
Are we HIPAA compliant when sending and storing patient records electronically?

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. Among its stated purposes were to improve the Medicare program under title XVIII of the Social Security Act and the Medicaid program under title XIX of that Act, and to improve the efficiency of the health care system by establishing standards and requirements for the electronic transmission of health information. (1) HIPAA is best known for the Privacy Rule, the federal regulation that gives individuals rights over their personal health information and sets rules and limits on how that information may be used and disclosed. The Privacy Rule applies to all forms of individuals' personal health information, whether electronic, written or oral. (2) HIPAA also includes the Security Rule, which applies only to health information that is held or transmitted in electronic form.

Many of us consider our health information to be a private matter and therefore believe that it should be protected. We want to know who has our information and how it is stored. The U.S. Department of Health and Human Services (HHS) issued the Privacy Rule and Security Rule to implement certain provisions of HIPAA and to ensure that covered entities limit their uses, disclosures and requests of protected health information (PHI) to the minimum necessary to accomplish the intended purpose. (2) Examples of covered entities are physicians, dentists, clinics, hospitals, nursing homes, pharmacies, health plans and health care clearinghouses. PHI is individually identifiable health information that relates to "the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual." (2,4)

Basically, any piece of health information that can be linked to an identifiable individual must be safeguarded. The identifiers include, but are not limited to, name, birthdate, address, Social Security number and other demographic data. Although the Privacy Rule generally requires the individual's authorization to reveal PHI, there are circumstances in which disclosure is permitted without authorization, such as to protect public health. This article concerns staying HIPAA compliant when sending and storing patient records.

Permitted Uses and Disclosures

A covered entity may use or disclose PHI without the individual's authorization for the following purposes:

1. To the individual (2)

* Giving the individual access to, or a copy of, his or her own PHI

2. Treatment, payment, and health care operations (2)

* Consultation between providers, referral of a patient by one provider to another

* Health plan activities to obtain premiums, determine coverage and provision of benefits

* Health care provider actions to obtain payment

* Entity administrative activities

3. Opportunity to agree or object (2)

* Informal permission may be obtained by asking the individual.

* Individual's informal permission to disclose PHI to family, relatives, friends or other persons whom the individual identifies

* Notification to public or private entities authorized by law to assist in disaster relief efforts

4. Incident to an otherwise permitted use and disclosure (2)

* Secondary disclosure of PHI as a result of an otherwise permitted disclosure is allowed as long as the covered entity has reasonable safeguards in place and limits PHI being shared to the minimum necessary.

5. Public interest and benefit activities (2)

* PHI can be released without authorization, subject to specific conditions and limitations, for the following 12 national priority purposes: when required by law; public health activities; victims of abuse, neglect or domestic violence; health oversight activities; judicial and administrative proceedings; law enforcement purposes; decedents; cadaveric organ, eye or tissue donation; research; serious threat to health or safety; essential government functions; and workers' compensation.

6. Limited data set for the purposes of research, public health or health care operations (2)

* A limited data set is PHI from which specified direct identifiers have been removed; it may be used or disclosed for these purposes provided the recipient enters into a data use agreement promising specified safeguards for the PHI.

Covered entities may rely on professional ethics and best judgment in deciding which of these permissive uses and disclosures to make. The Privacy Rule, enforced by the HHS Office for Civil Rights (OCR), also imposes administrative requirements on every covered entity. These include providing patients a written notice of privacy practices that describes how PHI may be used and disclosed, the individual's rights and the covered entity's legal duties regarding PHI; updating the notice when privacy practices change; and implementing administrative, technical and physical safeguards to protect PHI and limit its improper use. (2)

In addition, covered entities must train all members of their workforce on their privacy policies and procedures and must have and apply sanctions against employees who violate Privacy Rule requirements. (2) Each covered entity must also designate a privacy official and a contact person responsible for receiving privacy complaints.

E-Communication in the Dental Practice

Increasingly, oral health care providers are adopting the electronic health record (EHR). A key feature of an EHR is that it can be created, managed and consulted by authorized providers and staff across more than one covered entity. Although this facilitates e-communication and patient-centered oral health care, it also warrants careful HIPAA consideration with each disclosure transaction.

