Answers To 26 HIPAA Dental Questions You Were Afraid To Ask

Why HIPAA?

Previous to HIPAA being enacted, some employees would lose benefits when changing jobs. In 1996 HIPAA was originally signed into law to help solve this problem. Since then, of course, HIPAA has grown to encompass more than the transition of benefits. The original goal was to protect workers from losing health insurance in between jobs and reduce healthcare fraud.

Today, as almost all patient records are stored and shared digitally, HIPAA has developed and adapted to continue to protect patient health information. In fact, it’s probably best known today as a measure to protect patient confidentiality. This means that this act of legislation has important ramifications for marketing, education, and data storage on websites and apps.

What Is HIPAA?

HIPAA stands for Health Insurance and Accountability Act. It’s a federal law to protect patient health information from being disclosed without the consent of the patient. All covered entities must ensure that their collection, storage, and use of patient information adhere to federal standards enumerated under HIPAA. Today, the Department of Health and Human Services (HHS) oversees the proper enactment of HIPAA regulations.

What Is PHI?

PHI stands for Protected Health Information and is any identifiable information about the health status or provision of care for a patient. PHI might include facial images, voice prints, name, address, insurance coverage eligibility, etc. This is important to understand because certain patient information can be shared without explicit consent, as long as it isn’t information that can lead to the identification of the individual. This allows generalized healthcare research and data collection to continue unobstructed. 

Some information could be called de-identified PHI. This refers to health information that’s been stripped of any personal identifying details, and it is not protected under HIPAA. However, it’s essential to take a look at the whole data set before you can call something “de-identified PHI.” Oftentimes, health data is sorted by age, gender, race, date of care, insurance provider, etc, and so even when names are removed, identifying information remains.

What Are The Top 5 Most Common HIPAA Dental Violations?

HIPAA violations reach into the tens of thousands and have maximums penalties of $1.5 million per violation. Dentists should take action to mitigate all violations whether they are large or small. The most common dental HIPAA compliance violations are:

• A data breach or being hacked
  • PHI is a popular target for hackers, as it often has information that can be used for identity theft. As such, many healthcare businesses must take extra precautions to protect digital and physical information. While many programs that you might use for data collection, storage, and sharing have their own HIPAA-compliant firewalls and access protections in place, it’s up to you to understand these guidelines and train your team on them. You’ll also need to take extra measures with your own digital assets, including a HIPAA compliant website and any tools used internally for record-keeping. HIPAA outlines specific safeguards that must be enacted in both digital records and physical documents. 
• Losing a device that has PHI on it
  • While even the most vigilant practice can be the victim of a break-in, there are plenty of lost devices that are simply the result of negligence. Keep any devices that have access to PHI in a secure location, follow specific lockup guidelines at the end of the workday, and ensure that employees aren’t accessing secure files from their personal devices. 
• Dishonest employees accessing files
  • HIPAA requires that employees are given training regarding PHI access and requirements. However, there’s still the risk that someone could either accidentally or deliberately access and share or abuse PHI. Avoid storing passwords on sticky notes in the clinic, and restrict administrative access to files and programs holding PHI to a select few. 
• Releasing patient information after an authorization period expires
  • In order to be HIPAA compliant, all patient authorization of personal information must have a set expiration date, or an expiration event (i.e. if the patient is no longer a patient at the clinic or has requested that their records be removed or transferred). If patient information must be accessed or shared after the expiration date, then it’s necessary to obtain permission once again. 
• Incorrect disposal or filing of PHI documents
  • Documents or files containing PHI must be disposed of in a certain manner. HIPAA outlines specific ways to dispose of physical documents (shredding or burning) and digital documents (erasing through magnetic exposure, overriding with new files, and physically destroying hardware) alike. Likewise, data must be stored and filed securely. 

What Constitutes A Breach Under HIPAA?

A breach of HIPAA is an impermissible disclosure of a patient’s PHI. In section 164.402 of the HIPAA Survival Guide, it states, “The acquisition, access, use, or disclosure of protected health information in a manner not permitted which compromises the security or privacy of the protected health information.”

What Is Not Considered A Breach Of HIPAA?

