Decades after the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was first introduced, it is still one of the most misunderstood federal health laws in effect, including within dentistry. Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed for health care.
Recent events concerning vaccination requirements for employment have caused confusion about the extent of the protection HIPAA provides for personal health information. It is important for dental professionals to be compliant with HIPAA rules and regulations and to clearly understand how they pertain to employees, employers, and patients.
HIPAA is a federal law that required the creation of a national standard to protect sensitive patient health information from being disclosed without a patient’s consent or knowledge.1 Protected health information (PHI) includes names, addresses, contact information, social security numbers, payment information, insurance information, medical records, and any other health-related information.3
Protected health information encompasses any piece of information in a person’s medical record that was created, used, or disclosed during the course of diagnosis or treatment that can be used to personally identify them.3
Who has to comply with HIPAA?
Covered entities under HIPAA include health care providers, health plans, health care clearinghouses, and business associates of covered entities (claims processing, billing, data analysis).1,12 Life insurers, employers, workers’ compensation carriers, most schools and school districts, and many state agencies such as Child Protective Services, law enforcement agencies, and municipal offices are not required to follow HIPAA as none are listed as covered entities by the law. This helps to avoid unnecessary court orders for information that may be needed for investigative purposes by these agencies.11
HIPAA rules for dentists apply to any dental office that sends claims, eligibility requests, pre-determinations, claim status inquiries, or treatment authorization requests electronically.3 Dental practices are legally required to read and understand all HIPAA requirements, create a HIPAA compliance team, perform regular HIPAA risk assessments, implement policies and procedures to correct identified deficiencies, provide training for workforce members on HIPAA compliance, and maintain compliance in an ongoing manner.3,7
What information is protected?
PHI is any information health care providers put into a medical record. This includes conversations about a patient’s care or treatment with other health care staff, information in a health insurer’s computer system, and financial billing information.11
How is PHI protected?
Covered entities are required to integrate safeguards to protect health information and ensure they do not use or disclose that information improperly. Uses and disclosures must be limited to the minimum necessary to accomplish the intended purpose.
There must also be procedures in place to limit who can view and access PHI, and employees must be trained in how to protect health information. Business associates of covered entities must also follow these standards.11 In dentistry, business associates include billing services, document storage, practice management, collection agencies, shredding services, and any other outside person or entity that performs a service for a covered dental practice that involves patient information.7
Permitted Uses and Disclosures
A covered entity is permitted, but not required, to use and disclose protected health information without an individual’s authorization for the following situations: disclosure to the individual or for treatment, payment, and health care operations.1
A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations. A covered entity also may disclose protected health information for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the protected health information pertains to the relationship.1
The HIPAA Privacy Rule permits the use and disclosure of personal health information without an individual’s permission when required by law for public health activities (i.e., public health authorities authorized by law to collect or receive such information for preventing or controlling disease), victims of abuse, neglect, or domestic violence, health oversight activities, judicial and administrative proceedings, law enforcement, functions concerning deceased persons, cadaveric organ, eye, or tissue donation, research under certain conditions, to prevent or lessen a serious threat to health or safety, essential government functions, and workers’ compensation.1
HIPAA Privacy Rule ─ Dental professionals will be most familiar with the HIPAA Privacy Rule, which gives patients certain rights over their health information, including dental and billing records.7 The U.S. Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA, and the HHS Office for Civil Rights enforces HIPAA rules. HIPAA violations may result in civil monetary or criminal penalties.1
The Privacy Rule is meant to give people the right to access their medical information and to limit covered entities’ access to, or sharing of, people’s medical information without consent. HIPAA does not protect medical information shared by the patient, nor does it give someone personal protection against ever having to disclose health information.8 The goal of the Privacy Rule is to properly protect health information while still allowing that information to flow where it is needed.1
Under the Privacy Rule, patients have a right to ask for a change in their records, to ask a health care provider not to disclose their information, and to ask that the provider communicate with them confidentially (encrypted vs. unsecured email), at an alternate location (directing communications to work vs. home), or by an alternate means (appointment reminders by email in place of postcards). Health care providers must accommodate reasonable requests.7
A provider may deny such a request if the patient’s request is not in writing; if the request does not specify a particular alternative method of communication or alternative location for disclosure; if compliance with the request affects payment; or if the privacy officer determines that the administrative difficulty of granting the request would be unreasonable and would result in more than a modest additional cost.3
Notice of Privacy Practices ─ The law requires health care providers to ask patients to acknowledge in writing that they have received this notice. Patients are not required to sign, and refusing to sign does not prevent the use or disclosure of health information that HIPAA permits. For example, a dental practice may still share pertinent health information, without the patient’s permission, with another covered entity that has a relationship with the patient, such as an endodontist. Providers should keep a detailed record of any patient’s refusal to sign this notice.6
