
HIPAA is here!

March 1, 2003
Sorry, but there's no such thing as an extension for the HIPAA Notice of Privacy Practices!

by Curtis P. Hamann, MD


Confused about HIPAA? You don't need to be. HIPAA as a progressive dinner is actually digestible! The trouble is, most people prefer fast food, and then wonder why they suffer from indigestion! Health and Human Services gave health care a mandatory invitation to this HIPAA feast back in 1996.

The first course of this meal was immediately implemented and is the "P" of HIPAA. The "P" stands for portability. This refers to the mobility of insurance between jobs and despite pre-existing health conditions. This protects an individual from losing insurance or insurability as an artifact of changing employers.

The second course was the implementation of the Transactions and Code Set Standards by Oct. 16, 2002. A minority of dentists filed an extension to delay the compliance requirement by 12 months. This standard requires the use of the dental CDT-4 codes, together with the Dental Version 4010 transaction standards, to streamline electronic-insurance claims processing. What most practitioners do not realize is that the probability of serendipitous compliance is very high in dentistry because of better planning over the last decade in the profession. So, on to the third course, which will be served in April!

The third course is the HIPAA Notice of Privacy Practices. This requires the development and implementation of the practices to protect patient privacy. You must notify your patients about your new policies with a "Notice of Privacy Practices!" When the Notice of Privacy Practices course is completed, it will be followed by the Security Standards to safeguard personal health information from unnecessary electronic disclosure. Finally, for dessert, the National Identifier Standards will create a unique code assigned to each provider and employer. That adds up to five distinct requirements, each with different timelines, yet all a part of the same legislation.

For now, let's return to the third course — compliance with the Notice of Privacy Practices — which must be done on or before April 14. Sorry, no doggie bags, so you can't finish this course later!

Etiology of the Notice of Privacy Practices

Somehow I find it easier to stomach "federally mandated" if I understand the reasons behind the mandate. So, why Privacy Practices? The bottom line is that personal health information is misused. If an employer or insurer can find out if an applicant has a chronic or fatal disease, it could influence a job offer, insurance rates, and/or insurability. Sadly, this happens. Leaked or stolen personal-health information is made available for a profit and used without the individual's knowledge ... and usually to his or her disadvantage. Personal health information also is bought and sold in the open market without the explicit permission (authorization) of the patient.

Have you ever wondered why you receive baby formula solicitations at home after the birth of your child? Or why a local cancer foundation solicitation is received by your father after his diagnosis of liver cancer? This is because the diagnosis, name, and address were sold! The invitation for government intervention has resulted from apathy and abuse. Sadly, the lack of appropriate protection of personal health information within health care has led to this legislation. Doesn't it seem reasonable that we should review our privacy practices, tune them up, and then let our patients know about them? I would challenge us to take the high road. Understand the spirit in which this law was born. Rather than rationalizing a loophole that would justify why your office is not a covered entity, develop a policy, formally implement it, and communicate it with your patients. If health care had done a good job of self-regulation, we wouldn't have the government forcing us to do it now. Develop your policies because it is the right thing to do for your patients, not just because it is the law.

Privacy practices

So what is expected of us in the context of our privacy practices? Simply, we need to vigilantly and intentionally protect individually-identifiable, protected health information (PHI). Begin by reviewing the flow of protected health information in your office today. Examine each step — from appointment reminders by phone and/or postcard to check in, pulling charts, hygiene appointments, dentist diagnoses, procedure preauthorizations, treatments, prescriptions, sending impressions to laboratories and biopsies to pathologists, consultations with specialists or associates, referrals, billing, payment receipts, and filings and record storage. Are reasonable safeguards in place as the PHI moves through each of these steps? Do each of the staff members and consultants understand these safeguards? Does the office culture understand that protected health information should only be accessed by those staff members who need this information as a part of doing their jobs? Are security codes to the facility and passwords to computer records appropriate in reasonably minimizing access to the PHI?

Do your practice-management software company, insurance clearinghouse, and answering service have similar safeguards in place? Have they signed a Business Associate Agreement with you to affirm this? Have you identified someone in the office to review your policies in this area and is that individual updating them and putting them in writing? This description of your new office procedures and policies in this area should be integrated into a regular training program for new and current employees. Add the designation "Privacy Officer" to this person's job description and title, and you will have completed one of the legislation's objectives — having someone in every office who is responsible for "ownership" of the privacy practices and who ensures their sustained implementation. This individual would also be the contact person for patients with complaints or questions. It's not overly complicated. (See Table 2.)

Notice of Privacy Practices

So now you have a written privacy policy describing your practices that are designed to protect the PHI of your patients. The next step is to notify your patients of these privacy practices and simultaneously describe for them the patient rights that were legally affirmed in this legislation. This must be done with each patient, as well as posted in your office for your patients' review. The government expects the information to be communicated in combination with a good faith effort to obtain a written acknowledgement that patients have received it. Earlier versions of this legislation contemplated a mandatory written consent from all patients before the patients could be seen by the doctor.

