Update Your HIPAA Notice of Privacy Practices

Posted by Brett Lindstrom on 12/26/2013

Everyone is familiar with the HIPAA regulation that requires you to distribute a Notice of Privacy Practices to all patients, who then sign an Acknowledgement indicating they have reviewed the Notice.  While most patients don’t actually review the information, certain content is required to be included on your Notice.

A new HIPAA Final Rule was published on January 25, 2013 and went into effect on March 26th. Referred to as the Omnibus Rule, these new regulations include required changes to the wording of your Notice of Privacy Practices. Dental offices had until September 23, 2013 to comply.

One change to the Notice involves fundraising and marketing. The Notice must now indicate that if the patient’s Protected Health Information (PHI) is used for fundraising, the patient has the right to opt out. If there is a disclosure of PHI for marketing purposes or the sale of PHI, a written authorization must first be obtained from the patient.

The Breach Notification Rule was part of the HITECH Act that was passed back in 2009.  The new Notice must now inform the patient of the dental office’s obligation to notify patients in the event of a breach of unsecured PHI.

Another change affects not only the content of the Notice but also the physical disclosure of PHI in certain circumstances: if a patient pays for a service out of pocket in full, the patient now has a right to request that the dental office not disclose treatment information for this service to a health plan.

The last change is to the patient’s right to a copy of their health records. If applicable, a patient now has a right to an electronic copy of their records if they prefer. The patient must be notified of this right in the Notice of Privacy Practices.

While it is a violation of HIPAA Security to send a patient’s PHI over normal email without any type of encryption or security measures, a dental office is allowed to send regular email containing PHI directly to the patient, but only if the patient requests this and is informed of the possible security risks of emailing sensitive information.

The Notice of Privacy Practices should contain an effective date of when the office first started distributing the new Notice.  Distribution is only required to patients as they come in for appointments and only new patients who have not yet signed an Acknowledgement of Receipt Privacy Practices Notice are required to sign a new Acknowledgement.  No changes are required to the Acknowledgement form.

If a dental office has a website, as of September 23rd it is required to post its updated Notice of Privacy Practices to the website.

For more information or to receive a copy of a new and compliant Notice of Privacy Practices, please call The Dental Record at 800-243-4675.
