Your Dental HIPAA Questions Answered!

Popular HIPAA questions, as answered by RevenueWell affiliate and Practice Mechanic, Rick Garofolo.

RevenueWell recently hosted a webinar that set out to debunk six popular myths pertaining to HIPAA. The webinar turned out to be one of our most well-received online presentations to date.

After fully laying out everything a practice should know about HIPAA, presenter Rick Garofolo received a ton of questions. So many, in fact, that we couldn't get to them all despite running 15 minutes over!

Being the nice guy he is, Rick collected all the questions from that session and set about answering every single one of them. Below are all his responses.

We highly recommend bookmarking this page as a quick reference guide for any HIPAA-related questions that may pop up during your day.

State-Specific HIPAA Questions

What is the law for reasonable time in Iowa?

Iowa follows the federal standard of 30 days, but I always tell people to remember that is the MAXIMUM. I typically do it same day if everything is digital for two reasons.

1) I prefer to cross things off my To Do list as quickly as possible so they don’t get missed or forgotten.

2) If I delay, it only irritates the patient. Then if it doesn’t work out at the new office, I annoyed them and the chances of them coming back are VERY slim. I just send them right away and make everyone’s life easier!

What states do not let you tell patient balance to a new dentist when requesting records?

Colorado, Hawaii and Alaska

Can each state have its own HIPAA ruling about records release?

They can and some do.

I work in Minnesota and other offices are very cautious when releasing records to another practice. They state that within Minnesota, a release is needed before they can release information to a new dental office. Is this true?

Currently, there is a debate in Minnesota about the state records release form. There is a lot of back-and-forth about whether that form is required within the state even if federal law says it is not.

Remember, the federal HIPAA law is the MINIMUM that you can do. States are free to pass stricter laws, but cannot pass LESS strict laws.

I am actually waiting for a call back from the Secretary of Health in Minnesota for a final answer on the matter.

Where can I find out my state's timeframe for holding records? I'm in Indiana.

Indiana has a policy of releasing records in 72 hours. Any more and you can actually be charged with misconduct through the Attorney General.

Record Requests

A patient passed away. Can we provide their records to a family member like their sister or child without any patient signature or directions?

Once a patient passes away, their records can only be released to someone holding a short certificate (showing that they are responsible for the estate), or to a person who was responsible for paying for the care or for transporting the patient to get the care prior to death.

So, a son who came with his mom every appointment, wrote the check for her, drove her to and from each appointment can receive that information without a short certificate.

If the patient’s hotshot lawyer son flies in from Arizona, you have never seen or spoken to him before, and he does NOT have a short certificate stating that he is responsible for the estate, then you CANNOT release those records to him.

When patients are requesting records for themselves, you said let them tell us what they need. If they say "everything" what are we required to send?

A complete record includes chart notes, the ledger and account notes, all x-rays, a list of all disclosures (usually your PMS will say something like “Claim submitted to Primary Insurance: Delta Dental of MO”), all perio charts (not just the latest one but all of them that exist), and any other documents, Smart Docs, Images, I/O pics, etc. that exist in the patient’s chart.

Regarding the record release: Does it apply to the state the office is in, or the state the patient lives and services that were performed?

Typically, it applies to whichever is less. If you are in Iowa, with a 30-day policy and a patient moves to Indiana (with a 72-hour timeframe) you must release those records in 72 hours. If you are in Indiana and a patient moves to Iowa, you must still release them in 72 hours. It is a “whichever is less” policy.

Do we need to have a place on our form where patients specify who can have access to their records?

Your Acknowledgement of Receipt of Privacy Practices should have some blanks where patients can write in who it is acceptable to speak with regarding their care.

I write my NPPs to include a check box stating:

“We may share information about your appointments, unscheduled treatment or other important information with other members of your household who answer the phone numbers you have provided. Please check here [ ] if you do NOT want us to do so.”

No one ever reads the thing, so no one ever opts out, and you’re covered!

For a married couple, can we share appointment confirmations within the family?

You can, so long as your NPP states that you will. See above answer.

HIPAA Training

What is a reasonable amount to pay to get help on the annual risk assessment? Can't we just do it ourselves?

You certainly could do it yourself. The question is how much is your time worth?

You need to check patches and security updates on all software installed on your computers (even those that do not contain PHI, like Word, Excel, Adobe, PowerPoint, Internet Explorer, drivers for all devices, etc.) in addition to your operating system and practice management software.

The main part of your HIPAA compliance strategy is having the written plans addressing each of the 196 Audit Control Points (found online here). Once you have addressed all those points, you can create a simple training in PowerPoint highlighting your rules as well as the sanction policies for violating each rule.

However, the important part is having the Audit Control Points all addressed in writing and the training done!
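The patch check described in this answer is easier to evidence if it is scripted. The following PowerShell script is an added example, not code from the original page or from The Practice Mechanic. It assumes a Windows workstation (the answer names Word, Excel and Internet Explorer), PowerShell 5.1 or later, an elevated session, and that the Windows Update Agent is present; the output folder `$OutDir` is an assumed location. It inventories installed applications, installed OS hotfixes and pending Windows updates, and writes each list to a dated CSV that can be filed with the annual risk assessment.

```powershell
# Added example (not from the original page or from The Practice Mechanic).
# Inventory installed software, installed OS hotfixes and pending Windows
# updates on one workstation and write dated CSV files for the risk
# assessment folder. Assumes Windows, PowerShell 5.1+, an elevated session and
# the Windows Update Agent. $OutDir is an assumed location; change it to suit.
$OutDir = Join-Path $env:USERPROFILE 'RiskAssessment'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$Stamp  = Get-Date -Format 'yyyyMMdd'

# 1. Installed applications from the 64-bit and 32-bit uninstall keys. This is
#    where Office, Adobe, browsers and the PMS client show up, i.e. the
#    non-PHI software the answer says still has to be patched.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$Apps = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName
$Apps | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "software-$Stamp.csv")

# 2. Installed OS hotfixes, most recent first.
$HotFixes = Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn
$HotFixes | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "hotfixes-$Stamp.csv")

# 3. Updates that apply to this machine but are not yet installed, via the
#    Windows Update Agent COM API. An empty list is the evidence you want.
$Session  = New-Object -ComObject 'Microsoft.Update.Session'
$Searcher = $Session.CreateUpdateSearcher()
$Result   = $Searcher.Search('IsInstalled=0 and IsHidden=0')
$Pending  = @(foreach ($u in $Result.Updates) {
    [pscustomobject]@{
        Title    = $u.Title
        KB       = ($u.KBArticleIDs -join ',')
        Severity = $u.MsrcSeverity   # blank for non-security updates
    }
})
$PendingPath = Join-Path $OutDir "pending-updates-$Stamp.csv"
if ($Pending.Count -gt 0) {
    $Pending | Export-Csv -NoTypeInformation -Path $PendingPath
} else {
    # Export-Csv writes nothing for empty input, so record the clean result
    # explicitly; a missing file is not evidence.
    Set-Content -Path $PendingPath -Value 'No pending updates as of {0}' -f $Stamp
}

'{0} applications, {1} hotfixes, {2} pending updates written to {3}' -f `
    @($Apps).Count, @($HotFixes).Count, $Pending.Count, $OutDir
```

Run it on each workstation and server in the office and keep the CSVs with the written risk assessment; the pending-updates file is the one an auditor will ask about, which is why an empty result is still written out.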

Where can we obtain a HIPAA plan to train our employees on?

The training should be on your office’s site-specific policies and procedures. If you don’t have them you can write them yourself (ensuring that you address all 196 Audit Control Points located here) or call me and we can do it for you in less than a week, including an onsite inspection, and onsite training with your entire team!

We do CEDR's online HIPAA training yearly, but now that I hear it doesn't meet requirements I would like to know if there is something online or that could be accessed to use for training. What do we need to do, specific to our office, to make sure we are completely compliant?

The training needs to be on your office’s specific policies, like password requirements, sanction policies, sharing of usernames, etc. There is no way that a recorded training could meet that.

I would write your in-house policies, create a training using that as a guide, and go over the training annually with your team members. Have them each sign a sign-in sheet and you are DONE and compliant.


Front Office Operation Questions

If a front office member is speaking on the phone and says a patient’s first and last name and another patient in the office overhears, is that a violation? If so how do we avoid that?

As long as you are taking all possible precautions it is okay. HIPAA is about reasonable and appropriate behavior.

It may not be considered reasonable for a small office to build a separate room for phone calls. In a much larger office, it may be reasonable to do so.

As long as you have a written policy on addressing patients in a manner to disclose as little PII as possible, when other patients can hear, like talking in a quiet manner with a low voice, then you should be fine.

What if someone overhears you talking about delinquent account, is that a violation?

It could be, depending on the circumstances. However, chances are it is not. As long as you are taking all reasonable and appropriate steps to ensure that you are not disclosing information, you are fine.

Remember, having those written policies in place is a HUGE help in cases like this. There are times when it is completely unavoidable, but you should try to ensure that it happens as little as possible.

Patient Communication Questions

Do we need patient consent to send appointment reminders?

No, reminders are considered part of the operations of your business and are therefore exempt from requiring consent from the patient. Remember, you don’t need the patient’s consent if the disclosures are for Treatment, Payment or Operations!

Is a simple envelope to our office from the patient with their return address on it considered PII?

While in your office it “technically” is, but once you mail it, the postal service is considered a conduit and is exempt. Print them out and mail them right away!

What is considered PHI and PII?

PHI consists of chart and ledger notes, x-rays, perio charting, disclosure records (when something was released to a specialist or insurance company), lab test results, billing, and planned treatment.

PII would be anything that can be used to identify an individual. In most states, this would be first and last name, date of birth, social security number, a photograph of the patient (face photo, not I/O) or any combination thereof.

In most states, just first and last name are considered PII when used together.

According to your presentation, it sounds like records release forms are obsolete. Is this true?

They are at this point. I just wish that more offices knew and understood it!

The only time they would be needed is if the patient requests the records be released to an entity that is NOT a covered entity, like a lawyer, government agency, child, or parent (if over 18).

Are we able to send statements to patients via email?

Absolutely, and I love doing this. It decreases the time it takes to pay, especially when coupled with an online payment entry system!

We have encrypted email at our office so we are covered when communicating in that format, but is it HIPAA compliant to send PHI/PII via fax?

As long as the patient requests the fax and provides you with an acceptable fax number, that is totally fine.

I will add that if you are sending a fax to someone’s office, or a shared fax number, that you should CALL the patient before sending it. Give them an opportunity to “catch” the fax at the other end rather than have it float around their office!

Thank you letters to patients for referring a friend: Can we mention first AND last name of the person they referred? Ex: “Dear Mrs. Jones, thank you for referring John Smith to our practice.”

While this is PII, you are not stating that they scheduled an appointment, that they are coming in for two crowns, etc. You are simply thanking them for the referral.

What are the guidelines to responding to patient reviews online without violating HIPAA?

I always advise my clients to be careful when responding to reviews or comments online. I follow a three-rule process for this, being VERY careful not to violate HIPAA.

Step 1: Respond Generically

Whether the review or comment is positive or negative, always be as generic as you can.

For example, I might respond to a positive review by saying:

“Our goal is to ensure that all of our patients have the best experience of their life every time they visit our office. We pride ourselves on our honesty, integrity and superior clinical skills. Thank you so much for the kind words and recommendation.”

You never acknowledged whether or not they are a patient or anything about what services they may have had done.

For a negative review, I would say something similar, like:

“Our goal is to ensure that all of our patients have the best experience of their life every time they visit our office. We pride ourselves on our honesty, integrity and superior clinical skills. Due to HIPAA privacy laws we are not able to address your concerns in a public forum, but please feel free to call our office at 555-555-1212 and Dr. Nudel will speak with you PERSONALLY to address any concerns, whether before, during or after any appointments.”

Step 2: Contact the Patient

Reach out to the patient directly, assuming they are a patient and did not leave anonymous comments or reviews.

For positive reviews or comments, I love to send hand written thank you cards, and even movie tickets or a $5 Starbucks gift card. For negative reviews, try to call the patient (always remaining positive). “Good morning Mr. Jones, I wanted to reach out to you to make sure you’re happy with the service that you received in our office last week. Our goal is to make every patient 100% satisfied 100% of the time. Please call me back at 555-555-1212 at your earliest convenience.”

Most will call back and are happy to tell you why they are not happy. At that time, you can address the problem and make a determination of your best course of action.

It may be a redo for free, a follow up visit, or even determining that the patient isn’t a good fit for your office and dismissing them, but handle it quickly and definitively.

Many people who are quick to leave negative reviews will edit or delete them once they feel that their opinion or feelings have been validated.

Step 3: Reflect

Learn from the reviews or comments. Whether negative or positive, there is always something to be learned. Identify areas that your team is succeeding as well as areas of improvement.

I would rather spend 10 minutes at the morning huddle doing some customer service training than discussing which patient is getting which x-rays that day. You can never please 100% of the people, but you can learn something from every single one of them.


HIPAA Forms and Policies

What is the accounting of disclosure mentioned in Myth 3?

The accounting of disclosures is a record of every time the patient’s records were viewed, opened, altered, amended or disclosed. It is REQUIRED that you release this information when requested.

Unfortunately, none of the PMS out there make it easy, but you can do them manually.

If you are having a hard time getting something paid for a patient by an insurance company after their “dental reviewer” examines the claim, have the patient request one. Then you will see the name and LICENSE number of the person reviewing the claim; most of the time it’s not a dentist actually licensed in the same state (sometimes not even in the same country).

I have seen that many insurance companies would rather PAY the claim than release the Accounting of Disclosures, and yes, even if paid you could still ask for it, and failing to provide it is a substantial violation of HIPAA law.

What document was a disclosure to get bills to be covered?

That would be the accounting of disclosures. This must be requested by the patient, and another covered entity cannot request it.

Is there an expiration date on a signed HIPAA form?

Your Notice of Privacy Practices expires when either a change is made to it (EVERY PATIENT must be presented with the new one and sign a new acknowledgement) OR every four years.

Even if nothing has changed in that four years, the date at the top must be updated and new acknowledgements signed.

All other HIPAA forms (disclosure restrictions, etc.) are valid for 50 years AFTER the patient’s date of DEATH.

Can you share an example of HIPAA-specific policies from an office?

Specific policies would be something like:

“Usernames and passwords are to be unique and never shared with anyone else in the office. No one may know your password or log-in credentials other than you. Failure to follow this guideline is a level 2 sanction. You will receive a written warning on the first offense, and immediate termination, with prejudice, on your second offense.”

You address each one of the 196 Audit Control Points in this manner. Some are super simple, like this one. Some are MUCH more complicated, like the back-up plans, emergency preparedness plan, etc.

Do you know who writes/creates specific HIPAA guidelines for offices? Do you recommend someone?

CONFLICT OF INTEREST WARNING: I do, and no one does it better or more compliantly!

Record Transfers

When sending records to a new office, can we disclose any patient notes we have made on an account?

Absolutely. Those items become part of the patient’s record and should be sent along with x-rays and chart notes.

If we make personal notes about the patient for the team, do we need to provide those as well?

Technically, they are part of the patient’s record, but again, I only provide what is requested. The only time I would release those is if I am asked for the COMPLETE record.

When referring a patient to another office, can we give the other office personal information, such as whom to talk to and the patient's health issues?

You can certainly give them a heads up, but it doesn’t release them from getting a signed medical history when the patient arrives in their office.

If another office calls requesting insurance information, can we disclose that information? Such as insurance company, employer info, ID number, SSN, etc.?

You can disclose all information that is part of the patient’s chart, including registration information such as ID numbers, SSN, DOB, etc. I would MOST certainly verify that the entity is TRULY another doctor’s office before releasing it, but if they are known to you, I wouldn’t hesitate to get them what they need.

President and CEO of The Practice Mechanic, Richard Garofolo works as a practice management and OSHA/HIPAA compliance consultant for dentists. Rick develops site- and state-specific plans and business systems for dental offices around the country.

Learn more about how RevenueWell improves case acceptance and creates more close-knit relationships between dentists and their patients.