From the Editor

Welcome to The Practice Solution Magazine!

The goal of The Practice Solution Magazine is to provide practice owners with practice management information that will assist them in achieving success.

It is a commonly known fact that the vast majority of owners have had little to no business administration training. It is this fact that causes many doctors to discover that owning and operating a practice is not as easy as they thought it would be and inhibits growth and prosperity. Technical training alone does not prepare doctors for many of the situations they encounter when running a practice.

Lack of knowledge about how to hire, delegate, train staff, market, budget, control the scheduling book, formulate office policy and implement efficient organizational techniques is a major cause of stress and dissatisfaction for doctors.

Our goal is to help practice owners by offering nuts and bolts solutions to management problems. We hope the information we provide in The Practice Solution Magazine helps each and every reader to reach the goals they set for themselves when they went into private practice.

We welcome your feedback and ideas for future issues. Let us know what problems you’d like to solve in your practice so we can tailor our magazine content to address your needs. We’re happy you found The Practice Solution Magazine online and I encourage you to visit often so you can take advantage of the solutions we offer.

Warm regards,

Ken DeRouchie

Preferred Provider? by Dr. Charles S. Horn, III, DDS

Interview concerning Practice Management with Dr. Charles S Horn

Some months back, we did an interview concerning practice management with Dr. Charles S. Horn. At the end of that interview, Dr. Horn told us about a letter he had written concerning working with insurance companies. He asked if we would like to look at it and possibly include it in our next issue. He sent it to us and we found it so “to the point” concerning the state of managed care today that we are including it in this issue of The Practice Solution Magazine. We hope you enjoy it as much as we do.




Dear Mr./Mrs. Insurance Company:

I read your letter with great interest. I am indeed honored to learn that I have been singled out of all the fine dentists in Delaware, by one of the fastest growing companies in the country, to be asked to join your health care organization. From the tone of your letter, it is humbling, indeed, to learn that I am one of the best and I am excited to hear about all the new patients that you assure me, will be flocking to my office. Though you mentioned something about my name on some sort of a list, I am sure it is a very short list and all of these patients will be coming to me. You asked me if I wanted a lot of new patients and then answered your own question by saying that I would get many new patients. I can hardly wait to greet these new people, eager to experience new and extensive dentistry, as you promised.

Your fee schedule was a little disappointing, since it seems you will be paying me about 40% less than I usually charge, but that’s OK, because of all the new patients I will be seeing. Considering all these wonderful things you will be doing for me, I feel compelled to ask a favor of you. Since my income will be cut by 40%, I must ask you to send a personal letter (not a form letter) to all the laboratories I deal with. This letter must inform them that I will discount their bills by 40% and not pay their normal charges; also a letter to all my supply houses (the names and addresses are enclosed on a separate sheet). My repair man may be upset, but, with the increased use of equipment, he will be called more often. You must be very tactful when you write to my wife, because, with a 40% cut, she will also have to cut back. My employees may be upset with a 40% pay cut, but, since we will be working so many extra hours with crown and bridge, precision partials and implants, they will not mind, I am sure. My accountant should understand since she will see from our records that we will be working longer hours yet producing less income, but that will be her problem. I will, of course, have to cut back on my vacation time since I will be spending more time in the office (with 40% less in fees). However, I could hire an associate at 40% less than the going rate, but he/she should understand. Our hygienist will have to cut down her appointment time from 1 hour or 45 minutes to 30 minutes, but I am sure she won’t mind. I think 30 minutes should be enough time to do a good prophylaxis, give oral hygiene instruction, take the necessary radiographs, answer questions and for me to do a thorough examination, a cancer exam, answer more questions and make the necessary recommendations.

With all these new patients, we will just have to work faster. With less time between patients, we will have to find short-cuts with our sterilization procedures, but if nobody gets sick or infected, I’m sure OSHA might not notice. We will no longer have time to establish a “dentist-patient” relationship, but that’s OK; with the increased volume, it will not matter that much anymore if we really get to know each patient. The patients might notice, but after all, they will be coming to me for cheap fees and average dentistry and that is what counts, isn’t it? Cheap dentistry? This should make up for the personal time I used to spend with them.

