The HIPAA privacy deadline was April 14, 2003, but many dental practitioners remain confused about what is, or is not, allowed under the Privacy Rule. This confusion has led many offices to eliminate the use of patient sign-in sheets, cease leaving phone messages for patients and abandon their postcard reminder system. If you are among the many who have been confused by contradictory information or paralyzed with fear of violating HIPAA rules, perhaps the answers to the following frequently asked questions will provide some assistance.
Is HIPAA state or federally regulated? Don’t some state laws prohibit the use of recall postcards?
In general, state laws do not specify permission to use or not use postcards, but may confirm that a “Covered Entity” may disclose Patient Health Information only in a manner consistent with its Notice of Privacy Practices. If you have described the ways your office will use PHI and made a “Good Faith Effort” to obtain “Acknowledgement” from your patient (and the patient has not requested another mode of communication), you may proceed. Some state laws may be “more stringent” than the HIPAA Privacy Rule as it relates to PHI, or to an individual’s rights with respect to that information. For example, some state laws may provide individuals with a right to inspect and copy their medical records in a timelier manner or specify different regulations based on specific health conditions. Where a more stringent provision of state law is contrary to a provision of the Privacy Rule, the Privacy Rule provides an exception to preemption for the more stringent provision of state law, and the state law prevails. Where the more stringent state law and the Privacy Rule are not contrary, covered entities must comply with both laws. With regard to specific situations such as the use of recall postcards, it is advisable that you review your state laws and contact your state dental association for specifics. There are many consultants and marketers providing information and misinformation regarding what is required or not allowed. Don’t be misled! The Health Privacy Project features summaries of state health privacy statutes that may help you compare state law with the new federal privacy protections (http://www.healthprivacy.org).
We’ve missed the deadline for sending out our Notice of Privacy Practices (Notice)…do we need to wait until the patient comes into the office now?
No. The Rule stipulates you must provide the Notice at or before the date of first service delivery and therefore, you can mail your Notice at any time.
How do we provide the Notice to individuals and obtain their written Acknowledgement if our first treatment encounter after April 14, 2003 is over the phone or by mail?
If you are required to advise or treat a patient (who has not received your Notice yet) over the phone, you can satisfy the Notice requirements of the Privacy Rule by mailing it to them the same day, if possible. If your initial contact with the patient is simply to schedule an appointment or a procedure, the Notice and Acknowledgment requirements may be satisfied at the time the patient comes for their appointment.
How do we make sure we have made a “Good Faith Effort” to get the patient’s Acknowledgment of our Notice if we mail it?
To satisfy the “Good Faith Effort” requirement, you may include a tear-off sheet or mail-back response card with your Notice that requests the Acknowledgment be mailed back to you. You are not in violation of the rule if the patient chooses not to return their Acknowledgment. In this case, a file copy of the Acknowledgment form sent to the patient would be adequate documentation of your “Good Faith Effort”.
Can we E-Mail patients our Notice?
Yes. E-Mails may be sent to all patients at one time or contemporaneously in response to the patient’s first request for service. An electronic return receipt or other return transmission from the individual is a valid written Acknowledgment of your Notice.
May we combine our Notice with an Authorization form?
No. Covered entities may not combine the Notice in a single document with an Authorization form(s). An Authorization is a more customized document that gives covered entities permission to use specified PHI for specified purposes, other than for Treatment, Payment or health care Operations (TPO), or to disclose PHI to a third party specified by the individual. You may not condition treatment or coverage on the individual providing an authorization.
Must we give every patient a copy of our Notice if it’s clearly posted in the office?
Yes. You must provide the patient with a copy as well as post it in a prominent location.
Are postcard appointment reminders allowed without Authorizations?
Yes, appointment reminders are considered part of Treatment of an individual and can be made without a patient Authorization.
May we continue to mail postcards or leave messages for patients on their answering machine or with a family member, to remind them of appointments?
Yes. You are allowed to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through mail, phone or in some other manner. In addition, the rule does not prohibit you from leaving messages for patients on their answering machines. Your Notice should detail all the ways your office uses or plans to use PHI for TPO.
Can I communicate with my patient via postcard or phone message before they have received our Notice?
