Emmott on Technology: Untangling the Latest HIPAA Requirements – Part I

Thursday, November 21, 2013


I have never met a dentist who did not believe that he or she had a professional obligation to keep patient information confidential. Dentists want to “do the right thing” and abide by privacy rules. The new HIPAA omnibus rules that went into effect September 23 are supposed to protect patients, but actual compliance has more to do with process than outcomes.

If your privacy practices are challenged, you will be investigated by the Office for Civil Rights (OCR). Here are two sample questions, out of a total of eleven, from an OCR letter sent to a CE under investigation. (CE stands for Covered Entity, which is bureaucratese for a doctor's or dental office.) The CE was required to produce the following within twenty days:

A copy of your HIPAA policies and procedures related to the disclosure of and safeguarding of PHI and specifically EPHI.

A copy of the policies and procedures implemented to safeguard the CE’s facility and equipment.

Needless to say, if you did not have these documents in place before the investigation, you could not readily defend yourself. It is not enough to do the right thing; you need to document it as well. (Here is a good place for the usual disclaimer: I am not a lawyer and you would be a fool to take my advice as legal counsel.)

In general there are five bits of paperwork you should have, two of which might actually protect patients and three of which protect you from investigators. We will designate them as PMP (Protect My Patients) and CYA (Comply Yet Again). The feds aren't the only ones who can come up with catchy acronyms.

CYA

  • Notice of Privacy Practices (NPP)
  • Business Associate Agreement (BAA)
  • Policy and Procedures Manual

The NPP is the HIPAA form you have been having patients sign for years. The new rules have just added five items that weren't there before. A CE cannot use patient information for marketing without the patient's written authorization, and must give patients a way to opt out of fundraising communications. A patient can refuse to have records disclosed to a health plan when the patient pays in full out of pocket. Patients have a right to an electronic copy of their records and to be notified if there is a data breach.

To comply you need to rewrite the NPP, have patients acknowledge receipt of the revised notice, post it in the office, and publish it on your website.

A BA (Business Associate) is any outside person or company that handles your patient data on your behalf but is not part of your own workforce: your IT provider, a billing service, a cloud backup vendor, your CPA. The big change with the new rules is that BAs are now directly liable under HIPAA for a data breach. In the past, if your IT provider lost a backup disk, you had to pay the consequences. With the new rules the BA has to pay. That is a good thing. The catch is that you must have a signed agreement with each BA; without one you are in violation yourself, and you have no contract to hold the BA to. Major companies such as Dentrix have BAAs in place. You just need to be sure to request a signed copy. For smaller local business associates such as your CPA, you will need to provide a BAA and get it signed.

The Policy and Procedures Manual is the most important document for defending yourself, and of course it is the most tedious to create. A policy is a short statement of intent; a procedure is a detailed plan to implement the policy. The following example is from the ADA Guide to HIPAA Compliance.

Sample Policy

Our practice will provide a notice of our privacy practices to our patients, and to anyone else who requests a copy. Our Notice and the way we provide it will comply with HIPAA and applicable state law. Our practice will revise the Notice as appropriate, and will provide the revised Notice as required by HIPAA. Our practice will not use or disclose patient information in a manner that is inconsistent with our Notice, HIPAA, or state law. 

Sample Procedures

Staff: Our Notice of Privacy Practices describes how our dental practice may use and disclose patient information. Ask the Privacy Official if you have any questions about the Notice. Do not use or disclose patient information in violation of our Notice.

Provide our Notice to each new patient at his or her first appointment, and ask the patient to sign the Acknowledgement of Receipt form (see Sample Acknowledgement of Receipt of Notice of Privacy Practices, Appendix 2.2). If a patient refuses to sign the acknowledgment of receipt, note on the form that you tried to get the acknowledgement, and the reason that you could not do so. If the patient has a personal representative, such as the parent or guardian of a minor, provide the Notice to the personal representative and ask the personal representative to sign the acknowledgement form.

Retain each completed acknowledgement form for six years from the date it was created or the date that it was last in effect, whichever is later. If we don’t have an acknowledgment form for a patient (either signed by the patient or completed by staff), then at that patient’s next appointment give the patient a copy of the Notice and ask the patient to sign the acknowledgement form.

We have a supply of Notices at the reception desk for people who ask for a copy to take with them. Give a copy to anyone who asks for one.

However, inmates do not have a right to a notice of privacy practices. An inmate is defined as a person who is incarcerated in or otherwise confined to a correctional institution.

Privacy Official: You are responsible for developing our Notice of Privacy Practices and for revising our Notice when appropriate – for example, if our privacy practices change, if the HIPAA rules change, or if there is a change in state law.

Needless to say, working through each and every HIPAA rule or potential privacy issue and then writing both a policy and a procedure is a daunting task. I admit that actually doing it would be likely to improve awareness of privacy issues and even improve privacy practices. It is just that doing so requires far more time, energy, and, most importantly, knowledge than most dental offices possess.

The alternative is to purchase a pre-written boilerplate manual such as the ADA sample and just customize it with your practice's information. This approach does not do much for actual privacy, but you will Comply Yet Again if challenged.

The two PMP processes, and the resulting documents, that might actually improve privacy are the risk assessment and team training. We will continue with this next week. The future is coming and it will be amazing!
