HIPAA FOR THE DENTAL PRACTICE

Catherine C. Cownie
E-mail: cownie@brownwinick.com
Telephone: 515-242-2490

Adam J. Freed
E-mail: freed@brownwinick.com
Telephone: 515-242-2402

BrownWinick Law Firm
666 Grand Avenue, Suite 2000
Des Moines, IA 50309-2510
Website: www.brownwinick.com

Questions to Ask About Your Practice
- When was the last time you completed a HIPAA risk assessment?
- Do you have a written HIPAA compliance plan?
- If you have a compliance plan, when was the last time you reviewed it?
- When was the last time you provided training to your employees regarding HIPAA?
- Other than your employees, who has access to your patients' dental records?
- Who is your Privacy Officer?
- Who is your Security Officer?

Applicable Laws
- Rules of the Iowa Dental Board
- HIPAA
- Other laws applicable to specific categories of information: substance abuse, mental health, HIV/AIDS, employment
Iowa Dental Board Rules 27.11(2) Retention of records.
A dentist shall maintain a patient's dental record for a minimum of six years after the date of last examination, prescription, or treatment. Records for minors shall be maintained for a minimum of either (a) one year after the patient reaches the age of majority (18), or (b) six years, whichever is longer. Study models and casts shall be maintained for six years after the date of completion of treatment. Alternatively, one year after completion of treatment, study models and casts may be provided to the patient for retention. Proper safeguards shall be maintained to ensure safety of records from destructive elements.

Iowa Dental Board Rules 27.11(3) Electronic record keeping.
The requirements of this rule apply to electronic records as well as to records kept by any other means. When electronic records are kept, a dentist shall keep either a duplicate hard copy record or use an unalterable electronic record.

Iowa Dental Board Rules 27.11(5) Confidentiality and transfer of records.
Dentists shall preserve the confidentiality of patient records in a manner consistent with the protection of the welfare of the patient. Upon request of the patient or patient's legal guardian, the dentist shall furnish the dental records or copies or summaries of the records, including dental radiographs or copies of the radiographs that are of diagnostic quality, as will be beneficial for the future treatment of that patient. The dentist may charge a nominal fee for duplication of records, but may not refuse to transfer records for nonpayment of any fees.
HIPAA and HITECH
- HIPAA: Health Insurance Portability and Accountability Act
- HITECH: Health Information Technology for Economic and Clinical Health Act

HIPAA Applies to Protected Health Information
Protected health information (PHI) is individually identifiable health information: any information that identifies a patient (or could reasonably be used to identify one) and relates to the patient's health, care, or payment for care. It is protected regardless of whether the information seems private or sensitive; a patient's name paired with an appointment date is PHI just as a diagnosis is.

PHI Includes Dental Records Maintained Pursuant to Iowa Dental Board Rules
The rules of the Iowa Dental Board require the following in dental records:
- Name, date of birth, address and, if a minor, name of parent or guardian.
- Name and telephone number of emergency contact.
- The patient's dental and medical history.
- When a patient presents with a chief complaint, the patient's stated oral health care reasons for visiting the dentist.
PHI Includes Dental Records Maintained Pursuant to Iowa Dental Board Rules (cont.)
The rules of the Iowa Dental Board also require chronological dates and descriptions of the following:
- Clinical examination findings, tests conducted, and a summary of all pertinent diagnoses;
- Plan of intended treatment and treatment sequence;
- Services rendered and any treatment complications;
- All radiographs, study models, and periodontal charting, if applicable;
- Name, quantity, and strength of all drugs dispensed, administered, or prescribed; and
- Name of the dentist, dental hygienist, or any other auxiliary who performs any treatment or service or who may have contact with a patient regarding the patient's dental health.
- Documentation of informed consent.

Who Must Comply with HIPAA?
Covered Entities
- Health plans
- Health care clearinghouses
- Health care providers who transmit health information in electronic form in connection with a standard transaction (for example, electronic insurance claims). In practice this covers nearly every dental office.

Business Associates
- A person or organization that creates, receives, maintains, or transmits protected health information on behalf of a covered entity
- NOT a member of the covered entity's workforce

Likely Business Associates of Your Dental Practice
- Electronic dental record provider
- Information technology support provider
- Claims processor
- Third-party billing company
- Law firm
- Accounting firm
- Document shredding company
Business Associates Now Include Subcontractors of Your Business Associates
A business associate includes a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate. The HIPAA obligations therefore flow down the chain: your business associate must obtain the same assurances from its own subcontractors that it gives to you.

Who Must Comply with HIPAA? (cont.)
(Diagram, reconstructed as text.) The patient's PHI flows from the dentist (covered entity) and the dental plan (also a covered entity) to:
- Workforce members: employees
- Business associates: lawyer, accountant, billing company
- Subcontractor business associates: the lawyer's IT provider

What Documentation Should a Dental Practice Request from its Business Associates?
A business associate must provide satisfactory assurances that it will appropriately safeguard the protected health information. The business associate provides those assurances in a Business Associate Agreement (BAA). At a minimum the BAA should require the business associate to use PHI only as permitted by the agreement, to report any use or disclosure not provided for (including breaches and security incidents), to impose the same restrictions on its subcontractors, and to return or destroy the PHI when the engagement ends.
Dental Labs
In March 2017, the Office for Civil Rights confirmed that dentists are not required to have a Business Associate Agreement with their dental laboratory when disclosing PHI for treatment purposes.
http://www.ada.org/en/publications/ada-news/2017-archive/march/ocr-responds-toquestion-about-dental-labs-business-associate-agreements

So I'm Subject to HIPAA. Now What Do I Do?
HIPAA requires covered entities and business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information.

