HIPAA Compliance Questions & Answers
Following are answers to common questions posed by dentists, compiled by ADA and CDA staff
Question: What, exactly, is "HIPAA" and why should I care?
Answer: "HIPAA" is short for the "Health Insurance Portability and Accountability Act of 1996." The intent behind HIPAA was to cut administrative health care costs, and to simplify the transfer of health records -- specifically records transferred electronically -- between health care providers, third party payers such as insurers and health plans, and clearinghouses that facilitate the processing of health information between providers and third party payers.
HIPAA achieves the objective of simplifying the transfer of health care information by enacting standard forms and procedures for the handling of such information. Under the "Administrative Simplification Provisions" of HIPAA, the U.S. Department of Health and Human Services (HHS) is adopting 1) national standards for health data that is transferred between providers and health plans or insurers (for dentists, these standards are the CDT-3 code sets, which provide uniform codes used nationally for identifying various types of transactions); 2) privacy and confidentiality provisions for health data that might identify the patient; 3) security standards to protect health information; 4) standards for attachments to claims; and 5) a system for uniquely identifying providers, employers, plans, and individuals.
In terms of deadlines, the first HIPAA rule with which regulated providers were required to comply was the rule on electronic transactions and code sets. This rule originally was to take effect on October 16, 2002. However, federal legislation in 2001 allowed regulated entities (e.g., providers) to apply for a one-year extension on the compliance deadline.
The second crucial date for HIPAA compliance was that dealing with the privacy rule. All regulated entities were to comply with this rule by April 14, 2003.
The security rule, which guarantees that health records are kept in a secure manner, was adopted on January 20, 2003, and has a compliance deadline of April 21, 2005.
The rule on provider identifiers will go into effect on May 23, 2005, and has a final compliance date of May 23, 2007. The rules on the health plan identifier, first report of injury, claims attachments, and enforcement are all still being drafted.
Transactions & Code-Sets Rule
Question: Must dentists comply with the requirements of HIPAA?
Answer: The simplest answer is, "Yes, if...." "Yes," in the sense that HIPAA applies to all providers (including dentists) or anyone that furnishes, bills, or is reimbursed for the provision of health care services; health plans, or any organization that pays the cost of medical care, including Medicare and Medicaid; and health care information clearinghouses that process any of the data that is being transferred between providers and payers. Essentially, any entity from the point where a service is provided, to the point where the cost of the service is reimbursed, is regulated by HIPAA.
The "if," or condition, is that HIPAA's requirements only apply to the transfer of health care records that are handled electronically. If a dentist chooses to engage in certain specified health care transactions electronically, that dentist is considered a "covered entity," and is therefore subject to HIPAA’s rules, including the transactions rule.
Question: What does the HIPAA rule requiring standard transactions and code sets mean to dentists?
Answer: Previously, dentists submitted transactions in whatever form each of their third party payer plans required. Under HIPAA, all payers - commercial and government programs - must accept electronic transactions in a standard format using ADA’s dental procedure code - the Current Dental Terminology, or "CDT-4."
Question: What types of record transactions are regulated by HIPAA?
Answer: Transactions between providers and payers that are regulated include claims and remittances, eligibility inquiries and responses, and claims status inquiries and responses. Again, to come under HIPAA's requirements, such transactions must be conducted electronically. If a provider neither transfers records electronically nor relies on a vendor or agent to do so on the provider's behalf, the provider is exempt from HIPAA.
Question: Does HIPAA require providers to submit claims electronically?
Answer: No. Prior to HIPAA, there were approximately 400 different electronic systems used for the submission of health care claims. Again, a major goal of the HIPAA legislation was to simplify the administrative processes involving the delivery of and payment for health care. While it is true that HIPAA requires payers to accept electronic transactions in a standardized form, dentists and other providers can choose if and when to submit electronic transactions. Payers may offer incentives to submit claims electronically, or disincentives for the use of paper, but HIPAA does not preclude the use of paper.
Question: Can I opt-out of HIPAA’s requirements on the transfer of information by avoiding electronic claims transactions?
Answer: You may. HIPAA gives the dentist, or any provider, the choice of whether to send and receive electronic transactions. However, be aware of the incentives for using electronic transactions before choosing against such use. Electronic claims are generally reviewed faster, and payment is received sooner. Many payers have simplified the information necessary to accompany claims submissions. A case study suggesting that a dentist can save over $200 per week using HIPAA standard electronic transactions is available at http://www.ada.org/prof/resources/topics/hipaa/benefits.asp.
