HIPAA 20 Questions

Dentists often ask the ADA questions about HIPAA compliance. Here are 20 common questions that raise a variety of HIPAA issues. The topics range from determining who must comply with HIPAA to understanding certain HIPAA compliance requirements, such as distributing the Notice of Privacy Practices, dealing with Business Associates, and communicating with patients, their family members and others.

The ADA Practical Guide to HIPAA Compliance: Privacy and Security Manual, available from the ADA Store or by calling 866.475.8366, provides information and sample forms and documentation to help dental practices comply with HIPAA.

1. Do I have to comply with HIPAA?

HIPAA directly applies only to “covered entities” and “business associates.” A dental practice becomes a covered entity by conducting a HIPAA standard transaction electronically or by having someone do so on the provider’s behalf. (See the next question for more information about HIPAA standard transactions.)

An example of a HIPAA standard transaction is the submission of an electronic claim. A dental practice becomes a HIPAA covered entity when it submits a claim electronically, or when it conducts another HIPAA-regulated electronic transaction, such as an eligibility inquiry or a claim status inquiry. HIPAA also reaches entirely paper dental offices that submit paper claims to a billing service that converts the paper into electronic format and submits the claims electronically for the dental practice.

The use of a paper-to-paper (non-digital) fax machine to submit claims does not, by itself, make a dental practice a HIPAA covered entity. However, if a dental practice is otherwise covered by HIPAA, the HIPAA Privacy Rule requires the dental practice to have in place reasonable and appropriate safeguards to protect the privacy of patient information in any format (for example, paper or other hard copy documents, photos, radiographs, oral and electronic information), which may include faxed data if the dental practice uses a fax machine to send or receive patient information.

Even if a dental practice does not meet the definition of a HIPAA covered entity, the dental practice may bind itself contractually to abide by HIPAA – for example, by signing a participating provider agreement that requires HIPAA compliance.

HIPAA empowers the government to impose substantial penalties against covered entities that violate HIPAA. HIPAA “business associates” must also comply with HIPAA and are subject to penalties for HIPAA violations (a business associate is generally defined as an outside person or entity that has access to patient information because it is performing a service on behalf of a covered entity). In addition, certain HIPAA violations are crimes and can subject individuals and entities to fines and imprisonment.

2. What are the standard transactions?

The U.S. Department of Health and Human Services (HHS) has adopted HIPAA standards for several electronic transactions. These electronic transactions are used to exchange information about health care benefits and services among health care providers, health plans, clearinghouses, and, in limited circumstances, employers.

Use of any HIPAA standard transaction makes a dental practice a “covered health care provider” that must comply with all HIPAA rules, including those for Privacy, Security, and Breach Notification.

The HIPAA standard transaction that is most likely to make a dentist a HIPAA covered health care provider is the submission of an electronic claim or equivalent encounter information. Also included in the definition of this transaction is the electronic submission of “encounter information,” if the doctor’s reimbursement from a health plan is not based on claims for specific services. The transaction must be transmitted in electronic form; voice communications by telephone, or paper communications by non-digital fax typically do not count as “electronic,” although there may be some limited exceptions.

There are also separate standards for electronic inquiries about the status of a claim.

Another common electronic transaction for which HHS has adopted a standard is an inquiry from a health care provider to a health plan about a patient’s eligibility to receive health care under the plan, a patient’s coverage under the plan, or benefits associated with the plan. Similarly, HHS has adopted standards for the electronic transmission of claims or payment information from any entity to a health plan for purposes of determining coordination of benefits.

Other relevant electronic transactions for which HHS has adopted a standard include electronically transmitted requests for authorizations for health care or for authorization to refer a patient to another provider. These transactions generally will be used by doctors who are under contract with an insurance company or health plan which requires them to obtain pre-authorizations for certain procedures, or authorizations to refer a patient to a specialist.

