ADA News
FAQs: ADA HIPAA helper
Posted Aug. 9, 2005

The ADA Division of Dental Practice is stepping up its efforts to help members comply with regulations under the Health Insurance Portability and Accountability Act of 1996.

Look to future issues of the ADA News for further clarification on the various regulations under HIPAA and compliance guides specifically tailored for dental practices.

In this issue, ADA members' most frequently asked questions about the HIPAA security rule are listed below and posted at ADA.org.

(1) What is this security rule? Isn't it the same thing as privacy? Isn't privacy what HIPAA is all about?

The Health Insurance Portability and Accountability Act of 1996 is a large piece of federal legislation. There are several unique sections of this legislation and security is one of those sections. Privacy is another section that is separate and distinct and has its own requirements. The enforcement deadline for the HIPAA security rule was April 20, 2005.

(2) Do I have to comply with the security rule? Does my office need the ADA's HIPAA Security Kit?

All of the HIPAA rules — for privacy, security, transactions, and identifiers — apply to a dentist if he or she electronically transmits or receives a patient's protected health information using one of the standard transactions established by the U.S. Department of Health and Human Services.

HIPAA standard transactions are:

  • claims or equivalent encounter;
  • claim attachments;
  • claim status inquiry;
  • eligibility inquiry;
  • payment advice or remittance advice;
  • coordination of benefits, explanation of benefits;
  • first report of injury for workers' compensation;
  • enrollment in or withdrawal from a health plan;
  • notice of premium payment.

For assistance in determining whether you are a covered entity, you may wish to consult the "Covered Entity Decision Tool" posted at www.cms.hhs.gov/hipaa/hipaa2.

Dentists should note that they will be required to comply with HIPAA even if they indirectly transmit or receive patients' protected health information using one of the standard electronic transactions.

For example, if a dentist sends paper claims to a clearinghouse, which then converts the paper claims to electronic claims and transmits them to a health plan, the dentist is a covered entity.

Keep in mind that faxes are not considered to be electronic transactions because they exist on paper before transmission.

Finally, remember that dentists who are subject to HIPAA must comply with the security rule in addition to the privacy rule.

(3) Who will enforce the security rule?

The Centers for Medicare & Medicaid Services' Office of HIPAA Standards.

(3a) We don't see Medicare patients. Why is CMS involved?

CMS is part of HHS and was named by the secretary of Health and Human Services to enforce HIPAA rules for electronic transactions and code sets, security and national provider identifiers.

(4) It's already past the April 20, 2005, deadline for security compliance. I just found out that the security rule existed. Am I in trouble?

If you are a covered entity and you have not implemented the security rule in your office, it would be very wise to implement the security rule as soon as possible. At this time, the Office for HIPAA Standards has no plans to perform random audits and is relying on complaints to drive HIPAA security enforcement. No one knows if this will always be the case, of course.

(5) What software do I need to comply with the security rule?

The security rule does not prescribe specific software or technologies. Each covered provider can use the hardware and software that meets the needs of the practice, as long as the technology used in the office provides the appropriate level of security for all electronic protected health information, also referred to as ePHI.

(6) What are some of the main differences between the privacy and security rules?

Unlike the privacy rule, the security rule does not establish any new patient rights. It does not require providers to ask patients to read or sign any forms.

The privacy rule establishes protections for health information in oral, written and electronic form. The security rule establishes highly detailed standards for the protection of electronic health information, but does not apply to written or oral communications.

The security rule requires covered providers to protect the integrity and availability of electronic health information as well as its confidentiality. This means:

  • only authorized individuals may access electronic health information (confidentiality).
  • the information does not change except when changed by an authorized person (integrity).
  • authorized persons can always retrieve electronic health information regardless of circumstances (availability).

The security rule is composed of administrative, physical and technical standards. These standards are designed to help protect the confidentiality, integrity and availability of electronic health information. Covered providers meet these very flexible standards by assessing risks, deciding how to manage risks in a reasonable manner and documenting their decisions.

Ultimately, while the security rule at first may seem narrower than privacy because it covers only electronic communications, it can cut across even more operational lines, involve more business decisions and take more time to comply with than did privacy.

(7) I use X billing software with Y clearinghouse. They say they're HIPAA compliant. Does that mean I'm in compliance?

Maybe. It is possible that your existing policies, procedures and safeguards, in combination with your vendors' efforts, could meet HIPAA security standards without modification. However, there is no way of knowing this for certain without doing a risk analysis. The risk analysis process helps a practice identify and correct its weaknesses.

(8) What is a security officer?

Covered practices must appoint a security official to carry out a risk analysis in order to identify vulnerabilities to the security of electronic protected health information. After identifying these vulnerabilities, the security official will write policy or update existing policy and implement safeguards to manage risks associated with these vulnerabilities. All of the new and existing policies and implementation procedures form the practice's security documentation. In the unlikely event a practice is audited by CMS for security reasons, this security documentation will help the practice avoid or reduce fines.

(9) Who should be my office's security official? Can the responsibilities be delegated to an office manager, hygienist or other staffer?

The security rule's standards cut across many practice operations in such a manner that dentists may not feel comfortable with leaving some of the decisions in the hands of an employee.

In many cases, the best individual for the job of security official may well be the dentist. The job may be delegated, in which case the dentist should keep in mind that as the covered entity he or she is ultimately responsible for HIPAA compliance.

(10) How does the security official do the risk analysis? How is it documented?

The risk analysis is a careful assessment of the areas of the practice to identify vulnerabilities to the security of ePHI.

The ADA HIPAA Security Kit comes with a detailed risk analysis tool (pages 26-34). This tool is a checklist of potential threats and vulnerabilities. Answering the questions contained in the tool helps to provide a clearer image of the practice's weaknesses and helps to prioritize implementation activities.

The use of this particular checklist is not required; the office must, however, carefully analyze all of the risks in the areas specified by HIPAA. There is no prescribed method to complete the risk analysis, but the risk analysis must be completed and documented. It could be as simple as a log sheet that records the dates of periodic risk assessments.

(11) How does one obtain a HIPAA Security Kit?

The ADA HIPAA Security Kit is a useful tool designed to help dentists comply with the HIPAA security rule. If you are subject to HIPAA and have not yet implemented the security rule, call the ADA Catalog at 1-800-947-4746, or visit the ADA Catalog online at www.adacatalog.org to order your HIPAA Security Kit today. The cost is $99.95 for members.

Copyright 1995-2009 American Dental Association.
Reproduction or republication strictly prohibited without prior written permission.