Question: Wasn’t there an extension on the compliance deadline for HIPAA?
Answer: H.R. 3323, which President Bush signed into law on December 27, 2001, extended for one year the compliance date for the transactions and code sets requirement of HIPAA only. That extension was good until October 16, 2003. However, many regulated entities were still not in compliance by that date. The Department of Health and Human Services has taken a flexible approach to enforcement, provided non-compliant regulated entities can show progress toward compliance with the transactions and code sets rule.
Privacy Rule
Question: What about the separate rule dealing with the privacy of patient information, and what does it mean to dentists?
Answer: The privacy rule, with a full-compliance deadline of April 14, 2003, allows individuals to retain some control over most releases of individually identifiable health information. Authorizations from patients are generally required for uses and disclosures of patient information that is for purposes other than treatment, payment, or the healthcare operations of the dental office. A dentist who holds patient-identifiable information would, under the rule, be required to protect this information and report disclosures of that information. Unlike the provisions of HIPAA that pertain to electronic transfers of records only, the privacy provisions apply to paper and oral information, as well as electronically-stored and transferred information. But, again, the privacy rule only applies to dental offices which conduct certain specified transactions with third party payers electronically.
Question: How final is the privacy rule?
Answer: The "final" rule on privacy was published by the U.S. Department of Health and Human Services on December 28, 2000, but the new Administration reopened the rule for a comment period of 30 days to ensure that the final rule would protect patients' privacy without creating unanticipated consequences that might harm patients' access to care. After that comment period, President Bush allowed the rule to take effect on April 14, 2001, with a compliance date for all regulated parties of April 14, 2003.
However, on March 28, 2002, HHS again reopened the rule for further comments and revisions. Among the changes to the privacy rule were strengthening the patient notice provisions while removing consent requirements that hinder access to care; clarifying that treatment-related conversations between two doctors, or between a doctor and staff, are not violations of the privacy rule; assuring appropriate parents’ access to children’s records; prohibiting use of patient records as a source to create mailing lists for marketing materials; simplifying the use of health records for research purposes; creating model provider/business associate agreement provisions to assure that business associates, such as property managers, adhere to privacy rules; and simplifying patient authorization for release of their records.
Question: Must operatories and waiting rooms be soundproofed to comply with HIPAA?
Answer: The final privacy regulations went further than the proposed regulations and state that the requirements of the regulations apply to oral as well as written and electronic communication. This legitimately raises the question of whether offices must be soundproofed to prevent one patient from overhearing a conversation with or about another patient. Guidance from HHS on how it interprets and enforces the regulations clarified that it is the intent of the regulators that reasonable efforts should be taken to protect the privacy of patient health information. Soundproofing operatories and waiting rooms is often more than is necessary for individual dental offices. In the ADA’s comments to HHS, it stated that oral communications should not be subject to civil or criminal sanctions when the dentist or the staff is engaged in treatment, payment or health care operations.
Question: Under HIPAA’s Privacy Rule, will I not be allowed to have a patient sign-up sheet by the front desk?
Answer: This question is another example of misinformation that circulated prior to the final compliance date for the HIPAA Privacy Rule. The Privacy Rule allows for the use of patient sign-in sheets, but, again, they should be used with common sense. While this may be more of a concern for physicians’ offices than for dentists, a sign-in sheet can be used in which a patient simply signs in. However, requiring a patient to indicate why they are there (i.e., the purpose of the appointment) is likely a violation of a patient’s privacy. In a medical office, it would be a violation of confidentiality for a patient to write their name on a sign-in sheet and to have them announce on the sheet that they are there for the results of their HIV test. While, for all practical purposes, people may not care whether anyone else in a dental office waiting room knows they are there for a crown, the principle is the same: information about a patient’s condition and treatment should be kept confidential (and off of sign-in sheets). Again, following common sense procedures will likely result in an office being in compliance with the Privacy Rule.
Question: Will sending appointment reminder postcards violate HIPAA?
Answer: The ADA raised this issue with HHS in its comments to the agency regarding the final rule. They made it clear that such reminders are sent to facilitate the dental health of a patient, and reflect the ongoing preventive nature of dental care, in contrast to what is often the episodic nature of care rendered by other health care providers. Essentially, reminder postcards are allowed under HIPAA, provided the cards convey a general reminder to the patient (i.e., “This is to remind you of your appointment with us…”), and do not mention the specific nature of the appointment (i.e., “This is to remind you of your appointment with us for your root canal…”).
Question: Does HIPAA regulate where patient schedules are placed in the office?