Finally, HHS has developed standards for the electronic transmission of payment information about the transfer of funds or payment processing information from a health plan to a health care provider’s financial institution. HHS also has developed standards for the electronic transmission of an explanation of benefits form or a remittance advice from a health plan to a health care provider.

For more information about the HIPAA standard transactions, see CMS, Are You a Covered Entity?

The standards are at 45 C.F.R. Part 162.

3. What do I have to do in order to comply with HIPAA?

The HIPAA Privacy, Security and Breach Notification Rules impose a variety of requirements on covered entities and their business associates. Examples of key steps for covered dental practices include:

  • Designate a privacy official and a security official
  • Conduct a risk assessment of electronic patient information in your dental practice
  • Develop and implement appropriate written privacy and security policies and procedures
  • Develop the forms needed to implement your policies and procedures
  • Prepare and prominently display a HIPAA-compliant Notice of Privacy Practices (NPP)
  • Make copies of your NPP available to patients
  • Protect patient privacy by taking appropriate precautions to prevent against inappropriate disclosure of patient information
  • Adhere to HIPAA’s “minimum necessary” rule: when you use, disclose, or request patient information, limit your use, disclosure or request to the minimum amount of information necessary for the purpose (there are exceptions, such as disclosures for treatment purposes and disclosures to patients of their own information)
  • Train your staff about your office’s privacy policy and practices. Impose sanctions for violations. Document training and the imposition of any sanctions.
  • Enter into a compliant business associate agreement with each business associate
  • Develop and implement a Breach Notification policy, train staff to comply, and provide any required notifications
  • Maintain each of your HIPAA compliance documents for at least six years from the date it was created, or at least six years from the date when it last was in effect, whichever is later. Examples of HIPAA compliance documents include your NPP, written risk assessments, policies and procedures, designation of your privacy official and security official, training documentation (e.g., sign-in sheets), documentation of any sanctions for failure to comply, copies of any breach notification letters, records of complaints and their disposition, if any, and signed business associate agreements.

If your dental practice is ever investigated or audited by the HHS Office for Civil Rights (OCR), the federal agency that enforces HIPAA, you will be asked to provide documents such as these to demonstrate compliance.

OCR has information about HIPAA compliance on its website.

4. What forms must I give to patients or have them sign?

Here are some examples of forms you may need to provide to patients or ask them to sign. The ADA Practical Guide to HIPAA Compliance Privacy and Security Kit has sample forms for dental practices to use as tools in developing their own HIPAA compliance programs.

Every patient must receive your NPP at his or her first appointment. In an emergency, provide the NPP as soon as reasonably practicable after the emergency treatment situation.

You must ask a patient to sign a valid authorization form before you may use or disclose his or her patient information for a purpose that is not permitted by HIPAA. For example, with certain exceptions, a patient must sign a valid authorization before your dental practice may make specific kinds of marketing communications or exchange patient information for remuneration.

If you discover a breach of unsecured patient information, you must send affected patients a letter containing specific information about the breach.

5. Does My HIPAA Notice have to be so long? And what about state law?

The NPP must contain certain specified regulatory language, and additional information in unspecified format about a variety of issues such as patient rights under HIPAA. The ADA sample NPP form (available in English and Spanish) includes examples of certain basic provisions required by HIPAA, and can be amended to take into account more stringent state privacy law.

OCR provides model NPPs.

6. Must I give copies of My HIPAA Notice to all patients to take home?

HIPAA requires you to give each new patient a copy of the NPP (see Question 4, “What forms must I give to patients or have them sign?”).

You must also have copies of the NPP available for individuals to request to take with them, and post the notice in a clear and prominent location. If you maintain a website that provides information about your services, you must also prominently post your NPP on the website and must make the NPP available electronically through the website. You may provide the NPP to an individual by email if he or she has agreed to electronic notice and has not withdrawn that agreement. If you know that the email transmission has failed, you must provide a paper copy of the NPP to the individual.

