The Question of Subcontractors to Dental Offices. When Must They Sign Business Associate Agreements? – Summer 2003

When independent contractors come into a dental office, when are they required to sign a business associate agreement with the dental provider? This question comes up frequently, and there are some important distinctions that must be recognized.

First, companies or contractors that come into an office and do work which does not require any access to the office’s health information, such as electricians or service personnel of dental equipment, do not have to sign business associate agreements.

Secondly, if the work is done under direct order of the dental office, and is supervised and controlled by the office, then a business associate agreement is not required. If the work is done as a part of the treatment process, the business associate agreement is not required.

If there is an absence of control of these personnel, and they have access to protected health information, such as with software sales or installation representatives, computer repair personnel, and the work is done on site, then a business associate agreement is required.

Even if the protected health information is directly supplied to these personnel, the absence of control requires that a business associate agreement be set up with the companies paying these personnel.

Have These HIPAA Issues Come Up in Your Office? – Summer 2003

1. What is protected health information?

Answer #1: Protected health information, or PHI, is all information that may be used to identify a patient of a provider of medical services, whether it is medically related or not.

2. Can protected health information be transferred to a dental lab without further authorization?

Answer #2: Yes. Under the HIPAA regulations, if the disclosure is for treatment   purposes, then there is no further authorization required.

3. Can insurance companies force dentists into complying with HIPAA regulations and transactions requirements?

Answer #3: Yes. Insurance companies can require HIPAA compliant claims submissions, unless they are trying to require HIPAA standardized transactions from a non standardized office to their HIPAA compliant office prior to October 16, 2003. In that case, they are required to accept the non compliant transactions until the interim period for allowing the phasing in of the standard transaction language is over as of October 16, 2003.

4. Can a dentist be considered to have violated HIPAA privacy regulations because of training of staff in requirements for HIPAA?

Answer #4: “Failure to train” liability is a possibility for providers such as dentist who are found to have violated HIPAA, although at this early stage of the regulation, no courts have yet ruled on this issue.

5. When is a bank required to become a business associate?

Answer #5: When a bank goes beyond just handling regular consumer financial  transactions and obtains protected health information which is not required to handle routine consumer financial transactions relating to payment for dental care, then a business associate agreement must be signed or authorization obtained.

6. Is incidental disclosure of protected health information a violation of HIPAA regulations?

Answer #6: Yes, if the disclosure of protected health information was temporary (such as in verbal statements) and not intentional.

7. Are HIPAA privacy officers liable for violations of HIPAA regulations?

Answer #7: The covered entity, or dental care provider, is liable for penalties for    violations of HIPAA regulations occurring as a result of actions of its employees.  (editor’s note: there are new rules for individual penalties for employees as of 2010), but the privacy officers are subject, if they have employment contracts, to the rules instituted by the provider for its employees and possible contractual liability.

8. Can spouses obtain each others protected health information?

Answer #8: If one spouse is responsible for the payment of the other spouse’s dental care, and/or is present when that care is given, protected health information of the other spouse may be disclosed because of the spouse’s direct involvement in the dental treatment or payment for dental care.

9. Must volunteers be part of the workforce required to be trained in HIPAA regulations?

Answer #9: Volunteers are considered part of the workforce for HIPAA purposes, and must undergo the provider’s HIPAA training procedures.

10. Can HIPAA regulations be enforced outside of claims to the federal government?

Answer #10: The Health Privacy Project, a Georgetown based private initiative in             enforcement, has established a web site and requested that copies of complaints                submitted to the federal government’s Office of Civil Rights be submitted to their project also as a monitoring system of the enforcement process.

Confidentiality in Patient Records – April 2009

Many dentists and their staffs are confronted with the realities of the federal HIPAA statute concerning privacy of patient medical information every day as they are required to have patients sign documents stating they understand they are aware that they have certain rights to privacy of their medical records under federal law. Issues particularly important to dental practices continue to surface that dentists and their staffs must be aware of on a day to day basis.

