Are your patient referrals in compliance with HIPAA?

One of the most common questions we get from dentists is “How do I get my patient’s records to a referral provider and comply with HIPAA?” There’s no simple, one-size-fits-all answer. Providing patient records to other healthcare providers is a common function and should be reviewed for compliance with HIPAA Privacy and Security requirements to avoid unauthorized disclosure. The following may be helpful in your review of your procedure for providing records to referral providers.

Is the patient’s dental record being transmitted electronically?

If information is not being transmitted, but rather provided by hard copy on paper or digital media (such as a DVD), you should review compliance with your HIPAA privacy policy, including, but not limited to, the following:

  • Is the person receiving the hard copy record the patient or an authorized representative of the patient?
  • Is the person receiving the hard copy record the referral provider or authorized representative of the referral provider?

If the information is misplaced or lost in transit, maintaining another kind of record – including the receiving party’s signature and the date and time the record was received – may be helpful in proving that the information was given to an authorized person. If the record is sent by delivery service, such as a courier, USPS, or FedEx, a lost record is your responsibility unless you can document that the referral provider or patient received the package.

Does the transmission method meet the standard and implementation specifications under Transmission Security 45 CFR 164.312(e)(1)?

If the information is being transmitted electronically, you should review compliance with the requirements of the HIPAA Security Rule, including Transmission Security 45 CFR 164.312(e)(1):

“Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”

Encrypted Email
Standard email communications may not meet the requirement unless the message and attachments are encrypted. An email may be relayed over several networks to get from your email provider to your recipient’s, and you don’t have any way of ensuring that all the transmissions are encrypted. Using an email encryption service, or encrypting the email using encryption software, are options if you want to transmit patient information using email.
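The relay behavior described above can be seen after delivery in a message's Received headers, where each receiving server records the protocol it accepted the message with. The sketch below is an added example, not part of the original article; the host names, addresses and message are constructed placeholders, and because the headers are written by the servers along the path they only report what happened and do not protect the message.

```python
import re
from email import message_from_string

# "with" keywords registered for TLS-protected hops (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample message: every host name and address is a placeholder.
SAMPLE = """\
Received: from mx.referral.example (mx.referral.example [203.0.113.20])
\tby store.referral.example with ESMTP id 3C; Mon, 01 Jan 2024 10:00:03 -0600
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby mx.referral.example (Postfix) with ESMTPS id 2B; Mon, 01 Jan 2024 10:00:02 -0600
Received: from frontdesk.dental.example ([192.0.2.10])
\tby relay.isp.example with ESMTPSA id 1A; Mon, 01 Jan 2024 10:00:01 -0600
From: frontdesk@dental.example
To: intake@referral.example
Subject: Referral

(body omitted)
"""

# Receiving host after "by", then the protocol keyword after the next "with".
HOP = re.compile(r"\bby\s+(\S+).*?\bwith\s+([A-Za-z0-9]+)", re.I)

def hops(raw_message):
    """Return (receiving_host, protocol, used_tls) per hop, oldest hop first."""
    msg = message_from_string(raw_message)
    result = []
    # Each server prepends its own header, so reverse for chronological order.
    for header in reversed(msg.get_all("Received", [])):
        flat = " ".join(header.split())  # unfold continuation lines
        m = HOP.search(flat)
        if m is None:
            result.append((None, None, False))  # unparseable: treat as unverified
            continue
        proto = m.group(2).upper()
        result.append((m.group(1), proto, proto in TLS_PROTOCOLS))
    return result

def unencrypted_hops(raw_message):
    """Hosts that accepted the message without recording a TLS protocol."""
    return [host for host, _, tls in hops(raw_message) if not tls]

if __name__ == "__main__":
    for host, proto, tls in hops(SAMPLE):
        print(f"{str(host):28} {str(proto):8} {'TLS' if tls else 'NO TLS RECORDED'}")
```

In the constructed sample the first two hops record TLS and the final internal hop does not, which is the situation the paragraph warns about: the sender cannot control or confirm every leg, so only encrypting the message and attachments themselves covers the whole path.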

Risk Analysis and Policies and Procedures
A regular risk analysis and review of your policies and procedures can help determine the security measures that are reasonable and appropriate for protecting health information when sending patient records to a referral provider. If you haven’t performed a risk analysis in the past year, or if your current risk analysis does not cover the method(s) used to send records to referral providers, don’t put it off another day. Contact your Henry Schein representative to find out more information about tools and services that can help you conduct a risk analysis.

About the Author: Katie Lay is co-founder and CEO for CAEK™, Inc. Since co-founding CAEK™, Inc., Ms. Lay has provided HIPAA Security compliance information and education for medical associations, insurance brokerage firms, public health agencies, and educational seminars and content for Medical Economics and Physician’s Practice magazines. She is co-author of the Texas Medical Association publication HIPAA Security: Compliance and Case Studies.

Originally published in Sidekick Magazine.