HIPAA and Dental Office Procedures

Dentist offices are subject to the Health Insurance Portability and Accountability Act (HIPAA) of 1996
HIPAA was enacted originally to address the electronic transmission of health information. However, in 2001, the privacy rule was created by the Department of Health and Human Services, the entity responsible for monitoring compliance with HIPAA. In addition, HIPAA requires security to be in place in the event that protected health information is disclosed.

The HIPAA Privacy Rule
HIPAA is applicable to protected health information. Protected health information is any oral or written information about a patient that relates to the physical or mental condition of a patient. HIPAA applies to "covered entities," which are statutorily defined as those entities which receive, use or are exposed to protected, private patient health information. Therefore, dentists offices are included in HIPAA's reach.

HIPAA Privacy Rule Compliance

In order to comply with HIPAA, it is necessary for a dental office to take measures to protect the patients' protected health information. One routine dental office procedure to comply with HIPAA includes having patients sign a document which states who can receive their health information. Furthermore, the dental office must create and maintain a HIPAA privacy policy and procedures in order to comply with the privacy rule. In addition, the office usually presents an explanation of the privacy policies and procedures for the patients' review and acknowledgement.

HIPAA Security Rule

Pursuant to HIPAA, there must be security efforts by a covered entity which handles the electronic storage and transmission of patient protected health information. This is known as the HIPAA security rule. Under this rule, a provider has to provide HIPAA employee training in the handling of patients' electronic records. In addition, the computer system must be password protected, contain back up emergency disaster plans and firewall protection. Therefore, a dental office must take steps to ensure the office complies with this requirement.

HIPAA and Paper Transactions

It is important to note that a dental office may possibly be exempt from HIPAA. If a dentist handles insurance or other business transactions on paper, that transaction is not subject to the privacy rules. However, when the paper is exchanged or input into electronic form at some point, such as where the paper is submitted to an insurer, then the transaction is subject to HIPAA.

HIPAA Enforcement

In 2006, the final enforcement rule for HIPAA was released. This enforcement rule indicates the procedure for complaints of HIPAA violations and provides for civil monetary penalties that can be assessed for violations of HIPAA. The United States Department of Health and Human Services, in conjunction with other state and/or federal departments administer the enforcement of HIPAA.

Why Was HIPAA Enacted?


Privacy—it’s something we all value, even if there’s nothing particularly sensitive in our personal information that could possibly be used against us. Just the same, we like to know that certain infor- mation will be disclosed only to the people to which we choose to disclose it. And patients of those working in health care services want to know that they can trust that their information will not be shared with anyone who does not have a legiti- mate need to know it. As of April 14, 2003, the management of patients’ information will be held to some new pri- vacy standards. These standards, part of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, will require some extra work on the part of dental offices, although opinions vary on just how difficult this work will be. “They go much further than what patients had in the past, as far as rights,” says Los Angeles- based attorney Scott A. Edelstein, Esq. “Certainly, implementing them is burdensome on practition- ers—there’s no doubt about it. But I have the feel- ing the burden is going to be short-term.” Once health care providers have all their policies and sys- tems in place for adhering to the stan- dards, the work will be largely done, adds Edelstein, a partner in the firm of McDermott, Will, and Emery. When Mary F.H. Baughman, RDH, MA, who practices in San- dusky, Ohio, was assigned to be HIPAA coordinator for one of the two offices she works in, she says that she was told, “It [will be] a massive job requiring many hours.” Her experience, so far, has turned out some- what different. “The many hours are just reading all the advice and information.”

What is the Impact of HIPAA’s Privacy Rule?

Health care providers have a strong tradition of safeguarding private health information (PHI).
In today’s world, however, with information broadly held and transmitted electronically, the Privacy Rule provides clear standards for the protection of PHI. The Rule requires certain activities to ensure this confidentiality. They include: Notifying patients about their privacy rights and how their information can be used. Adopting and implementing privacy procedures for its practice. Training employees so that they understand the privacy procedures. Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed. Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.