
Frequently Asked Questions

Q: Why should I do any of this? This is the first I've heard of it. Why hasn't my state association or the government told me about it?
A: HIPAA was originally signed into law in 1996, and now we are approaching the dates by which the Administrative Simplification, Privacy, and Security aspects of the law will begin to be enforced. HIPAA affects all healthcare providers in all specialties, including medical, dental, pharmacy, chiropractic, home health, hospice, etc. It affects health plans as well as providers. Other specialties (such as medical) have been aware of HIPAA for the past 18-24 months; however, the primary national conduits for communicating legislative information to the dental market are only now starting to give visibility to HIPAA.

We've been working on HIPAA for the past few months, and are bringing it to your attention because it is an issue that you need to be aware of and that you need to take action on. The government has called HIPAA the new "standard of care" for providers, meaning that all providers like yourself will need to take the steps necessary to come into line with the new "standard".

Q: They'll never enforce it anyway; it's just like OSHA.
A: HIPAA is not comparable to OSHA from an enforcement perspective. The Office of Civil Rights (OCR), which is part of the Department of Health and Human Services (HHS), is responsible for enforcing HIPAA. The government made OCR the designated enforcement body for HIPAA because it has the resources and ability to enforce it.

Because HIPAA ultimately gives patients "ownership" of their personal health information, and because providers will be required by law to notify patients of their rights under HIPAA, patient awareness and concerns will drive enforcement.

Q: I've heard that the government is going to abolish HIPAA.
A: To the contrary. A June 17, 2002 US District Court ruling upheld HIPAA, dismissing constitutional and statutory challenges. In its March 21, 2002 Notice of Proposed Rule Making (NPRM), the Department of Health and Human Services proposed modifications to the privacy rule. While certain rules were relaxed, others were strengthened, and HHS explicitly reiterated the importance of protecting patient information and its intention to implement HIPAA.
Q: What are the penalties if I am out of compliance with the law?
A: Penalties start at $100 per person per infraction. They can run as high as $250,000 if a provider sold Protected Health Information for marketing purposes. The $100 fines can add up quickly. For example, if three people are using a process that is out of compliance five times a day for five weeks, the potential exposure for their practice is 3 x 5 x 5 x $100 = $7,500.
Q: What are the deadlines for compliance?
A: Each section of the regulations has separate enforcement dates. It is important to remember that HIPAA is the law of the land today. HHS has, however, recognized that compliance is a significant undertaking and has allowed a transition period. The last dates for compliance are:
Transactions - October 16, 2002
Privacy - April 14, 2003
Security - Not yet finalized. Final rules are expected Fall 2002, with compliance required 2 years following publication of final rules.

It is also important to remember that some portions of Security are required to effectively implement Privacy. In general, all three parts of the law are closely linked, so it's important to have a baseline understanding of all three to effectively implement one portion by itself.
Q: I'm not going to do anything until all the changes are done and we're closer to the compliance deadlines.
A: HIPAA will never really be "finalized," and changes will continue to be made. HHS has repeatedly shown a willingness to modify the rules to reflect actual implementation issues. As the industry gains additional experience with the practical aspects of HIPAA implementation, expect a series of small changes to accommodate specific issues.

Although industry pressured Congress to allow an extension of the transaction deadline, there is no indication the privacy deadline will be extended. It will take several months of calendar time to become compliant, and an early start is to your advantage.

