Guidance on HIPAA Privacy Standards
Following is a summary of the guidance on HIPAA privacy standards published by the federal Department of Health and Human Services (HHS) on July 6, 2001 that was prepared by the American Dental Association, "with an eye towards items of interest to the practicing dentist," and transmitted to constituent dental societies by Executive Director James B. Bramson, D.D.S., on September 7, 2001. For more detailed information on the guidance to the privacy rule, go to http://www.hhs.gov/ocr/hipaa/assist.html.
(Note: As of this writing, HHS has proposed modifications to the HIPAA privacy rule. This summary pertains to the original rule, and will be modified when the formal rule revisions are published. For a summary of the proposed revisions, go to http://www.hhs.gov/news/press/2002pres/20020321.html.)
Background
The HHS guidance establishes privacy standards relative to nine specific areas:
- Consent requirements
- Minimum necessary disclosures
- Oral communications
- Business associates
- Parents and minors
- Marketing
- Research
- Government access to health information
- Payment
Consent Requirements
The guidance clarified the following issues about the rule’s requirement about obtaining prior written consent before disclosing personal health information to carry out treatment, payment, or health care operations:
- A provider need only obtain a patient’s written consent one time;
- The consent document may be brief and may be written in general terms;
- The dentist must retain the signed document for 6 years, but the rule does not prescribe the form in which the consents are to be retained;
- It must be written in plain language and contain the following information:
- Inform the individual that information may be used and disclosed for treatment, payment, or health care operations;
- State the patient's right to review the provider's privacy notice;
- Explain how to request restrictions and how to revoke consent; and
- Be dated and signed by the individual (or his or her representative).
- The guidance clarifies the differences between "consent" and "authorization":
- A consent is a general document that gives health care providers, which have a direct treatment relationship with a patient, permission to use and disclose all personal health information for treatment, payment, or health care operations. It gives permission only to that provider, not to any other person. Health care providers may condition the provision of treatment on the individual providing this consent. One consent may cover all uses and disclosures for treatment, payment, or health care operations by that provider, indefinitely. A consent need not specify the particular information to be used or disclosed, nor the recipients of disclosed information.
- An authorization is a more customized document that gives covered entities permission to use specified personal health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose personal health information to a third party specified by the individual. Covered entities may not condition treatment or coverage on the individual providing an authorization. An authorization is more detailed and specific than a consent. It covers only the uses and disclosures and only the personal health information stipulated in the authorization; it has an expiration date; and, in some cases, it also states the purpose for which the information may be used or disclosed.
As an example, a dentist may, under the consent obtained from the patient, send an appointment reminder to the patient, but would need authorization from the patient to send their name and address to a company marketing a new dental product. Of course, this would be true under federal law, but state law may impose more stringent requirements. The same is true about all of the information in this section; e.g., state law may affect requirements for consent forms.
Minimum Necessary Disclosure
Although the privacy rule generally requires dentists and other health care professionals to take reasonable steps to limit the use or disclosure of personal health information to the minimum necessary to accomplish the intended purpose, the minimum necessary provisions do not apply to the following:
- Disclosures to or requests by another health care provider for treatment purposes;
- Disclosures to the individual who is the subject of the information;
- Uses or disclosures made pursuant to an authorization requested by the individual;
- Uses or disclosures required for compliance with HIPAA-mandated standard transactions;
- Disclosures to HHS when required under the rule for enforcement purposes; and
- Uses or disclosures that are required by law.
For use of personal health information, policies and procedures must identify which employees need access to the information to carry out their job duties, the types of personal health information needed, and conditions appropriate to access. For routine requests and disclosures, standard protocols must limit personal health information to what is the minimum necessary for the type of request or disclosure. Covered entities must make their own assessment of what is reasonably necessary for a particular purpose, given the characteristics of their business and workforce.
"Minimum necessary" is an important point of possible future change in the Rule, including for items such as sign-in sheets in waiting rooms.
Finally, the state law issue is again relevant. For example, while the guidance clarifies that disclosures between health care providers are exempted from the minimum necessary requirement, similar state laws would still be binding.
Oral Communications
The Guidance clarifies that the privacy rule is not intended to prohibit providers from talking to each other and to their patients, recognizes that providers understand the sensitivity of oral information, and acknowledges the importance of oral communications occurring freely and quickly in treatment settings.
The privacy rule contains provisions requiring covered entities to implement reasonable safeguards that reflect their particular circumstances and exempting treatment disclosures from certain requirements. These are intended to ensure that providers’ primary consideration is the appropriate treatment of their patients.
Under the guidance, the following practices would be permissible, if reasonable precautions are taken to minimize the chance of inadvertent disclosures to others who may be nearby (such as using lower voices and talking apart):
- Health care professionals may discuss a patient’s condition over the phone with the patient, a provider, or a family member;
- A health care professional may discuss lab test results with a patient or other provider in a joint treatment area; and,
- Health care professionals may discuss a patient’s condition during training rounds in an academic or training institution.
The Department does not consider facility restructuring to be a requirement under this standard. In determining what is reasonable, the Department will take into account the concerns of covered entities regarding potential effects on patient care and financial burden.
For example, the privacy rule does not require the following types of structural or systems changes:
- Private rooms.
