In December 2000, the United States Department of Health and Human Services (“HHS”) issued comprehensive privacy regulations, which it subsequently amended in August 2002. These regulations arise from the 1996 Health Insurance Portability and Accountability Act (“HIPAA”).

A.     What is HIPAA?

  • HIPAA is legislation that creates national standards to protect individuals’ medical records and other personal health information.

B.     What does HIPAA do?

  • Gives patients more control over their “protected health information”
  • Sets boundaries on the use and release of health records
  • Establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information

C.     Who is covered by HIPAA?

  • Health care providers
  • Health plans
  • Health care clearinghouses
  • Indirectly, any “Business Associate” of a covered entity (Business Associate is defined by HIPAA)


Under the rules, the basic concept is that orthodontists, as well as other healthcare providers, may “use” and “disclose” a patient’s “protected health information” only as the patient permits or as allowed under the privacy rules. Even where the use and disclosure of protected health information is permitted, orthodontists must adopt policies and procedures to safeguard and limit the use and disclosure of such information to the “minimum necessary” level required to accomplish the intended purpose of the use or disclosure.

Thus, the new patient privacy regulations contain restrictions on two things: the use and the disclosure of protected health information. The “use” of such information relates to what is done with the information inside the orthodontist’s office. The “disclosure” of such information concerns the release of that information to anyone outside the orthodontist’s office.

For purposes of the rule, “protected health information” is “individually identifiable information” and includes names, dates, phone/fax numbers, email addresses, home addresses, social security numbers, and demographic data. Employment records are excluded from the definition (and thus the rule) unless used in connection with the provision of treatment. Likewise, any information from which such identifiable information has been removed is not subject to the rules and can be used or disclosed.

Practitioners may use and disclose protected health information for purposes of their own treatment, payment activities and “health care operations” without obtaining a patient’s consent. Orthodontists may also disclose protected health information for the treatment activities of any health care provider, and for payment activities of other covered entities (i.e., insurance companies) without obtaining the patient’s consent. Generally, the use or disclosure of the information for any other purpose requires the patient’s prior written authorization.

For purposes of the privacy rules, these terms should be understood. Treatment includes consultations about the patient with other orthodontists, oral surgeons, periodontists, general dentists, etc. Payment includes activities to obtain reimbursement for orthodontic services (i.e., determinations of eligibility and coverage, billing, collection activities and utilization review). The term “health care operations” includes competence and performance reviews, the sale or purchase of a practice, training, certification, securing professional liability insurance, accreditation and licensing. Thus, for example, disclosures of protected health information can be made for purposes of state licensure or certification by the American Board of Orthodontics without obtaining the patient’s consent. Similarly, protected health information can be used and disclosed in connection with selling or purchasing a practice without obtaining the patient’s consent.

The privacy rules also give patients certain rights (i.e., the right to amend their protected health information, the right to an accounting of certain disclosures, etc.).  The rules also obligate orthodontists to implement internal office changes, such as appointing a “privacy official” and adopting a privacy policy.

We look forward to being HIPAA compliant as required by law. If any information is desired regarding HIPAA, please contact our office “privacy official,” Rachel, at 614-475-9800 or via email at rachel@berkybraces.com.