May 2018--Have you ever been out of HIPAA compliance? Are you sure? Christine Taxin, founder and president of Links2Success, a practice management consulting company, says they are two common mistakes dental practices make and should remedy now.
HIPAA is the Health Insurance Portability and Accountability Act that was signed into law in 1996. It provides security provisions and data privacy. A history of noncompliance may cause the Department of Health and Human Services Office for Civil Rights (OCR) and state attorneys general to penalize you and monitor your adoption of a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA.
When it comes to HIPAA forms and appropriate documentation in patient charts, many dental practices are falling short. Here are two mistakes I commonly see.
One of the biggest HIPAA compliance mistakes is one of the simplest to correct by ensuring all patients sign your Notice of Privacy Practices and consent forms. Let me give you a common example of when not having signed consent can take you out of compliance.
If the mother of a nineteen-year-old college student calls to find out what her son’s treatment will involve and the cost it will be, we cannot disclose that information until her son signs the disclosure consent form that specifically allows her to be informed. Even though she is paying the bill, we cannot legally disclose that information unless she and her son are in the same room in your presence and the son verbally consents.
Johnny has been in the practice for years with his mother always previously involved, so what does it mean, then, if someone in the practice slips by discussing the son’s case over the phone without checking for the signed consent form? You are in noncompliance.
According to the A Health Care Provider’s Guide to the HIPAA Privacy Rule, if the adult patient is present and has the capacity to make health care decisions, a health care provider may discuss the patient’s health information with a family member, friend, or other person if the patient agrees or, when given the opportunity, does not object. A rule of thumb is to only discuss a case with a parent when their adult child is also in the room and does not object to sharing that information or when you have a signed consent form and can confirm the identity of the inquiring parent.
Another example of failure that can lead to trouble is if you are using a third party to do your practice’s dental and/or medical billing. You need your patients to give your office signed permission for another party to look at their paperwork.
The HIPAA Privacy Rule requires that you ask a new patient to sign an Acknowledgement of your Notice of Privacy Practices not later than the patient’s first face-to-face visit. After that, the regulation generally requires that you retain any signed Acknowledgement for at least six years after the patient is no longer active in your practice. Some facilities ask all patients to sign an Acknowledgement at every visit to reduce the risk of missing new patients and lost paperwork, but this is not a HIPAA requirement.
Do you know that documenting “tooth #31 MOD” is not in compliance with the law? It's not giving information on how you diagnosed tooth #31. It's not providing information on why you're treating #31, and it’s not telling the insurance company, medical provider, or anyone how you treated it. An astounding 99% of hygienists abbreviate in this way on patient charts.
What to do: Without a comprehensive list of the abbreviations used in your practice and their documented meaning, you are legally out of HIPAA compliance. Document the meaning of each abbreviation used in patient charts and provide those definitions when filing insurance claims and other reports.
Patient Prism Academy contains a series of HIPPA Compliance videos, featuring HIPAA compliance experts Christine Taxin and Leslie Canham.