- Soundproofing of rooms.
- Encryption of wireless or other emergency medical radio communications, which can be intercepted by scanners.
- Encryption of telephone systems.
HHS will propose regulatory language to reinforce and clarify that similar oral communications (such as calling out patient names in a waiting room) are permissible. While providers and health plans must provide reasonable safeguards to avoid prohibited disclosures, the rule does not require that all risk be eliminated to satisfy this requirement. Organizations must review their own practices and determine what steps are reasonable to safeguard their patient information. In assessing what is "reasonable," covered entities may consider the viewpoint of prudent professionals. Of course, HHS would then determine the reasonableness of any such assessment. This too is an area where state law may apply.
Business Associates
The privacy rule conditions disclosures to business associates on the provider obtaining, typically by contract, satisfactory assurances that the business associate will use the information only for the contracted purpose, will safeguard the information from misuse, and will help the provider give certain individuals appropriate access to their health information and to information about its disclosure. Personal health information may be disclosed to a business associate only to help the dentist carry out health care functions, not for independent use by the business associate.
Provided a covered entity complies with the rule, it is not liable for privacy violations of a business associate. Among the requirements is that the business associate contract must obligate the business associate to advise the covered entity when a violation occurs. When a covered entity becomes aware of a pattern or practice that materially violates the Rule, the entity must take "reasonable steps" to cure the breach including terminating the relationship, if feasible, or reporting the problem to the Department.
Parents and Minors
Under the rule, a parent is generally considered a "personal representative" and has the right to access health information about their minor child. The guidance reflects the following exceptions to these rights:
- When state or other law does not require parental consent before a minor obtains care, and the minor consents to the health care service; and
- When a court determination or other law authorizes some other individual to make treatment decisions for a minor.
In addition, the guidance clarifies that:
- If a parent agrees to a confidential relationship between the minor and the physician, the parent does not have access to the personal health information stemming from the arrangement;
- If the physician reasonably believes that the minor has been or may be subject to abuse or neglect, or that treating the parent as the child’s personal representative could endanger the child, the physician (dentist) may choose not to treat the parent as the personal representative of the child.
The rule does not preempt state law that might authorize or prohibit a disclosure of personal health information about a minor to a parent.
Marketing
The rule limits marketing that can be done as a health care operation, and requires authorization for other uses of personal health information for marketing purposes. The guidance clarifies that the following uses of personal health information to tailor health information sent to individuals do not constitute marketing:
- A covered entity may use personal health information in communications to individuals, provided that the communication is part of the treatment and its purpose is to further the treatment (e.g., recommendations of specific brand-name drugs); and
- A communication directed to an individual’s treatment or made to recommend an alternative treatment (e.g., reminder notices for appointments, annual exams, or prescription refills are not marketing).
If a communication is marketing, a covered entity may use or disclose personal health information only with applicable consent (authorization) and only in the following circumstances:
- In a face-to-face communication;
- If the product or service is of nominal value (e.g. free toothbrushes with name of covered entity, key chains, calendars, etc.); or
- It concerns health-related products or services where the covered entity or third party is identified in the communication.
In such cases, the communication must identify the covered entity that is making the communication; indicate that the covered entity is being compensated, if true; provide information on how the individual may "opt out" of future communications; and explain why an individual was targeted and how they might benefit.
All other communications that are "marketing" under the Rule require that the covered entity obtain the individual’s authorization to use or disclose personal health information to create or make the marketing communication.
Health promotion, preventative care and wellness programs may fall within the definition of marketing, depending on how they are conducted.
Research
The privacy rule states that a covered entity may use or disclose for research purposes health information that has been de-identified. Where research is concerned, the Privacy Rule protects the privacy of individually identifiable health information, while at the same time, ensuring that researchers continue to have access to information necessary to conduct vital research. The guidance addresses the use or disclosure of personal health information in the research context.
Government Access to Health Information
Under the privacy rule, government-operated health plans and health care providers must meet substantially the same requirements as private ones for protecting the privacy of individually identifiable health information. All federal agencies must also meet the requirements of the Privacy Act of 1974, which restricts what information about individual citizens, including any personal health information, can be shared with other agencies and with the public.
The rule does not expand current law enforcement access to individually identifiable health information. In fact, it limits access to a greater degree than currently exists. Today, law enforcement officers obtain health information for many purposes, sometimes without a warrant or other prior process. The rule establishes new procedures and safeguards to restrict the circumstances under which a dentist or other covered entity may give such information to law enforcement officers.
Where state law imposes additional restrictions on disclosure of health information to law enforcement, those state laws continue to apply.
Payment
Under the rule, a dentist may use and disclose personal health information for payment purposes. The Rule provides examples of common payment activities that include, but are not limited to:
- Determining eligibility or coverage under a plan and adjudicating claims;
- Risk adjustments;
- Billing and collection activities;
- Reviewing health care services for medical necessity, coverage, justification of charges, and the like;
- Utilization review activities; and
- Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity).
The guidance specifically contemplates a covered entity’s ability to carry out appropriate activities through a third party, such as a collection agency, under a business associate arrangement.
Copyright © 1995-2006 California Dental Association, All Rights Reserved.
