Step aside OSHA, CDC, EPA, FDA, and BDE. The federal Health Insurance Portability and Accountability Act, known as HIPAA, has provided us yet another acronym to add to our bowl of alphabet soup. While this one has more letters than the rest, it could have more ambiguity than all the others combined!
TWO-ARMED HIPAA
Before you begin to try to understand how to achieve compliance, let us first identify the two arms of HIPAA regulation: the Transactions and Code Sets standards and the Privacy standards.
Under the Transactions and Code Sets arm, dental procedures are to be reported using the new CDT-4 codes, which took effect on Jan. 1, 2003. If you need a copy of the CDT-4 codes, they are available from ADA salable materials, (800) 947-4746. The compliance deadline for the transactions standards was set for Oct. 16, 2002. However, dentists were given an opportunity to extend that deadline to Oct. 16, 2003, provided they filed an extension request by Oct. 15, 2002.
Step 1: Develop a Written Policy
Your written policy or plan should describe how you and your team will meet HIPAA compliance criteria and how protected health information (PHI) will be evaluated and monitored as it is obtained and provided by your office.
Step 2: Assign A Privacy Officer and Contact Person
Identify an individual who can be accountable for overseeing operations as your Privacy Officer. This individual should have a genuine interest in patient privacy. Of equal importance, they should be well organized, articulate, and willing to accept responsibility for supervising compliance. The Privacy Officer receives patient requests for access to their PHI or for amendment of their PHI. The officer is responsible for maintaining records of complaints and can act as (or appoint) a Contact Person to receive complaints. If the Privacy Officer also serves as the Contact Person, then they must be professionally mature and able to keep their emotions out of the discussion. This is of particular importance when dealing with patient-related complaints.
Step 3: Team Training
Training is a very important aspect of HIPAA compliance. HIPAA requires that every member of the workforce, employers and employees alike, be trained in your privacy practices by April 14, 2003. If an employee violates the compliance requirements, an incident report is to be filed, and disciplinary action should follow to ensure that the behavior is not repeated.
Step 4: Business Associate Safeguards
All business associates (BAs) must give the healthcare provider assurances that PHI will not be abused or used for anything other than treatment, payment, or health care operations (TPO). A business associate is a person or entity that performs, or assists in the performance of, a function or activity involving the use or disclosure of PHI, such as accountants, consultants, financial institutions, management consultants, advisors, computer software vendors, answering services, dental laboratories, and temporary employees. Your own employees are not business associates, since they are members of your workforce.
This requirement can be met through a signed agreement with every BA. Agreements must be signed by April 14, 2003. The agreement must stipulate that the BA is willing to "open the books" to the Department of Health and Human Services (HHS) if a privacy violation is suspected.
Step 5: Posting of HIPAA Privacy Policy
All healthcare providers must post their HIPAA Privacy Policy Notice in a conspicuous place for patient viewing.
Step 6: Patient Acknowledgement of Privacy Policy
HIPAA requires healthcare providers to obtain patient acknowledgement (acceptance is not required, only acknowledgement) of the healthcare provider's privacy policy. This requirement can be met by having each patient acknowledge receiving a copy of the written privacy policy by signing to that effect. If the patient refuses, a note must be made in the patient's record to document the refusal.
Step 7: Self Audits
Periodically, healthcare providers need to perform self audits. If at any time the healthcare provider or representatives find any violations, they are to be mitigated as soon as possible to limit further harm to PHI.
Step 8: Authorization and Record Keeping Logs for Use of PHI for Other Than TPO
In the event that a healthcare provider intends to use or disclose PHI for anything other than TPO (treatment, payment, or health care operations), the healthcare provider is required to obtain the patient's written authorization. In addition, the healthcare provider is required to keep a log that records who used or received the information, how it was used, and why it was used. The log, along with the authorizations, is to be kept on file for 6 years from the time of use and/or authorization.
DEBUNKING HIPAA MYTHS
Use common sense! HIPAA can only require that you use reasonable safeguards and good faith efforts to secure patient acknowledgement of receipt of your privacy notice.
HOW DOES THE PRIVACY RULE BENEFIT PATIENTS?
The privacy rule enables patients to find out how their information may be used and what disclosures of their information have been made. Likewise, it calls upon healthcare professionals to use appropriate safeguards to protect healthcare information. In general, the privacy rule sets boundaries by limiting the release of information (to a reasonable minimum) for the specific purpose of the request.
The privacy rule also provides patients with the right to examine and obtain a copy of their own health records and request corrections.
HOW DOES THE PRIVACY RULE THREATEN HEALTHCARE PROVIDERS?
The privacy rule is enforced by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS). Violators can be held accountable with civil penalties (fines) and, for knowing violations, criminal penalties (including jail).
Training
Get your training program in order now! Train your team in HIPAA privacy and develop written privacy policies that describe how you and your team will handle PHI. Assign a Privacy Officer to ensure appropriate safeguards, audit transactions, and monitor patient-related communications. Likewise, have the Privacy Officer act as the Contact Person for handling patient complaints. Be sure to post your Privacy Policy and obtain each patient's signature acknowledging receipt of it. Make sure all your business associates have signed a BA agreement by April 14, 2003, stipulating that they will protect the privacy of PHI. If you intend to use PHI for anything other than TPO, be sure to obtain prior written authorization from the patient as well.
CONCLUSION
Government regulations affecting healthcare providers can admittedly add to the burden of managing a dental practice. However, in the case of HIPAA, aside from the inconvenience of posting notices and obtaining signed acknowledgements, those who are willing to employ reasonable safeguards and use good faith efforts to comply can only enhance their professionalism as it relates to patient privacy. Such compliance is an appropriate course of action for those who continue to support excellence in patient care.
*Privacy Policy Notices, Forms and Authorizations are available through ADA salable materials (800) 947-4746; and AADS (800) 927 6101.
Other Resources
•American Dental Association website: http://www.ada.org/goto/hipaa.
•AADS (charts and forms) website: http://www.aads.com.
•National Dental EDI Council website: http://www.ndedic.org/.
•US Department of Health and Human Services website: http://aspe.os.dhhs.gov/admnsimp/.
Ms. Simon is a certified management consultant, national speaker, published author, and president of Simon Says Solutions, which is a practice management firm based in Scottsdale, Ariz. As a member of the National Speakers Association and the Institute of Management Consultants USA, she has earned the mark of CMC, which represents evidence of her certification and the highest standards of consulting and adherence to the ethical canons of the profession. For over 2 decades, Ms. Simon has dedicated herself to coaching dental professionals in solution based practice management systems. She can be reached at (800) FON-TEAM, or e-mail risa@simonsayssolutions.com, or visit the Web site at www.simonsayssolutions.com.