Protecting the Patient, Application of HIPAA/PCI in Dentistry
By: Gary Morgan, CDT, ASQ, CQA
Most dental practices have achieved a comfort level in implementing and maintaining compliance methods to protect patient health information within their organization.
The requirements and procedures for protecting patient information that must be transmitted to another entity for treatment, or for payment for treatment, can be more difficult to understand. Such entities include insurers, health plans, other health care providers and business associates. Additionally, practices that accept credit card payments must also ensure that credit card information is protected under the Payment Card Industry Data Security Standard (PCI DSS).
First and foremost, dental practices must ensure that the patient information they hold is kept private and secure, meaning that the information cannot be obtained by individuals who are not part of the health care provision team. Procedures must be in place to protect information held in computer systems that store electronic health information and in systems that transmit health information to other entities.
The rules for protection of privacy and security extend to business associates, entities that provide services to or on behalf of a health care provider. Dental practices may disclose protected health information to a business associate, and allow its use, provided that a contract or agreement is in place stating that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law, and requiring the business associate to use appropriate safeguards to prevent any use or disclosure of the protected health information other than as provided for by the contract. Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.
Dental patients may require the services of a reputable dental laboratory to provide restorative or therapeutic devices such as crowns, bridges, full and partial dentures, and orthodontic appliances. These dental laboratories may employ Certified Dental Technicians and be recognized as Certified Dental Laboratories. They may also have Quality Systems and Good Manufacturing Practices in place that comply with FDA requirements.
Dental laboratories are considered health care providers under the HIPAA regulations, and the exchange of patient health information necessary for treatment does not constitute a business associate relationship. The Office for Civil Rights (OCR) reaffirmed in March of 2017 that a business associate agreement is not required between a dental practitioner and a dental laboratory.
Dentists must communicate with the dental laboratory to specify which devices are needed, how each device is to be made, and the materials to be used to manufacture it. This communication ensures that the devices are of a quality that will meet the patient’s needs. The information may be transmitted to the dental laboratory through various means such as written prescriptions or work authorizations, phone communications, and electronically through media such as email, texting, and data portals.
The electronic transmission of patient health information to the dental laboratory should be secured using password protection and/or encryption of the information. De-identifying the patient in the transmission by using case numbers instead of names can minimize the impact of a breach. The dentist should provide only the information necessary for provision of the health care service. However, some personal information is required to be transmitted by state dental laws, especially for prosthetic identification.
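As an added illustration (not part of the original article or any SafeLink material), the following Python sketch shows how a practice-side system could apply the two points above before a work authorization leaves the practice: the lab receives only the clinical fields it needs plus an opaque case number, the case-number-to-patient mapping stays in the practice, and the one state-law exception (patient name for prosthesis marking) is added deliberately rather than leaking through. The field names and the case number format are assumptions; encryption of the payload in transit is left to the portal or email system used.

```python
from dataclasses import dataclass, field

# Clinical details the laboratory needs to fabricate the device: the
# "minimum necessary" set for this transmission (field names are assumed).
LAB_FIELDS = ("device", "tooth_numbers", "material", "shade", "due_date", "instructions")

# Direct identifiers that stay in the practice's own records.
DIRECT_IDENTIFIERS = ("patient_name", "date_of_birth", "address", "phone", "ssn")


@dataclass
class CaseRegistry:
    """Practice-side lookup from lab case number to patient; never transmitted."""
    next_number: int = 1
    cases: dict = field(default_factory=dict)

    def assign(self, patient_name: str) -> str:
        case_no = f"CASE-{self.next_number:06d}"  # assumed case number format
        self.next_number += 1
        self.cases[case_no] = patient_name
        return case_no

    def resolve(self, case_no: str) -> str:
        return self.cases[case_no]


def prepare_lab_transmission(record: dict, registry: CaseRegistry,
                             prosthetic_id_required: bool = False) -> dict:
    """Build the de-identified payload sent to the laboratory.

    The patient is referred to by case number only, clinical fields are copied
    through, and identifiers are dropped. When state law requires the prosthesis
    to carry the patient's name (denture marking), that single field is added
    explicitly, and a final check confirms no other identifier slipped in.
    """
    payload = {"case_number": registry.assign(record["patient_name"])}
    for name in LAB_FIELDS:
        if name in record:
            payload[name] = record[name]
    if prosthetic_id_required:
        payload["prosthesis_marking"] = record["patient_name"]
    leaked = [k for k in payload if k in DIRECT_IDENTIFIERS]
    if leaked:
        raise ValueError(f"direct identifiers in lab payload: {leaked}")
    return payload


# Constructed sample work authorization (fictitious, not real patient data).
SAMPLE_RECORD = {
    "patient_name": "Jane Doe", "date_of_birth": "1970-01-01", "phone": "555-0100",
    "device": "full upper denture", "tooth_numbers": "1-16", "material": "acrylic",
    "shade": "A2", "due_date": "2024-06-01",
}
```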
The dental laboratory should likewise provide for the privacy and security of the patient information it receives in the course of producing the devices that will be placed in the mouth. The role of the dental laboratory is critical for ensuring not only high levels of patient care, but also that patient information is protected.
Gary is Vice President and Senior Consultant of SafeLink Consulting, Inc., a nationally recognized consulting firm located in Cumming, Georgia. SafeLink specializes in regulatory compliance consulting, including Quality Systems implementation, FDA, OSHA, and HIPAA compliance. A Certified Dental Technician, Gary began lecturing on health and safety in the dental field in 1989 and is an Authorized Trainer under OSHA’s Outreach Program. Gary is also a DAMAS consultant and auditor and is a Certified Quality Auditor by the American Society for Quality.