#15 – HIPAA Privacy Guide

In 1996 the federal government passed HIPAA (Health Insurance Portability and Accountability Act) to protect the confidentiality of health information.  This law requires all healthcare organizations to establish privacy standards for all information related to our clients.  This includes:

  1. Dental Records
  2. All written or oral communications concerning a client

If we don’t comply, we can be fined $100 per offense (civil) and up to $250,000 and/or 10 years in prison (criminal penalty).  Most of HIPAA’s requirements are just reasonable common sense.  If you have specific questions, ask ___________, our designated Privacy Officer.

Areas of Privacy

  • Staff training – Your responsibility is to read and review all of the information in this section.
  • Safeguards – Protect all clients’ health information from any intentional or unintentional disclosure that violates privacy law.  We should use antivirus software, offsite storage of backups, firewalls for networked computers, encryption software for information transfer, and regular review.
  • Complaints by clients – These must be documented.
  • Access to records – clients must know our privacy policy.
  • Sanctions – Staff who violate these regulations will be reprimanded and/or terminated.
  • Mitigation – Correct any damage caused to a client by a breach of this confidentiality.
  • Retaliatory Acts – We can’t punish a client who reports us for a violation.
  • Waiver of rights – Clients can’t be made to waive their rights if they want us to treat them.
  • Revisions – We can change these policies at any time.
  • Documentation – We must maintain these privacy policies in writing for at least 6 years from when they were last in effect.

_______________________________                      ___________________
Secretary Team Leader                                Date

_______________________________                      ___________________
Your Signature                                       Date


  1. Use a lowered voice for all verbal communication that might disclose PHI (protected health information), particularly in open operatories.  Use private offices for “sensitive” discussions.
  2. Never “call out” any information that might be considered personal, e.g. tests required or taken, test results, medications, devices used, etc.
  3. Do not allow computer screens to be viewed, intentionally or unintentionally, by unauthorized persons.
  4. Exit all programs that might contain PHI (protected health information) when leaving a computer workstation for a period of time.
  5. Be certain that “sign-in” sheets do not require “reason for visit” information.
  6. All chart holders must effectively obscure patient information.
  7. All email, written, and faxed PHI must be clearly marked “confidential” and contain a privacy warning.
  8. Never leave files or folders open or unattended.  Filing cabinets and other storage containing PHI must be secured and locked.
  9. Do not share computer passwords.  Change them regularly.
  10. Take every precaution to control PHI (protected health information).
  11. Don’t use clients’ names or discuss their treatment in public areas.
  12. Internet rules: The internet at HP is never to be used for personal pleasure; staff use of the computers will be monitored; keep your password confidential; most deleted information can be restored; never open unexpected attachments.

HealthPark Dentistry’s Training Manuals

Dr. Smith and Jill Nesbitt have written over 4000 pages of training manuals and they own the federal copyright on these levels. Copyright law restricts you from physically copying these manuals for any purpose other than personal use. In order to protect the thousands of hours of time spent creating and updating these training manuals from being shared with other dental offices or other organizations outside HealthPark Dentistry, we are asking that you sign your agreement that you will follow the copyright law. By signing this, you agree not to give copies of any of your training manuals to anyone else.

I hereby agree that HealthPark’s training manuals contain certain proprietary information that is not to be disclosed to outside parties without HealthPark’s permission. I also agree not to give or sell to others a similar set of training manuals during my association with HealthPark or for a period of 7 years following my disassociation with HealthPark. Failure to abide by this stipulation shall result in damages to be determined by arbitration.

___________________                    __________________
Signature                              Date

Identity Theft Detection Policy & Procedures

A.    Watch For:

1)    An individual falsely claiming to be someone else;

2)    Unexplained discrepancies between the patient’s medical records and the patient’s physical condition;

3)    A complaint by a patient that he or she has been the victim of identity theft in connection with services provided at HealthPark.

B.    Responding to Red Flags

Any employee who recognizes a potential identity theft situation should report the situation to ____________.  She will follow up and record the incident.

C.    Possible responses to a Red Flag Situation include the following:

1)    Patient notification – We may notify the client if a Red Flag is encountered and verify that the theft did not occur at our office.

2)    Possible specific actions:

a)    Cease any collection efforts that are related to the identity theft.

b)    Notification of Legal Authorities

If we learn that a client or staff member has committed identity theft, we will contact law enforcement to the extent permitted under HIPAA and other privacy laws.

c)    If a Red Flag is triggered but we determine that there clearly has been no identity theft, no action will be taken.

D.    Plan Administration and Updates

1)    All staff will receive a copy of this Policy to be signed.

2)    We will evaluate our Program annually and update it in light of experience.

3)    Any questions about this Policy should be addressed to the dentist.

E.    ACKNOWLEDGEMENT (to be completed by all staff members who interact with patients)

I, ____________________, have read the practice’s Identity Theft Detection and Response Policy and Procedures and understand the contents.  I have been instructed regarding situations that may suggest possible identity theft. If I discover a possible instance of identity theft, I will immediately bring the matter to the attention of ________.

_____________________________            _______________________
Staff person                             Date

HIPAA Security Quick Reference Guide

What is HIPAA?

The Health Insurance Portability and Accountability Act is a federal law. HIPAA provides for:

  • Enhanced privacy to protect individually identifiable health information (protected health information or PHI) in any form (oral, paper, electronic) and enhanced patients’ rights with respect to their PHI (effective April 14, 2003);
  • Standard security measures to ensure confidentiality, integrity, and availability of data (effective April 20, 2005).

What is considered Protected Health Information (PHI) and Electronic Protected Health Information (ePHI)?