When I went into dentistry many years ago, I wanted to be my own boss and make my own decisions. I understand that if I work for you, (as an employee of some sort), you will take care of me and help me out whenever you can. It will be reassuring to know that I will not have to make my own decisions anymore, about fees and those kinds of things, because you will make those decisions for me. When I read your “Participating Dentist Professional Service Agreement”, some things were just a little confusing. I am sure this “agreement” is in my best interest and you only have me at heart because you want to help me, my patients and your clients. After 30 years of dentistry and my patients calling me “Doctor”, you want to call me only a “provider”. My son is a provider for his dog. Would it be OK with you if I still call myself “Doctor” around my friends and only go by “Provider” with all the patients you will send me? Your contract also goes on to state that I can only refer to one of your member specialists or, if there are none, I must give you notice and get your permission. Does this mean that I have to get your permission before I am allowed to send a patient who is in pain, with a swollen face and a highly infected molar to an endodontist at 4:30 on Friday afternoon? On the leader page that you sent me, you stated “No Paperwork Required from Plan Dentist”, then on your “Service Agreement”, you state “Dentist will provide patient utilization information to (the plan) on forms provided by (the plan) or on such other forms as agreed to between the parties”. My question is… “Are there forms or no forms?” Also, you state that you can inspect any books and documents relating to the dental care services rendered… I assume this also means that I can come to your office and “inspect any books and documents relating to the dental care services rendered”.

I received a letter today, at my home in Pennsylvania, from your company. This letter stated that I can automatically be accepted to your dental plan because I own a certain credit card. It is obvious that the person sending me this letter did not know that I was also a dentist. I noticed, however, that everything you stated in the “credit card letter” does not seem to fit with what you say in your “Dental” letter. The most misleading statement is… “every (dentist) has been extensively prescreened and approved according to our (your) high quality standards”. Your “high quality standards” are… my fax number, my degree, number of dentists and hygienists, number of operatories, do I carry malpractice insurance, my office hours, languages spoken, and my date of birth. I would not consider these high quality standards. It is interesting to know that you consider “high quality standards”, but what about the rest of the card holders? I wonder what they would consider “high quality standards”? All the letter to the card holders talks about it “no charge”, “savings”, “reduced cost”, etc. Whatever happened to caring, good dentistry, cheerful, honesty, truthful, high tech, value, improved care, understanding, listening to patients and, sometimes, free dentistry for people who cannot really afford good dentistry. With you, it all seems to come down to money, not good dental care or a caring dentist, just your bottom line profit.

After writing this letter, I think it would be in the best interest of my patients, my staff, my wife, my laboratories, my suppliers, my accountant, my associates and, yes, even myself, if I just continue doing dentistry the way I have done in the past and the way I want to do it in the future. I might not need all the wonderful things you can do for me or even all the patients you promised. I like the kind of high quality dentistry I have been doing and I do not think I should lower my standards to just adequate care for discounted fees. You can, therefore, keep your forms, cut-rate fees and “Big Brother” tactics. I think I will be happier the way I am… a dentist doing the best dentistry I know how, the way I think it should be done, referring to top rank specialists who do not have to get on a list and being my own man, making my own decisions without someone looking over my shoulder. I also am happy charging what I would consider a reasonable fee without cutting prices so that an insurance company can increase its bottom line profit.

At the fees you quoted, my employees will be making more money than I will. Please do not attempt to contact me in the future, because your literature and that of other insurance companies like yours, is cluttering up my trash can.

Very truly yours,
Charles S. Horn, III, DDS

From Burned Out to Booming: A Case Study

After being in practice for some years this doctor was seriously considering closing down his practice and pursuing a different profession. His enthusiasm for practicing had reached an all time low and he was feeling burned out. He missed those days earlier in his career when the practice was growing at a good rate and when he looked forward to going to work every day. But he wasn’t sure what would need to happen to revive his interest or the practice.

He was seeing 25-30 new patients per month on an average and producing around $28,000 each month. The practice was neither growing or contracting; it was hovering around these levels for awhile.

Conditions in the practice began to change after he made the decision to hire a management consulting firm. After a very thorough analysis of the practice the consultant noticed a non optimum situation with his personnel. The consultant looked into this further by interviewing and testing the staff members involved. He reached the conclusion that the doctor had failed to place some of his staff in the positions they were best suited for. A shift in positions took place and dramatic changes began to occur almost immediately. Not only were the staff members happier, but this change translated into an increase in new patients and collections right away.

The consultant then began to work with the doctor to train all his staff in management techniques that they needed in order to perform their jobs well. The first step he took was to ensure the office manager received thorough executive training. She was then able to take over the day to day management duties in the practice, leaving the doctor free to concentrate on treating patients.

The OM made sure all the other staff were trained for their positions and implemented all the office policies and job descriptions provided by the consultant.

