10/14/2013

CDA answers member questions on HIPAA


The combination of a HIPAA deadline and vendor communications about the deadline recently sent many CDA members to the Internet and telephone to find out what assistance they could get from the Practice Support Center.

Members easily found on cda.org samples of the forms that were required to be in place by Sept. 23, as well as articles, a Q&A and a checklist for HIPAA compliance. (Visit cda.org/Privacy-HIPAA for these resources.)

Callers had specific questions on the requirement to securely transmit protected health information to other dental practices. This requirement, in place since the HIPAA Security Rule became effective in 2003, was highlighted in vendor communications. The chief questions were: “Can we still text/email appointment reminders?” and “Is encrypted email required?”

Appointment reminders may be sent via text or unsecured email as long as no information on treatment or purpose of the appointment is included in the communication. The first name of the patient, date, time and name of the practice may be included. It is the dental practice’s responsibility to ensure the appointment reminder is being sent to the correct telephone number or email address.

Encrypted email is not the only solution to secure electronic transmission. Other solutions include secure file-sharing software, secure emailing services and dental-specific services such as RecordLinc, eDossea, Brightsquid and Dental Sharing. Other solutions may be available. Dental practices should consult with their IT advisors to determine the best solution for their needs. CDA makes no recommendations in this area.

Unsecured email may be used to transmit protected health information to patients only if patients have been informed of the risks of unsecured email and consent to receiving such communication. Patient consent to send their information through unsecured email to others is not recognized in law. Sample language to use for obtaining patient consent for use of unsecured email is found in “HIPAA and California Health Information Protection and Privacy Laws Q&A,” available at cda.org/compass.

Information technology security with regard to HIPAA requirements is the subject of several guides and reports produced by the National Institute of Standards and Technology (NIST), a federal agency that sets computer security standards for the federal government. One guide, for example, looks at Secure Sockets Layer (SSL) virtual private networks (VPNs), and another reviews Transport Layer Security (TLS) implementations. A list of these publications is available on the website of the U.S. Department of Health and Human Services (HHS), which enforces HIPAA.

Secure electronic transmission of protected health information is one of the many requirements of the HIPAA Security Rule. Dental practices should review the rule's requirements to ensure compliance. A major component of compliance is a documented risk analysis. “HIPAA Security Rule: A Summary” is available on cda.org/compass, and HHS publishes “Guidance on Risk Analysis” on its website.

For more information, visit cda.org/Privacy-HIPAA.