HIPAA Update

HIPAA is the Health Insurance Portability and Accountability Act of 1996.  This group of Federal regulations, which has been modified numerous times since its inception, has rules that cover virtually every medical practitioner or office, including all dentists and dental offices that submit electronic transactions.  Also covered by HIPAA are insurance companies and health plans, hospitals, electronic claims clearinghouses, and other entities.  Presented below are summaries of some of the ways HIPAA affects your dental practice.

DISCLAIMER: The information presented here is not intended as official regulatory details, nor legal advice.  BRS provides this information in order to enhance the knowledge of clients and other interested parties.  To fully comply with HIPAA, covered entities must know and understand the complete regulations, and follow those regulations.

Electronic Health Transactions

HIPAA's rules on the transmission of electronic health data (the Transactions and Code Sets standards) went into effect on October 16, 2002.  If you send electronic claims, you are a covered entity for electronic transactions under HIPAA and are expected to conform to the requirements of the Act.  The basic requirement is that electronic insurance transactions, commonly sent via a clearinghouse to an insurance company, be formatted to the HIPAA specifications.  However, on September 23, 2003, the Centers for Medicare and Medicaid Services ("CMS"), which is responsible for enforcing these regulations, announced a contingency plan under which payers may continue to accept non-HIPAA-compliant transactions while they work toward compliance.  Most claims submitted through BRS and on to WebMD-emdeon Business Services are being sent to the insurers in HIPAA-compliant format.  CMS and payers urge providers to continue sending as many claims as possible electronically, even where a specific payer is not yet receiving claims in the HIPAA-compliant format.

Privacy and Confidentiality

HIPAA includes privacy rules that went into effect on April 14, 2003.  There was no provision for any extension to this deadline.  The privacy rules are the ones that will likely cause the most concern for dental offices.  Under HIPAA, there are Federal standards for Protected Health Information (PHI), although note that more restrictive state laws take precedence.  PHI is individually identifiable health information: any treatment, diagnosis or payment information that is linked to identifiers such as names, addresses, phone numbers, dates of birth or account numbers, whether it is held on paper, spoken, or stored and transmitted electronically.  The dental practice has to adopt specific administrative steps in order to safeguard PHI and meet the requirements of HIPAA.

The minimum administrative requirements include the appointment of a "Privacy Officer" (someone in the practice) to make in-office decisions about HIPAA and maintain records, and the development and posting of a Notice of Privacy Practices.  The dental office must obtain an Acknowledgement of Receipt from patients regarding the Notice of Privacy Practices.  In addition, the dental office must provide adequate training to employees regarding PHI and privacy.  The dental office must designate a Contact Person for patients who have a complaint or wish additional information (in a smaller office, the Privacy Officer and Contact Person may be the same individual, and may be the practice owner).  The deadline of April 14, 2003, also applied to training of existing staff.  In order to prove compliance with HIPAA, all records relating to compliance and training should be retained.  Before you start to modify existing documents, or develop your own, check regulatory sources for the required language, and check whether professional organizations offer sample documents.

Note that the basic Notice of Privacy Practices and Acknowledgement of Receipt cover only the provision of medical treatment, the use of information in obtaining payment (including consulting with insurers and health care plans), and the conduct of health care (business) operations.  They do NOT cover any use of PHI for marketing, which requires a separate, more specific Authorization from the patient.  Authorization is also generally needed for release of PHI to schools, employers, and other non-health entities.  Note that reminders for periodic or on-going care are generally not considered marketing.

Business Associates are entities that are not themselves directly subject to the HIPAA regulations but that perform work for the dental practice and, in the course of that work, may have access to or be given PHI.  The dental office must have a Business Associate Agreement in place by April 14, 2003 with any Business Associate that may have access to PHI, including computer system vendors and practice consultants.  Note that there may be a grace period for Business Associates that have an existing written contract initiated prior to April 14, 2003.  As an electronic claims clearinghouse, and therefore itself a covered HIPAA entity, BRS Systems LLC (BRS Computing) does not require a Business Associate Agreement for clients using the BRS DOM for Windows practice management software.

There have been a number of rumors involving the privacy law that have alarmed dental offices.  According to current information, announcing a patient's name when the provider is ready for them is not prohibited, nor are reminder postcards asking the patient to call the dental office.  Even sign-in sheets should be allowed, as long as no other personal or medical information is revealed.  However, leaving patient charts in publicly-accessible areas, or posting detailed schedules that include procedures or health warnings, may be violations.  Even the choice of practice management software may matter: opening a full schedule in the operatory, with other patients' information visible on the screen, may be a violation.

Make sure you know the complete Privacy and Confidentiality Rules, and implement them in your practice.

Unique Identifiers for Providers, Employers, Health Plans, and Patients

It is expected that eventually national identifiers will be established for all parties to health transactions.  This will avoid the need for the differing identifiers that currently exist when dealing with government, insurers, and employers.  One of the first to be introduced is the National Provider Identifier ("NPI"), a single standard ID for healthcare providers.  You may apply now for the NPI by going to https://nppes.cms.hhs.gov, or by calling 1-800-465-3203.  Note that NPIs are assigned both to individuals and to healthcare organizations.  BRS accommodated the NPI by adding fields in the provider record (DOM ver. 6.14 and higher).  The NPI will be mandated for most health plan transactions and electronic submission effective May 23, 2007.  Smaller health plans must adopt the NPI by May 23, 2008.  One potential complication is that some payers may require the NPI prior to the May 23, 2007 deadline.  BRS will assist clients in the management of this issue.  As always, the more claims that can be sent electronically, the better, as the routing and management of ID numbers is handled automatically.
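The NPI carries a built-in check digit: CMS computes the tenth digit with the Luhn formula over the first nine digits prefixed by the constant 80840, so a mistyped or transposed NPI can be rejected in the office before a claim is sent and bounced by the payer.  The function below is an added example for this page, not BRS or DOM for Windows code; the three sample values it is run against are constructed for illustration (the first is built to pass the check), and a passing check digit only means the number is well-formed, not that it has actually been assigned.

```powershell
# Added example (not part of DOM for Windows): validate an NPI's Luhn check digit.
# Per CMS, the check digit is computed over "80840" + the first nine digits;
# the fixed prefix contributes a constant 24 to the Luhn sum, so only the
# nine payload digits need to be processed here.
function Test-Npi {
    param([Parameter(Mandatory)][string]$Npi)

    # An NPI is exactly ten digits; anything else is rejected before any arithmetic.
    if ($Npi -notmatch '^\d{10}$') { return $false }

    $sum = 24
    for ($i = 0; $i -lt 9; $i++) {
        $d = [int]$Npi.Substring($i, 1)
        # Counting from the check digit, every second digit is doubled;
        # with nine payload digits those are the even indexes 0, 2, 4, 6, 8.
        if ($i % 2 -eq 0) {
            $d *= 2
            if ($d -gt 9) { $d -= 9 }
        }
        $sum += $d
    }
    $expected = (10 - ($sum % 10)) % 10
    return ([int]$Npi.Substring(9, 1) -eq $expected)
}

# Constructed sample values: the first passes, the other two are rejected
# (wrong check digit, then wrong length).
'1234567893', '1234567890', '12345678' | ForEach-Object {
    $verdict = if (Test-Npi $_) { 'valid check digit' } else { 'REJECT' }
    '{0,-12} {1}' -f $_, $verdict
}
```

A check like this belongs at data entry, where the provider record is edited, so that a bad NPI is caught once rather than on every claim that references it.  Confirming that a well-formed NPI actually belongs to the provider still requires a lookup in NPPES.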

Security of Health Information & Electronic Signature Standards

All electronic storage of health information must be protected.  The effective date for Security Rule compliance was April 20, 2005.  The Security Rule does not mandate particular products or technologies, but, unlike the impression sometimes given, it is not limited to appointing a Security Officer and keeping records.  It lists administrative, physical and technical safeguards that every covered entity must address, starting with a documented risk analysis of where electronic PHI is stored and how it could be exposed, the appointment of a Security Officer (again, this could be the same person as the Privacy Officer and Contact Person, and may be the dentist), and written records showing how each safeguard was addressed.  The scale of the effort will be related to the size of the practice and the nature of the PMS and other technology.  Smaller offices will want to make sure that unauthorized personnel and patients do not have access to the computer systems.  Special care must be taken to prevent theft of, or access to, electronic copies of patient information or images on removable media such as USB flash drives, CD-ROMs, or DVDs.  Backup media should be kept in a secure place, and ideally encrypted, since a lost backup is a lost copy of every patient record.  BRS does not recommend the use of wireless networks in a dental practice, due to the inherent difficulty of securing such a network; if a wireless segment cannot be avoided, it should use WPA2 with a long passphrase (WEP is easily broken and offers no real protection) and should be kept separate from the network that carries patient data.  All computers should require a password to log on, each user should have his or her own account rather than a shared one, and a password-protected screen saver should start automatically after a short interval.  Many of these efforts will also help with meeting privacy requirements.  Larger offices have to look at network design and access, and consider using devices that provide limited access to data, such as thin-client terminals.  For emails containing patient information or images, the attachments should be encrypted; note that a simple "password" on a document or archive is not always real encryption, and the password must be conveyed to the recipient by some other channel than the email itself.  Keep in mind that the information contained here is only summary in nature, and the full scope of HIPAA and the Security Rule should be studied and understood in the context of your dental practice.
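For the password-protected logon and automatic lock described above, the per-user screen saver settings that Windows keeps under HKCU:\Control Panel\Desktop can be audited, and if necessary set, from PowerShell on each workstation.  The script below is an added example for this page and is not part of DOM for Windows or any BRS tool; the 600-second (10-minute) idle limit and the function names are assumptions chosen for illustration.

```powershell
# Added example (not BRS or DOM code): audit, and if needed enforce, the
# automatic password-protected screen saver for the logged-on user.
# Windows stores these per-user settings as string values under this key.
$DesktopKey = 'HKCU:\Control Panel\Desktop'

function Get-WorkstationLockStatus {
    param([int]$MaxIdleSeconds = 600)   # assumed office policy: lock within 10 minutes

    $p = Get-ItemProperty -Path $DesktopKey
    $active  = ($p.ScreenSaveActive -eq '1')
    $secure  = ($p.ScreenSaverIsSecure -eq '1')   # "On resume, display logon screen"
    $timeout = [int]$p.ScreenSaveTimeOut           # seconds; a missing value reads as 0

    [pscustomobject]@{
        ScreenSaverEnabled = $active
        RequiresPassword   = $secure
        IdleSeconds        = $timeout
        ScreenSaver        = $p.'SCRNSAVE.EXE'
        Compliant          = ($active -and $secure -and $timeout -gt 0 -and $timeout -le $MaxIdleSeconds)
    }
}

function Set-WorkstationLock {
    param([int]$IdleSeconds = 600)

    # The blank screen saver shipped with Windows.  Any .scr will do, but one
    # must be named or ScreenSaveActive has nothing to start.
    $saver = Join-Path $env:SystemRoot 'System32\scrnsave.scr'

    Set-ItemProperty -Path $DesktopKey -Name 'SCRNSAVE.EXE'        -Value $saver
    Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaveActive'    -Value '1'
    Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaverIsSecure' -Value '1'
    Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaveTimeOut'   -Value "$IdleSeconds"
}

# Audit first; only write settings when the workstation is out of policy.
$before = Get-WorkstationLockStatus
if (-not $before.Compliant) {
    Set-WorkstationLock -IdleSeconds 600
}
Get-WorkstationLockStatus | Format-List
```

Values written this way take effect when the user next logs on, and because they live in the user's own registry hive the user can change them back.  For anything beyond a one- or two-computer office, the same three settings should instead be applied through Group Policy (User Configuration, Administrative Templates, Control Panel, Personalization), which the user cannot override; the audit function above still serves to confirm that the policy has actually reached each workstation.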

How BRS Fits in the Picture

BRS Computing has been taking the steps necessary to be HIPAA-compliant as a covered entity.  If you are a current BRS practice management system client, enrolling in or continuing your DOM for Windows Software Subscription Service ("SSS") assures you of obtaining DOM updates that will help your practice meet the future requirements of HIPAA.  As with most covered entities, including national claims clearinghouses and insurance companies, BRS filed a compliance plan and obtained an extension for Electronic Health Care Transaction and Code Sets compliance until October 16, 2003.  BRS is currently submitting HIPAA-compliant insurance transactions to United Concordia Companies (UCCI) and its various lines of business, such as Dental Plus and PA BC/BS.  Since most other electronic claims go through WebMD Transaction Services, the current HIPAA status of those claims depends upon the preparations made by the various payers to accept the HIPAA-compliant transactions.  Under the contingency plan that CMS announced on September 23, 2003, insurers may continue to accept non-HIPAA-compliant transactions, as long as the payer has a plan to work toward HIPAA compliance.

Practice management systems, such as DOM for Windows, cannot by themselves be HIPAA-compliant.  Covered entities, such as most dental practices, must follow all the necessary steps to assure HIPAA compliance.  As noted in the sections above, a variety of areas should be reviewed in order to meet the Privacy and Security Rules.  As BRS and the claims industry complete changes for HIPAA compliance, DOM updates incorporating these changes will be available as part of our customer support plans (Software Subscription Service, or "SSS").

As a covered entity, BRS Computing does not believe that a Business Associate agreement is needed between BRS and any dental practice submitting electronic claims.  If you do not currently send electronic claims to BRS, or if for any reason you feel that a Business Associate agreement is appropriate for your relationship with BRS Computing, please send such agreement in writing to:  HIPAA Compliance Officer, BRS Systems LLC, 420 Columbus Avenue, Valhalla, NY  10595, and it will be reviewed and considered. 

BRS is a covered entity and meets the requirements of the HIPAA Privacy Rules, specifically the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations at 45 CFR Parts 160 and 164 (65 Fed. Reg. 82462 [Dec. 28, 2000]) ("Privacy Rules"), as amended (67 Fed. Reg. 53182 [Aug. 14, 2002]).  All BRS staff members have completed HIPAA Privacy Training, and BRS maintains a written privacy policy for protected personal and health information.  When assisting clients, BRS strives to use the minimum necessary patient data, and does not make copies of data except as needed for business operation support.  For clients with in-office systems and servers, BRS does not regularly copy any data from client systems, except as agreed upon in writing for protected backup services, and during the course of business for electronic claims clearinghouse operations.

Commentary

Achieving good HIPAA compliance may also make good business sense.  As patients encounter other health professionals and organizations, they will become accustomed to reviewing privacy policies, and may expect similar policies to be in place at all medical and dental facilities.  If your office is not in compliance, you may be at a competitive disadvantage compared to other dental professionals.  The same applies to referrals, incoming or outgoing: a dental professional who has done the work of complying may expect every practice he or she exchanges patients with to be at the same level, so meeting the HIPAA regulations can maintain and enhance your practice's standing with other dental professionals.

More Information

If you have further questions as to how HIPAA will affect your dental practice, professional organizations such as the ADA may be a good source of information and publish HIPAA guidance for dentists.  For the actual text of the Federal HIPAA regulations, consult the U.S. Department of Health and Human Services.  This document will be updated on a periodic basis, so be sure to visit this page in the future.


Copyright © 2002-2008 BRS Systems LLC - All Rights Reserved
Last modified:  June 23, 2008