Dentist offices are subject to the Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA was enacted originally to address the electronic transmission of health information. However, in 2001, the privacy rule was created by the Department of Health and Human Services, the entity responsible for monitoring compliance with HIPAA. In addition, HIPAA requires security to be in place in the event that protected health information is disclosed.
The HIPAA Privacy Rule
HIPAA is applicable to protected health information. Protected health information is any oral or written information about a patient that relates to the physical or mental condition of that patient. HIPAA applies to "covered entities," which are statutorily defined as those entities which receive, use or are exposed to protected, private patient health information. Therefore, dentists' offices are included in HIPAA's reach.
HIPAA Privacy Rule Compliance
HIPAA Security Rule
Pursuant to HIPAA, a covered entity which handles the electronic storage and transmission of patient protected health information must have security efforts in place. This is known as the HIPAA Security Rule. Under this rule, a provider has to provide HIPAA employee training in the handling of patients' electronic records. In addition, the computer system must be password protected and have backup emergency disaster plans and firewall protection. Therefore, a dental office must take steps to ensure the office complies with this requirement.
HIPAA and Paper Transactions
It is important to note that a dental office may be exempt from HIPAA. If a dentist handles insurance or other business transactions on paper, that transaction is not subject to the privacy rules. However, when the paper is exchanged or input into electronic form at some point, such as where the paper is submitted to an insurer, then the transaction is subject to HIPAA.
In 2006, the final enforcement rule for HIPAA was released. This enforcement rule indicates the procedure for complaints of HIPAA violations and provides for civil monetary penalties that can be assessed for violations of HIPAA. The United States Department of Health and Human Services, in conjunction with other state and/or federal departments, administers the enforcement of HIPAA.