Answer: Yes. Some offices may print out the patient schedule for the day and post it for professional staff. Often the schedule is posted where it can be seen by a patient - either in the examining room, or in a corridor, or on a door. Where it is placed may result in an unauthorized disclosure of patient information. Offices must make an effort to protect identifiable personal health information on a schedule of appointments, but this does not mean that the use of patient schedules is prohibited. If a schedule is placed in an operatory, with the patient’s back to the wall where it is hung, this would likely be considered sufficient protection of patient information. An office that shows it has made a conscious effort to protect such information by placing it in a location accessible to professional staff, but with minimum access by patients in the office, will not violate the HIPAA privacy rule by using printed patient schedules.
Question: Must all confidential conversations take place as much as possible in areas that cannot be overheard by other patients or non-staff individuals?
Answer: Yes. HIPAA does not prohibit confidential conversations with patients, nor require that they be held in sound-proof rooms with closed doors. However, there must be an understanding that conversations may be easily overheard in many settings. For example, a receptionist may schedule appointments over the phone. This requires taking and verifying the name of the caller, as well as discussion of the patient’s dental information. If patients and others are sitting in the waiting room, they may overhear such an exchange, and this could represent an unauthorized disclosure of patient information. The same may be said of discussions between staff members in the hallway. Providers must use their best professional judgment to reduce the risk of such information being shared, but they do not have to guarantee that it can never occur. Again, the emphasis in the Privacy Rule is on "reasonable" safeguards and actions to protect patient confidentiality and privacy, and the Privacy Rule defers most issues to the judgment of the provider in determining what is "reasonable."
Question: Should computers and fax machines in the office be situated such that patients cannot gain access or view computer screens and fax copies?
Answer: Yes. More and more, dental offices are using computers for such things as billing, tracking accounts receivable, scheduling, and storing patient dental records. Wherever computer terminals and/or fax machines are located, even if they can be seen by patients, it is important that only office staff can gain access to fax machines and computers. This access includes restricted physical access as well as restricted viewing access. Most of these precautions are common sense. For example, computers should have screensavers so that if a staff member is away from a computer terminal for more than a couple of minutes, and the terminal might be seen by a patient at the counter, the screensaver protects against unauthorized individuals reading patient information. Also, password-protecting computer-stored patient information is another commonsense precaution.
When a staff person steps away from their computer for a period of time, the staff person should be required to re-enter his or her password. Passwords should, of course, be kept confidential (no placing of passwords on a yellow sticky note on the computer monitor), and changed occasionally.
Question: How should patient records that are not stored electronically be handled?
Answer: Dental records on paper and in files are usually located in a number of locations around an office during practice hours, including the receptionist’s desk, in the operatories, on the dentist’s desk, and at the counter where patients check out. HIPAA does not prohibit patient records "floating" around the office, but it is important that no patient or non-staff individual have access to any medical records at any place in the office. Again, this is common sense. For many offices, this will require an assessment of how and where records move throughout the office, and may require a change in the manner in which patient records are handled and stored if they are left in locations where a patient or non-staff person might have ready access to them.
Question: When one parent has majority custody, can a child's dental records be released to the other parent?
Answer: Yes. The HIPAA Privacy Rule considers parents to be "personal representatives" for children. As such, parents have the authority to make medical decisions for their minor children, including signing the acknowledgement of receipt of the office's privacy policy, and can authorize the dental office to use their children's dental information for purposes other than treatment, payment, or healthcare operations. California law (Family Code Sec. 3025) allows both parents access to a minor child's medical, dental, and school records, without regard to who has majority custody of the child. HIPAA is silent on matters of family law, so in this case, California law controls the issue of access.
Security Rule
Question: What are the security measures of HIPAA that apply to dental offices?
Answer: The HIPAA law contains a security provision; these requirements are law already, without the necessity of adopting regulations. The HIPAA statutory provisions require that each person who maintains or transmits health information adopt reasonable and appropriate administrative, technical, and physical safeguards to: 1) ensure the integrity and confidentiality of patient information; 2) protect against any reasonably anticipated threats or hazards to the security of the information; 3) protect against unauthorized uses or disclosures of the information; and 4) ensure compliance among employees and officers.
Some of these security standards are addressed in a separate regulation that establishes procedures by which electronically-kept and transferred patient records are stored, accessed, and transmitted. The compliance date of the security rule is April 21, 2005. Information on compliance with the HIPAA Security Rule can be obtained by purchasing ADA’s HIPAA Security Kit (http://www.ada.org/prof/resources/pubs/adanews/adanewsarticle.asp?articleid=891), and by discussing the security features of updated practice management software with software vendors.
