HIPAA Policies
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.
HIPAA Privacy Rule
The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being. The Privacy Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.
Covered Entities
The following types of individuals and organizations are subject to the Privacy Rule and considered covered entities:
- Healthcare providers: Every healthcare provider, regardless of size of practice, who electronically transmits health information in connection with certain transactions. These transactions include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule.
- Health plans: Entities that provide or pay the cost of medical care. Health plans include health, dental, vision, and prescription drug insurers; health maintenance organizations (HMOs); Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers; and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government- and church-sponsored health plans, and multi-employer health plans.
- Exception: A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.
- Healthcare clearinghouses: Entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate.
- Business associates: A person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. These functions, activities, or services include claims processing, data analysis, utilization review, and billing.
Permitted Uses and Disclosures
A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:
- Disclosure to the individual (if the information is required for access or accounting of disclosures, the entity MUST disclose to the individual)
- Treatment, payment, and healthcare operations
- Opportunity to agree or object to the disclosure of PHI (Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object)
- Incident to an otherwise permitted use and disclosure
- Public interest and benefit activities: The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes:
- When required by law
- Public health activities
- Victims of abuse or neglect or domestic violence
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement
- Functions (such as identification) concerning deceased persons
- Cadaveric organ, eye, or tissue donation
- Research, under certain conditions
- To prevent or lessen a serious threat to health or safety
- Essential government functions
- Workers compensation
- Limited dataset for research, public health, or healthcare operations
HIPAA Security Rule
While the HIPAA Privacy Rule safeguards protected health information (PHI), the Security Rule protects a subset of information covered by the Privacy Rule. This subset is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This information is called “electronic protected health information” (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.
To comply with the HIPAA Security Rule, all covered entities must do the following:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information
- Detect and safeguard against anticipated threats to the security of the information
- Protect against anticipated impermissible uses or disclosures
- Certify compliance by their workforce
Covered entities should rely on professional ethics and best judgment when considering requests for these permissive uses and disclosures. The HHS Office for Civil Rights enforces HIPAA rules, and all complaints should be reported to that office. HIPAA violations may result in civil monetary or criminal penalties.
For more information, visit the Department of Health and Human Services HIPAA website.
WHAT DOES THIS MEAN?
HIPAA is the requirement that we keep PHI (Protected Health Information) private and discuss it only with the owner of the PHI, or with someone the owner has granted us permission to discuss it with through our HIPAA form.
The 18 identifiers that make health information PHI are:
- Names
- Dates, except year
- Telephone numbers
- Geographic data
- FAX numbers
- Social Security numbers
- Email addresses
- Medical record numbers
- Account numbers
- Health plan beneficiary numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plates
- Web URLs
- Device identifiers and serial numbers
- Internet protocol addresses
- Full face photos and comparable images
- Biometric identifiers (e.g. retinal scan, fingerprints)
- Any unique identifying number or code
It is imperative that you check the scanned images to see whether a HIPAA form has been completed before discussing any patient’s record with anyone other than the patient.
HIPAA AND EMAIL
We communicate a lot via email, both internally (with people who work at Keith and Associates) and externally. Usually when sending patient data or PHI we are communicating with other offices regarding the treatment of a patient. We provide records such as patient notes, x-rays, and anything else relevant to help the other office provide the best patient experience possible.
When transmitting data it is imperative to protect PHI. We use a service called Azure to help encrypt the email. All you have to do is type “encrypt” somewhere in the email and it will require the recipient to log in to a secure portal to receive the information. This extra layer of security is required by law. Everyone’s email is equipped with this software.
HIPAA BOTTOM LINE
Here is the deal: it is up to each person to protect patient data. Here are some basic rules of the office:
- If you are not actively working in a patient’s chart either working on their account, preparing for their appointment, or treating the patient, you do not belong in that chart.
- Under no circumstances may you take PHI out of the office. This includes printed reports, pictures on your cell phone, phone numbers to call the patient later, addresses, etc.
- You are to use PHI only for the purposes of the dental office; no personal use under any circumstances.
- You are responsible for your login. Anything that happens under your login is your responsibility. Remember to sign in and out of your computer and Open Dental.
- Always check the patient’s chart for a HIPAA release before discussing any PHI with someone other than the patient.
It is easy to get comfortable and forget basic HIPAA rules. However, patients trust us with their information and we need to protect it like we would want our data protected. If you have any questions, please direct them to the HIPAA Coordinator or the Office Manager.
By marking this page as completed, you are accepting that you understand the HIPAA law and will uphold privacy policies within our office.