When you change or revise your NPP, you do not need to provide copies to each existing patient (although you should give the revised NPP to new patients). You are only required to make the NPP available upon request on or after the effective date of the revision. Remember to replace the NPP that you have prominently placed in your dental office with the revised NPP, and to change the NPP on your website, if applicable.

7. If a patient won’t sign an acknowledgment of receipt of our Notice of Privacy Practices, can I refuse treatment?

You cannot refuse treatment solely because a patient refuses to sign an acknowledgment of receipt of your NPP. You are only required to make a good faith effort to obtain the patient’s acknowledgment. If the acknowledgment is not obtained, you should document your good faith efforts to obtain the acknowledgment and the reasons why the acknowledgment was not obtained.

8. Do I need to have patients sign a consent form that says they agree to the policies in our Notice?

HIPAA does not require patients to sign a form that says they agree to the policies in the NPP. HIPAA only requires covered dental practices to make a good faith effort to secure a patient’s acknowledgment that he or she has received your NPP (see Question 4 of this appendix, “What forms must I give to patients or have them sign?”). HIPAA does not require covered entities to obtain patient consent to the NPP.

If an applicable state law requires patients to sign a consent form, then you may be required to ask patients to sign the consent form. HIPAA does not preempt state law that is either not contrary to HIPAA, or that is contrary to HIPAA but is more stringent than HIPAA. A qualified attorney can provide information about what may be required in your state and how to develop a form that complies with all applicable requirements. Your state dental association may also have information about state laws that pertain to patient information.

9. Who are My Business Associates?

Under HIPAA, dentists must have a compliant written business associate agreement in place with each of their HIPAA business associates (BA). HIPAA generally defines a BA as an outside person or entity that does something for or on behalf of a covered entity that requires the BA to access patient information.

Examples of BAs include attorneys, accountants, collection agencies, practice management consultants, computer software vendors, document storage firms, document destruction firms, and others who create, receive, maintain, or transmit patient information in connection with a function or service performed for or on behalf of a covered entity. A data transmission vendor may also meet the HIPAA definition of a BA. Health Information Exchanges (HIEs) and e-prescribing gateways are also BAs.

The following are generally not BAs, so a business associate agreement would not generally be required:

  • Members of the dental practice’s staff, such as associates, dental hygienists, and dental assistants under the dentist’s supervision and control (including temps and interns)
  • Other health care providers to the extent that they are providing health care to a patient of the dental practice, such as specialists, physicians, pharmacies, dental labs, etc.
  • Certain other covered entities such as insurance plans
  • Banks, credit card companies and other institutions processing payment for patients
  • The U.S. Postal Service and certain private couriers
  • Plumbers, electricians, photocopy repair technicians, and janitorial services that clean the offices or facilities of a covered entity (in general)

A covered entity may be a business associate of another covered entity.

The list of BAs will vary from practice to practice. When assessing which individuals and entities are your BAs, come back to the question of whether you are giving that person or entity access to PHI.

The HIPAA definition of “business associate” is available in the HIPAA regulations at 45 CFR §160.103, available from the U.S. Government Publishing Office.

10. Do I need a Business Associate Agreement with My dental lab?

Under most circumstances, no. The HIPAA definition of “business associate” states:

Business associate does not include: (i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.

Dental laboratories generally appear to fall under the HIPAA definition of “health care provider.” HIPAA defines “health care provider” to include, among other things, any person or organization who furnishes, bills, or is paid for “health care” in the normal course of business. “Health care” is defined by HIPAA to include, among other things, the sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription. Therefore, a covered dental practice is not required to enter into a business associate agreement with a lab, as long as the dental practice is disclosing patient information to the lab solely for purposes of the patient’s treatment.

The HIPAA definitions of “business associate,” “health care provider,” and “health care” are all in 45 CFR §160.103, available from the U.S. Government Publishing Office.