In this day and age, the transfer of medical information by e-mail is becoming more and more necessary as paperless technology in the keeping of patient records is being legislated regularly by incoming federal and state governmental bodies. Dentists must communicate information about patient’s medical records to specialists who are treating these patients for symptoms that are visible to both professionals. Communicating this information by paper is for the most part a decreasing phenomenon, particularly when new privacy laws require that less staff personnel have access to private medical information. Dentists must be aware of how to transfer medical records to other dentists and specialists electronically without the use of intermediaries who should not have access to those records because of privacy laws. E-mail is an excellent medium to use in transferring that information but it too can be accessed by intermediaries if not properly kept private between dental professionals.

The privacy of e-mailing medical records is now becoming an issue that is being dealt with in the private sector by new software that is being put out by major technology companies. E-mail is now being thought of as somewhat similar to a post card in that it may be intercepted and read by third parties when not properly kept confidential by the sender and recipient. E-mail may be encrypted or coded with a digital ID (often called a digital certificate) with software put out that is compatible on programs such as Netscape or Microsoft Outlook. A third party group on the internet verifies the identity of the sender and recipient before information is exchanged. Verisign is one such company which markets this service, and the prices are reasonable ($14/year with a 60 day free trial).   With this type of process becoming a frequently used medium of exchange of medical information between medical professionals, dentists and specialists, they need to be aware of the changing technology necessary and often mandated by law.

Records of patients in dental offices that must be kept confidential and not entirely accessible by many of the staff members are not limited to just medical information. Patient accounts need to be preserved so as to prevent financial information from being used inappropriately or illegally. Recently, there have been cases of fraudulent use of patient accounts by office staff members to steal money from dental offices. In one particular instance a dental assistant was found to be forging orders for expensive dental procedures under patients’ names, intercepting insurance checks, and pocketing the resulting cash. Now there are companies which can make sure patient accounts are available only for use by appropriate and trusted personnel.   These companies provide accounting services through e-mail and can provide procedures which can be checked regularly for fraudulent use by staff members. Computer files can be accessed only by particular passwords available only to personnel who have been given the necessary background checks to ensure trustworthiness.

Staff members as well as dentists must be kept up to date on confidentiality issues. An agreement should be signed by all staff in an employee handbook or other document in which   the staff members acknowledge that all patient records must be kept confidential. Recently, Massachusetts Attorney General Martha Coakley issued an opinion in connection with fraudulent use of patient accounts by Sierra Dental, a southeastern Massachusetts group of dental offices, which confirmed the Massachusetts law that requires the maintenance of confidential patient records for at least 3 years since the last active patient encounter. This law is among the growing number of state and federal statutes supplementing HIPAA which all dentists and their staff need to adhere to.

New HIPAA Regulations for Dental Offices – December 2009

The HIPAA privacy and security regulations which have had increasing influence on the communication within and between health care providers such as dental offices, have now become more complex and pervasive than ever before. And, with the American Reinvestment and Recovery Act (ARRA), more enforcement of larger penalties is now in store for violators. Most of the focus of the new statues involved, known as the HITECH laws have to do with breach of security or privacy law notification, but there are other provisions that make employees and not just employers liable for breaches, necessitating more training for office staff and increased responsibilities for privacy officers.

New breach notification rules in effect on September 23, 2009, with enforcement to start on February 22, 2010, are now requiring covered entities (CEs) that use protected health information ( PHI)(any identifying information used in the health care setting) to notify the Department of Health and Human Services (HHS) without reasonable delay and within 60 days of the discovery of a breach of privacy or security in handling PHI. CE’s are still the decision makers in deciding whether or not a breach has occurred which will create “harm” for the party whose information was somehow released in violation of the regulations, with “harm” being defined as a disclosure of PHI that creates a significant risk of financial, reputational or other harm to individuals. Unintentional access to PHI by a CE or business associate (which are those entities which deal with a CE on an independent contractor basis) or certain inadvertent disclosures still do not meet the standard necessitating notification.

The penalties for disclosing PHI have been increased and those covered have been expanded significantly. The new penalty structure allows for penalties of between $100/violation up to $50,000/violation and up to $1.5 million per year depending on the size of the breach and how much responsibility the violator should have had for knowing it would take place. More enforcement officers have been added, and auditing procedures will be put in place.

