Question
Welcome to a Bite-Size HIPAA® Q&A article, where we answer your questions about how HIPAA applies to your dental practice. We recently received the following question in our Bite-Size HIPAA® Q&A inbox. The writer says:
"Our practice is in the process of eliminating all paper charts. We still have a wall of folders that we reference from time to time as we continue to get everything imported into our PMS. I’ve heard that HIPAA only applies to our electronic patient records. Is that true?"
Thank you for submitting this question! Protecting PHI is the law regardless of its format. But I understand where the confusion may have come from. Let’s take a look at what HIPAA says about protecting PHI that is not stored electronically.
The HIPAA Law
If you have watched my HIPAA overview videos in Bite-Size HIPAA®, then you know that HIPAA is broken up into three primary rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule. The Privacy Rule addresses how you can use and disclose patient health information. You can think of this as the bones of HIPAA. The Security Rule puts some meat on the Privacy Rule bones by defining the specific technical and non-technical safeguards that must be put in place to secure health information. Finally, the Breach Notification Rule outlines how you need to provide notification if the Privacy Rule is broken.
The Security Rule, the Breach Notification Rule, and the Privacy Rule are found at Sections 164.300, 164.400 and 164.500 of the HIPAA law, respectively. Each has a statement of applicability at the beginning of the rule that describes who and what the rule applies to. If we look at 164.302, we find that the Security Rule does, in fact, only apply to electronic protected health information. So, does that mean you don’t need to do anything to protect PHI contained in paper charts? No.
If we check the applicability statements for the other two rules, we will find that they do apply to all protected health information. Remember, PHI includes any information that relates to an individual’s health or their payment for health care and that contains information that could reasonably be used to identify them. For example, anything that contains a patient name, date of birth, health insurance number, address, zip code, phone number, email address, or photo is PHI if it's in your possession.
Even though the Security Rule does not directly apply to non-electronic PHI, the Privacy Rule contains a requirement in Section 164.530(c) that effectively makes the same kind of safeguards mandatory for all PHI. In this section, the law states that covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of all PHI. This is essentially the same requirement in the Security Rule, just not spelled out in as much detail. If the specific requirements in the Security Rule were deemed reasonable and appropriate for ePHI, we can bet that the same requirements would be deemed appropriate with paper PHI as well.
Summary
To summarize, while the HIPAA Security Rule does not explicitly apply to non-electronic PHI, the Privacy Rule certainly does, and it contains essentially the same requirements as the Security Rule. Here are a few suggestions to ensure you are adequately protecting the privacy and security of your paper records:
- Conduct a risk assessment focusing on your physical records to identify potential vulnerabilities. How could somebody gain access to them?
- Implement physical safeguards such as locked storage areas and only allow access to people who need access.
- Train your staff on the proper handling, storage, and disposal of paper records.
- Consider establishing a tracking system for accessing and transferring paper PHI.
Have a HIPAA Question?
If you have a HIPAA question related to the day-to-day operations of your dental practice, feel free to send it my way. My email address is todd(at)bitesizehipaa(dot)com. I can’t promise I’ll be able to get to every question submitted, but I’ll do my best to find the most applicable ones to address in future Bite-Size HIPAA® Q&As.