With regard to protecting the privacy of patient data from unauthorized access, HIPAA defines the type of information that must be protected by health care providers who conduct certain electronic healthcare transactions, health plans, and healthcare clearinghouses (referred to in HIPAA as "covered entities"), as well as the circumstances required before identifiable health information can be released from one party to another. Policies, procedures, and mechanisms required to ensure the privacy of this information are required by HIPAA, as well. "Covered entities" has been defined by the act as health plans, healthcare clearinghouses and healthcare providers who transmit healthcare data electronically.

With regard to standardization of code sets and transmission protocols, HIPAA aims to improve the efficiencies, protect the privacy of electronic data in any state, and reduce the cost of exchanging this information from one authorized entity to another. In order to reach these objectives, HIPAA goes further by mandating the way health information is captured, transmitted, stored, and managed, which in turn affects existing information technology procedures and policies.

The standardization of code sets and transaction protocols, as well as patient identifiers, providers and health plans, was first proposed by a report published in 1992 by the Workgroup for Electronic Data Interchange (WEDI). HIPAA utilizes this report's findings and recommendations to establish standards and protocols.

In connection with the so-called administrative simplification rules that were issued under HIPAA, four important standards exist with which covered entities must be familiar:

1. Standards for Electronic Data Interchange (EDI) Transactions and Code Sets. The compliance date (except for small health plans) was October 16, 2002. National Information Services is compliant with these HIPAA standards. If you are using another vendor to submit electronic claims, it is important to note that National Information Services is not responsible for outside vendors and has no way of knowing if they are compliant.
2. Standards for Privacy. The compliance date (except for small health plans) was April 14, 2003. Dentrix Dental Systems and National Information Services are compliant with these HIPAA standards.
3. Standards for Security. The compliance date (except for small payors) was April 21, 2004. Dentrix Dental Systems and National Information Services are compliant with these HIPAA standards.
4. National Provider Identifier (NPI). The NPI is a unique all numeric 10 digit number that is assigned by Centers for Medicare & Medicaid Services (CMS). The NPI replaces all payer-assigned Provider Identifiers, individual and facility, and will be the single provider identifier you use to do business with health plans. Providers who are covered entities (as defined by HIPAA) began applying for NPIs on May 23, 2005. NPIs must be used by providers and payers as a means to identify provider covered entities by May 23, 2007; the compliance date for small health plans is May 23, 2008 (see final HIPAA regulations for definition of small health plan).

  Standards for Electronic Transactions (EDI) and Code Sets

The HIPAA transactions standards clearly set forth a special role for healthcare clearinghouses to provide services to translate electronic data that is not in the HIPAA-dictated format into standardized data that complies with the HIPAA-dictated formats (referred to as the X12 format). National Information Services (NIS) has provided customers with this "translation" service as part of our electronic claims service before the compliance date of October 16, 2002. Stringent testing and evaluation of electronic claims transmissions by Claredi resulted in full certification that all claims transactions and protocols were compliant with all electronic transaction and code set requirements mandated by HIPAA.

If you are not currently submitting claims electronically through National Information Services, or you are not using the eTRANS version of the eClaims software, contact National Information Services at 1-800-734-5561.

back to top

  The Privacy Standard

HIPAA clearly defines exactly what information, if maintained by those providers and plans that are subject to HIPAA, must be protected from unauthorized use or disclosure. The privacy standards apply to individually identifiable health information that is used, transmitted or stored in any form, such as paper, electronic, data, or verbally, that concerns the individual's past, present, or future health, or that addresses the individual's means of receiving that care (such as payment for health care). Examples of identifiable information protected by HIPAA: names, addresses, cities, phone numbers, fax numbers, e-mail addresses, web addresses, license numbers, zip codes, account numbers, and birth dates.

HIPAA also affords patients a number of new rights under these standards. They have the right to receive privacy policies from providers who are subject to HIPAA, the right to access and copy their own health information, the right to a history of certain types of disclosures of their information, and the right to request an amendment of their information. Covered entities are required to adopt processes in order to notify patients of their rights, and to handle patient requests to exercise their rights. The administrative requirements under the HIPAA privacy rules are many, including a requirement that covered entities appoint privacy officers and train all their work force in privacy issues.

In connection with certain types of disclosures of health information, covered entities are generally permitted to transfer the protected health information to their contractors known as business associates, as long as written contractual assurances are in place with those business associates, requiring the business associate to safeguard the information as required by the HIPAA regulations. Note that a contract for disclosure of health information is not required when that information is being passed from one provider to another for purposes of treatment (e.g., from a general dentist to an orthodontist).

The Health and Human Services Office of Civil Rights has been charged with enforcing the privacy rules and its standards. The Office of Civil Rights has stated that it will focus on encouraging voluntary compliance with the rule; however, HIPAA does establish severe civil and criminal penalties for covered entities that fail to adhere to the law.

back to top

  The Security Standard

The Final Rule adopting HIPAA standards for the security of electronic health information was published in the Federal Register on February 20, 2003. This final rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications.

