HIPAA doesn't care

We're all concerned with protecting patients' privacy. But sometimes, HIPAA doesn't care.

Well, it does, but not formally…at least about the issue called in last week by a member.

The case is this: A patient’s general practice dentist referred the patient to a specialist for treatment, and after the treatment was completed, the specialist communicated back to the referring dentist the results of the care.

As it turned out, the patient was upset about something completely unrelated to the care received, threatened to sue the general practice dentist, and it has splashed-back on the specialist as the patient filed a complaint with the US Dept. of Health and Human Services over a “HIPAA violation” for sharing information about the treatment back to the general practice dentist.

First, sharing information about the patient’s treatment back to the referring dentist (who, again, is the patient’s general practice dentist) isn’t a violation of HIPAA. The HIPAA Privacy Rule protects the confidentiality of personal, identifiable, health information – essentially, information that ties a person’s health condition or treatment for a condition to their identity. This information is what regulated entities, like dentists, should protect. However, HIPAA’s rule allows such personal health information of patient’s to be used or transmitted to others, without the patient’s formal approval, and without such being a violation of HIPAA. One example is transmitting a patient’s health information to their insurance company. A no-brainer, in that regard.

But the rule also allows the sharing of a patient’s personal health information for the purposes of treatment. Letting a referring dentist know what the outcome was of a specialized procedure performed on their patient is considered a “treatment-related” communication, and is not a violation of HIPAA. Specifically, Sec. 45 Code of Federal Regulations 164.506(c) clarifies that a covered entity (a dentist) may use or disclose protected health information for the treatment activities of any health care provider. It’s certainly in the interest of a general practice dentist, not to mention the patient, to inform that dentist of the outcome of specialized treatment on one of their patients, particularly if the dentist referred the patient to the specialist in the first place.

But HIPAA doesn’t care in this particular case for another reason: The specialist isn’t regulated by HIPAA. When the specialist received a call from the regional Office of Civil Rights with the U.S. Dept. of Health and Human Services about the fact that a patient had filed a complaint against the dentist for a possible HIPAA violation, the OCR representative neglected to ask the dentist whether the practice was even regulated by HIPAA. The HIPAA law is clear: only those health care providers who conducted specified transactions (e.g., claims and such) electronically with payers come under the regulatory obligations of HIPAA. In this case, the specialist conducts no communications involving patient information with dental benefit plans electronically. When the dentist called the OCR representative back and informed her of this, she said, “Oh…. Fine! Please send us a letter to that effect, and we’ll close the case.”

The vast majority of complaints filed for presumed violations of HIPAA are dismissed by HHS either because HIPAA doesn’t apply to the practice, or because the presumed violation wasn’t a violation at all. In this case, the complaint wasn’t over an actual violation of HIPAA, and the dentist didn’t come under HIPAA’s regulatory requirements anyway.

Case closed.