It was at this point that the doctor and his staff were able to competently handle all aspects of the practice.

They implemented collections and finance policies which increased the cash flow. Financial planning procedures were implemented that put the practice in a condition of strong viability. This, alone, relieved the doctor of a great deal of stress.

The consultant developed marketing plan for the practice and worked with the staff to implement them. The number of new patients grew.

A sharp eye was kept on efficiency. With more new patients coming in and the cash flow increasing, it was vital that the practice remain solvent and financially secure. The consultant monitored all the activity and helped the doctor make key decisions about hiring, staff bonuses, major purchases and work loads.

The results:

The practice now stably produces over $100,000 per month. In other words, it produces in one week what it used to produce in one month. They average seeing 100 new patients per month. The doctor works less hours than he did previously and his morale, along with the staff’s, has risen tremendously. The practice has moved to a larger facility and other doctors frequently visit the practice to find out how he did it. It has become a model practice, with each staff member fully trained for the position they hold.

In the doctor’s own words, “Management training is the key to my success. I did not learn in school what I needed to know to establish a practice that was capable of flourishing year after year after year. I learned everything I needed to know technically and was very capable of delivering high quality of care to my patients but that only covered one aspect of owning a practice. I learned the hard way that technical training alone is not enough to sustain a successful business over the long haul. Thanks to the capable professionals of my consulting firm, I am a success, my staff is a success and my patients are receiving the best care and service available.” Dr. T.N.

Five Steps to HIPAA Privacy Rule Compliance

Help for Handling the
Frustrations of HIPAA Compliance

HIPAA, the Health Insurance Portability and Accountability Act, became law in 1996. Its original intent was to help employees change jobs and keep their health insurance by making their coverage “portable”. Lawmakers broadened the law to include the Privacy Rule which went into effect on April 14, 2003.

This guideline describes the basic steps you must take to comply with the Privacy Rule. However, you or whoever is in charge of the Privacy Rule should learn more about state and federal privacy law. The two links at the end of this guideline have several documents you can download, at no charge, to clarify and explain in greater detail, every aspect of the law.

We would like to thank Mike Chatalein for providing this information for inclusion in this issue of Solutions

Who Must Comply with the Privacy Rule

If you are a paper-based practice, meaning you do not transmit patient information electronically, compliance to the Privacy Rule is voluntary. However, for most practices, the speed, accuracy and cost savings of electronic billing is more beneficial than the HIPAA hassle. In fact, a different part of HIPPA simplifies electronic transactions which will save the industry billions over the next ten years. Electronic transmission includes sending any Protected Health Information (PHI) over the Internet or transferring PHI, such as billing data, with computer disks. Telephone and fax transmissions are not included in the definition.

Otherwise, all healthcare practices must comply with the Privacy Rule.

Go to for details about who must comply with the Privacy Rule.

New Term: Protected Health Information (PHI)

Protected Health Information (PHI) is a HIPAA term that is used throughout this guideline. PHI includes all medical records and health information of an individual.

A patient’s health information is protected in any form: paper, electronic, oral. You may control PHI in many forms: backup computer disks or tapes, insurance statements, prescription forms, lab reports, correspondence from other doctors, patient forms, email, explanation of benefits notices, treatment authorizations, collection documents, conversations between doctors and staff, faxes regarding patients and so on.

Five Steps to Privacy Rule Compliance

  1. Put someone in charge.
  2. Keep Protected Health Information (PHI) secure and private.
  3. Set up office policy, implementation procedures and training for your staff.
  4. Inform patients of their rights and support those rights.
  5. Limit access of patient information to businesses outside the practice.

1. Put Someone in Charge

The Privacy Rule requires you to assign responsibility to someone to implement the Privacy Rule. The Privacy Officer’s job is to get the other four steps in this guideline done and keep them in place. In small practices, this can be the doctor or office manager. In large practices, it may be a full-time job for a few weeks and a part-time job thereafter.