Question: Does HIPAA require specific measures to protect my patients’ records?
Answer: HHS' first guidance on privacy (see www.hhs.gov/ocr/hipaa/assist.html) amplified on how the rule applies to oral (i.e., intra-office and telephonic) communications, but it does not specifically address how providers must secure and monitor patient records to prevent unnecessary disclosure. The general standard is that dentists must take "reasonable steps to limit the use and disclosure of personal health information to the minimum necessary to accomplish the intended purpose," and the guidance does exempt certain types of transactions:
- Disclosures to or requests by another health care provider for treatment purposes;
- Disclosures to the individual who is the subject of the information;
- Uses or disclosures made pursuant to an authorization requested by the individual;
- Uses or disclosures required for compliance with HIPAA-mandated standard transactions;
- Disclosures to HHS when required under the rule for enforcement purposes; and
- Uses or disclosures that are required by law.
One thing to understand about compliance with the HIPAA privacy rule: The rule is written in a general, somewhat unspecific way, in order to allow flexibility in complying with the rule, and to assure that where reason dictates, one office may comply differently than another. The rule requires a provider to look at the rule, consider how health records are kept and with whom they are shared, from this assessment consider ways to further secure and protect the confidentiality of those records, develop a privacy policy for the office, and then disclose that policy to patients. HHS will likely not assess the contents of a dental office’s privacy policy (unless it’s grossly negligent), but will mainly be concerned with whether the dentist, as a regulated party, compared his or her office’s record-keeping practice in light of HIPAA, and actually developed a privacy policy in compliance with the rule. In short, the HIPAA privacy rule is not a "one-size-fits-all" approach to privacy. But you do need to carefully assess how records are stored and shared, and develop a policy on the access and use of those records in light of HIPAA.
Other Questions
Question: How does HIPAA affect state law?
Answer: Unlike federal law on transactions and code sets, which does preempt state law on the subject, the privacy segment preempts only those state laws that set less restrictive requirements on the use and disclosure of health information or that provide weaker protections for individual health information. Many of HIPAA’s privacy requirements mirror existing patient privacy rights in California. Most of the areas in which California law is different or more restrictive than HIPAA have to do with specific details of the laws’ requirements. For example, both HIPAA and California laws governing the use and protection of patient records require providers to make available records from the file upon the request of the patient. HIPAA requires providers to respond to such patient requests within 30 days; California law requires a response within 15 days. CDA continues to monitor legislative and regulatory activity on patient privacy to work against contradictions between federal and state privacy requirements.
Question: Could HIPAA affect the sale of dental practices?
Answer: The final privacy rule allows the use and transfer of patient information to relevant parties who need that information for purposes of treatment, payment, or healthcare operations. In a guidance issued by HHS, it was clarified that the sale of a dental practice can be achieved without seeking patient authorizations, and that the sale of a practice falls under the concept of “healthcare operations.”
Question: Overall, do the HIPAA regulations place a significant burden on dental offices?
Answer: Initially, there were fears that the burdens of complying with HIPAA would be onerous. However, while the HIPAA law authorizes a series of regulations that result in a complex network of compliance requirements, the regulations are not deemed to be overly burdensome. The important thing is to understand what HIPAA is requiring, that is, to understand the separate regulations.
So far, HHS has adopted five regulations pertaining to HIPAA: the Transactions and Code Sets Rule; the Privacy Rule; the Employer Identifier Rule, which is a technical rule that requires insurers, clearinghouses, and providers to identify employers by their Employer Identifier Number issued by the Internal Revenue Service as part of electronic transactions; the Security Rule; and the Provider Identifier Rule. Software vendors can assist in compliance with the Transactions and Code Sets Rule. ADA has published two kits to assist in complying with the Privacy and Security Rules. These kits may be purchased from ADA by calling ADA at 1-800-947-4746, or through the Product Catalog at ADA.org.
Question: Are expensive consultants necessary to interpret these regulations and advise dentists on how to comply?
Answer: ADA is, by requirement of the HIPAA law itself, a consultant to HHS on HIPAA rule development, so ADA is a good source of general information (see http://www.ada.org/prof/resources/topics/hipaa/index.asp). ADA and CDA work to keep members updated with new information as the various regulations under HIPAA are promulgated and those that have been finalized are clarified. We encourage you to check with these sources to help you decide if you need outside consultants. We also recommend consulting with your professional legal and financial advisors for more detailed advice about your specific practice situation.
Copyright © 1995-2006 California Dental Association, All Rights Reserved.