A more pragmatic good faith effort to obtain written acknowledgement became the final law. Your patients are acknowledging that they understand how you will be using their PHI and what their rights are with respect to their PHI.

The acknowledgement is only sufficient to the extent that the office uses the PHI for purposes described by HIPAA. If the PHI will be used for purposes beyond the scope described by HIPAA, then an authorization form, specifically describing how the PHI will be used, must be signed by the patient. For most clinical dentists, the acknowledgement will be adequate. HIPAA specifically describes three general categories where PHI can be used if the Notice of Privacy Practices has been acknowledged. They can be used without the need for additional authorization: for 1) treatment, 2) obtaining payment, and 3) health-care operations. Together, these three categories are abbreviated as "TPH." This is actually the nomenclature the government mandates for communication with patients about how their PHI will be used.

Treatment was intended to encompass the use of the PHI in the context of providing your patients with optimal treatment.

This would include searching your database for anyone needing a preventive visit and using the PHI to generate either a phone call or postcard reminder; use of the PHI to determine appropriate length of an appointment or to optimize coordination between the dentist and hygienist; use of the PHI to describe a biopsy differential diagnosis to a laboratory; and X-rays for an oral surgeon who will be removing third molars. It is impossible to create a comprehensive list.

Secondly, PHI will be needed to obtain payment for services provided. This will involve use of the PHI with an invoice or as a part of the insurance forms you file for your patients.

Finally, the PHI can be used to conduct health-care operations. This category was intended to assist the patient in understanding that PHI might need to be disclosed during quality audits by the government and insurance companies; in the context of training students or employees, and during a performance review or during the routine processes of certification, licensing, and credentialing activities. Other examples of legitimate PHI disclosure outside the boundaries of these three categories that your patients should acknowledge and agree to would include situations required by law to report evidence of abuse, for the good of public health, law enforcement, national security, or a caregiver's instructions.

If the PHI will be used for purposes other than those described in TPH or required by other state or federal laws, then authorization in writing is required. For example, if you intend to sell addresses of perio patients to the manufacturer of a new over-the-counter halitosis mouthwash or give names and addresses to a colleague recruiting patients for an aphthous-ulcer-treatment clinical trial, then you will need patients' written authorization.

Patient rights

In addition to communicating your Privacy Practices, you also need to communicate your patients' rights to their PHI. These rights include the right to request reasonable restrictions on the disclosure and use of their health information. For example, they have the right to ask that they be communicated with in a certain way — such as only leaving messages at the patient's office or mailing an appointment reminder in an envelope, rather than sending it as a postcard (OCR HIPAA Privacy Dec 3, 2002 guidelines/incidentalu&d.pdf, Page 6). These would be reasonable accommodations the law would support. In addition, patients have the right to review and, for a reasonable fee, obtain timely copies of their PHI. They have the right to ask you to update or amend their PHI. They have the right to know where their PHI was disclosed for any reason other than TPH. If an authorization was signed that allowed your office to disclose your patients' names, then a list of the recipients must be made available to patients for their review. Finally, patients have the right to request a copy of your Notice of Privacy Practices. This information needs to be communicated to all patients, and a good-faith effort must be made to obtain written acknowledgement that they have received it. This also needs to be prominently posted in the office.

HIPAA hysteria has led to onerous interpretations of this legislation, which is fast becoming a distraction from the original intentions. This is not about eliminating sign-in sheets or sound-proofing your operatories.

This is not about purchasing new filing cabinets or removing chart-holders from the wall. This is not about refraining from making phone calls reminding patients about their appointments, nor is it about abandoning the mailing of postcards to remind them it is time for their prophy appointments.

I have spoken with both dental consultants and dentists who are choosing hysteria rather than prudence. This is about reasonable safeguards to protect the PHI of your patients, intentionally described in policies and procedures and communicated to your patients. The Office of Civil Rights of the Department of Health and Human Services has attempted to attenuate the hysteria with a Web site answering the most frequently asked questions. (See Table 3.)

Implementation of the Notice of Privacy Practices

How should you implement the Notice of Privacy Practices? There are basically two strategies: 1) Either email or mail your notice to all current patients-of-record on or before April 14, or 2) Wait until the next visit of each of your patients and provide them with a copy of your Notice of Privacy Practices at that time. What are the advantages and disadvantages of each of these methods? If all patients-of-record are emailed or sent a notice prior to April 14, requesting a return email or business-reply card acknowledging receipt, then the PHI can be used in the office for TPH without concern of any theoretical exposure. If everyone has received the notice, you can continue TPH activities with a "business as usual" confidence that there will not be a "gotcha!"

