Frequently Asked HIPAA Questions

HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996. HIPAA does the following:

  • Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
  • Reduces health care fraud and abuse;
  • Mandates industry-wide standards for health care information on electronic billing and other processes; and
  • Requires the protection and confidential handling of protected health information.

When must a covered dental practice's staff receive HIPAA training?

All members of a covered entity's workforce are required to receive training on the practice's policies and procedures under the HIPAA Privacy Rule, the HIPAA Security Rule, and the HITECH Breach Notification Rule. The Privacy Rule requires each new workforce member to be trained within a reasonable period after joining and to be retrained whenever a material change in policies or procedures affects his or her duties; the Security Rule requires an ongoing security awareness and training program, including periodic security reminders. Beyond those minimums, the frequency of training sessions is up to the individual covered dental practice to determine, but training should be ongoing and timely, with updates, notices, and reminders issued in a manner that reduces the risks associated with newly identified threats. An annual training session may or may not be sufficient, depending on your Security Official's ongoing risk analysis.

When my dental practice staff needs to leave a message for one of its patients, how specific a message may be left on a patient's voicemail?

Your staff should limit the information left on a voicemail to the practice name, the caller’s name and phone number, appointment date and time, and the name of the person you are attempting to contact. Avoid leaving any health or finance-related information, including patient account information, on a voicemail. If a patient requests a restriction against leaving voice messages, document the request and honor the patient’s wishes. See the Office for Civil Rights’ FAQ on this topic.

Which form do I ask my patients to sign?

The form is called "Acknowledgement of Receipt of Notice of Privacy Practices." The HIPAA Privacy Rule requires covered health care providers to make a "good faith effort" to obtain written acknowledgement from patients that they have received the Notice of Privacy Practices. Covered entities should have patients sign an acknowledgement form when they receive a copy of the Notice of Privacy Practices.

If a patient refuses to sign an acknowledgement form, can I refuse to treat the patient?

In general, you cannot condition treatment upon receipt of a signed acknowledgement form. If a patient refuses to sign, document the refusal, the date, and the reason for the refusal, if known. You may still use or disclose patient information for your normal treatment, payment, and health care operations activities unless the patient requests a restriction and you agree to it. If you are unfamiliar with the definitions of Treatment, Payment, and Health Care Operations activities, see the Office for Civil Rights guidance.

Do returning patients have to sign a HIPAA form every single time they visit, or is it once a year, or how often do we really need to have them sign it?

The HIPAA Privacy Rule requires that you ask a new patient to sign an Acknowledgement of your Notice of Privacy Practices no later than the patient's first face-to-face visit. After that, the regulation requires that you retain any signed Acknowledgement until six years after the patient is no longer active in your practice. Some facilities ask all returning patients to sign an Acknowledgement on subsequent visits to reduce the risk of missing new patients or losing paperwork, but this is not a requirement specified in the published regulations.

May we discuss a patient’s treatment, medication, or condition in front of family members or friends?

Generally speaking, yes, provided the patient is present, has had the opportunity to object to the other person's presence, and has not done so. If in doubt, ask! In addition, train your workforce members to know how to handle situations involving family members and friends. The Office for Civil Rights has published helpful Guidance on Communicating with Family Members and Friends.

The Business Associate Agreement template in the ADA HIPAA Kit has a blank space in the "Recitals" section on its first page that we don't know how to complete. What should we write there?

The sample Business Associate Agreement in the ADA HIPAA Kit is styled as an amendment to an existing agreement. If you have an existing service, purchase, license, lease, or other agreement with the business associate that does not contain HIPAA Business Associate Agreement language and needs to be amended to include it, you may enter something like "service," "purchase," "license," etc. as applicable, or you can simply delete the blank space. Additional information regarding business associates and business associate agreements can be found in the FAQ on HIPAA Business Associates.

I have begun hearing that using email to send X-rays is not HIPAA compliant. Is this true?

Ordinary email is not encrypted end to end. Even when mail servers negotiate TLS between hops, the message and its attachment sit in plaintext on each server along the way and remain in both the sender's and the recipient's mailboxes indefinitely. If you are sending identifying information along with the image, including any part of the patient's name, address, date of birth, phone number, or other data elements that constitute Protected Health Information, it does put patients' information at risk of a breach, and an unencrypted transmission is hard to justify under the Security Rule's transmission security standard. Note that a radiograph can be PHI even without a name attached if it can reasonably be linked to the patient.

Please consider using PBHS Securemail or an accredited Direct Health Information Service Provider (HISP), which encrypts the message to the intended recipient, for sending Protected Health Information (PHI).

You may send unencrypted email containing PHI if a patient has been informed of the risks and still directs you to do so; the Privacy Rule permits this. Document the request carefully and honor your patient's wishes.

My IT tech support and/or colleagues are telling me to encrypt my servers, workstations, laptops, tablets, etc. Is this a HIPAA requirement?

Under the HIPAA Security Rule, encryption of ePHI at rest is an "addressable" implementation specification: you must implement it if your risk analysis finds it reasonable and appropriate, and if you decide not to, you must document why and implement an equivalent alternative measure. In practice, storage encryption for your practice's computer hardware, handhelds, mobile devices, and removable media is strongly recommended whenever a dental practice's ongoing risk analysis determines that loss or theft of a device could expose Electronic Protected Health Information (ePHI) to unauthorized access.

To mitigate the risk of a serious breach and avoid Breach Notification requirements, your storage encryption needs to be consistent with the Guidance issued by the US Department of Health and Human Services (HHS). That guidance points to NIST Special Publication 800-111 for data at rest and to NIST SP 800-52, 800-77, or 800-113 for data in transit. ePHI encrypted in line with the guidance is not "unsecured PHI," so the loss of a fully encrypted laptop or drive is not a reportable breach, provided the decryption key or password was not lost or stolen with it. Keep a record of which devices are encrypted and how, since that record is what you will rely on if a device goes missing.
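The following PowerShell script is an added example, not part of the ADA FAQ or any HHS guidance, showing one way to produce the encryption record described above for Windows machines that use BitLocker. It assumes the BitLocker PowerShell module is available (Windows 8 / Server 2012 and later), that it is run from an elevated prompt, and that the list of acceptable ciphers matches the standard your practice has documented; adjust that list to your own policy.

```powershell
# Added example (not from the ADA or HHS): inventory BitLocker state on a Windows host
# so the result can be filed with the practice's risk analysis.
# Assumption: run elevated on a machine with the BitLocker module installed.
#Requires -RunAsAdministrator

function Get-EphiEncryptionStatus {
    [CmdletBinding()]
    param(
        # Ciphers your documented policy accepts (assumption: XTS-AES or AES-CBC, any key size).
        [string[]] $AcceptableCiphers = @('XtsAes128', 'XtsAes256', 'Aes128', 'Aes256')
    )

    foreach ($vol in Get-BitLockerVolume) {
        # "Secured" for breach-notification purposes means the volume is fully encrypted,
        # protection is switched on (not suspended), and the cipher meets the documented standard.
        $fullyEncrypted = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')
        $cipherOk       = $AcceptableCiphers -contains [string]$vol.EncryptionMethod
        $protectors     = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','

        if ($fullyEncrypted -and $cipherOk) { $finding = 'OK' }
        elseif ($fullyEncrypted)            { $finding = 'WEAK-CIPHER' }
        else                                { $finding = 'NOT-PROTECTED' }

        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            MountPoint      = $vol.MountPoint
            VolumeType      = $vol.VolumeType
            VolumeStatus    = $vol.VolumeStatus
            ProtectionState = $vol.ProtectionStatus
            Cipher          = $vol.EncryptionMethod
            KeyProtectors   = $protectors
            Finding         = $finding
        }
    }
}

# Print the report and return a non-zero exit code if any volume would not count as
# "secured" under the HHS guidance, i.e. if losing this device would be a reportable breach.
$report = Get-EphiEncryptionStatus
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Finding -ne 'OK' }) { exit 1 }
```

Export the objects with `Export-Csv` and date the file; a volume that shows `ProtectionState` of `Off` with a `FullyEncrypted` status is a common trap, because BitLocker is suspended and the data is readable without a key until protection is resumed.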

My technology vendor is telling me that my operating system is not HIPAA compliant. Is this true?

There is no such thing as a "HIPAA compliant" operating system, but there are such things as "supported" and "unsupported" operating systems. "Supported" means the vendor still publishes security patches for the product. It is not advisable to use unsupported software, including operating systems, because newly discovered vulnerabilities in it will never be fixed, and this increased exposure puts a covered dental practice at greater risk of breaches and possible federal enforcement actions. When support for an operating system is pulled, the vendor will no longer provide security patches for that product, and the operating system will become increasingly insecure as new flaws are found and exploited. It is best to plan migration to the next version of an operating system well before support for your current system ends, and to confirm that any practice-management software you depend on is supported on the new version.
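As an added example, not part of the ADA FAQ, the PowerShell function below records what a vendor's support status actually means for a Windows host: the installed version and build, how recently security updates were applied, and how long remains before the vendor's published end-of-support date. No lifecycle dates are built in; the caller supplies the date from the vendor's lifecycle page (assumption: you look it up for your specific edition), and the patch-age threshold is a hypothetical policy value.

```powershell
# Added example (not from the ADA): summarize OS version and patch recency for one Windows host.
# Assumptions: runs locally (or inside Invoke-Command for remote hosts); the end-of-support
# date is supplied by the caller from the vendor's lifecycle page.
function Get-OsSupportFinding {
    [CmdletBinding()]
    param(
        # Date after which the vendor ships no more security patches for this OS edition.
        [Parameter(Mandatory)] [datetime] $EndOfSupport,
        # Warn this many days ahead so migration is planned, not rushed (hypothetical policy value).
        [int] $WarnDays = 180,
        # Flag a host whose newest installed update is older than this many days (hypothetical policy value).
        [int] $MaxPatchAgeDays = 60
    )

    $os        = Get-CimInstance -ClassName Win32_OperatingSystem
    $newestFix = Get-HotFix |
                 Where-Object { $_.InstalledOn } |       # some entries carry no install date
                 Sort-Object InstalledOn -Descending |
                 Select-Object -First 1
    $now       = Get-Date
    $daysLeft  = [int]($EndOfSupport - $now).TotalDays
    $patchAge  = if ($newestFix) { [int]($now - $newestFix.InstalledOn).TotalDays } else { $null }

    # Order matters: an unsupported OS is the worst finding regardless of patch history,
    # because there are no further patches to install.
    if ($daysLeft -lt 0) {
        $finding = 'UNSUPPORTED: vendor no longer issues security patches; migrate now'
    } elseif ($daysLeft -lt $WarnDays) {
        $finding = "SUPPORT ENDS IN $daysLeft DAYS: schedule migration"
    } elseif ($null -eq $patchAge -or $patchAge -gt $MaxPatchAgeDays) {
        $finding = 'SUPPORTED BUT NOT PATCHING: check Windows Update on this host'
    } else {
        $finding = 'OK'
    }

    [pscustomobject]@{
        Computer           = $os.CSName
        OperatingSystem    = $os.Caption
        Version            = $os.Version
        Build              = $os.BuildNumber
        LastHotFix         = if ($newestFix) { $newestFix.HotFixID } else { $null }
        LastHotFixDate     = if ($newestFix) { $newestFix.InstalledOn } else { $null }
        DaysToEndOfSupport = $daysLeft
        Finding            = $finding
    }
}

# Example call (the date is illustrative; take the real one from the vendor's lifecycle page):
Get-OsSupportFinding -EndOfSupport '2025-10-14' | Format-List
```

Run it across every workstation and server in the practice and keep the output with the risk analysis; a host reporting `UNSUPPORTED` is the one your vendor is warning you about, and the record of when you noticed and when you migrated is what a reviewer will ask for.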