Privacy Officer Duties

  • Keep track of the steps you take to comply with the HIPAA Privacy Rule. For example, record the date you install a door lock to your file room.
  • Take any steps needed to keep all PHI under your control private and secure.
  • Create and update a Privacy Notice for your patients, a privacy policy for the staff, staff training material and other paperwork.
  • Ensure current and new staff are trained on the HIPAA Privacy Rule as it applies to your practice.
  • Enforce the practice’s privacy policy.
  • Arrange for all patients to receive and sign the Privacy Notice acknowledgement form.
  • Help individuals who wish to see and review their files, receive copies of their files, request changes to their PHI or other requests or questions.
  • Keep records of Privacy Rule activities including who has been trained and when, who has keys or combination codes, patients and outside parties who have requested PHI, patient complaints, patient requests and so on.
  • Store all forms and records related to the Privacy Rule for at least six years. Ask the Practice Owner for approval of your filing system. For example, will you keep the Privacy Rule paperwork in patient files, in separate Privacy Rule files or both.
  • Plug any PHI leaks as they come up.
  • Learn and implement state privacy rules that apply to the practice.

2. Keep Protected Health Information (PHI) Secure and Private.
You probably keep PHI private and secure already, so being in compliance will not be difficult. To comply with this part of the Privacy Rule, simply accept responsibility and use your judgement for keeping all PHI secure and private. The law does not require you to replace your file cabinets or build new walls. It says to take “reasonable” efforts to prevent unauthorized access to PHI.

For example, perhaps you can change the file room door knob without a lock, to a door knob with a lock. Many file cabinets have a metal piece at the top you can punch out to install a lock. You may decide you only need to hang a sign that says, “Authorized Personnel Only”.

When employees stop working for the practice, you don’t need to replace or re-key your locks to protect PHI, unless that is your normal routine. Many practices simply change the burglar alarm code. Another good idea is to install door locks that you open with a combination code instead of a key.

The Privacy Officer should look through the practice, list all the potential PHI leaks and get them plugged. He or she should make a list of all changes made to prove, if needed some day, that the practice made reasonable efforts to comply.



  • Give all computer users their own computer password.
  • Set up your software to limit access to PHI to those who need it to do their jobs.
  • Keep computer backup copies secured or locked up.
  • Position computer screens so people passing by cannot read any PHI.
  • Set up screen savers that blank out the screen when not in use for a few minutes and require passwords to open again.
  • If you send or receive PHI through email, you need to encrypt the messages. An email system like may fit your needs.
  • When an employee leaves, cancel their computer password.

Files and Papers

  • Keep patient files and charts locked up when not in use.
  • Shred paper with PHI. Do not throw it away or recycle it.
  • Ensure the patient sign up sheet does not ask for .reason for visit..
  • If you use clear chart holders on doors, tape a piece of paper in the holder so patient charts cannot be read by people walking by.
  • Remove or hide patient schedules, progress charts, surgery schedules or other PHI where the public or patients can see them.
  • Publish patient names in your newsletter or promotional material only with their written consent.
  • Don’t leave documents, faxes or reports with PHI on desks or counters when not in use. Put them in folder or turn them over so they cannot be read.


  • Lower your voice when discussing PHI with patients, doctors or staff where other patients can overhear you.
  • Check your waiting areas to ensure patients cannot overhear telephone conversations.
  • When leaving messages for patients on a machine or with a person, keep the message brief and use good
    judgement. For example, an abortion clinic or drug-rehab facility should be very discreet while a dentist or chiropractor has less to worry about.
  • Send reminder postcards with good judgement as well. Even an envelope from certain types of practices can make patients feel their privacy is at risk.
  • When in doubt, ask the patient what he or she wants. “When we get your lab results, how should we contact you?”
  • When calling out names to waiting patients, do not also mention their service. You can say, “Bob Jones? Come this way.” Do not say, “Bob Jones? Ready for your chemo?”

Minimum Necessary Uses and Disclosures

As well as protecting PHI, you need to release or provide access to PHI when required.

You do not block PHI access to the patient, anyone authorized by the patient, anyone who needs the data for treatment purposes, or uses/disclosures required by law.

Use your judgement on how much to allow. For example, a temporary receptionist does not need access to patient records, but does need access to scheduling information. An insurance company request for information may only require a progress report and not the entire file.

3. Set up Office Policy, Procedures and Training for Your Staff

The Privacy Officer needs to train the current staff and future staff on the Privacy Rule. “Staff” includes doctors, partners, associates, spouses, part-time and full-time employees, independent contractors and anyone else who works in the office. New employees must be trained within a reasonable amount of time. Business associates are not included (see Step 5).

Written guidelines are the easiest and best way to train people. So the first step is to tailor the rules to your practice. See Attachment 1 “How to Write Your Office Privacy Policy”.

Create a checklist of all the written material required to be read as part of the training. Attach this material as part of the office policy. You can require all staff to read this guideline and its attachments as part of your training process.