The Notice of Privacy Practices should explain how the Privacy Rule allows the provider to disclose personal health information and must state that the patient’s permission is necessary before the information is shared for any other reason. The notice must outline the duties of the dental practice to protect personal health information, the patient’s privacy rights, and how to contact HHS for more information or to make a complaint. HHS provides model notices to guide health care providers in creating a Notice of Privacy Practices.10
HIPAA Security Rule ─ The HIPAA Security Rule protects a subset of information covered by the Privacy Rule and pertains specifically to all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This rule does not apply to written or orally transmitted health information.1
Practices must detect and safeguard against anticipated threats to the security of the information and protect against anticipated, impermissible uses or disclosures.1,12
The HIPAA Security Rule requires a dental practice to conduct a written risk assessment and develop safeguards to protect electronic patient information. These safeguards are divided into administrative, technical, and physical categories. The purpose of the Security Rule safeguards is to protect the confidentiality, integrity, and availability of electronic patient information.7
Common safeguards include taking steps to ensure the information cannot be hacked, sharing it only with authorized parties, and not publicly acknowledging or discussing patients’ care or conditions in any forum.3
The HIPAA Security Rule also requires ongoing maintenance of safeguards, periodic risk assessments, workforce training, and documentation.7
Breach Notification Rule ─ The Breach Notification Rule requires dental practices to provide notification of breaches of unsecured patient information to affected individuals, the federal government, and in some cases, the media.7
HIPAA 2013 Omnibus Final Rule ─ The Omnibus Final Rule extended the requirements of the privacy and security rules to cover dental practice business associates and their contractors. Business associates are defined by HIPAA as an outside person or entity that does a service for a covered dental practice that involves protected health information (shredding firm or collection agency, for example). This information cannot be accessed by a business associate until a compliance agreement is in place, making the business associate subject to the same enforcement actions as the dental practice.7
This rule also introduced new limitations on the use of protected health information for marketing and fundraising purposes and prohibits the sale of a patient’s protected health information without the individual’s authorization.7 For example, a dental practice should not share the mailing information of patients who purchase teeth bleaching materials with a dental supply company for marketing purposes without patient consent.
HIPAA & Patient Communications
The way dental practices communicate with patients has evolved from phone calls and mailings to include text, email, and teledentistry. Patients must give their consent to be contacted by text or email and must be notified if the method being used is not secure. The practice should note any unsecured communication and the reasoning for using an unsecured method of communication in the patient record.
In voicemail messages, it is generally acceptable to provide practice name, caller’s name and phone number, appointment date and time, and the name of the person you are attempting to contact. Do not leave any financial or health-related information.6
HIPAA does require dentists to use security measures when emailing or texting patients, such as encryption. Password protection alone is not considered secure or encrypted.
Teledentistry presents HIPAA risks because third-party providers are involved in making the technical side possible, other individuals may be present on the patient’s end, and appointments may be conducted over an ongoing relay of information that creates opportunities for unauthorized parties to access protected health information. Training is necessary to be sure providers and staff are clear on which regulatory requirements apply and how to make sure they are implemented and enforced. Practices may also fail to include telehealth business partners in their HIPAA reviews and so miss opportunities to prevent violations.3
All dental providers and staff should be trained on the type of information acceptable to include as part of patient communications, and only encrypted, secure communication systems should be used.
Dental HIPAA Violations
HIPAA training is paramount for dental staff since violations can range widely from innocently commenting on social media to large-scale malware attacks. Here are a few examples of dental HIPAA violations and their consequences:
- Dr. Lookhart of Anchorage, Alaska, performed a tooth extraction on a sedated patient while riding a hoverboard. He recorded this event and sent the video to several recipients. The patient did not consent to the procedure being filmed or to being treated while the dentist was on a hoverboard. Dr. Lookhart violated her privacy by recording and distributing the video. The State of Alaska filed a lawsuit charging Dr. Lookhart with “unlawful dental acts,” and he was also later found guilty of fraudulent Medicare billing. He was convicted on 46 felony and misdemeanor counts, including medical assistance fraud, scheme to defraud, illegal practice of dentistry, and reckless endangerment. He was sentenced to 20 years with eight suspended, resulting in 12 years of total jail time.2
- Delta Dental of Arizona found suspicious activity on an employee email account and found the employee was the victim of a phishing scam that gave an unauthorized individual access to the email account. There was no evidence of misuse, but the company had to notify all possible affected individuals.2
- Elite Dental Associates responded to a Yelp review disclosing a patient’s last name and information about their health condition. They also did not have a HIPAA compliant Notice of Privacy Practices. After receiving a fine, the office paid $10,000 to settle the improper private health information disclosure.2
- Dr. Beck of Indiana hired a company to dispose of 7,000 old files containing private health information, but those files ended up in a church dumpster fully intact. Dr. Beck received a $12,000 fine from the state.2
Employee Rights under HIPAA
Can an employer require you to provide personal health information as a condition of employment? Yes. The Privacy Rule applies to disclosures made by your health care provider, not to the questions your employer might ask. The only way HIPAA applies in an employer-employee relationship is that your health care provider cannot answer your employer’s questions about your health information without your consent.9
OSHA has required the hepatitis B (HBV) vaccine for dental professionals for many years. In a few states, the dental board requires dental professionals to provide proof of receiving the HBV vaccine as part of the licensing process.
