The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was signed by President Clinton August 21, 1996 as Public Law 104-191. Included in the law is a separate section intended to reduce the administrative costs of health care. Final regulations on transactions and code sets were released on August 17, 2000 for implementation by October 16, 2002.
The law requires all health plans, including ERISA, health care clearinghouses and any dentist who transmits health information in an electronic transaction to use a standard format. Those plans and providers that choose not to use the electronic standards can use a clearinghouse to comply with the requirement. Providers' paper transactions are not subject to this requirement.
What is HIPAA?
HIPAA has four main elements:
- Portability of coverage
- Security of health information
- Consents for uses of health information
- Electronic transmission of health information
Key things to remember
HIPAA regulations require you to make a "good faith effort" to secure patient receipt of your privacy practices notice before you disclose protected health information (PHI).
- Adhere to the "minimum necessary standard." You are required to use or disclose only the information needed to accomplish the purpose intended.
- The key word to remember is "reasonable" when reviewing changes in your office to comply with HIPAA standards.
What do we need to do to comply?
Whether or not you transmit electronic claims, patient confidentiality is key in any dental practice. Check with your liability carrier regarding confidentiality laws. Confidentiality laws have been in existence long before Federal HIPAA regulations. HIPAA regulations dictate that healthcare providers and payers must safeguard the privacy of patient health information. Effective April 14, 2003 mandatory compliance with the privacy part of the HIPAA rule is required, especially in the areas of how patient health information is handled and secured.
If your office must implement HIPAA Privacy rules, follow steps to implement and train staff. Even if you do not have to implement privacy policy and rules, you may have to implement HIPAA Security. Check with the American Dental Association or the HHS Office of Civil Rights for information on whether these rules apply to your office.
No liability policy will protect you for violating federal law. Compliance with the Federal Privacy rule became effective April 14, 2003. If you are a new office implementing HIPAA privacy rules, the following are helpful:
- Become knowledgeable about the requirements of the rule. There is no way around this. You may find the resources below to be helpful. The American Dental Association has a HIPAA Privacy Manual and a HIPAA Security Manual, both of which can be purchased through ADA 1-800-947-4746 online www.adacatalog.org.
- Assign a Privacy Officer. Someone in your office should be assigned the responsibility for the Privacy program and for being the contact for questions, concerns and complaints related to privacy.
- Make a list of the policies and procedures that you will need and develop a timeframe for completion of the same.
- If your office already has policies and procedures around patient privacy, review them with the requirements of the HIPAA Privacy Rule and make revisions as needed.
- In some cases, your office might follow ‘understood’ or ‘spoken’ rules around maintaining patient confidentiality. Write those policies down.
- Where the requirement of the rule is ‘brand new’ to you, try to understand the requirement, how it applies to your office and then generate the policy and/or procedure.
- Make a list of the forms that are required under the Privacy Rule. The forms should also be referenced in your written policies and procedures. For instance, you will most likely need an authorization form. The description of the form, how and when to use it, etc. will need to be documented in the policies and procedures.
- Train your employees. Everyone who is in an office will need to be trained in your privacy practices. Under the rule, ongoing training is also required. This must be documented to show compliance. You may contact the ODA Director of Government Affairs with questions should you need assistance. 503-218-2010 Ext. 102
- Develop an audit program to monitor that the office privacy policies and procedures are being adhered to. Follow the audit criteria and the results of the same. This will allow your office to identify areas for improvement as well as where your office is doing a superb job of continued compliance.
Additional Resources