11. Do I need a Business Associate Agreement with a company providing financing to patients?

It depends. Recall that a HIPAA business associate is generally defined as a person or entity who performs a service for or on behalf of your office, and who creates, receives, maintains, or transmits patient information in the course of providing that service.

OCR includes the following in a list of situations in which a business associate agreement is not required:

When a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.

See OCR, Business Associates.

So, the answer to this question will depend on the particular circumstances. If the financing company is providing services to the patient, then you likely will not need a business associate agreement with that company. If, however, the financing company is providing services to your office, and creates, receives, maintains, or transmits patient information in the course of providing those services, then you may need a business associate agreement with the company.

12. How do I use the ADA Sample Business Associate Agreement?

The ADA “Sample Business Associate Agreement” in the ADA Practical Guide to HIPAA Compliance Privacy and Security Manual illustrates how a dental practice might enter into a business associate agreement with a business associate. The ADA Sample Business Associate Agreement is designed to be used as a tool for covered dental practices and their attorneys to use to develop a compliant business associate agreement between a dental practice and its business associate. Use of the ADA Sample Business Associate Agreement does not replace consultation with a lawyer or negotiations between the dental practice and business associate.

The HIPAA Privacy and Security Rules require that certain provisions be included in a compliant business associate agreement. Such provisions are included in the ADA Sample Business Associate Agreement. However, the parties to the agreement may also wish to include other provisions, such as provisions that relate to limitation of liability, indemnification, and insurance. Examples of certain optional provisions are included in brackets (“[ ]”) in the ADA Sample Business Associate Agreement.

In addition, certain other provisions may be included in a business associate agreement in compliance with applicable state law. For example, additional provisions may be necessary to create a binding contract under state law. Also, state law that is more stringent than HIPAA may require changes to the business associate agreement. A qualified attorney can help a covered dental practice develop a business associate agreement that complies with applicable federal and state law for use in a specific contractual relationship.

Some business associate agreements are styled as attachments or amendments to an underlying contract between the dental practice and the business associates, and others are stand-alone documents that may refer to an underlying agreement. The ADA Sample Business Associate Agreement is styled as a stand-alone document with a space for inserting a reference to the underlying agreement.

The business portions of the underlying contracts between covered entities and their business associates vary greatly – who does what, for whom, when, for what payment, on what terms and conditions, for how long, etc. Some contracts may be simple, others more complex. Some may be susceptible to significant negotiation, others perhaps not. Some may trigger other federal, state or local law and regulation; others may be free of such concerns.

Because the business aspects of each contract will vary, a business associate agreement is frequently drafted as an addendum to the underlying contract, or as a stand-alone agreement that refers to the underlying contract. Once the parties negotiate the business components of the contract, the addendum can be used to cover provisions required by the HIPAA Privacy and Security Rules by either incorporating the addendum directly into the contract or by reference to the addendum as an attachment to the contract. However, business associate terms may be incorporated into the underlying agreement instead.

The terms of each business associate agreement may vary depending on the nature of the contract involved, the relative bargaining positions of the parties, and so forth.

13. One of my business associates uses subcontractors. Do I need to sign a business associate agreement with the subcontractors?

No. A covered dental practice is not required to sign a business associate agreement with the subcontractors of a business associate. That is the responsibility of the business associate.

A business associate must enter into a written agreement with subcontractors that will create, receive, maintain or transmit patient information. The agreement must contain certain required provisions and must require the subcontractor to appropriately safeguard the patient information. Like business associates, subcontractors must comply with many parts of HIPAA, including most of the Security Rule, and the government can directly impose penalties on business associates and subcontractors, as well as on covered entities.

14. What should I do if my HIPAA business associate won’t sign my business associate agreement form or negotiate with me?

