By Dan Schulte, J.D.
MDA Legal Counsel
From the June 2013 issue of the Journal
Question: I have read about changes to HIPAA taking effect later this year. Will any of these new rules affect dental practices?
Answer: On Jan. 25, 2013, the federal Department of Health and Human Services published its final rule containing changes to HIPAA’s Privacy Rule, Security Rule and certain enforcement and breach notification provisions (the “HIPAA Amendments”). Some of the HIPAA Amendments will directly affect what you have already done to comply with the HIPAA Privacy Rule and Security Rule. The effective date of the rule was March 26, 2013. However, dental offices, other covered entities and their business associates generally have until Sept. 23, 2013, to be in compliance.
Generally, there are three areas dental offices need to be aware of. The first involves changes that need to be made to your Notice of Privacy Practices. Generally, you must re-do your Notice of Privacy Practices to include the following:
- Most uses and disclosures of protected health information for marketing purposes and disclosures that constitute a sale of protected health information require the patient’s authorization, and any uses and disclosures not described in the Notice of Privacy Practices will only be made following patient authorization.
- Patients have a new right to restrict certain disclosures of their protected health information to a dental plan when patients are paying out of pocket in full for their dental care services.
- The patient has a right to be notified following a breach of his or her protected health information. A simple statement that the patient has a right to receive a notification that there has been a breach of his or her protected health information will suffice in most cases.
These changes will require dental offices to distribute new Notices of Privacy Practices to their patients. The ADA made available a revised model Notice of Privacy Practices in May of this year. Beginning on Sept. 23, 2013, dental offices must post the revised Notice of Privacy Practices in a clear and prominent location. You are only required to give a copy of your new Notice of Privacy Practices to, and obtain a good faith acknowledgment of receipt from, new patients. For existing patients on Sept. 23, 2013, posting the new Notice of Privacy Practices will suffice.
Second, dental offices need to be aware of new breach notification rules. The HIPAA Amendments clarify that a “breach” is any impermissible use or disclosure of protected health information unless it can be shown that there is a low probability that the impermissibly used or disclosed protected health information has been actually compromised. In all situations where you cannot demonstrate such a low probability that protected health information has actually been compromised, the breach notification rules must be complied with.
In determining whether the risk is sufficiently low, you must conduct a risk assessment that considers at least the following factors:
- the nature and extent of the protected health information involved;
- the identity of the person who used the protected health information and those to whom the disclosure was made;
- whether the protected health information was actually acquired or reviewed; and
- the extent to which the risk to the protected health information has been mitigated.
Third, you should be aware the HIPAA Amendments contain changes regarding business associates. Business associates are now directly liable for compliance with the HIPAA Privacy Rule and Security Rule. The HIPAA Amendments contain a number of modifications to implement the provisions of the HITECH Act. For example, business associates must comply, when applicable, with the Security Rule with respect to safeguarding electronic protected health information and report security breaches.
As the Sept. 23, 2013, compliance date draws closer, more specific information on how to maintain HIPAA compliance will be provided by the ADA and MDA.