Step aside OSHA, CDC, EPA, FDA, and BDE. The federal law for the Health Insurance Portability and Accountability Act, known as HIPAA, has provided us yet another acronym to add to our bowl of alphabet soup. While this one has more letters than the rest, it could have more ambiguity than all others combined!
Before you begin to try to understand how to achieve compliance, let us first identify the two arms of HIPAA regulation: the Transactions and Code Sets standards and the Privacy Standards.
Step 1: Develop a Written Policy
Your written policy or plan should describe how you and your team will meet HIPAA compliance criteria and how PHI will be evaluated and monitored as it is obtained and provided by your office.
Step 2: Assign A Privacy Officer and Contact Person
Identify an individual who can be accountable for overseeing operations as your Privacy Officer. This individual should have a genuine interest in patient privacy. Of equal importance, they should be well organized, articulate, and willing to accept responsibility for supervision of compliance. The Privacy Officer would receive patient requests for obtaining access to their PHI or requesting an amendment to their PHI. The officer would be responsible for maintaining records for complaints and can act as (or appoint) a Contact Person to receive complaints. If the Privacy Officer shares the role of the Contact Person, then they must also be professionally mature and non-emotional. This is of particular importance when dealing with patient-related complaints.
Step 3: Team Training
Training is a very important aspect of HIPAA compliance. HIPAA requires that all employers and employees alike be provided training in Privacy Etiquette by April 14, 2003. If an employee violates compliance requirements, an incident report is to be filed, and disciplinary action should follow to ensure that the behavior is not repeated.
Step 4: Business Associate Safeguards
All business associates (BAs) must provide healthcare providers with safeguards that ensure PHI will not be abused or used for anything other than treatment, payment, or operational services (TPO). A BA is a person or entity that performs, or assists in the performance of, a function or activity involving the use or disclosure of PHI, such as accountants, consultants, financial institutions, management consultants, advisors, computer software vendors, answering services, dental laboratories, and temporary employees. Employees and associates are not included, since they are members of your workforce.
This requirement can be met through a signed agreement with all BAs. Agreements must be signed by April 14, 2003. The agreement must stipulate that the BA is willing to “open the books” to Health and Human Services (HHS) if a privacy violation is suspected.
Step 7: Self Audits
Periodically, healthcare providers need to perform self audits. If at any time the healthcare provider or representatives find any violations, they are to be mitigated as soon as possible to limit further harm to PHI.
Step 8: Authorization and Record Keeping Logs for Use of PHI for Other Than TPO
In the event that a healthcare provider intends to use PHI for anything other than TPO (Treatment, Payment, or Operational Services), the healthcare provider is required to obtain patient authorization. In addition, the healthcare provider is also required to keep a log that discloses who used the information, how it was used, and why it was used. The log, along with the authorizations, is to be kept on file for 6 years from the time of use or authorization.
DEBUNKING HIPAA MYTHS
Use common sense! HIPAA can only require that you use reasonable safeguards and good faith efforts to secure patient acknowledgement of receipt of your privacy notice.
HOW DOES THE PRIVACY RULE BENEFIT PATIENTS?
The privacy rule enables patients to find out how their information may be used and what disclosures of their information have been made. Likewise, it calls upon healthcare professionals to use appropriate safeguards to protect healthcare information. In general, the privacy rule sets boundaries by limiting the release of information (to a reasonable minimum) for the specific purpose of the request.
The privacy rule also provides patients with the right to examine and obtain a copy of their own health records and request corrections.
HOW DOES THE PRIVACY RULE THREATEN HEALTHCARE PROVIDERS?
The privacy rule is enforced by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). HHS can hold violators accountable with civil (fines) and criminal (jail) penalties.
Government regulations affecting healthcare providers can admittedly add to the burden of managing a dental practice. However, in the case of HIPAA, aside from the inconvenience of posting notices and obtaining signed acknowledgements, those who are willing to employ reasonable safeguards and use good faith efforts to comply can only enhance their professionalism as it relates to patient privacy. Such compliance is an appropriate course of action for those who continue to support excellence in patient care.
• American Dental Association website: http://www.ada.org/goto/hipaa.
• AADS (charts and forms) website: http:www.aads.com.
• National Dental EDI Council website: http://www.ndedic.org/.
• US Department of Health and Human Services website: http://aspe.os.dhhs.gov/admnsimp/.