Many routine "business operations" of a practice can be accomplished via e-communication. Certain types of communication can be written without disclosing sensitive information, or by "de-identifying" the PHI. Under the Privacy Rule, health information is de-identified when either a qualified expert determines that the risk of re-identifying an individual is very small, or all of the listed identifiers (the "Safe Harbor" method) have been removed and the covered entity has no actual knowledge that the remaining information could be used to identify an individual. (3) Information that meets either standard is no longer PHI.

For example, switching from phone calls or regular mail to electronic appointment reminders via e-mail or text message is a routine business operation that can be accomplished while keeping the PHI in the message to the minimum necessary (the day and time of the visit, but not its reason or any clinical detail). Conversely, e-communications regarding clinical care pose a greater concern, and safeguards are needed to ensure that the patient's PHI is protected.

Maintaining PHI Security

Encryption is a commonly used safeguard for e-communication. Encrypting PHI in transit and at rest protects it if a message is intercepted or a device is lost or stolen, and under HHS guidance properly encrypted ePHI that is lost is not treated as "unsecured" PHI for breach-notification purposes. Encryption does not, however, stop malware running on an authorized user's computer, so it complements rather than replaces the anti-malware and access-control safeguards listed below. Another safeguard is a patient portal, which gives patients access to their health records through a protected website. These portals may also provide a secure messaging channel between patient and provider, and supply an audit trail of who accessed an individual's PHI and when. Precautions such as restructuring text messages to remove PHI, or de-identifying the PHI in the message, have been suggested. (4) Conducting the risk analysis that the Security Rule requires is another step to take before adopting texting. (4) Additionally, the benefits and limits of e-communication should be explained to the patient, and written consent to opt in or opt out should be obtained. Regardless of the technology used, any clinical information exchanged via e-communication should also be entered into the patient's record.

OCR guidelines to protect electronic PHI (ePHI) include:

* Conducting a risk analysis to identify threats to ePHI

* Establishing a plan to remediate identified risks

* Implementing procedures to safeguard against malicious software

* Training authorized users on detecting and reporting malicious software

* Limiting access to ePHI only to persons or software programs requiring access

* Maintaining a contingency plan including disaster recovery, emergency operations, frequent data backups and test restorations. (5)


Regulations notwithstanding, HIPAA compliance alone does not ensure that patient records are secure. Any provider adopting e-communication should consult a risk management specialist before implementing e-communication office policies. A thorough consent protocol that explains the benefits and limitations of e-communication to the patient is prudent. Careful handling of PHI can head off potential problems. We need not fear technology as long as we use it responsibly.

Margarita Rivera, RDH, MSDH, is an adjunct lecturer at New York City College of Technology and a clinical instructor at Fones School of Dental Hygiene-University of Bridgeport. She is a Long Island Dental Hygienists' Association (LIDHA) delegate and president of the Sigma Phi Alpha dental hygiene honor society Alpha Mu chapter at Farmingdale State College.


(1.) U.S. Department of Health and Human Services Office of the Assistant Secretary for Planning and Evaluation. Health Insurance Portability and Accountability Act of 1996. Available at: https://aspe.hhs.gov/report/health-insurance-portability-and-accountability-act-1996. Accessed Aug. 16, 2016.

(2.) U.S. Department of Health and Human Services. Summary of the HIPAA privacy rule. Available at: hipaa/forprofessionals/privacy/laws-regulations/index.html. Accessed Aug. 16, 2016.

(3.) U.S. Department of Health and Human Services. Guidance regarding methods for de-identification of protected health information in accordance with the Health Insurance Portability and Accountability Act (HIPAA) privacy rule. Available at: for-professionals/privacy/special-topics/de-identification/index.html#rationale. Accessed Aug. 16, 2016.

(4.) Karasz HN, Eiden A, Bogan S. Text messaging to communicate with public health audiences: how the HIPAA Security Rule affects practice. Am J Public Health. 2013; 103(4): 617-22. Available at: http://www. Accessed Aug. 16, 2016.

(5.) U.S. Department of Health and Human Services. Fact sheet: ransomware and HIPAA. Available at: files/RansomwareFactSheet.pdf. Accessed Aug. 16, 2016.
COPYRIGHT 2016 American Dental Hygienists' Association

Article Details
Title Annotation:SPECIAL FEATURE
Author:Rivera, Margarita
Date:Nov 1, 2016