The summary in the rule states: This final rule adopts standards for the security of electronic protected health information to be implemented by health plans, health care clearinghouses, and certain health care providers. The use of the security standards will improve the Medicare and Medicaid programs, and other Federal health programs and private health programs, and the effectiveness and efficiency of the health care industry in general by establishing a level of protection for certain electronic health information. This final rule implements some of the requirements of the AdmiNational Information Servicestrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The compliance date for the Security Standard (except for small payors, below $ 5 million) was April 21, 2005.

back to top

  NIS HIPAA Position Statement

We trust that the electronic standards and code sets and subsequent objectives of HIPAA will improve the general efficiency in which healthcare is administered. More importantly, we are confident that HIPAA will provide for the security and confidentiality of an individual's health information and provide specific, undeniable rights to the patient with regard to the handling and administration of that information. Under those auspices, National Information Services will provide products and services that are designed to comply with the law and to help you comply in a timeframe mandated by law. National Information Services customers can rely on us to support them to this extent. However, National Information Services cannot give you legal advice on all your obligations under HIPAA, and software and services alone cannot make a dental practice HIPAA compliant.

National Information Services has submitted to all required testing and certification of its products and services covered by HIPAA. Additionally, National Information Services invested in significant resources to analyze and revise all company policies and procedures to ensure complete compliance.

As we have done for more than 13 years, we will continue to provide our customers with significant upgrades and enhancements, many of which will assist our customers in their efforts to become compliant. Please note that HIPAA standards require our customers to address internal policies and procedures and change their practices in ways that extend beyond the scope of our products and services; it is not possible for us or any other software package to make customers "HIPAA-compliant." While we will continue to provide our customers with product upgrades and information that will assist customers in becoming compliant, we also strongly encourage our customers to become familiar with all HIPAA regulations and how they impact their own respective practices.

back to top

For more information on DENTRIX and HIPAA contact: hipaa@dentrix.com

  National Provider Identifier (NPI)

One of the latest requirements under is the introduction of a National Provider Identifier (NPI). The NPI is a unique all numeric 10 digit number that is assigned by Centers for Medicare & Medicaid Services (CMS). The NPI replaces all payer-assigned Provider Identifiers, individual and facility, and will be the single provider identifier you use to do business with health plans. Providers who are covered entities (as defined by HIPAA) began applying for NPIs on May 23, 2005. NPIs must be used by providers and payers as a means to identify provider covered entities by May 23, 2007; the compliance date for small health plans is May 23, 2008 (see final HIPAA regulations for definition of small health plan).

Dentrix Dental Systems and National Information Services are committed to helping you understand the NPI process and benefit from the new system. Both Dentrix Dental Systems and National Information Services have had the capability to utilize the NPI for several months, well ahead of the May 23, 2007, deadline. Below is some basic information to help you understand the regulation and its requirements.

Who Needs an NPI?

If you answer "yes" to any one of the following questions, you are considered a "covered entity" under the NPI standard and are required by federal law to obtain an NPI.

• Have you submitted claims electronically?
• Have you submitted claims attachments electronically?
• Have you used the Internet to verify eligibility or check on the status of a claim?

• One simple identifier eliminates the need to maintain and match identification numbers to specific payers for transactions.
• The NPI allows professionals to relocate practices or change specialties without requiring new identifiers from multiple payers.
• Standardized identifiers will help reduce costs and simplify health care transactions throughout the system.
• The NPI will contribute to more efficient coordination of benefits.
• Some, although not all, health plans may choose to require NPIs on all transactions.

• Replaces other identifying numbers currently used in electronic transactions, such as the Medicaid, Blue Cross and Blue Shield, UPIN, CHAMPUS and other "legacy" numbers.
• Does not replace social security numbers, DEA numbers, taxpayer ID numbers, taxonomy (specialty) numbers or state license numbers, since these are used for purposes other than general identification.
• Issued by the government through a contractor, who is responsible for processing applications and assigning numbers.
• All individual health care providers (including dentists) and organizations such as clinics and group practices are eligible to obtain an NPI.
• Only "covered entities" as defined under HIPAA are required to obtain one (see "Who Needs an NPI?").
• Acquiring an NPI does not make you a covered entity.
• 10-digit numbers that are unique to each health care provider or organization.
• Random numbers that contain no coded information about the provider or organization (such as specialty or location).
• Permanent identifiers that do not change over time or expire.

The Application Process

Applying for your NPI is free and takes about 20 minutes to complete.

1. Visit https://nppes.cms.hhs.gov
2. Complete the application and follow instructions to submit either online or by mail. Faxes are not accepted.
3. After confirmation of the receipt of your application, you should receive your NPI via e-mail within one to five business days if you submitted the application online. Mailed applications may require up to 20 days to process.

• Each health care payer will notify you when they are ready to begin accepting NPIs in place of other identifiers on transactions.
• Health care professionals who are considered "covered entities" are required to begin using NPIs on electronic transactions no later than May 23, 2007.
• Health care payers and clearinghouses are required to accept NPIs on transactions no later than May 23, 2007.
• If any of the data related to your NPI changes, you are responsible for submitting these updates to the NPS within 30 days of the changes. Examples include name or address changes.

Want to Learn More?

• https://nppes.cms.hhs.gov
• http://www.cms.hhs.gov/NationalProvIdentStand/
• http://www.cms.hhs.gov/apps/npi/npiviewlet.asp

back to top

  How to Enter an NPI Number into DENTRIX

1. Open DENTRIX.
2. Go to the Office Manager.
   
   
   
   
3. Go to Maintenance | Practice Setup | Practice Resource Setup.
   
   
   
   
4. Highlight the appropriate provider ID and click edit.
   
   
   
   
5. Enter the NPI number in the NPI box on the right side.
6. Click OK.
7. Repeat steps 4 - 6 for each provider.
8. Click Close when done.