No. You may not continue routine communication practices such as mailing postcard reminders or leaving appointment messages on the phone until your patient has seen your Notice. Once your patients have received your Notice you are able to continue with phone or postcard reminders.
Can we include time and date of appointment on recall reminders? Do they have to be in sealed envelopes?
You may continue to use postcards and include appointment time and date. In situations where a patient has requested confidential communication you must accommodate the request, if reasonable. For example, a request to receive mailings from your office in a closed envelope rather than a postcard is reasonable and should be accommodated. A good rule of thumb is to use good professional judgment to assure that such PHI disclosures are in the best interest of your patient. When in doubt ask your patient!
May we use patient sign-in sheets or call out a patient’s name in the waiting room?
Yes, with some limitations. HIPAA explicitly permits “Incidental Disclosures” that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called, or see other patient names on a sign-in sheet. However, these Incidental Disclosures are permitted only when the Covered Entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate.
Must we remove patient chart holders outside treatment rooms or soundproof private operatories?
No. A dentist, hygienist or assistant uses the patient charts and communicates with their patients for Treatment purposes and the Privacy Rule permits this practice provided you take reasonable precautions to protect the patient’s privacy. Incidental disclosures to others that might occur as a result of the charts being left in the box or incidental overheard conversation are permitted, if the minimum necessary and reasonable safeguards requirements are met. Reasonable measures may include limiting access to certain areas, ensuring that the area is supervised, escorting non-employees in the area, or placing the patient chart in the box so the PHI is not readily visible to unauthorized personnel. Discreet communication with a patient may be facilitated by keeping voices lowered or moving the conversation into a private area. Each office must evaluate what measures are reasonable and appropriate in their environment and tailor measures to their particular circumstances.
Do we need a patient’s written Authorization to send their record to a specialist (e.g., endodontist) who will treat the patient or to consult with a patient’s other health care providers (e.g., physician)?
No. You may disclose PHI about an individual, without the individual’s Authorization, to another health care provider for that provider’s treatment of the individual. Further, consulting with another health care provider about a patient falls under the definition of Treatment, and you are expressly permitted to disclose PHI about an individual to another health care provider for that provider’s Treatment of the individual.
Do we need a Business Associate Agreement with our cleaning service?
No. Typically a cleaning service does not involve the use or disclosure of PHI, and such access would be considered Incidental and permitted by the HIPAA Privacy Rule. If a service is hired to do work for a covered entity where disclosure of PHI is not limited (such as routine handling of records or shredding of documents containing PHI), they would be considered a Business Associate. If the work is conducted under your direct control (e.g., on your premises), the Privacy Rule permits you to treat the service as part of your workforce, and you do not need a Business Associate Agreement.
We are required by State law to obtain an individual’s Consent to use or disclose their PHI. Should we obtain the individual’s Acknowledgement of the Notice too?
Yes. If you have a direct treatment relationship with an individual, you must make a Good Faith Effort to obtain Acknowledgment, regardless of whether you choose to, or are required to, obtain the individual’s Consent. However, those providers that choose to obtain Consent from individuals have discretion to design one form that includes both Consent and Acknowledgment of receipt of the Notice.
As a pedodontist, am I required to give a Notice to the children I treat?
No. You satisfy the Notice distribution requirements by providing a copy to the parent/legal guardian and making a Good Faith Effort to obtain their Acknowledgment.
Are we liable for the actions of our contracted Business Associates related to the Privacy Rule?
No. You are not required to monitor or oversee how the Business Associate manages their privacy safeguards or the privacy requirements of the contract. Nor are you liable for their actions. However, if you become aware of a material breach or violation of the contract by them, you must take reasonable steps to fix the problem, terminate the contract or report the problem to the Department of Health and Human Services Office for Civil Rights.
May we use information regarding specific clinical conditions of individuals in order to communicate about our products or services for such conditions without written Authorization?
Yes, if the communication is for the individual’s Treatment or for case management, care coordination, or the recommendation of alternative therapies. Communications regarding your health-related products or services are not considered marketing, and you may use clinical information to the extent it is reasonably necessary for these communications.
If you would like further information on this topic, please contact Dr. Curt Hamann, CEO, SmartPractice at 1-800-522-0800.
References: U.S. Department of Health & Human Services, Health Privacy Project.