Not surprisingly, some HIPAA business associates have their own business associate agreement forms and refuse to sign the business associate agreement proposed by the covered entity. Some business associates say that they will not negotiate any of the provisions of their business associate agreement form. If a business associate insists on using its own form, a covered dental practice will want, at the very least, to be sure that the business associate’s form satisfies the requirements set forth in HIPAA and any applicable state law.

We are also hearing that some business associates are refusing to sign any business associate agreements. HIPAA requires a covered dental practice to obtain a compliant business associate agreement prior to permitting the business associate to create, receive, maintain or transmit patient information. Refusing to sign a business associate agreement does not change a business associate’s HIPAA obligations or protect the business associate from government penalties for noncompliance.

In such cases, the dentist should find a more HIPAA-friendly vendor or service to provide the BA services in question.

15. How specific can I be when sending reminder cards or leaving messages on answering machines?

You can remind patients of appointments, but you should restrict the information that others may be able to access (for example, on a postcard or in an email, text or voice message), and you should accommodate any reasonable requests by patients to receive communications by alternative means or at alternative locations.

Keep in mind that under HIPAA, you must protect patient privacy by taking reasonable precautions to prevent incidental disclosure of protected health information and by adhering to HIPAA’s “minimum necessary” rule regarding the use and disclosure of such information. The safest course is thus to be discreet in reminders.

Using a patient’s name and the date and time of appointment to provide a reminder at the telephone number or address that the patient provided is generally fine. On the other hand, disclosing specific information about treatment, health conditions, pre-medication, and so forth can cause problems. Someone other than the patient may see the recall card or listen to the answering machine message. Emails and text messages may be accessible to third parties (for example, while they are in transit).

If there is a need to reveal information other than name and the date and time of the appointment, consider putting the message in an envelope or asking the patient to call the office. Another approach is to have the patient sign a HIPAA authorization in advance, giving you permission to leave specific messages about appointments, even if they may be seen or overheard by others.

HIPAA requires covered dental practices to permit patients to request to receive communications by alternative means or at alternative locations. Covered dental practices must accommodate such requests if they are reasonable. A dental practice may require such requests to be in writing, may require information as to how payment, if any, will be handled, and may require the patient to specify an alternative address or other method of contact. A dental practice may not require an explanation from the patient as to the basis for the request.

16. How does HIPAA affect my dealings with patient surrogates or representatives, such as non-custodial parents?

First, if you are dealing with minor children, the HIPAA Privacy Rule generally defers to state law to determine who can be a patient’s “personal representative,” with authorization to access and make decisions about the patient’s information.

Resolving this question can be tricky when the child’s parents are not married and only one parent has custody. Generally, HIPAA permits a child’s parent or legal guardian to access the child’s patient information. However, if a person other than a parent or guardian brings the child in for an appointment, it is sometimes less clear whether the child’s patient information may be discussed with that person. Generally, it would be best to obtain permission from a parent or guardian before talking to a third party, such as another relative or a nanny, about that child’s health care.

Generally, if your state’s law would allow a parent or other person to make decisions about the child’s health care, then that parent or other person may also have access to and make decisions about the use of the child’s PHI. When in doubt about questions of state law, consult your state dental association or your personal attorney.

State law will also affect your dealings with adult patients. Typically, unless the patient has a court-appointed guardian or has legally designated another person to make health care decisions, that patient has the right to make decisions about his or her health care information, regardless of any disabilities or communication difficulties. Of course, if you feel that it would be helpful to involve a family member or friend in discussions of the patient’s health information, ask the patient if this would be acceptable and proceed if this is OK with the patient. However, never assume without asking that, merely because a patient is older or is facing some challenges, it is permissible to disclose that patient’s protected health information to a relative, friend or caregiver.

More information is available in the following OCR resources:

Communicating with a Patient’s Family, Friends, or Others Involved in the Patient’s Care

Personal Representatives

17. What if the patient’s spouse, or an adult patient’s parent, is responsible for paying the patient’s bill? What information can I disclose to the person responsible for payment?