Now more than ever before employees of dental offices must be diligent in their efforts to preserve PHI on a daily basis because now individual violators such as employees, trainees, volunteers and any other persons who are under the direct control of the health provider are legally responsibility for individual breaches. Business associates, or those who deal with providers and PHI in a contractual relationship, must have business associate agreements which detail the specifics of what and how information will be transferred and how breaches will be handled once they are discovered. New tighter regulations govern business associate relationships and will be in place in February, 2010. No longer are patient provided restrictions on access to their PHI optional for the health care provider to decide whether they are necessary.

There must be a privacy officer designated by each dental office, and more and more responsibility is now required of them to provide in-depth training of new and current employees. They are required to create a policies and procedures manual for determining when breaches are likely to occur, what is the likely harm that will result, and how they will be dealt with as far as notifying individuals affected and the HHS. If a breach does occur, such policies as further encryption of PHI and more training and development of breach notification policies and procedures including a formal risk and management analysis for each office must take place.

The ADA has fought for an exemption for small dental offices, and has succeeded in postponing applicability of the deadline for compliance until June 1, 2010. There are time deadlines that the HHS has set in motion for implementation of further standards, including a proposed February 12, 2012 date for the beginning of the sharing of civil money penalties with harmed individuals. When harmed individuals begin to realize monetary benefits from breaches (which is already happening with other privacy laws), vigilance over possible breaches is more essential.

Security Risk Management Analysis for Dental Offices – January 2010

Security of Protected Health Information (PHI) has been a focus of federal legislation applicable to dental offices since the enactment of the Health Insurance Portability and Accountability Act (HIPAA) in 1996 and its subsequent revisions in 2003, 2005 and within the last year. As a result of that legislation, now dental offices must have a privacy officer appointed who conducts a risk management analysis for each office so that it may comply with the new breach of PHI disclosure notification regulations in effect starting on February 17, 2010.

The first need for a privacy officer to understand when conducting a risk management analysis is what a breach is under the new rules. It is an unauthorized disclosure of PHI which may result in financial, reputational or other harm to an individual. The risks involved in handling PHI in certain ways must be weighed by the privacy officer in order to develop safeguards in three areas: administrative, technical, and physical aspects of a dental office. It is important for all employees to know how to prevent an unauthorized disclosure in these areas, and for the privacy officer to be able to decide whether the disclosure would result in harm significant enough to require notification of an individual or others.

There must be a written set of privacy procedures in place, and it is the extent to which those procedures effectively address the problems associated with possible security breaches that determines the risk of a breach occurring. The procedures must state who has access to PHI, what kinds of PHI can be accessible by various employees, and for what purposes the PHI may be used. There must be a balancing test done by the privacy officer writing the procedures of the need to use and access readily the PHI for treatment, payment or operations of the office and the risk of disclosure if PHI is made too easily available. A good way to start this process is for the privacy officer to identify what PHI is necessary for particular functions (such as medical histories, lab work, x-rays and patient charts for treatment, patient accounts and insurance information for payment, and other identity information for operations). Then the levels of access for employees dealing with those particular functions can be determined. Written procedures regarding what training is being used at what stage in the employment relationship must be set out, showing what the training is done on, what a breach is, who to notify when a potential breach happens, and how to prevent breaches from occurring in various situations, to name a few topics.

Technical safeguards must be in place in a dental office that show that the risks of breaches have been minimized in the areas of communication of electronic PHI in particular. There should be a way of authenticating communications with other entities, and encryption is beginning to be recommended for communications of such information as dental x-rays and other information in dental charts. A system of double keying passwords should be evident and there should be a way of authenticating digital signatures. There must be a back up of data to a secure site, and for protection against occurrences like natural disasters, to another site aside from the location of the office. A wireless router should be used if the internet is used for internal purposes. And particularly if the router is from a retail store, there should be a default to a secure setting. In any case, the wireless routers should be isolated from the primary network. A computer networking advisor should be available for consultation in the process of installing technical safeguards.

There must be a weighing of whether sufficient physical safeguards are present to ensure against breaches. This includes the non-accessibility of PHI to non-employees, appropriate mechanisms for making sure business associates are trained in allowable access, the monitoring of PHI access, and proper and private workstation use rules. There must be rules involving a lockdown of access to computers at the end of the day, including requirements for logging out of practice management software.

The new statute requires a thorough risk management analysis, and each privacy officer should ensure that there is definitive evidence that it has taken place.