Four Areas for Front Office Team Members to Know.
HIPAA, formally known as the Health Insurance Portability and Accountability Act, was signed into law in 1996. According to the California Department of Health Care Services, HIPAA’s main functions are the following: provide the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs; reduce health care fraud and abuse; mandate industry-wide standards for health care information on electronic billing and other processes; and require the protection and confidential handling of protected health information. Since its inception, many provisions have been added to HIPAA, including the privacy rule, the security rule, the enforcement rule, the omnibus rule, and the breach notification rule.
All medical practices have the responsibility to protect health information. Although HIPAA involves a lot of details and can get quite complicated, every dental practice needs to adhere to it. For any dental practice in violation of HIPAA, there are high-stakes ramifications. The U.S. Department of Health and Human Services (HHS) is the enforcement agency for HIPAA. HHS can levy criminal and civil penalties on dental practices that don’t follow the rules. According to the online HIPAA Journal, a minimum fine is $100 per violation, but the penalties can soar up to $50,000 per violation, with a maximum penalty of $1.5 million per year, depending on the level of negligence.
In 2009, after dental and medical practices began using electronic methods to store patient information, the HITECH Act (a.k.a. the Health Information Technology for Economic and Clinical Health Act) was passed, which mandated protection of electronically stored patient information.
Understanding HIPAA and HITECH can be confusing. A lot of acronyms are often invoked when discussing HIPAA-related concerns. In an effort to simplify matters, I’ve included a chart to keep handy as you’re brushing up on privacy laws.
HIPAA training and awareness should be an ongoing activity. Many dental offices struggle to comply with HIPAA regulations, and some are not aware of all of them or do not have a dedicated team member responsible for maintaining compliance. HIPAA requires that dental offices have both a Privacy Officer and a Security Officer. The American Dental Association (ADA) suggests that every dental practice appoint one or two team members to fill these roles.
Privacy and security designees are responsible for helping all team members maintain HIPAA Privacy, Security, Omnibus Rule, and Breach Notification compliance. In addition to training new team members within a reasonable amount of time, periodic re-training helps ensure compliance and reduces the likelihood of a breach. According to the ADA, all members of a covered entity’s (CE) workforce are required to receive training in policies and procedures.
As technology continues to evolve, so do the requirements of HIPAA and the HITECH Act. As a result, dental practices must review their compliance programs regularly. Linda Harvey, president and founder of the Institute for Dental Compliance and Risk Management in Jacksonville, FL, explains, “This is an exciting time in dentistry with all the technological and scientific advancements. Yet when coupled with an ever-changing regulatory landscape, it creates unknown risks and new responsibilities.”
Fortunately, several resources are available to help, including continuing education classes, dental industry specialists, and online information. For example, the ADA offers a “Complete HIPAA Compliance Kit,” which includes a manual, training resources, and updates.
How can dental offices protect themselves and their patients’ protected health information (PHI)? Here are four areas for front office team members to be aware of, along with suggestions for compliance.
1. NEW PATIENTS
Nearly every dental office in the United States gives patients a privacy statement with new patient paperwork on their first visit. But does every dental office understand what is required to keep that information safe?
When new patients call the practice, front office team members have the goal of getting them through the door. To do so, team members gather personal information from the patient, including his or her name, phone number, and mailing address—all of which is considered personally identifiable information (PII).
Consider how PII is received and stored in your dental practice. Is this information entered into a dental management software system, or are notes handwritten on an old-fashioned piece of paper? Both methods must be protected. If you are using a software system, access to the computer where personal data is stored should be password-protected.
When the computer is not in use, team members should immediately log off. Team members must not only back up data but also use encryption for the data in case of a breach by hackers (see story, “Cybersecurity for Dental Practices” by Matthew Cook). Under the HIPAA security rule, encryption of patient data is required.
Every dental office should have a shredder nearby so that any handwritten notes can be safely discarded. If a team member absentmindedly crumples a note with PII written on it and tosses it into a trash can, it is a HIPAA violation. In a 2015 press release after prosecuting a dentist for a HIPAA violation, former Indiana Attorney General Greg Zoeller said, “In an era when online data breaches are top of mind, we may forget that hard-copy paper files, especially in a medical context, can contain highly sensitive information that is ripe for identity theft or other crimes.”
In my Total Team Training (TTT) courses with the Dr. Dick Barnes Group, we teach dental offices to build relationships with new patients by conducting new patient interviews—brief, 10-minute, one-on-one interactions to discuss the patient’s medical history and learn about his or her dental goals and concerns. Dr. Barnes has always said that dental team members should communicate with patients “eye-to-eye and knee-to-knee.” Information disclosed in that interaction must be protected.
Such conversations should take place in an area where other people can’t overhear any PII. If your dental office has open operatories with no closed doors, the person conducting the interview must lower his or her voice so that others cannot overhear—or better yet, find a place where the conversation can be conducted in private.