Information is considered to identify an individual if it includes either the individual’s name or any other information that could enable someone to determine the individual’s identity. Protected Health Information may include:

  • Name and address
  • Geographic identifiers such as address and zip code
  • Telephone or fax numbers
  • Health care specifics
  • Social Security or medical records numbers

Examples of ePHI include any medium used to store, transmit, or receive PHI electronically, such as the following:

  • Personal Computers with their internal hard drives used at work, home, or traveling
  • External portable hard drives, including iPods
  • Magnetic tape or disks
  • Removable storage devices such as USB memory sticks/keys, CDs, DVDs, and floppy diskettes
  • PDAs and smartphones
  • Electronic transmissions, including data exchanges via wireless, Ethernet, modem, DSL or cable network connections

Who does HIPAA Security apply to?

HIPAA Security standards apply to covered entities, such as HealthPark Dentistry. A covered entity is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA. HIPAA Security standards apply to all individuals who have equipment connected to the UCHC network. In addition, they apply to all individuals, because as a member of the HealthPark Dentistry staff you may come in contact with patient information.

What are HIPAA Security Standards?

HIPAA Security Standards are Federal rules that:

  • Define administrative, physical, and technical safeguards to protect electronic protected health information.
  • Require implementation and documentation of basic safeguards.
  • Protect PHI currently or previously in electronic form.

How do I comply with the Security Standards? As a member of this community you must do the following:

  • Set up and use a Dentrix password and keep it confidential
  • Memorize your password and log off your computer by using password-protected screen savers when you are not at your work station
  • Do not use e-mail to send or transmit ePHI to internal or external recipients.
  • If you receive an e-mail attachment from someone you don’t know, don’t open the attachment. And don’t forward it to anyone. Instead, delete it and report it to your team leader.
  • Unless authorized, never install any software on your computer.
  • If you suspect that your computer may be infected with a virus, immediately report it.
  • Never load data files from outside CDs and diskettes.
  • Always use a shared network drive for any patient communication. Never save data on the C: drive of your computer.
  • If using a mobile device, set up a password to get into your phone. If using a laptop for remote access, set up appropriate virus and firewall protection.

Names of staff/dentists that have remote access to our network:


I understand that I must follow the HIPAA Privacy and Security laws when I use my personal computer or cell phone to access PHI (Protected Health Information).

____________________________            _________________________
Name                                    Date

Administrative Safeguards:

• Assign security responsibility within the organization – __________ is the security officer.

• Develop policies and procedures to address security violations. This includes completing a risk analysis, implementing security measures to reduce risks and vulnerabilities, developing a sanction policy, and implementing procedures to review records of system activity on a regular basis.

Pop Quiz – to be done at least 2x/year – Walk through office & look for computers logged into Dentrix when the user is at lunch or gone for more than 15 minutes. Document the staff that fail this quiz in their employee file.

• Attend to workforce security including: workforce clearance procedures, termination procedures and authorization, and/or supervision of workforce and management.  – When a secretary or dentist is terminated, we change the security alarm to protect PHI. When a person with remote access is terminated, we let our IT company know in order to eliminate their access.

• Establish policies and procedures for granting access to ePHI.  – Only the individuals identified above have access to ePHI.

• Provide security awareness training to the workforce and management. – This will occur annually along with the OSHA annual training and will be located in general level 1 for all staff to review.

• Identify and respond to security incidents.

• Implement policies and procedures for responding to an emergency, including plans to back up data, recover after a disaster, and operate during a disaster or emergency.  – ________ is responsible for working with the IT support company to maintain a daily backup of PHI from the servers.

• Periodically evaluate the organization’s compliance with the Security standards.  – Every 3-5 years, compliance will be evaluated.

Physical Safeguards:

• Limit physical access to electronic information systems and the facilities in which they are housed.  – Charts are stored behind secretary desks and the servers are located in the doctor’s office.

• Proper authorization for access.

• Standards that ensure proper workstation use and physical security of workstations that access ePHI.  – An ID & Password are required to access Dentrix on all computers.

• Standards for device and media controls.  – Before any removable media is used, staff/dentists should review it with __________.

Technical Safeguards:

• Technical policies and procedures for access control on systems that maintain ePHI. These systems must allow for unique user identification and include an emergency access procedure for obtaining necessary ePHI during an emergency. Addressable specifications include automatic logoff and encryption and decryption. – An ID & Password are required to access Dentrix onsite and remotely.

• Hardware, software, and/or procedural methods for providing audit controls.  – Our firewall provides data to show which computers have accessed websites and blocks restricted sites.

• Mechanisms to validate that ePHI has not been altered or destroyed in an unauthorized manner.  – We can see the history of each patient appointment using the Dentrix software. We can also run an audit trail to identify more detailed changes.

Who enforces the Security standards?

The Centers for Medicare & Medicaid Services within the U.S. Department of Health and Human Services will enforce the security standards.

Civil and Criminal Penalties

Congress provided civil and criminal penalties for covered entities that misuse protected health information. For civil violations of standards, the Office for Civil Rights may impose monetary penalties of up to $100 per violation, up to $25,000 per year, for each requirement or prohibition violated. Criminal penalties apply for certain offenses: up to $100,000 and up to five years in prison if the offenses are committed under “false pretenses”; and up to $250,000 and up to 10 years in prison if the offenses are committed with the intent to sell, transfer or use protected health information for commercial advantage, personal gain or malicious harm.

Who to Contact?  If you believe privacy rights have been violated or that a security breach has occurred, this must be reported to ____________. Other occurrences that may constitute a security incident are: