HIPAA Security Rule

Congress passed the Health Insurance Portability and Accountability Act in 1996 to simplify, and thereby reduce the cost of, the administration of health care. HIPAA does this by encouraging the use of electronic transactions between health care providers and payers, thereby reducing paperwork. Congress deemed that if the electronic transmission of patient health information was to be encouraged by the legislation, there needed to be a means to protect the confidentiality of that information. The HIPAA Privacy Rule, which had a compliance date of April 14, 2003, was the first regulation to ensure the protection of patient health information. The Security Rule, with a compliance date of April 21, 2005, is also intended to protect the confidentiality of patient information.

Privacy and Security: The Similarities; the Differences

The implementation of the HIPAA Privacy Rule's requirements was eased by the flexibility of the regulatory standard within the Rule. The Privacy Rule's compliance standard for regulated entities (i.e., health care providers who conduct certain transactions with third-party payers electronically) is the adoption of reasonable measures to protect the confidentiality of patient information. What constitutes reasonable measures for a particular office is largely determined by such things as the size of the practice, the physical layout of the office, how patient information is used and conveyed within the practice, and even such factors as cost. What might be a reasonable measure to protect patient information within a hospital setting is going to be different from a reasonable measure in a dental practice with one or two dentists. Measures that are reasonably necessary for a hospital to protect against the unauthorized release of patient information are likely to be unreasonable for a small private practice office.

The standard of compliance for the Security Rule is the same: the regulated entity must install reasonable measures to secure patient information. What are reasonable security measures for a large entity like a hospital are likely to be unreasonable for a small entity like a private dental practice office. There is also some overlap between the requirements of the Privacy Rule and the Security Rule, meaning that what a dental practice did to comply with the Privacy Rule ensures that the practice is already in partial compliance with the Security Rule.

There are differences between the concepts of privacy and security, however. Privacy deals with what is called leakage of protected personal health information. Such leakage occurs, and can be controlled, by how patient files are used, how they move through the office during the day, and whether they are ever left in a place where they might be accessible to other patients. Leakage also deals with where conversations take place with patients about their oral health condition, discussions about recommended treatment of their condition, and conversations about how they'll be paying for that treatment. Obviously, such conversations should not take place in the office waiting room or reception area, or within earshot of other patients.

Whereas the Privacy Rule protects against leakage of protected information, the Security Rule deals with unauthorized invasion of confidential patient records. The scope of the rule addresses the protection of patient information that has been electronically created or stored. In this regard, the Security Rule does not address patient information that is in a folder and stored in a file cabinet. The focus of the Security Rule is to protect against hackers breaching a computer network's firewall, the interception of viruses that are attached to emails, the use of passwords to control access to electronically stored patient information, protection against interception of electronically transmitted patient information, and the like.

Security Rule Requirements

In complying with the HIPAA Security Rule, covered entities should begin by recognizing four security requirements:

  • Ensure the confidentiality, integrity, and availability of all electronic protected health information that the covered entity creates, receives, maintains, or transmits.
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  • Protect against any reasonably anticipated unauthorized uses or disclosures of such information.
  • Ensure compliance by its workforce.

There are three basic categories of requirements in the Security Rule: administrative safeguards, physical safeguards, and technical safeguards to protect electronically stored health information. Essentially, administrative safeguards involve documented, formal practices to manage the selection and implementation of security measures; physical safeguards involve the protection of computer systems and related equipment from hazards and intrusions; technical safeguards involve processes that protect and monitor information access, and protect data that is transmitted over a network.

Within each of these compliance elements are specific standards that are required of all regulated entities, and other standards which are addressable, meaning they must be implemented if they are deemed reasonable, appropriate, and applicable to a regulated entity.

Required administrative safeguards involve conducting an analysis to determine potential risks to the confidentiality of patient records that are stored and used electronically; implementing practices to reduce identified risks; instituting a system to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports; developing a policy to sanction staff members who violate the office's security procedures; designating one staff person to be the Security Officer (similar to the designation of a Privacy Officer as required by the HIPAA Privacy Rule); establishing who on staff has an appropriate need to access patient records, and who does not; and establishing and providing a security training program for office staff.

Required physical safeguards are such things as implementing a policy limiting access to the office computer system to those on staff who require such access; developing policies and procedures for workstation use, physical safeguards, and security; securing transmission media, such as the Internet, leased lines, dial-up lines, and private networks; and procedures governing the receipt and removal of hardware and electronic media containing electronically stored protected health information.

Required technical safeguards consist of establishing password access to electronically stored patient files; a means of assigning a unique name or number to track each user of the office computers; and the means to recover or access patient information during an emergency.

Many of these safeguards may be added to new versions of practice management software before April 2005. Dental offices should contact their practice management software vendors to inquire about the development and availability of upgraded versions which will be compliant with HIPAA's Security Rule.

In addition, the American Dental Association will be publishing in July a companion compliance kit to the HIPAA Privacy Kit. The Security Kit promises to be the single source from which dental offices can gain the information necessary to comply with the new rule. ADA is taking orders now for the Security Kit at 800-947-4746, or it may be ordered online through the product catalog on ADA.org.

For further information on the Security Rule, or other HIPAA requirements, you may contact Greg Alterton at CDA at 916-554-4994. You may also email an inquiry to greg.alterton@cda.org, or to the ADA at hipaa@ada.org.


June 2004


Copyright © 1995-2006 California Dental Association, All Rights Reserved.