During the interview, the team member asking questions usually takes notes on a piece of paper. Once the conversation has ended, he or she should scan the paper into a secure electronic chart and shred the original document. A designated private area in a dental office can fulfill multiple functions besides just providing a setting for the new patient interview. A private area is also great for discussions regarding financial arrangements, or for patients asking questions about treatments.
2. ELECTRONIC COMMUNICATION
There are some hip ways to communicate these days like text, social media, and apps. Of course, there are still more traditional ways like voicemail, email, and fax. All of these methods have an electronic component to them, but it’s possible to use them with patients and still comply with the requirements of HIPAA. It all depends on the content that is being communicated, to whom it is being sent, and how it is being stored and transferred.
Communication is an important part of everyday tasks, and it can be easy to slip into a non-HIPAA-friendly exchange. To prevent this from happening, email and fax communication must be encrypted for transmitting PHI or PII. The concern with sending information via text message is that someone besides the intended recipient may have access to the phone receiving the message.
Because texting is not encrypted, having a conversation via text that includes PHI or PII is a violation of HIPAA. It’s okay for a dental team member to send a text to a patient, but the text message must comply with the “minimum necessary standard” laid out in the Privacy and Security Rules.
Since team members ultimately have no control over the final destination of the message, “Short Message Service” (SMS) and “Instant Messaging” (IM) often fail to meet the standards of the technical safeguards of the HIPAA Security Rule. In addition, using messaging apps on mobile devices that have no log-in or log-off requirements is discouraged, because if a mobile device is lost or stolen and PHI or PII has been exchanged on it, this information could be compromised.
When it comes to social media, every post is considered part of the public domain. Therefore, a photo release and proper consents are necessary when posting any images of a case. And even then, it is recommended to avoid releasing any information that might be personal. It may be easy to identify patients from specific details about treatment even without posting any PHI or PII directly.
If your team members plan to leave detailed voicemail messages like test or lab results, your practice must obtain prior consent. Generally, it’s best to just avoid leaving such detailed information on voicemail. Team members can leave details about an upcoming appointment (confirmation calls) without including any specific patient, diagnosis, or treatment information. Call reminders should only include the day and time—they should not include any information about the patient or what kind of appointment or treatment will be done. This policy protects patients in the event that someone else overhears the voicemail message, and it also protects dental offices, whose front office team members may be making calls within earshot of other patients.
So does this mean that all patients need to sign a release specifying those to whom you can communicate PHI or PII? Not necessarily. Under the Privacy Rule’s provisions on uses and disclosures for treatment, payment, and health care operations (TPO), there are exceptions such as communicating with other physicians, insurance companies, and collection agencies.
3. GIFTS OF APPRECIATION
After a patient has undergone a long or complicated dental procedure, it’s a great idea for the doctor or a team member to call the patient to make sure that he or she is feeling okay. In the Colorado dental practice where I previously worked, we would sometimes take it a step further and send the patient a congratulatory or thank-you gift after completion of comprehensive treatment. Occasionally, we would send a bouquet of flowers or a gift card for a favorite restaurant. Often, we sent those gifts to the patient at his or her place of employment.
During a recent TTT seminar, a question was asked that specifically addressed whether it was a HIPAA violation to send patients something at their workplace, knowing that co-workers would likely discover it’s from a dentist. After researching the issue, I discovered that when sending tokens of appreciation to patients, dental team members should make sure that gifts are addressed directly to the patient in a sealed envelope.
After the patient opens the envelope, it becomes the patient’s choice whether he or she wants to share who it’s from. However, to be extra cautious, it is recommended to send gifts directly to a patient’s home, where it’s less likely that an unknown person will see any private information. And of course, as with all other forms of communication, keep it short and leave out specific details about the medical procedure or any other health-related information.
4. FAMILY MEMBERS
Sometimes, family members may be involved with a patient’s treatment. Perhaps they are participating in the decision-making process or acting as a legal guardian. It’s important to know which situations require disclosures and which ones do not.
If a patient needs care and cannot make his or her own medical or dental decisions, it’s in the best interest of the patient to give that information to a family member or legal guardian. Dental practices must obtain and keep documentation specifying that the patient has given them permission to share information with the designated individual (see 45 CFR 164.510 of the Privacy Rule).
According to the HHS, “the HIPAA Privacy Rule specifically permits a CE to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health/dental care. If the patient is present and has the capacity to make healthcare decisions, the CE may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The CE may also share relevant information with the family and the designated persons if it can reasonably infer, based on professional judgment, that the patient does not object.”
There’s no time like the present to make sure you and your dental team are up to date on HIPAA compliance. Consider getting a risk assessment done on your practice to learn and understand where your team may need to improve.
Once you understand your risk for HIPAA violations, you can take steps to protect your patients and your practice. Specific areas like communicating with new patients, sending text messages and other forms of electronic communication, giving gifts after treatment, and considering the circumstances of elderly patients are all areas where HIPAA compliance is necessary and important. But there are many more areas and circumstances to consider and protect. Don’t become complacent about HIPAA. Many resources are available to help.