Hold a staff meeting to go over the written material. Have everyone sign a form stating they understand the material and will enforce the office policy.

During the training sessions, go over all forms of PHI in the practice and how it must be kept private and secure. Explain the patient’s rights and how the practice will support those rights. Ensure everyone understands the law and has no confusion or unanswered questions.

Additional training material is available from the links at the end of this guideline.

4. Inform Patients of their Rights and Support those Rights

You need to inform your patients of their privacy rights under the HIPAA Privacy Rule. This includes their right to see their PHI, to change or amend their PHI, and to get assistance to their privacy complaints.

“Notice of Privacy Practices” Wording

Except for the first paragraph in Attachment #2 “Sample Notice of Privacy Practices,” you can use any wording you like to explain the patients. rights as long as it is written in plain language.

The notice should include the patient’s rights under the HIPAA Privacy Rule, how to file a complaint, the name and number of the Privacy Officer, when the rule goes into effect, the practice’s right to change the notice, the right of patients to request tighter restrictions to their privacy and so on. Details about the notice can be found in section 164.520(b) of “Standards for Privacy of Individually Identifiable Health Information” (the HIPAA Privacy Rule). You can download this document at

Privacy Notice and Acknowledgement

The HIPAA Privacy Rule requires you to give the patient a “Notice of Privacy Practices”. See Attachment #2 “Sample Notice of Privacy Practices”. Tailor a notice to fit your practice and your needs.

You give each patient a copy at his or her next appointment and ask him or her to sign the acknowledgement. The patient can have a copy if he or she wants one.

If the patient is a minor or represented by a guardian, have the parent/guardian sign for the patient. This same person can also act for the patient in obtaining copies of the patient’s PHI, submitting changes for the file, or filing a complaint on the patient’s behalf.

In an emergency situation, the notice can wait until the emergency is over.

Each new patient will also need to sign the acknowledgement at their first visit.

Once the patient has signed the acknowledgement, file the form.

You can wait until April 14, 2003 to start this step. However, if you expect a lot of questions or time-consuming problems, you might want to start sooner. Either way, all patients must receive and acknowledge the notice before receiving services from April 14, 2003 onward.

The law requires you to make “reasonable efforts” to do this step. If you cannot get a patient to sign the acknowledgement, write down what happened and file it as you do the other forms.

As well as handing the notice to patients, the law requires you to post the notice in a prominent location, such as on the wall in your reception area. We suggest you frame it with glass so it continues to look professional through the years.

If your office gives services through email, send the patients the notice just before giving the next email service. Ask the patient to acknowledge receiving the notice via email. He or she may also have a paper copy, if requested.

Finally, if you have a web site, you need to post your privacy notice there as well.

(Note: in the original law, you were supposed to get a signed consent for all uses of PHI. Then in March 2002, the law was changed and you were only required to post the notice. But then the August 2002 final rule came out and it says you need to hand each patient a notice and get a signed acknowledgement as well as post the notice.)


If you wish to share a patient’s information to an outside company, such as a marketing list company, you need written consent from each patient.

Marketing your own services or products directly to your patients, or giving samples or literature yourself, is not a violation of the Privacy Rule.

Extra Privacy Restrictions

As described in the patients. Privacy Notice, any patient may request additional privacy restrictions. For example, he or she may request that only a certain doctor may read the PHI.

Ask the patient to submit the request for extra privacy in writing. The Privacy Officer reviews the request, makes a recommendation and submits the request to the Practice Owner for approval or denial.

You (the doctor) are not required to approve these requests, but you must consider them. If you agree to an extra privacy restriction, you must keep your word.

Keep the related paperwork on file.

Confidential Communications

The Privacy Notice states the patient may receive communication from your office in a specific way. For example, he or she may not want you to call him or her at work. The HIPAA Privacy Rule requires you to follow these instructions if at all possible.

If the request is difficult, you can refuse. For example, the patient wants his statement sent via email and only on Wednesday evenings. Instead, offer a solution that is not a difficulty for the practice. For example, have the patient prepay the copayment so no statement is necessary. Or suggest he ask for a copy at his next visit.

Never ask the patient to explain why he or she has the request.

If the request is reasonable, you must do it.

Releasing PHI to the patient

Patients have the right to see their PHI upon request within 30 days. If you need more time, you can extend the deadline by 30 days if you provide the individual with a written statement of the reasons for the delay. However, a well-organized practice can fulfill such requests quickly.