STEP 1: Conduct a Risk Assessment
HIPAA requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. The risk assessment must be prepared in writing, and it should be repeated whenever the practice changes systems or vendors, not only once. HHS and ONC publish a free Security Risk Assessment (SRA) Tool that walks a small practice through the required questions.
STEP 1: Conduct a Risk Assessment (cont.)
Possible vulnerabilities (not an exhaustive list):
- No off-site backup of electronic PHI (or backups that have never been test-restored).
- Lack of a Business Associate Agreement with one or more business associates.
- Protected health information stored in unencrypted form. Note: under HHS guidance, PHI that is encrypted in a manner consistent with that guidance is "secured" PHI, and its loss or theft is not a reportable breach; a stolen unencrypted laptop is.
- Insufficient user access controls on computer systems containing PHI (shared logins, everyone as administrator, no access reviews).
- Passwords taped to the side of monitors.
- Storage of PHI on portable devices that could be lost or stolen.
- Routine discussion of care with patients in an area where other patients are present (such as the waiting room).
- Former employees who still have keys to the office or building, or whose system accounts are still active.
- Outdated anti-virus software or unpatched operating systems.

STEP 2: Correct Any Deficiencies Identified
If your risk assessment identifies any risks, determine what steps are necessary to eliminate or minimize each risk. Document the steps you take to eliminate or minimize the risk; the documentation is what you will show an auditor.

STEP 3: Develop Written Policies and Procedures
Establish protocols for your administrative, physical, and technical safeguards, such as the following:
- How often and where electronic PHI is backed up
- Password content requirements and how often they must be changed
- Which workforce members have keys to the office
- When and how training is provided to new and current workforce members
- Termination of access to PHI by former employees (keys, badges, and system accounts on the last day)
- Restrictions on use of portable devices for electronic PHI
- Use of anti-virus software
STEP 3: Develop Written Policies and Procedures (cont.)
Specify processes for complying with your patients' rights under HIPAA, including their rights to:
- Access their PHI
- Amend their PHI
- Obtain an accounting of disclosures of their PHI

Also:
- Establish a procedure to follow if you are unable to access your electronic PHI (contingency plan).
- Establish a procedure to follow in the event of a breach of electronic PHI.
- Establish a sanction policy for employees who fail to comply with the policies and procedures.

STEP 4: Train Your Workforce on the Policies and Procedures
- Provide initial training to all employees upon adoption of the policy.
- Include HIPAA training in the orientation for new employees.
- Periodically hold refresher courses for current employees.
- Periodically send out reminders to employees.

STEP 5: Monitor Compliance with Policies and Procedures and Revise as Necessary
HIPAA compliance is an ongoing process (diagram, reconstructed as text): Risk Assessment -> Correct Deficiencies -> Implement Procedures -> Train Workforce -> Monitor Compliance -> back to Risk Assessment.
HIPAA Example
[Insert Video]

HIPAA Issues Identified in the Example
- Elaine could have simply requested a copy of her medical record from her physician.
- The physician reviewed an x-ray image in plain view of everyone in the lobby.
- "Fake erase": the rules of the Iowa Dental Board do not permit erasures or white-outs in dental records. Changes can only be made by drawing a single line through the incorrect information and initialing the change.

Consequences of Failing to Comply with HIPAA and HITECH
- Discipline by the Iowa Dental Board.
- Breaches of unsecured PHI must be reported to the affected individuals and to the HHS Office for Civil Rights.
- Breaches affecting more than 500 individuals must also be reported to prominent media outlets.
- Civil penalties of $100 up to $50,000 per violation depending on the level of culpability, subject to an annual cap per provision violated.
- Criminal penalties of up to 10 years in prison for knowing violations where PHI is obtained or disclosed with intent to sell it or use it for commercial advantage, personal gain, or malicious harm.
- State Attorneys General can enforce HIPAA.
- Damage to reputation and loss of confidence among patients.
Recent Examples of HIPAA Breaches
(News clippings shown on the slides, dated June 29, 2016; images not reproduced here.)
BrownWinick
Website: www.brownwinick.com
Toll Free Phone Number: 1-888-282-3515

OFFICE LOCATIONS:
666 Grand Avenue, Suite 2000
Des Moines, Iowa 50309-2510
Telephone: (515) 242-2400
Facsimile: (515) 283-0231

616 Franklin Place
Pella, Iowa 50219
Telephone: (641) 628-4513
Facsimile: (641) 628-8494

DISCLAIMER: No oral or written statement made by BrownWinick attorneys should be interpreted by the recipient as suggesting a need to obtain legal counsel from BrownWinick or any other firm, nor as suggesting a need to take legal action. Do not attempt to solve individual problems upon the basis of general information provided by any BrownWinick attorney, as slight changes in fact situations may cause a material change in legal result.