Q: Can we still have sign-in sheets?
A: Absolutely. However, in the interest of patient privacy, it is prudent to put the absolute minimum information on them (patient name, date, etc.). Any additional information you might need to collect, such as reason for visit, other condition, or treatment-specific information, could be requested on a separate short form that is put in the patient’s record and treated as Protected Health Information.
Q: Someone told me we can't even call patients by name when they're waiting in line.
A: Not true. The July 2001 Guidance from HHS indicates "Covered entities (i.e. providers) must provide reasonable safeguards to avoid prohibited disclosures. The rule does not require that all risk be eliminated to satisfy this standard." Patients may be called by name (unless they request not to be) when waiting, but again, discretion and minimum necessary considerations should be followed. In other words, while it is permissible to call a patient by name, it would be inappropriate and contrary to HIPAA to call out the patient's name together with the treatment they are to receive.
Q: Is it OK to publish treatment schedules in the office?
A: It is permissible to publish patient directories and treatment schedules, but, as with all Protected Health Information (PHI), patients must be protected from inappropriate disclosure. What this means is that the lists should be posted in a place inaccessible to casual observers (inside a cabinet door or in a staff-only break room or other office area to which patients do not have access). Such lists should not be posted in plain view of patients.
Q: I've heard that I need to change my office design and put new walls or partitions in my open areas so patients cannot overhear other patient/doctor conversations.
A: Not true. In response to a similar question, the July 2001 Guidance from HHS says "Covered entities (providers) must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI… The Department does not consider facility restructuring to be a requirement under this standard." This means that HHS has said that providers need to be prudent in how they conduct conversations in open areas, but they do not need to add partitions or remodel.
Q: What about conversations between patient/doctor or any member of our staff in open areas?
A: The privacy rule states that Protected Health Information (PHI) should not be disclosed inappropriately through conversation. Conversations between provider and patient (or a consulting physician or staff member) should be held in such a manner as to minimize release of information to casual listeners. The March 21, 2002, NPRM clarified further by proposing a rule change whereby disclosure of snippets of conversation would not be considered inappropriate disclosure. Bottom line: Keep your voice down, use common sense, and move sensitive conversations to an area with less traffic.
Q: Can we still send recall cards, thank yous, appointment reminders, etc.?
A: Sure. However, any visible information should exclude details related to specific treatments (past or future) or financial issues. In other words, it is OK to send an appointment reminder that indicates an upcoming appointment (no description of a specific treatment). But if specific dates or treatment details need to be communicated, the reminder should be put in an outer, plain envelope that only has the provider’s name and address information. It is equally inappropriate to put "2nd Notice" on the outside of a request for payment.
Q: Will we need to keep our files closed and locked all day so other people can't see them?
A: If your file cabinets are in areas where patients are present without regular and fairly constant staff supervision, the files should be locked. If, however, the files are inaccessible to patients and passers-by (separate locked room or behind a staffed reception desk), there is no need to lock the cabinets during the day. When the receptionist leaves, and at the end of the workday, the cabinets should be secured.
Q: How much time will it take me to do this?
A: HIPAA is an ongoing issue, requiring a change in workplace culture to be effectively implemented, as well as numerous regulatory changes over time. For a small office, expect to spend 20-40 hours over 2-3 months to become compliant; larger offices can expect to spend significantly longer.

HIPAA is a journey, not a destination; practices must also stay informed on the changing regulations and reflect these changes in their policies and procedures. HIPAA is here to stay and represents a new way of thinking about Protected Health Information, as well as a new Standard of Care for providers.

Q: I just went to a free seminar on HIPAA last week. Why should I spend money on your solution?
A: Free seminars are a great way to get some background on the law and a general understanding of how compliance affects you. After the seminar, use HIPAANow! to give you the detailed step-by-step approach to help make your practice compliant.
Q: The ADA has a product that they said gives me all the information I need for $125.
A: That's a bit misleading. HIPAANow! provides step-by-step instructions for all three aspects of the law: Electronic Transactions, Privacy, and Security. This is critical, because all three are closely linked, and you must have a baseline understanding of each to effectively implement any one of the three. The ADA solution only covers the privacy aspect of the law, and has no information on security or electronic transactions. This means that in order to effectively implement HIPAA you also need to purchase another product for security and electronic transactions or determine how to make yourself compliant on your own — no small task. HIPAANow! also includes the opportunity to get training in a variety of ways (self-paced, in-person seminars, or teleconferences) as well as toll-free dedicated customer support and monthly updates delivered to your desk. It is designed to give you all the tools and support you need to make HIPAA compliance, in the words of our customers, "seem like a cakewalk."
Q: How many people can go to the seminar when I buy HIPAANow!?
A: A purchase of HIPAANow! gives you one seat in a seminar. Additional seats are available for $150 per person.
Q: How do I buy it and get signed up for a seminar?
A: I can help you with that right now - can I get the name of your practice/pharmacy?
Q: What makes HIPAANow! different from other products?
A: Ease-of-use, support, and completeness. HIPAANow!’s unique, step-by-step approach is at the core of the solution. Our support begins with live seminars and teleconferences to provide the critical information you need to begin your compliance efforts. Support continues with a toll-free help line and monthly newsletters to keep you up to date on the latest changes to the law. HIPAANow! provides a complete solution, examining all aspects of the law, along with tips on how HIPAA compliance can benefit your practice. It is the most comprehensive, easy-to-use, and cost-effective product available.