If a patient’s information is shared accidentally it is not considered a breach of HIPAA. An example would be a dentist sending a text message unintentionally. The text would not be considered a breach as long as the dentist is able to prove that the text was sent accidentally and that it does not happen often.

What Must a Dental Practice Do If There’s Been a Breach of PHI?

According to the breach notification rule of HIPAA, if a practice learns that PHI under their care has been put at risk of exposure, they must take specific steps. 

1. Do a risk assessment to determine…
   1. What information was put at risk, and the likelihood that it could be used for re-identification
   2. The party that received the unauthorized disclosure
   3. Whether the information was received, viewed, downloaded, etc.
   4. What steps have been done to decrease the continued risk
2. Inform affected individuals, including those patients whose information has been shared with an unauthorized party
3. Inform the media, if the breach affects more than 500 people within a certain area
4. Fill out a breach report form on the HHS website

Are You Allowed To Take A Photo Of A Patient Without Consent?

Images of patients’ faces are clearly classified as PHI. Patient photos taken without consent are a direct violation of HIPAA. Even a patient in the background of a photo is a violation. If any identifiable photo is taken there must be consent. Dentists abiding by HIPAA regulations will use a dental HIPAA consent form to receive authorization to take and use patient photos.

A dental HIPAA consent form should include the following information: 

1. What the image/information will be used for (i.e. social media, marketing, case studies, educational materials, etc.) 
2. Notification that the patient has the power to revoke permission for this information to be shared up to a certain date
3. Exactly what media and information the patient is releasing 
4. The parties involved, including both the patient and your practice

What Are The Three Rules of HIPAA?

The three rules of HIPAA are the privacy rule, the protection rule, and the breach notification rule. Of course, each “rule” encapsulates a large number of specific standards and regulations. However, breaking down this complicated piece of legislation into three “rules” is a good way to discuss the salient points. 

The privacy rule identifies ways to protect PHI, or Protected Health Information. PHI may include patient names, credit card information, social security numbers, insurance data, and personal identifying information such as facial images, addresses, or even voice prints. As PHI can be a frequent target for identity theft and hackers, the standards outlined in HIPAA ensure that entities safeguard this information as well as possible. It sets guidelines regarding who can access and share the information, empowers patients to request copies of their own information as needed, and sets baseline security measures and safeguards that covered entities have to implement. 

The security rule sets standards around the safe collection, storage, transfer, and destruction of electronic patient data. The way that this differs from the privacy rule is that the security rule applies specifically to electronic PHI, whereas the privacy rule encompasses data stored on paper, voice recordings, etc. The security rule prioritizes new technologies and leaves room for innovation while still protecting patient information. Safeguards for electronic PHI usually include physical rules (regarding workstations, devices, etc.), administrative rules (appointing a security officer, giving staff training, and managing logins and digital access), and technical safeguards. 

The breach notification rule states that any covered entity that suspects a breach of PHI must notify impacted individuals, the media, and The Department of Health and Human Services. They must also conduct an investigation and risk assessment to determine the scope of the breach, who the information was shared with, and to what degree. 

What Information Must I Share With Patients Regarding Their Rights Under HIPAA?

Every new patient in your office must sign an authorization form in order for you to store, use, or share their collected information. You should also have a notification of privacy practices (NPP) informing patients about your conduct and procedures with their information. NPPs need to have specific regulatory language dictated by HIPAA and inform patients about their right to access information. The HHS provides boilerplate forms that can be modified according to your needs. 

Note that additional authorization must be obtained for any additional data that you collect from patients and utilize in your practice. For example, if you are collecting case study information or imagery to be used for advertising purposes, you’ll want a HIPAA-compliant patient consent form that you can keep on file.

Does HIPAA Apply To Organizations Outside The USA?

No. HIPAA is regulated by the federal government and only pertains to PHI data held by organizations within the USA.

Are US Citizens Living Outside The USA Covered By HIPAA?

If the person is part of a non-US healthcare company, then they are not covered by HIPAA. Conversely, if a person is living in the USA and is not a citizen, they are covered by HIPAA.

Can You Talk About A Patient Without Saying Their Name?

The short answer is No. Talking about a patient without purpose is never okay and clearly violates the privacy rule if the information shared can be identifiable. 

Dentists must be extremely careful because any information that could be directly or indirectly identified is not allowed. But dentists often discuss and share X-rays, and lab tests, with colleagues, a clear violation if the patients are identified, yet oral health care is improved from that cooperation. 

Sharing PHI with colleagues is an area where technological abilities have far outpaced regulation, and risk managers take an extremely conservative approach. Check out this article about how to reduce HIPAA disclosure risk.

What Patient Information Can Be Shared Without Violating HIPAA?

It is permitted to disclose PHI to other health providers if the information contained  is about an individual’s treatment, case management, and coordination of health care.

What Is A Covered Entity?

In the HIPAA Privacy Rule a covered entity can be a health plan, a clearinghouse, or any person or organization that electronically transmits PHI in connection with patient care.

Are Dental Offices Covered Entities Under HIPAA?

In general, it can be useful for all dental practices to assume that HIPAA applies to them and take proper security measures. However, the truth is that a small sliver of dental practices may not be covered by HIPAA. They only count as covered entities if they electronically transmit information that the HHS has released specific standards for. This includes most patient data used to coordinate with insurance companies and submit claims, including patient eligibility, claims status, enrollment, etc, if it is shared electronically. If a dental office shares information in this way, they classify as a covered entity and must adhere to all HIPAA standards; not just the ones applying to communication with insurance providers.

What Is A Business Associate?

A business associate according to HIPAA is any person or entity that performs certain functions that involves the use or disclosure of PHI on behalf of a covered entity.

What Is A Business Associate Agreement?

HIPAA requires covered entities to work with persons or organizations who assure protection of PHI. A Business Associate Agreement is a document provided by the business associate to the covered entity stating HIPAA compliance and assurance of correct handling of PHI.

Do Business Associate Subcontractors Need To Sign A BAA?

A business associate subcontractor is a person or organization that works on behalf of a business associate and comes in contact with PHI. All business associate subcontractors must provide the covered entity with a signed BAA.

What Is The Difference Between Hippa And HIPAA?

It’s most likely a typo.

How Long Do HIPAA Dental Related Files Need To Be Saved?

Under HIPAA rules and regulations covered entities must keep files for a minimum of 6 years from the date of creation or the last effective date whichever comes later.

How Should A Dental Practice Destroy Patient Records?

HIPAA states that there are only two ways to dispose of PHI: shredding or incinerating. It’s essential that records are not disposed of in dumpsters or facilities that are accessible to the public. In the case of digital records, the HHS recommends three methods to safely dispose of patient records: clearing (i.e. overwriting media), purging (i.e. exposing hardware to a strong magnetic field), or destroying the hardware itself.

How Do Patients Report HIPAA Dental Violations?

It is not possible for a patient to sue for violations of PHI. Nor can a patient seek damages if harm has resulted from a HIPAA violation. 

Patients file complaints electronically via the Office for Civil Rights (OCR) Complaint Portal.

How Long Do Patients Have To File A HIPAA Violation Complaint?

Patients have up to 180 from the discovery of the violation to take action. Extensions may be granted in some situations.

Who Sues Your Dental Practice When A Violation Occurs?

If a patient files a complaint with the Office for Civil Rights and the complaint is investigated and found to be substantial then the patient is allowed to hire an attorney to represent the case.

What Should A Dental Practice Do If They Receive A Violation?

1. Dentists need to be prepared to deal with a HIPAA complaint. The complaint must be dealt with quickly and efficiently. Take these steps to ensure that you’re handling the complaint properly. 
   1. Request that the complaint be made in writing
   2. Make sure that your offices Privacy Officer receives the complaint
   3. Your practice Privacy Officer should find out what PHI was involved
   4. The cause of the violation should be established and action to mitigate future risk implemented
   5. Update of policies and procedures regarding HIPAA regulations
   6. Retrain staff if necessary
   7. Determine if the breach is a reportable violation

   If the violation is a reportable incident, do the following:

   1. Send in a report to the OCR describing the breach
   2. File the breach with the appropriate state attorney general
   3. Notify all individuals associated with the case by mail

About the Author: Adrian Lefler is a dental marketing expert and a founding member of My Social Practice. Adrian is passionate about helping dentists grow through dental digital marketing strategies. He can be reached at 877-316-7516.