HIPAA FAQ

1. Do I have to comply with HIPAA?

HIPAA directly applies only to covered entities. A health care provider becomes a covered entity by conducting HIPAA standard transactions electronically and/or by having someone do so on the provider’s behalf. (See the next question for a description of those transactions.)

The biggest HIPAA trigger in dentistry is the submission of electronic claims. HIPAA applies to dentists who submit claims electronically. It also reaches entirely paper offices that submit paper claims to a billing service that converts the paper into electronic format and submits the claims electronically for the dentist. The simple use of an old-fashioned, stand-alone fax machine by an otherwise all paper office does not trigger HIPAA, because faxes are not HIPAA standard transactions (more on that below!).

HIPAA gives the government enforcement authority over covered entities. In other words, only covered entities are directly subject to government sanctions, in the form of fines and penalties (including jail time), for violating the law.

But that does not mean that non-covered entity providers are HIPAA free and clear. Paper-only offices may wind up binding themselves contractually to abide by HIPAA, e.g., by signing a participating provider agreement with an insurance company that requires HIPAA compliance. There is also the possibility that HIPAA may be viewed by the courts as a standard of care with which all providers must comply, although the jury is still out on whether private suits by patients will be allowed. Even if HIPAA does not become a standard of care, enhanced awareness of privacy rights caused by HIPAA might lead some patients to sue alleging violation of state privacy laws.

2. What are the standard transactions?

There are several electronic transactions for which HHS has adopted standards. As stated above, the transaction that would be most likely to render a dentist a covered entity is electronic claims submission. Also included in the definition of this transaction is the electronic submission of "encounter information," if the doctor's reimbursement from a health plan is not based on claims for specific services. There are also separate standards for electronic inquiries about the status of a claim.

Another common electronic transaction for which HHS has adopted a standard is an inquiry from a health care provider to a health plan about a patient's eligibility to receive health care under the plan, a patient's coverage under the plan, or benefits associated with the plan. Similarly, HHS has adopted standards for the electronic transmission of claims or payment information from any entity to a health plan for purposes of determining coordination of benefits.

Other relevant electronic transactions for which HHS has adopted a standard include electronically transmitted requests for authorizations for health care or for authorization to refer a patient to another provider. These transactions generally will be used by doctors who are under contract with an insurance company or health plan which requires them to obtain pre-authorizations for certain procedures, or authorizations to refer a patient to a specialist.

Finally, HHS has developed standards for the electronic transmission of payment, information about the transfer of funds or payment processing information from a health plan to a health care provider's financial institution. HHS also has developed standards for the electronic transmission of an explanation of benefits form or a remittance advice from a health plan to a health care provider.

3. What do I have to do in order to comply?

Among the key steps to take are:

  • Adopt a written office privacy policy;
  • Develop the forms needed to implement your policy;
  • Prepare and prominently post one of those forms: your Notice of Privacy Practices;
  • Provide a copy of your Notice to patients;
  • Make a good faith effort to secure written acknowledgement from patients that they received your Notice;
  • Protect patient privacy by taking reasonable precautions to guard against inadvertent disclosure of protected information and by adhering to HIPAA’s “minimum necessary” rule regarding the use and disclosure of such information;
  • Train your staff about your office’s privacy policy and practices; and
  • Enter into necessary Business Associate agreements.

4. What forms must I give to patients or have them sign?

The key forms for patients are the Notice and Acknowledgement forms.

5. Does my HIPAA Notice have to be so long? And what about state law?

The Notice must contain certain specified federal language, plus additional information in unspecified format about a variety of issues, e.g., patient rights under HIPAA. It can be amended to take into account stricter state privacy law.

6. Must I give copies of my Notice to all patients to take home?

While it is safest to give hard copies of your Notice to all patients to take home, you should at the very least give them to patients who request one to take home. We have asked the government to confirm whether it is acceptable to allow patients to simply read hard copies in the office, e.g., laminated versions that could be handed back for use by the next patient, and to provide individual “take home” copies of the notice only to those patients who request them.

7. If a patient won’t sign the Acknowledgement, can I refuse treatment?

Your obligation is to make a good faith effort to secure the patient’s Acknowledgement of receipt of your Notice. If the patient signs the form, you are good to go. However, patients have a right not to sign the form, and you should not refuse treatment simply because they exercise that right. If the patient refuses to sign the Acknowledgement form, you are still good to go – though documenting your good faith effort is, of course, sound risk management.