State laws may have stricter rules which will override the federal law (see State Laws subchapter at the end of this guideline). Examples: California law gives you five days to show the PHI and 15 days to provide copies.

Florida law says to provide the patient his or her information “in a timely manner, without delays for legal review”.

Colorado law says you must provide access or copies within a “reasonable amount of time”.

Maryland law says, “The provider must respond within a reasonable time, but no more than 21 days after receipt of the request”.

Virginia law gives you 15 days.

So be sure to check the laws of your state (see before releasing any PHI.

Have the patient write down his or her request to see the PHI or obtain copies of PHI. Ask the patient to note if he or she wants anything in particular, such as financial records, or all the PHI you have.

Create a form for your practice, if you wish.

The Privacy Officer should record all requests to access or receive copies of PHI. He or she should then send you (the doctor) the request and the patient’s file for a decision.

According to HIPAA law, you (the doctor) may deny access to some or all of an individual’s PHI if it contains psychotherapy notes, if the information will be used in a lawsuit or government action, if you received the information under a promise of confidentiality and releasing it would reveal the source, and other legal reasons.

When in doubt, check the Privacy Rule and state privacy laws available through the web sites at the end of this guideline. Or get an attorney’s assistance.

You may also deny access if you (the doctor) feel that releasing PHI might endanger the individual or another person (e.g., releasing child abuse information to the potential abuser). In this case, the individual may request a review of your denial.

If the individual requests a review, you designate a licensed healthcare professional who is not involved in your decision, as the reviewer. He or she reviews the PHI and your denial and provides the individual with a written notice of his or her decision.

Under the Privacy Rule, if you deny a request, you must provide a written explanation. You must also include the details about a review you have arranged and instructions on how to file a complaint to you or the Department of Health and Human Services.

If the request is approved, you may charge a reasonable fee. However, if requests are infrequent, you may wish to help the patient at no charge as a goodwill gesture. Check your state’s law for any guidance on fees.

Of course, make sure the person you are giving access to or copies of PHI is the right person (check ID if you don’t know him or her personally).

Keep all paperwork secure in case you need to prove in the future you followed the rules.


Patients can ask you to change some aspect of their PHI. For example, he or she disagrees with your diagnosis regarding a pre-existing condition.

Per the Privacy Rule, you have 60 days to respond to an amendment request, but for best service, you should respond within a week.

If you approve or disapprove the patient’s request, let him or her know. Either way, explain your decision.

Tell the individual he or she has the right to submit a statement for the file or that their request can be included in the file. Also explain how he or she can file a complaint with the Department of Human Services.

If you do not have the PHI the patient wants changed, let him or her know this and where the PHI is located.

Keep the paperwork on file.


If a patient complains about your privacy practices to the Department of Human Services, you may be investigated. So you want the patient or guardian to feel comfortable giving you their complaint so you can resolve the problem.

Ask the patient to put the complaint in writing. Investigate the problem. Write a letter to the patient explaining what you did to resolve the problem. Attach quotes from the law if the patient is actually complaining about your compliance to the law. Then meet with the patient, go over the letter and make sure he or she is happy.

Fully resolve any privacy weaknesses or errors with better staff training or new procedures so the problem never repeats.

As with all privacy paperwork, keep it on file.

5. Limit Access of Patient Information to Businesses Outside the Practice

So the rule is: don’t sell your patient information to outside companies without the patients’ consent. Since you probably never have nor will sell patient information, compliance with this rule is easy.

Other types of businesses and individuals may have access to your patient records if they sign an agreement. For example, you might hire a consultant who looks at patient files to evaluate your patient management strengths and weaknesses. The consultant needs to sign an agreement with you that protects the privacy of the patient information. See Attachment #3 “Business Associate Protected Health Information Agreement”.

Businesses and individuals who come to your office as part of normal business do not need to sign an agreement. For example, people who clean, repair or maintain your facility or equipment.

Examples of organizations with which you must have business associate agreements as they deal with PHI:

  • Telephone answering services
  • Billing companies
  • Consultants
  • Accountants and bookkeepers
  • Attorneys
  • Collection agencies
  • Software companies
  • Computer technicians
  • Transcription services
  • Internet backup services
  • Quality insurance/credentialing services
  • Malpractice carriers
  • Document destruction firms
  • Research agencies
  • Schools

The following are usually not business associates as they do not deal with PHI even though they may be in your office:

  • Janitors
  • Maintenance or construction workers
  • Couriers
  • Equipment technicians
  • Patient finance firms

These individuals and groups are not normally classified as business associates as they are part of routine treatment and payment procedures:

  • Other healthcare providers and staff
  • Home care providers
  • Hospitals
  • Labs
  • Imaging centers
  • Pharmacies
  • Managed care plans
  • Insurance companies that cover your patients. services
  • Government agencies
  • Someone who is required by law to perform a function
  • Employees, associates or others who receive your privacy law training

Your written agreement with Business Associates must state he or she will safeguard the PHI and not use or disclose the information beyond the terms of the contract or by law. The agreement can be part of a larger agreement with the Business Associate, or a separate agreement.

