Enacted in 1996, Title II of the Health Insurance Portability and Accountability Act (HIPAA) brought with it three essential rules that shape actions dental practices must take to protect patient protected health information.
HIPAA Privacy Rule
HIPAA Security Rule
HITECH Breach Notification Rule
Practitioners and office managers should regularly evaluate office policies and procedures to ensure compliance with the three essential rules noted above. Below is a brief summary of the obligations each of the rules creates for dental practices.
This rule is the most familiar of the three as it gives patients more control over their health information. Under this rule, patients have the right to ask providers for a change in their records or ask the provider not to disclose their information. One right it created providers may not be as familiar with is the obligation of a healthcare provider to accommodate reasonable requests from patients to communicate with them confidentially, at an alternative location or by an alternative means. Some providers have implemented patient portals which provide patients with an alternative means of accessing health information and communicating with the provider in a secure, confidential manner. If your practice is considering implementing such a portal, be sure to have an experienced attorney review any contracts with the platform provider to ensure proper steps are in place to protect patient protected health information from unauthorized access and/or alteration.
The security rule affects the back-office operations and requires extensive efforts on the provider’s part to ensure proper safeguards are in place to protect electronic patient information. According to the American Dental Association, the “purpose of the Security Rule safeguards is to protect the confidentiality, integrity, and availability of electronic patient information.”
Dental offices must ensure patient health records are protected from people who have no business accessing patient health records and must protect records from alteration or changes by unauthorized individuals. Lastly, you and those who need access to your records should have access to your information whenever it is needed.
Breach Notification Rule
This is perhaps one of the most important of the three rules. This requires your practice to notify a patient in the event of a breach of unprotected information. In some instances, you may also be required to notify not only the government, but also the media about the breach. Failure to follow this rule may result in monetary penalties under the Enforcement Rule.
For guidance on drafting and/or evaluating your practice’s policies and procedures to better protect patient health information and ensure compliance with HIPAA requirements, contact John Saunders at Avisen Legal.
John Saunders is an experienced real estate and business attorney. He focuses his practice on advising business owners and licensed professionals with succession planning and transitions as well as their general corporate matters.
Rachell Henning is a third-year student in the Mitchell Hamline School of Law's innovative Hybrid program. Rachell is an Avisen Fellow alum who enjoys spending time with her husband and two young daughters when she is not working or studying.