Professor Kayte Spector-Bagdady, JD, MBe, a lawyer and bioethicist, states, “Institutions rarely have the right to require that you actually get vaccinated, but if you want to work somewhere in particular, or want others to provide you services (such as schools, businesses, or travel), they might have the right to ask you to provide proof of vaccination first. Not only might they have the legal right, but the right also has the legal obligation to protect others.”
Professor Spector-Bagdady continues, “People often feel like HIPAA protects them from being asked about their medical information or prohibits other people from asking about their medical information. Neither is true. HIPAA prohibits health professionals such as your doctor from sharing your identified health information without your permission in most circumstances. People can always ask about your health information, and you can almost always decline to answer, but not answering health questions might come at a cost, such as not being able to enter your workplace or board a plane.”5,8
The U.S. Equal Employment Opportunity Commission (EEOC) in June 2021 ruled that employers are not prevented from requiring workers to be vaccinated against COVID-19, provided they comply with the reasonable accommodation provisions of the Americans with Disabilities Act and Title VII of the Civil Rights Act. Additionally, employers are allowed to offer incentives, such as gift cards or paid time off, to employees who voluntarily provide documentation of vaccination. If an employee provides their vaccine information, the employer is required to keep that information confidential under the Americans with Disabilities Act.4
All dental staff should have training within a reasonable time of joining the practice on HIPAA laws, policies, and procedures. HIPAA training standards and intervals are left up to each individual dental practice, but an annual update is recommended to avoid any possible violations. A clear understanding of HIPAA is important for dental professionals to maintain the privacy rights of patients.3,6
1. Health Insurance Portability and Accountability Act of 1996 (HIPAA). (2018). Centers for Disease Control and Prevention. Retrieved from https://www.cdc.gov/phlp/publications/topic/hipaa.html
2. Clark, M. (2020). Brace Yourself: 9 Examples of Dental HIPAA Violations. eTactics. Retrieved from https://etactics.com/blog/examples-of-dental-hipaa-violations
3. Garner, G. (2020). Dentists and Compliance: An Overview of HIPAA Dental Patient Rules. HIPAA Exams. Retrieved from https://www.hipaaexams.com/blog/dentists-and-compliance-an-overview-of-hipaa-dental-patient-rules/
4. Garvin, J. (2021). EEOC Releases Expanded Technical Assistance Addressing EEO Laws, COVID-19 Vaccines. American Dental Association. Retrieved from https://www.ada.org/en/publications/ada-news/2021-archive/june/eeoc-releases-expanded-technical-assistance-addressing-eeo-laws-covid-19-vaccines
5. Gavin, K. (2021). Who Has a Right to Ask if You’re Vaccinated? University of Michigan. Retrieved from https://healthblog.uofmhealth.org/wellness-prevention/who-has-a-right-to-ask-if-youre-vaccinated
6. HIPAA FAQ. (2019). American Dental Association. Retrieved from https://www.ada.org/en/member-center/member-benefits/practice-resources/dental-informatics/electronic-health-records/health-system-reform-resources/hipaa-faq
7. HIPAA Privacy and Security. (n.d.). American Dental Association. Retrieved from https://www.ada.org/en/member-center/member-benefits/practice-resources/dental-informatics/electronic-health-records/health-system-reform-resources/hipaa-privacy-security
8. Jetelina, K. (2021). HIPAA Violation? Your Local Epidemiologist. Retrieved from https://yourlocalepidemiologist.substack.com/p/hipaa-violation
9. Employers and Health Information in the Workplace. (2008). U.S. Department of Health and Human Services. Retrieved from https://www.hhs.gov/hipaa/for-individuals/employers-health-information-workplace/index.html
10. Notice of Privacy Practices. (2008). U.S. Department of Health and Human Services. Retrieved from https://www.hhs.gov/hipaa/for-individuals/notice-privacy-practices/index.html
11. Your Rights Under HIPAA. (2017). U.S. Department of Health and Human Services. Retrieved from https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html
12. HIPAA for Professionals. (2017). U.S. Department of Health and Human Services. Retrieved from https://www.hhs.gov/hipaa/for-professionals/index.html