For example, you would be able to continue with phone or postcard reminders because your Notice would describe this as a part of the use of PHI for treatment recall permitted by HIPAA. Use of the PHI for the completion of billing and monthly invoicing on Treatment provided prior to April 14 would be understood to be a part of Payment allowed by HIPAA. If any audit of charts in the office occurs where the PHI is disclosed, patients who have yet to be seen in the office will understand this could be a part of Health Care Operations prior to their next visit. Communicating with all patients-of-record at one time will make it possible to easily document a simple good-faith effort to obtain acknowledgement from everyone.

All new patients would then be provided with the notice in the mail or at the time of their first appointment. This will have the simultaneous benefit of identifying patients whose addresses are no longer correct (use an "address correction requested" envelope) and whose chart should be inactivated.

There will be some serendipitous reactivation as a result of a professional communication of your privacy practices. Some offices will combine the notice with a marketing effort, such as a regular newsletter or to announce the addition of air abrasion or light-accelerated bleaching.

If optimally implemented, I believe sufficient patient reactivation will make the mailing of the Notice profitable, rather than an economic drain. Unfortunately, a majority of health-care providers remain convinced that meeting this requirement can only be a cost center. For them, this opinion will likely be reinforced.

Waiting for the next visit will certainly minimize the expense and distraction of a single-consolidated effort. Prior to receiving treatment at the time of the next visit, a copy of the policy would be provided and a good-faith effort would be made to obtain written acknowledgement.

A sticker should be placed on the chart of each patient to indicate to staff in the future that this patient has received the notification. The notice would be progressively presented to the patients over the next several years as they arrive for treatment.

Use of the PHI information for TPH prior to the patient acknowledging the notice creates a 'no man's land' should a patient want to be opportunistic. Patients might say they did not understand their rights or how their PHI could be used prior to their next visit. I believe the risk is very low, but abuse is nonetheless possible.

Have you survived the third course of this HIPAA progressive dinner? Start now to develop the procedures to protect your patients' PHI. Choose a Privacy Officer to whom you can delegate the ongoing management of your policy. Secure written agreements from your business partners to whom you must disclose PHI as a part of TPH. Notify your patients of your Privacy Practices and their rights to their PHI. Make a good-faith effort to obtain written acknowledgement from each patient that he or she has received your Notice of Privacy Practice.

It's business as usual. Are you ready for some sorbet before the Security Standard course is served?

HIPAA definitions

Protected Health Information (PHI): The HIPAA privacy standards apply to written, oral, or electronic personal health information that can be linked to the individual by name, address, phone number, email address, social security number, chart number, insurance number, etc.

Treatment, Payment, Health Care Operations (TPH): Three categories used by HIPAA describing where PHI can be used after you have made a good faith effort to obtain an acknowledgement from your patients that they have received your Notice of Privacy Practices.

Acknowledgement: Written confirmation of receipt and review of the Notice of Privacy Practices. This can be obtained as an electronic message, a signed form, or a business-reply card. As proof of mailing, the notice can be documented, together with a response vehicle. This is sufficient evidence of the good faith effort expected by HIPAA, even if the reply is not returned.

Authorization: Written document describing the specific use of PHI outside of the TPH categories where only an acknowledgement is required. Patient grants permission to use their PHI for a specific time period.


Final Draft of the HIPAA Notice of Privacy Practices Law: master.html

General Overview: guidelines/overview.pdf

Department of Health and Human Services Latest Information: whatsnew.html

American Dental Association: HIPAA

Dispelling the Myths

Here are some frequently asked questions, answered by HIPAA authors, found on the Office of Civil Rights, Department of Human Services' HIPAA Web site.

Q: Can you use sign in sheets? A: Yes

Q: Can you place charts in a holder on the wall or door outside the operatory? A: Yes

Q: Do you need to remodel to provide soundproof private operatories? A: No

Q: Can you call out patient names in the reception area? A: Yes *, Pages 6-8

Q: Are prior authorizations required for a dentist to give a patient a toothbrush? A: No

Q: Are appointment reminders allowed under the HIPAA Privacy Rule without authorizations? A: Yes *, Page 10

Q: Can recall messages be left on patient answering machines or mailed by postcard? A: Yes

Q: If a patient wants you to send reminders in an envelope should you accommodate their request? A: Yes *, Page 6

Q: Can you use information regarding specific clinical conditions of individuals in order to communicate about products or services for such conditions without a prior authorization? A: Yes *, Page 12

Q: If a patient wants copies of their dental records and x-rays may you charge them a reasonable fee? A: Yes *, Page 1

Q: Does your entire Notice of Privacy Practice need to be posted in the office for patients? A: Yes *, Page 9

Q: Can you mail a copy of PHI to a specialist without authorization? A: Yes *, Page 10

Q: Can a patient have a friend or family member pick up a prescription? A: Yes *, Page 7