8. Do I need to have patients sign a Consent form?

Although proposed versions of the HIPAA privacy regulation contained a privacy consent requirement, the final version did not – only your good faith effort to secure the patient’s Acknowledgement of your Notice is required. However, some dentists may wish to secure consent as well. And some states have stricter laws that require consent before health information is released. A consent form is needed only in those states. Check with your state dental society about what may be required in your state.

9. Who are my Business Associates?

Under HIPAA, dentists must have written contracts with their Business Associates (BAs) to protect patient privacy. The universe of a dentist's potential Business Associates begins with all those third parties with whom the dentist shares protected patient health information (PHI), usually for what HIPAA calls treatment, payment or healthcare operations (TPO); i.e., the routine parts of the practice of dentistry. While that is the starting point, there are some key, big exceptions.

The following are not HIPAA BAs, and no BA contract with them is required:

  • members of the dental practice’s team, including employed dental assistants, hygienists, associates and even temporary agency staff under the dentist’s supervision and control
  • other health care providers, including specialists, physicians, pharmacies, dental labs, etc.
  • other covered entities, in most cases, including insurance plans
  • banks, credit card companies and other institutions processing payments for patients
  • service providers with whom the dentist is not intentionally sharing PHI for TPO but who may inadvertently see patient information, including cleaning services, copy machine repair services, etc.

To identify your BAs, start with all third parties who are performing a service for your office and have access to protected health information you maintain in the course of providing that service. Exclude from that list the exceptions noted above. Voila – you now know with whom you must have a BA agreement!

Most dentists will find that their BAs encompass a wide range of individuals or entities, including their attorneys, accountants, collection agencies, practice management consultants, computer software vendors and others. This may vary from practice to practice. When assessing which of these or other third parties is your BA, come back to the question of whether you are giving that service provider or vendor access to PHI.

10. Do I need a BA agreement with my dental lab?

Under most circumstances, no. The HIPAA privacy regulations contain an exception to the business associate contract requirement for communications with a health care provider about a patient's treatment. Since dental laboratories appear to fall under the definition of "health care provider" contained in the regulations, you will not need to enter into a business associate agreement with your lab, as long as you are disclosing a patient's PHI to the lab for purposes of the patient's treatment.

11. Do I need a BA agreement with a company providing financing to patients?

It depends. Recall that a business associate is a person or entity who is performing a service for your office, and who has access to or may need access to PHI maintained by your office in the course of providing that service. So, the answer to this question will depend on the particular circumstances. If the patient financing company is providing services primarily to the patient, and your office merely assists the patient by helping them send their PHI to the company in order to obtain financing, then you likely will not need a business associate agreement with that company. If, however, the financing company is providing services to your office, and needs or may have access to PHI in the course of providing those services, then you may need a business associate contract with the company.

12. What should I do if my BA won’t sign the BA form or negotiate?

Not surprisingly, some BAs have their own BA agreements, are refusing to sign the BA form, and say they will not negotiate. In that case, sample BA language provided by the government may provide a middle ground. If not, and the BA insists on its own BA agreement, a dentist will want at the very least to be sure that the BA’s proposal satisfies the requirements set forth in HIPAA.

We are also hearing that some BAs are refusing to sign BA agreements at all. They are non-covered entities and free to do so. In such cases, the dentist needs to find a more HIPAA-friendly vendor or service provider – one who will sign on the BA agreement’s dotted line – to provide the services in question.

13. How specific can I be when sending reminder cards or leaving messages on answering machines?

You can still remind patients of appointments – HIPAA intends to promote privacy without impeding patient care. Your Notice form should specifically let patients know that you may send reminder cards, leave reminder messages on answering machines, etc.

Keep in mind that under HIPAA, you must protect patient privacy by taking reasonable precautions to guard against inadvertent disclosure of protected information and by adhering to HIPAA’s “minimum necessary” rule regarding the use and disclosure of such information. The safest course is thus to be discreet in reminders.

Name, date and time of appointment are certainly fine. There’s no need to be so HIPAA-phobic as to leave a voice mail that only says “Someone in this household has an appointment, please call this office at [phone number].” True story. Was it a doctor? A time-share sales pitch?

On the other hand, getting specific about treatment, health conditions, pre-medication, etc. is more likely to be problematic. Someone other than the patient may see the recall card or pick up the answering machine message. If there’s a need to reveal such information, why not put it in an envelope or call the patient back? Another approach: have the patient sign a HIPAA authorization in advance giving you permission to leave specific messages about appointments, even if they may be seen or overheard by others. The authorization would, of course, be in addition to your good faith effort to have the patient acknowledge receipt of your privacy notice – the step that frees you to relate basic recall information (name, date, time) in the first place.