You do not need to monitor your Business Associates use of the PHI you provide. However, if there is a complaint or problem with the Business Associate, you must deal with it.

See Attachment #3 “Business Associate Protected Health Information Agreement” for a sample wording for occasional PHI use by the Business Associate whose purpose is to assist the practice (e.g., management consultant, software technician, etc.). If the relationship involves complex activities with your files or significant involvement with PHI, get an attorney to assist you with the contract. The Department of Health and Human Services has created and posted sample wordings for a Business Associate contract at

State Laws

Many states have privacy laws which you should already be following, even if you are a paper-based practice. If a state law is stricter than the federal HIPAA law, the state law applies. For example, state laws often require consent before you can pass on the results of an HIV/AIDS test to anyone besides the patient, with some exceptions. How you deal with certain PHI of minors also varies from state to state.

Health Privacy Project ( has compiled a terrific, easy-to-understand summary of privacy laws for each state. With a few clicks and a few minutes of reading, you can learn what you need to know about your state privacy laws.

Additional Information

Hire an attorney that specializes in healthcare privacy law if the Department of Health and Human Services contacts you or wants to give you a compliance review.

Before dealing with a complicated request from a patient, make sure you know what you are doing. You might save a lot of time and money if you read the law or related document before calling an attorney. Fortunately, the Internet has a wealth of valuable information on the HIPAA Privacy Rule.

While there are dozens of useful web sites, books and workshops, these two web sites are the most useful. Any questions you have about HIPAA are most likely covered in one of them. The information at both sites is free.

  1. US Department of Health and Human Services, Office for Civil Rights – HIPAA of their documents, found at, lists the answers to 157 frequently asked questions about the Privacy Rule. You will learn how to deal with employee fitness exams, how to do research with PHI, workers. compensation privacy, and questions you never thought to ask.
  2. Health Privacy Project provides current information about HIPAA, a summary of each state’s privacy laws and several useful links: their well-written 37-page explanation of the HIPAA Privacy Rule, go to luck!


    1. : “How to Write Your Office Privacy Policy”
    2. : “Sample Notice of Privacy Practices”
    3. : “Business Associate Protected Health Information Agreement”

    How to Write Your Office Privacy Policy

    The sample policy below must be modified to fit your practice. For example, add your practice name and the name of your Privacy Officer. Write out your specific security procedures (who locks what and when) and include it in this policy or in an attachment.

    Study the HIPAA Privacy Rule and privacy laws for your state to see if there is anything else you should add for your practice.

    Keep the policy simple and easy to understand. Attach anything else you wish the staff to learn as part of their training.

    The practice owner or CEO must review and approve the final policy wording.

    Have all staff members sign the policy as part of their training.

    Office Policy on Privacy (Sample)

    Protecting our patients. privacy is important to this practice. We also wish to make every effort to comply with state and federal privacy laws.


    1. We are responsible for keeping our patients. Protected Health Information (PHI) confidential.PHI includes all medical records and health information of an individual. PHI is in many forms: paper, electronic, oral and includes our computer files, paper files, computer disks or tapes, insurance statements, prescription forms, lab reports, correspondence from other doctors, patient forms, email, explanation of benefits notices, treatment authorizations, collection documents, conversations between doctors and staff, faxes regarding patients and so on.
    2. Our practice has a Privacy Officer who makes sure we comply with the privacy laws. See him or her for any questions regarding patient information privacy. Send all information, questions and paperwork related to this policy to the Privacy Officer including patient forms, complaints, requests for file changes, questions, violation reports, contracts and requests for or access to PHI.
    3. All staff, including doctors, part-time staff and others who work here must be trained in the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule. Reading this policy is part of that training. You will be asked to sign a form stating you have read and understand your role in maintaining our patients. privacy.
    4. All current patients and all future new patients will be given a copy of “Notice of Privacy Practices” that explains their rights according to the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule.We will ask each patient to sign the notice showing they received the notice and keep the form on file. Each patient may have a copy of the notice.This Privacy Notice is attached. Please read it to ensure you understand and will support our patients. rights.
    5. PHI is available to those in the practice who need it to do their jobs. The Privacy Rule does not restrict its use in treatment, payment or routine healthcare operations. For example, when we refer a patient to another doctor, he or she can have as much access to PHI as he or she needs or wants.However, if you or others do not need access to PHI to do your job, your access is restricted.
    6. When we release PHI to non-healthcare people, we will only release the PHI that is needed for their purpose and only after the Privacy Officer and doctor approve the release.For example, if a patient wants a copy of his last five billing statements, that is all we provide. We do not give him a copy of his entire file unless he asks for it and even then, we may not give him everything as state and federal laws want the doctor to use judgement in giving PHI to patients (e.g., information that may harm the patient or someone else).As another example, if a life insurance company has signed permission from a patient to release his or her exam results, we only give the exam results.