HHS has indicated in guidance that covered entities and their business associates may disclose patient information for payment purposes to persons other than the patient who are responsible for payment, as long as the disclosures are limited to the minimum amount of information necessary to obtain payment. In making such disclosures, dental practices must honor any restriction on the use or disclosure of the patient’s protected health information to which the covered entity has agreed.

Keep in mind that, with limited exceptions, HIPAA requires a covered dental practice to permit a patient to request the dental practice to restrict uses or disclosures of the patient’s information to carry out treatment, payment or health care operations. With one important exception involving disclosures to health plans (which we will discuss below), the dental practice is not required to agree to a requested restriction. However, if the dental practice agrees, the dental practice must honor the restriction except in certain emergency circumstances. A dental practice must document any agreed-upon restrictions. Except for restricted disclosures to health plans discussed below, a dental practice may unilaterally terminate a restriction by informing the patient; however, a unilateral termination is not effective for patient information created or received after the termination. A dental practice that uses or discloses patient information in violation of an agreed-upon restriction may be in violation of HIPAA.

If the patient objects to such a disclosure, you may wish to inform the patient that he or she will have to choose between allowing you to disclose information in order to obtain payment, or paying for the services himself or herself.

Restricted disclosures to health plans. HIPAA requires a covered dental practice to agree if a patient asks the dental practice not to give the patient’s information to the patient’s health plan, as long as the information:

  • Is for the purpose of carrying out payment or health care operations and is not otherwise required by law, and
  • Pertains to a health care item or service for which the patient or someone else (including a different plan) has paid the dental practice in full.

The dental practice cannot terminate this kind of restriction unless the patient agrees.

18. Do I have to give a patient a copy of his or her records if the patient hasn’t paid the bill?

Yes, under the HIPAA privacy regulations and quite possibly under your state law as well. The HIPAA Privacy Rule provides that patients have certain rights to see and get copies of their records. There are limited exceptions, including, for example, information compiled in reasonable anticipation of, or for use in, legal proceedings. A healthcare provider also may deny a patient’s request for access to his or her records in certain circumstances, such as if the records requested were obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.

If none of HIPAA’s grounds for denying access applies, the Privacy Rule sets forth how a dental practice must respond if a patient asks to see or get copies of his or her patient information. For example, the dental practice may impose a “reasonable, cost-based fee.” This fee must be limited to the costs of supplies for and labor of copying, postage (if the patient requested the copies to be mailed), and preparing an explanation or summary of the records, if the patient agreed in advance to receive a summary or explanation and agreed in advance to the fee for its preparation. Dentists may not charge for time spent locating, searching or retrieving records. This HIPAA fee limitation only applies when patients ask for copies for themselves. The fee limitation does not apply when a patient asks for a copy to be sent to a third party, or when a third party with the patient’s authorization asks for a copy of patient records. Covered dental practices must comply with applicable state law that is more stringent than HIPAA. For example, if state law requires dentists to provide copies at a lower cost or no cost, dentists must follow state law.

19. What if I think the patient is going to sue me? Do I still have to give him or her copies of the records?

Yes. You may have noticed that the answer to Question 18 of this appendix mentions an exception for information compiled in reasonable anticipation of, or for use in, legal proceedings. However, this exception refers to information or documentation compiled in addition to a patient’s dental record, in anticipation of or for use in legal proceedings.

20. I have a patient who is moving out of town and has asked me to send her records to a dentist in the other town. I’m happy to do so, but do I need to get some sort of HIPAA authorization before I can do this?

If a patient asks the dental practice to send his or her records to someone else, the request must be in writing signed by the patient, and clearly identify the designated person and where to send the copy. Generally, the HIPAA privacy regulations would not require you to obtain a written “valid authorization” from a patient in order to transfer his or her records to another health care provider for purposes of treatment. However, applicable state law may require you to obtain a consent or authorization under these circumstances. Check with your attorney or your state dental association.