for them, and their system vendors provide them with data integrity and accessibility tools. However, in spite of having these safeguards in place, their documentation of how all those things work together as a cohesive security plan may be lacking. You can still be fined for neglecting some area of required documentation, even if everything else is in order."

A few common ways a breach may result include:

  • discussion of patients with anyone who is not involved in that person's care or payment for that person's care;
  • removal of paper or electronic files containing PHI from the practice without the dentist's or manager's knowledge or approval;
  • lack of written policies and procedures for removing PHI from a practice in paper or electronic form;
  • insufficient data protections on removable media and devices (a stolen laptop may require notification of a breach);
  • use of patient data to market non-health-care-related products (if the data is removed from the practice via electronic means, it may be a security violation as well as a privacy violation).

By August 2010, HHS says it will publish 14 modifications to HIPAA guidance and regulations that will expand protections of electronically transmitted patient health information. Each of the rules will take effect 30 days after issuance. They include regulations and/or guidance about:

  • added accounting responsibilities for disclosures under the HIPAA Privacy Rule;
  • extending certain HIPAA Security Rule provisions to business associates;
  • modifying the HIPAA Privacy Rule's accounting of disclosure provisions;
  • tighter restrictions on the disclosure of PHI for marketing and fundraising;
  • detailed technical safeguards for security;
  • providing electronic health records to patients who request access.

Most of the changes will go into effect in February 2010. The ADA will be providing additional resources as the new regulations and guidance become available.

Visit www.ada.org/goto/HIPAA after the regulations are released on Aug. 18 for the latest on how the regulations apply to the dental practice.