In this edition of Compliance Corner, Practice Mechanic Rick Garofolo gives an overview on HIPAA consent form requirements for all dental practices.
I am amazed at the number of times each week that I get asked what forms and items are needed for HIPAA. So many offices simply don’t know. Even worse, they don’t have the HIPAA consent forms that they need. Often, the forms they do have don’t meet the requirements, which changed back in 2013 for your Notice of Privacy Practices and other forms.
Is your Notice of Privacy Practices (NPP) available on your website? It has to be. And it needs to be the same one people sign in your office, not the stock NPP web companies give you.
Is the NPP posted in your office? Again, it has to be. These are usually presented in the reception area.
So what’s really required? First, let's continue talking about your Notice of Privacy Practices. The Privacy Rule was changed a bit in 2009 and 2013 (HITECH and Final Rules) to update some information for the NPP.
First of all, your NPP must include an effective date. This is the date on which those policies went into effect.
The NPP is simple; it's just a list of your rules regarding use of the patients’ PHI and PII (we covered those last month).
According to the Privacy Rule, your NPP must also include patients' rights under HIPAA. That list must be on your NPP in the format, and with the wording, dictated by HIPAA.
You should also include a way for patients to opt in or opt out of certain communications. I prefer to let them opt out; then, if they don’t check the little box to opt out, they have automatically opted in.
Remember above where I said that your NPP has to be posted on your website? Well, it does, and it has to be the same version that you have in your office. Again, you cannot use the standard cookie cutter version that your web design company puts under “Privacy” on your site.
Lately, there have been a lot of marketing companies (Clickfunnels, Kartra, et al.) creating landing page type things for dentists. They can certainly be a great tool, and I use them for some things myself, but a landing page counts as a website, according to the Office of Civil Rights. Therefore, each landing page needs to contain a link to your NPP. Again, it isn’t just your main website, but any site you maintain that provides information about your services or benefits. A landing page fits that description, so be sure each one links to your NPP.
Lately, some unscrupulous lawyers have been checking websites for NPPs. When they don’t find one, the lawyers send a letter or call and tell you that you need to have it on there and that they will report you if you don’t pay them to “help fix the problem.” If this sounds familiar, the same thing was happening a few years ago with the Americans with Disabilities Act for websites. That was successfully proven a scam, but the problem in the NPP issue is real and has to be dealt with!
Another HIPAA consent form you should have ready to go is the Authorization to Release Information. I usually put this one at the bottom of my Acknowledgement of Receipt of Notice of Privacy Practices for patients to sign either at their first visit, first visit after turning 18, or first visit after a change to our NPP.
This tells the office who they can discuss the patient's services and account with. This HIPAA consent form should be completed by every patient over 18 (or a medically emancipated minor). It allows you to discuss care, treatment plans, and financials with parents, partners, spouses, children, or others as dictated by the patient. Without this you should not specifically disclose any information to anyone but the patient. Remember that general appointment reminders are excluded from this requirement.
One other thing to note: any authorization to release information must include either an expiration date or event. The authorization remains valid only until that date or event has passed, or until the patient revokes it in writing. If you do not have a valid expiration date or event, your release is not compliant and is therefore not usable or enforceable.
What we have talked about here is just the surface of the requirements, so I want to give you a quick, more complete list. If you need help, have questions, or want samples of these forms, just email me and I will be happy to help out however I can!
Notice of Privacy Practices – must be published on your websites and contain the following:
Please remember that while a signature is required for any restriction request or release of information — other than allowable disclosures for treatment, payment or operations which you do not need patient consent for — the patient is not required to sign your Acknowledgment of Receipt of NPP. They can refuse to sign and you can still treat them and still bill their insurance for their visit. You just have to make a good faith effort to get the signature or write “Refused to sign” on the Acknowledgement and move on with your day!