Patient Rights

The Privacy Rule outlines a number of rights that patients have to be informed about how their protected health information (PHI) is used by their healthcare providers. Healthcare providers must inform patients of these rights in their Notice of Privacy Practices (NPP). The next paragraphs explain the patient rights.

The first patient right is the right to know how personal health information is used. The primary purpose of HIPAA is to protect patient confidentiality and to assure that patients know what is done with health information. The evidence of the fact that the dental professional told the patient about the use of the information is contained in the Notice of Privacy Practice.

How should the notice of privacy practices be incorporated into the existing paperwork processes at the front desk?

This is a question that many dental practices have already addressed. The regulations require that every patient be required to sign an acknowledgement that they have received the notice of privacy practices.2 This acknowledgement form should be filed in the dental record. In addition, most practices will record this in their computer system to track electronically. In dental practices with multiple sites, a computer tracking system is beneficial since the dental record may not always be in the practice location when the patient comes for a visit.

While most healthcare providers and facilities have long had statements regarding health information policies and procedures and protection of privacy, new federal regulations under HIPAA now require that each provider develop a Notice of Privacy Practices (45 CFR §164.520 through §164.528).3 describing how information is used and disclosed as well as a statement of the individual’s rights regarding the use of information. This notice must include:

  1. Information about whom and for what purpose health information is maintained with examples of the types of uses for treatment, payment, and healthcare operations. (TPO) At least one example of each use is required.
  2. Descriptions of other uses of information and disclosures made without the individual’s consent or authorization. The notice must explain that information is collected and used only for legitimate and lawful purposes. A statement must be included explaining that other uses and disclosures of information are not permitted without written authorization of the patient and the fact that the individual may revoke the authorization.
  3. Other uses of information such as appointment reminders, fundraising, release to sponsors of a health plan, marketing of special services.
  4. Accessibility by the patient to his or her own information and the right to inspect, to request amendment or request to correct it; obtain copies; restrict certain uses and disclosures (facility or provider not required to agree on the restriction and the right to receive an accounting of disclosures.
  5. Information about how the patient can file a complaint about a privacy violation with the healthcare provider and notification that the patient can complain to the Department of Health and Human Services.
  6. Penalties provided for persons who violate privacy laws and regulations and patient confidentiality.

The right to access their health information (inspect and copy)
Patients under HIPAA §164.524 have the right to access (meaning to inspect and obtain a copy of all protected health information in a designated record set).

Each dental practice has established procedures for how requests from patients to see their dental records are handled. This is not a new practice; patients have always requested dental records and films for various purposes. However, now all patients are informed about this right. This may increase the volume of requests received from patients to access their dental records. If this procedure has not been recorded in writing in the past, the practice needs to formalize and write whatever procedures are followed. HIPAA requires that state laws be followed concerning parental rights to consent for treatment and to access to medical and dental records and health information.

The right to request amendment to or correction of their health information
 This has been a common practice in hospitals and physicians offices but is not commonly seen in dental office. It is important to develop a policy regarding who can approve the requests for amendment, how this information will be communicated to the patient and how the request and the response will be documented in the dental record.

The right to know who has accessed the personal health information within the dental record
The patient has the right to receive an accounting of the names of the individuals and organizations which have received personal health information. This is called the Accounting of Disclosures. HIPAA regulations actually require less tracking or accounting of disclosures than many health care facilities are currently doing. HIPAA regulations do not require accounting for the following disclosures:

  • for treatment, payment, and health care operations (45 CFR §164.502)
  • to the individual (45 CFR § 164.502)
    for directory purposes, this is a hospital issue (45 CFR § 164.510)
  • to persons involved in the care of the individual (45 CFR § 164.510)
  • for national security or intelligence purposes or to correctional institutions or law enforcement officials (45 CFR § 164.512 (k)(5). 4
  • or for disclosures prior to the effective date of compliance.

So the only disclosures that have to be accounted for are those which do not fall into one of the listed categories, such as public health reporting and FDA product recalls.

There are state and federal laws mandating reporting of infections and communicable diseases, reporting suspected abuse of children and the elderly, suspected victims of crime and laws requiring the reporting and tracking of narcotics utilization. The dental professional should be cautious when making these disclosures to ensure compliance with HIPAA and following required reporting laws.

The individual responsible for HIPAA within the dental practice should review state reporting requirements to ensure all required disclosures are tracked. This is another policy that needs to be drafted so that everyone in the practice realizes what needs to be tracked and who in the practice is responsible for release of information. In addition to a policy for tracking the disclosures, another policy is necessary to address the process for accepting the patient’s request for the accounting of disclosures log, responding to the request and documentation of the process in the dental record or master accounting log.

The right to file a complaint regarding the use of health information
HIPAA regulations require covered entities such as dental practices to provide a mechanism for the patient to file an internal complaint within in the practice. They must also notify the patients of their right to file a complaint with the Secretary of the Department of Health and Human Services. This information should be provided to the patient in the notice of privacy practices. There is an Office of Civil Rights (OCR) in the Department of Health and Human Services which is going to review complaints and the OCR web site www.hhs.gov/ocr/hipaa has information for the public about how to file a complaint, The complaint form is available for download in English and Spanish from the OCR web site.

 

.