DT U.S. Edition, November 2010, Vol. 5, No. 22

The importance of privacy

Practice Matters

By Stuart J. Oberman, Esq.

Privacy is something we all value. It should not come as a surprise to anyone that dental patients want to ensure more than ever that their personal information will not be shared with anyone without a legitimate need to know. Under the U.S. Department of Health and Human Services, HIPAA Rules were created to ensure that all health-care professionals respect and protect a patient’s privacy.

HIPAA gives patients significant rights in controlling how medical professionals maintain and communicate individual health information. How well does your office comply with HIPAA guidelines? Because HIPAA compliance is not optional, every dental office should take the necessary steps to ensure it is HIPAA compliant.

About HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996. HIPAA provides federal protections for patients’ health-care information. The HIPAA Privacy Rule does permit the disclosure of personal health information needed for patient care and other important purposes related to patient care.

The Security Rule under HIPAA specifies a series of administrative, physical, technical and security measures required for covered entities (dental offices that transmit patient information in electronic form) to use in order to assure the confidentiality, integrity and availability of electronic protected health information.

The main objective of the HIPAA legislation is to protect the privacy of individual health information by imposing strict security requirements on health-care providers with access to confidential patient information. As a part of HIPAA, Congress mandated the establishment of standards for the privacy of individually identifiable patient health information.

The HIPAA Privacy Rule requires that dentists (and other medical practitioners) obtain patient consent before using or disclosing a patient’s personal health-care information, which may be needed for treatment, payment and other health-care related purposes.

Private health information, also known as PHI, is any information relating to a patient’s health, treatment or payment for health care that identifies a patient. Private health information includes, but is not limited to, names, addresses, phone numbers, fax numbers, e-mail addresses, credit card information, certificate numbers, license numbers, account numbers and birth dates. Many dental employees, including dental assistants, dental hygienists, lab technicians and front office staff, may come into direct contact with a patient’s PHI. PHI should be carefully secured and traced throughout the dental office to ensure patient confidentiality.

HIPAA does not require that dentists sound-proof rooms to ensure that confidential conversations are not overheard; however, dentists should make every reasonable effort to ensure that confidential conversations take place in areas away from other patients. Also, computers, printers, faxes and file cabinets or other containers where patient records are stored should be placed in secured areas without patient access.

Although compliance is mandatory only for “covered entities,” the American Dental Association suggests that dentists who are not covered entities adopt the same privacy practices that HIPAA mandates for covered entities. It is still possible that HIPAA privacy laws may establish an industry standard among dental practices, and the failure to comply with the industry standard may result in liability for the owner of a dental practice.

Understanding the value of PHI and its relationship with HIPAA, the owner of a dental practice should be able to answer some very important questions such as: How is PHI stored in our office?
How is patient information secured? Who is authorized to access the information? How and when is this patient information destroyed? Where in the office is it appropriate to discuss personal health information? Have we implemented proper training procedures? Answers to these questions cannot be left to interpretation.

The owner of a dental practice must adopt and implement comprehensive privacy procedures for the office in order to ensure that patient records are kept in a secure space. In addition, employees in a dental office must comply with HIPAA policies and procedures that have been established.

Most of the information obtained regarding patients does require the implementation of security measures. If employees are not aware of HIPAA standards as established by the owner of a dental practice, a violation of HIPAA may be costly.

Patient rights

The HIPAA Privacy Rule gives patients considerable rights in controlling their identifiable health-care information. Covered entities must provide a Notice of Privacy Practices to each patient, which details how the practice can use and disclose confidential patient health-care information.

Under HIPAA, a health-care provider must obtain a patient’s authorization before releasing protected patient information. However, a health-care provider may release patient information for specified health-care related purposes, such as for remitting payment or for patient-related treatment.

As for patient records, patients are permitted access to their own records. In addition, patients may also request restrictions on the disclosure of their personal health-care information. Patients may also request an amendment to any information in their medical file that they believe is erroneous.

The HIPAA Privacy Rule also prohibits employers from using a patient’s personal health-care information as a factor in making employment decisions.

HIPAA violations

Failure to comply with HIPAA can result in both civil and criminal penalties, and the penalties can be stiff. These penalties vary based on the nature of the violation and the extent of the resulting harm.

Health-care entities and individuals who obtain or disclose individually identifiable health information face a penalty ranging from $50,000 to $100,000 per violation, as well as imprisonment for up to one year. However, offenses committed with the intent to use the information for personal gain, harm or commercial advantage face fines up to $250,000 and imprisonment for up to 10 years.

Because there is no private right of action for a patient to enforce his or her privacy rights, enforcement of the civil penalties will be processed through the Department of Health and Human Services Office of Civil Rights, and the criminal penalties will be enforced through the government.

It is important to note that the owner of a dental practice may be held liable for HIPAA violations. Employees who knowingly violate a HIPAA rule may also be subject to civil or criminal penalties as well (including dental hygienists, dental assistants, etc.). As a result, in order to avoid potential civil and criminal penalties, all members of a dental practice should be aware of HIPAA guidelines and procedures.

The HIPAA Privacy Rule does allow dentists to use patient sign-in sheets in their offices. However, requiring a patient to indicate the purpose of his/her appointment is a violation of HIPAA and should be avoided.

Reminder cards sent to a patient’s home with appointment dates on them are not considered a HIPAA violation because of the preventative nature of dental care. Still, if the cards mention the purpose of the appointment (i.e., “This is a reminder of your appointment for dental implants.”), it will be considered a violation of the HIPAA Privacy Rule.

In addition, schedules of patient appointments should not be placed in an area in the office that is visible to other patients. Finally, patient appointment calendars should never be placed on the Internet (yes, this has happened).

Conclusion

The owner of a dental practice must determine whether the office is HIPAA compliant. A failure to properly implement HIPAA security and patient privacy rules could result in potentially large civil and criminal penalties.

The employees of a dental practice must be trained in both HIPAA regulations and security measures. A patient’s individually identifiable health-care information is confidential and should be treated accordingly.

About the author

Stuart J. Oberman, Esq., has extensive experience in representing dentists during dental partnership agreements, partnership buy-ins, dental MSOs, commercial leasing, entity formation (professional corporations, limited liability companies), real estate transactions, employment law, dental board defense, estate planning and other business transactions that a dentist will face during his or her career. For questions or comments regarding this article, visit

(Front page photo/Saniphoto,