The Health Insurance Portability and Accountability Act (HIPAA) requires all health plans, including ERISA, health care clearinghouses and any dentist who transmits health information in an electronic transaction, to use a standard format. Those plans and providers that choose not to use the electronic standards can use a clearinghouse to comply with the requirement. Providers' paper transactions are not subject to this requirement.

As Chart-It does not file directly to health plans, it is uncertain how this would apply directly to this product.  To insure that all information is secure in Chart-It, all records are encrypted.  We have been tested in a court of law and our records have been deemed secure and that all due care has been taken to insure that they are tamper proof.

By Arlene Furlong

"Don't make it harder than it has to be."

ADA Executive Director James Bramson said it before and he's saying it again. This time in regard to HIPAA security regulations, with a required compliance date of April 21, 2005.

"We'll again offer the best guidance for dental practices," said Dr. Bramson. "We believe — and I think our track record shows — that the ADA will provide members with everything they need to comply."

The security rule applies to the same groups as the other HIPAA rules — all health plans, clearinghouses and health care providers who conduct health care transactions electronically, either directly or through a third party.

None of the HIPAA rules apply to dentists who do not transmit electronic health care transactions for which standards have been established by the U.S. Department of Health and Human Services. (The most common transaction a dentist is likely to use, for which a standard has been established, is submission of electronic claims.)

The main difference between the HIPAA security regulations and the HIPAA privacy regulations is that the security rule applies only to "electronic" confidential patient health information. The HIPAA privacy rule, which had a mandatory compliance date of April 14, 2003, applies to all communications: electronic, written and oral (again, providing the health plan, clearinghouse or health care provider transmits electronic health care transactions either directly or through a third party and therefore is covered under HIPAA).

Under the Health Insurance Portability and Accountability Act of 1996, both the privacy rule and the security rule were written to protect patients' identifiable health information from unwanted disclosure. Protected patient health information is anything which ties a patient's name or social security number to that person's health, health care or payment for health care, such as X-rays, charts or invoices.

ADA guidelines to help members meet the HIPAA security requirements by the compliance date of April 2005 will be available by April 2004, allowing one year for implementation of HIPAA security measures in members' offices.

Stanley Nachimson, technical advisor in the Centers for Medicare and Medicaid Services, the agency in charge of enforcing the rule, says one year should be plenty of time for most dental practices to comply. The final security rule was posted to the Federal Register on Feb. 20, 2003.

"Dentists who have taken steps to comply with the privacy rule may have already taken many of the steps needed to comply with the security rule," says CMS' Mr. Nachimson. Because of this, Mr. Nachimson says in some ways the security rule can be defined as the "easier" of the two rules.

The size and capabilities of health plans, health care clearinghouses and providers of health care services, such as dental offices, will be taken into account when CMS assesses methods of ensuring protection for electronic confidential information, said Mr. Nachimson.

"Appropriate, reasonable and scalable" are recurring themes found throughout the security rule. This means a small dental office will not need to take the same security measures to comply as a large practice, hospital or insurance company.

For example, one way a dental office might demonstrate compliance with the security rule is by developing a written security policy (a sort of checklist) for the practice and appointing a security officer. The security officer may be the same person who serves as the privacy officer and might be the dental assistant or office manager.

Other security measures a dental practice may take to protect patient data would be to ensure only office staff employees are allowed access to electronic information and to keep virus software current.

"The security rule is completely scalable, customizable to the size of the health care entity, in this case: dental practice," said Mr. Nachimson. "The difference compared with the privacy rule is the security rule deals more with the technical aspects of protecting patients' private health information."

The security rule requires that health care entities maintaining or transmitting electronic health information adopt reasonable and appropriate administrative, technical and physical safeguards:

• to ensure the integrity and confidentiality of patient information;
• to protect against any reasonably anticipated threats or hazards to the security or integrity of the information;
• to protect against unauthorized uses or disclosures of the information;
• to otherwise ensure compliance among employees or officers — in short, measures designed to keep patients' private information private.