14. How does HIPAA affect my dealings with patient surrogates or representatives, e.g., non-custodial parents, grandparents, nannies, friends?

First, if you are dealing with minor children, the HIPAA privacy regulations essentially defer to state law in determining who will be the child's "personal representative" authorized to access and make decisions about the child's PHI.

Resolving this question can be tricky when the child's parents are not married and only one parent has custody. If there is one custodial parent, he or she likely will be the appropriate person to sign the acknowledgement of receipt of notice of privacy practices on behalf of the child. However, if a person other than the custodial parent brings the child in for an appointment, it is sometimes less clear whether the child's PHI may be discussed with that person. Generally it would be best to obtain permission from the custodial parent or parents before talking to a third party, such as another relative or a nanny, about that child's health care. If two parents who are not married are involved in a dispute over access to information about their child's health care, you should defer to your state's law.

Generally, if your state's law would allow a parent or other person to make decisions about the child's health care, then that parent or other person may also have access to and make decisions about the use of the child's PHI. When in doubt about questions of state law, consult your state dental association or the lawyer for your practice.

State law will also affect your dealings with an adult patient. Typically, unless the patient has a court-appointed guardian or has legally designated another person to make health care decisions for him or her, that patient has the right to make decisions about his or her health care information, regardless of any disabilities or communication difficulties. Of course, if you feel that it would be helpful to involve a family member or friend in discussions of the patient's health information, ask the patient if this would be acceptable and proceed if this is OK with the patient. However, never assume without asking that, merely because a patient is older or is facing some challenges, it is permissible to disclose that patient's protected health information to a relative, friend or caregiver.

15. What if the patient's spouse, or an adult patient's parent, is responsible for paying the patient's bill? What information can I disclose to the person responsible for payment?

HHS has made it clear in guidance that health care providers and their business associates may disclose PHI to persons other than the patient who are responsible for payment, as long as the disclosures are limited to the minimum amount of information necessary to obtain payment. In making such disclosures, health care providers also must honor any reasonable requests for confidential communications and any agreed-to restrictions on the use or disclosure of the patient's protected health information. It would be a good idea for you to state in your notice of privacy practices that if a patient designates another person as responsible for payment, you will disclose the minimum amount of PHI necessary to obtain payment from that person. If the patient objects to that disclosure, inform the patient that he or she will have to choose between allowing you to disclose information in order to obtain payment, or paying for the services himself or herself.

16. Do I have to give a patient copies of his or her records if the patient hasn't paid his or her bill?

Yes, under the HIPAA privacy regulations and quite possibly under your state law as well. The HIPAA privacy regulations provide that patients have a right to inspect and obtain copies of their records. There are exceptions for psychotherapy notes and certain records maintained by laboratories, along with information compiled in reasonable anticipation of, or for use in, legal proceedings. A healthcare provider also may deny a patient's request for access to their records if the records requested were obtained from someone other than a health care provider under a promise of confidentiality, and the access requested would be reasonably likely to reveal the source of the information.

There are a few other possible reasons for denying access to records, but these reasons generally would apply to mental health records, and the decision to deny access would be subject to review by another health care professional.

If none of the reasons for denying records listed above apply, the privacy regulations require a dentist who is a covered entity to make records available to a patient who requests them. The covered entity may impose a "reasonable, cost-based fee." This fee must be limited to the costs of supplies and labor for copying, postage (if the copies are mailed), and preparing an explanation or summary of the records, if the patient agreed to receive a summary rather than a copy of the records.

Of course, dentists must also make sure that they are complying with applicable state law requirements for releasing patient records. Keep in mind that the federal HIPAA privacy regulations generally preempt state law, unless state law provides greater protection to the privacy of patient health information, or gives patients greater access to their health information. So, in this case, if the law in a dentist's state requires dentists to give patients copies of their records at a lower cost than the "reasonable, cost-based fee" permitted by the HIPAA privacy regulations, the dentist would have to make the records available for the lower fee.

17. What if I think the patient is going to sue me? Do I still have to give him or her copies of the records?

Yes. You may have noticed that the answer to the question above includes an exception for information compiled in reasonable anticipation of, or for use in, legal proceedings. However, this exception refers to information or documentation compiled in addition to a patient's dental record, in anticipation of or for use in legal proceedings.

18. I have a patient who is moving out of town and has asked me to send her records to a dentist in the other town. I'm happy to do so, but do I need to get some sort of HIPAA release before I can do this?

Generally, the HIPAA privacy regulations would not require you to obtain a written authorization from a patient in order to transfer their records to another health care provider for purposes of treatment. However, your state law may require you to obtain a release under these circumstances. Check with your attorney or your state dental association.
