HIPAA - Guide to Patient Privacy and Security Rules (PDF)

(The following information is taken from a workshop presented by Dr. Warren Hamula of Colorado Springs, CO at the 2005 AAO Annual Session, an article in the October 2003 issue of the Journal of Clinical Orthodontics, and various Federal references to the Health Information Technology for Economic and Clinical Health Act. It has been updated by Dr. Kirt Simmons of Little Rock, AR.) (Please note that the applicability of HIPAA rules will vary according to your individual office situation and use of electronic transmission of records.)

The Health Information Privacy and Accountability Act (HIPAA) set forth rules on how doctors protect the privacy of a patient’s protected health information (PHI in government parlance). The basic premise is that PHI should be disclosed only as the patient permits and only as allowed under the privacy rules. 


Fortunately, because of the nature of the information that orthodontists share with their patients, the specialty falls in what is called the minimum regulations category. However, orthodontic office designs should still incorporate physical and technical barriers, as well as administrative safeguards, to protect the security of patients’ PHI.


The U.S. Department of Health and Human Services, which is responsible for HIPAA enforcement, recognizes that all risk of disclosure cannot be eliminated and that overheard conversations are unavoidable. Restructuring or soundproofing an entire office, or retrofitting private rooms to accommodate all sensitive conversations, is not required.  Simply providing privacy panels and sound treatment around areas where treatment is discussed, such as stand-up consultation areas, would demonstrate the intent to comply with HIPAA’s regulation that doctors show “reasonable effort” toward privacy safeguards. “Likewise, lowering voices and asking patients to stand a few feet away from a counter used for patient consulting or scheduling would be considered a reasonable effort.”  Also, a private consultation room or office should be available in cases where sensitive information is to be discussed (pregnancy of a young patient, HIV status, drug use or suspicion, etc.) or if the patient requests it.


Privacy and Reception Areas

The contemporary style of a reception desk that is completely open to the reception room has become popular among orthodontists. This open concept helps create a friendly, welcoming office atmosphere, and it also has the advantage, in medium-to-large practices, of allowing two or more scheduling stations to operate simultaneously during peak hours. Even before HIPAA, doctors with open reception desks often needed to incorporate principles of sound control at the front desk simply so that conversations there could be heard clearly.


This photo shows an open desk with prefabricated fiberglass sound panels on the walls behind it to mute conversations between patients and the receptionist. Note also that the ceiling and the underside of the soffit are treated with blown-on acoustical plaster, which creates an esthetic stucco-like surface. Additional sound panels are strategically placed opposite the end of the counter, which is the main appointment station. People seated in the reception room have difficulty overhearing conversations at the desk because of an alcove with acoustical treatment.  If adjacent scheduling stations are present a panel can be incorporated between them to confine conversations in each station.  These panels can be of a clear or frosted material to maintain the illusion of openness and do not need to extend above the normal height at which a patient would be conversing with the staff member.


Patient Education/Stand-Up Consultation Station

This area is used for education as well as to motivate patients in a semiprivate environment. It can double as a good-bye mirror for patients. The station should be at least 10 feet from any on-deck area to maintain “reasonable” confidentiality under HIPAA; a location halfway between the reception room and the operatory will save steps for parents and staff.  For space conservation, the stand-up consultation station is often placed in a wide hallway or an alcove leading to the operatory.


Another consideration in office design/décor is the often popular practice of posting patient photos in the office.  “Full frontal photos or similar” are considered PHI and any use of them MUST be accompanied by acceptable consent FOR THAT USE.  Obviously, if a practice had a monitor, digital photo frame, TV, etc. displaying these images this would also apply.



HIPAA and Operatory Design

The traditional open-bay operatory, with chairs placed approximately six feet apart on center, is not currently in jeopardy under HIPAA. Although some orthodontists like to have privacy panels between chairs, these provide only “visual privacy,” which is not a HIPAA requirement. A privacy panel between the main treatment bay and adult chairs, when space permits, has always been advisable because it creates a semiprivate atmosphere for adult treatment. However, acoustical five-foot-high panels between chairs have a limited effect on audio privacy and require considerably more space. The Americans with Disabilities Act expects a 32-inch aisle between each side of a panel and the adjacent chair. Therefore, if a narrow panel is placed between two chairs, the chairs must be at least 7’6” apart on center. A four-chair open bay without panels would be 25 feet wide, whereas the same operatory with panels would have to be 29 feet wide. This is significant additional square footage, especially with open bays that have as many as six chairs.


The type of delivery and chairside cabinet system used may have an impact on privacy under HIPAA. A rear-delivery cabinet with a mounted computer screen facing the patient is best for privacy because the screen will not be within direct sight of operatory traffic, on-deck seating, or patients in adjacent chairs. Add-on “privacy screens” over the computer screen further protect privacy and constitute a further “reasonable attempt” to provide privacy. Side-delivery cabinetry, although popular among orthodontists, places the computer screen with potentially sensitive information facing the patient, traffic flow, and, in some cases, people seated in the on-deck area. Pulling up information about the patient’s health, treatment or payment schedule will require caution and good judgment, so this design is no longer a good choice if one plans to mount a monitor in that area. A secure tablet or even smart phone that staff can hold in their lap when needed and place face down (or in a pocket) when not could be used in this situation. If tablets are to be used, one MUST ensure they are secure and cannot be removed from the office/operatory area with any PHI contained on them OR with any unsecured access to PHI possible. Alternatively, if the operatory staff need sensitive information, it could be accessed on a computer, tablet or smart phone elsewhere in the office, which is inefficient from a time-and-motion standpoint.


Regarding computers, tablets, smart phones, etc. in the office, it must be kept in mind that the Health Information Technology for Economic and Clinical Health Act (HITECH Act) requires that all PHI now be encrypted; that if PHI is exchanged, it be encrypted and an “integrity protected link” be implemented; that ALL “actions related to electronic health information” be recorded (date, time, patient identification, user identification) whenever the information is created, modified, deleted, or printed, with an indication of which of these actions occurred; and that if the information is transmitted, it be verified that it has not been altered in transit. The penalties for breaches in both the HIPAA and HITECH areas have also been increased. Regarding practice design, the security of ALL computer terminals, routers, electronic storage devices (such as digital cameras, digital radiographic equipment, and even some printers, which can store data), tablets, etc. must be taken into account. Both physical security measures (e.g. a locked room with limited access for routers, locking cables for terminals/tablets, etc.) and technological security measures (passwords, fingerprint devices, electronic proximity alarms, disabling apps, etc.) should be employed. Every office also must designate an individual as its “compliance officer” and must have a written policy in effect regarding PHI.
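The two HITECH requirements in the paragraph above that are implementable in software, recording every create/modify/delete/print action with date, time, patient identification and user identification, and verifying that transmitted information has not been altered in transit, are illustrated by the following added example. It is not code from the original guide or from any practice-management product; it uses only the Python standard library, so it shows a tamper-evident audit trail (each entry carries an HMAC over its fields and the previous entry's HMAC, forming a chain) and an HMAC-protected transmission check. The keys, user and patient identifiers are constructed placeholders, and encryption of the PHI itself (the first HITECH requirement) is deliberately left out because it needs a library such as `cryptography` rather than the standard library.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed example keys. In a real office these would come from a key store,
# never be hard-coded, and be distinct per purpose (audit signing vs. transport).
AUDIT_KEY = b"example-audit-key-not-for-production"
TRANSPORT_KEY = b"example-transport-key-not-for-production"

# The four actions HITECH requires to be recorded, per the guide above.
ALLOWED_ACTIONS = {"created", "modified", "deleted", "printed"}
GENESIS_MAC = "0" * 64  # prev_mac value of the very first entry


def _canonical(fields: dict) -> bytes:
    """Serialize a dict deterministically so the MAC is reproducible."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_audit_entry(user_id: str, patient_id: str, action: str,
                     prev_mac: str, when: Optional[datetime] = None) -> dict:
    """Build one audit record: date/time, user, patient, action, chained MAC."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"action must be one of {sorted(ALLOWED_ACTIONS)}")
    when = when or datetime.now(timezone.utc)
    entry = {
        "timestamp": when.isoformat(),
        "user_id": user_id,
        "patient_id": patient_id,
        "action": action,
        "prev_mac": prev_mac,  # links this record to its predecessor
    }
    entry["mac"] = hmac.new(AUDIT_KEY, _canonical(entry), hashlib.sha256).hexdigest()
    return entry


def append_audit(log: list, user_id: str, patient_id: str, action: str,
                 when: Optional[datetime] = None) -> dict:
    """Append a chained record to an in-memory (append-only) audit log."""
    prev_mac = log[-1]["mac"] if log else GENESIS_MAC
    entry = make_audit_entry(user_id, patient_id, action, prev_mac, when)
    log.append(entry)
    return entry


def verify_audit_log(log: list) -> int:
    """Return the index of the first bad record, or -1 if the chain is intact.

    A record is bad if its fields were edited (MAC mismatch) or if a
    predecessor was removed or reordered (prev_mac does not match the chain).
    """
    expected_prev = GENESIS_MAC
    for index, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("prev_mac") != expected_prev:
            return index
        recomputed = hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(recomputed, entry.get("mac", "")):
            return index
        expected_prev = entry["mac"]
    return -1


def seal_for_transmission(payload: bytes) -> dict:
    """Attach an integrity tag so the receiver can detect in-transit alteration."""
    tag = hmac.new(TRANSPORT_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.hex(), "tag": tag}


def verify_received(message: dict) -> Optional[bytes]:
    """Return the payload if its tag verifies, else None (altered or forged)."""
    payload = bytes.fromhex(message["payload"])
    recomputed = hmac.new(TRANSPORT_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(recomputed, message.get("tag", "")):
        return None
    return payload


if __name__ == "__main__":
    # Constructed scenario: three staff actions on one (fictitious) patient record.
    log = []
    append_audit(log, "dr_example", "PT-0001", "created")
    append_audit(log, "assistant_example", "PT-0001", "modified")
    append_audit(log, "frontdesk_example", "PT-0001", "printed")
    print("intact log verifies:", verify_audit_log(log) == -1)

    log[1]["user_id"] = "someone_else"  # after-the-fact edit of who did it
    print("first tampered entry:", verify_audit_log(log))

    sealed = seal_for_transmission(b"PT-0001 treatment summary (constructed)")
    sealed["payload"] = b"PT-0002 treatment summary (constructed)".hex()
    print("altered transmission accepted:", verify_received(sealed) is not None)
```

The chain detects edits, reordering and removal of any earlier record, but not simple truncation of the newest records; an office that relies on this pattern should periodically copy the latest MAC somewhere the audit-log writer cannot modify (a separate system or a printed register) so that truncation is caught as well.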


Unfortunately, the dental profession has not been immune to prosecution and the levying of fines and sanctions by the Department of Health and Human Services, so these recommendations should not be dismissed as irrelevant. As Jane Duke, one of the U.S. Attorney Generals, stated after prosecuting a recent breach in Arkansas, “We are committed to providing real meaning to HIPAA. We intend to accomplish this through vigorous enforcement of HIPAA’s right-to-privacy protections and swift prosecution of those who violate HIPAA for economic or personal gain or malicious harm.” Consequently, one must assume that all complaints regarding PHI violations will be followed up on, so it is important to impress upon everyone in the office that the privacy and security of all patient information is vitally important and that any suspected breaches will be dealt with in “an appropriate manner”.