      So when asked for PHI, simply get the request in writing and promise to pass it on to the Privacy Officer.

    7. Except for ourselves, we do not allow anyone to use our patient lists or information for marketing purposes.
    8. Outside firms and workers, who do not work here, may have access to PHI if they sign a Business Associate contract. For example, a software technician or consultant may look at PHI as long as he or she has signed the contract.
    9. Do your part to keep PHI private and secure. For example, follow all the procedures for security and privacy the Privacy Officer gives you. If you discuss cases outside the office, do not include anything that can identify the person, such as the individual’s name.
    10. Any violations of the Privacy Rule, the state privacy laws or this policy must be corrected. All violators will have reports of the violation filed in their personnel files. Repeat violations may result in a suspension or termination.
    11. If you see or know of a violation of this policy or the privacy laws, please report it to the Privacy Officer, preferably in writing. By law, you cannot be punished for reporting a violation.
    12. This practice can be fined and violators can be jailed for violations of this law.For example, if one of our staff members secretly made a copy of our overweight patient’s names and mailed a letter to these patients to sell a weight-loss product, that person could be fined and jailed by the government and then sued by the patients. The practice could also be penalized for hiring and trusting such a dishonest person.On the other hand, the lawmakers understand slips and mistakes are inevitable. For example, you accidentally mention a patient’s name and condition to the wrong person. Just be sure to take steps to prevent similar mistakes in the future.


    1. “Notice of Privacy Practices”
    2. Practice Guideline, “Five Steps to HIPAA Privacy Rule Compliance”

    Written by ________
    Approved by ________
    Employee Acknowledgement

    I _____________________ have read and understand the Office Policy on Privacy and its attachments. I will comply with and help enforce each part of the policy.

    Signed ________________________________ Date _____________

    ABC Clinic Notice of Privacy Practices (Sample)

    This notice describes how your health information may be used and disclosed and how you can access this information. Please review it carefully.

    At ABC Clinic, we have always kept your health information secure and confidential. A new law requires us to continue maintaining your privacy, to give you this notice and to follow the terms of this notice.

    The law permits us to use or disclose your health information to those involved in your treatment. For example, a review of your file by a specialist doctor whom we may involve in your care.

    We may use or disclose your health information for payment of your services. For example, we may send a report of your progress to your insurance company.

    We may use or disclose your health information for our normal healthcare operations. For example, one of our staff will enter your information into our computer.

    We may share your medical information with our business associates, such as a billing service. We have a written contract with each business associate that requires them to protect your privacy.

    We may use your information to contact you. For example, we may send newsletters or other information. We may also want to call and remind you about your appointments. If you are not home, we may leave this information on your answering machine or with the person who answers the telephone.

    In an emergency, we may disclose your health information to a family member or another person responsible for your care.

    We may release some or all of your health information when required by law.

    If this practice is sold, your information will become the property of the new owner.

    Except as described above, this practice will not use or disclose your health information without your prior written authorization.

    You may request in writing that we not use or disclose your health information as described above. We will let you know if we can fulfill your request.

    You have the right to know of any uses or disclosures we make with your health information beyond the above normal uses.

    As we will need to contact you from time to time, we will use whatever address or telephone number you prefer.

    You have the right to transfer copies of your health information to another practice. We will mail your files for you.

    You have the right to see and receive a copy your health information, with a few exceptions. Give us a written request regarding the information you want to see. If you also want a copy of your records, we may charge you a reasonable fee for the copies.

    You have the right to request an amendment or change to your health information. Give us your request to make changes in writing. If you wish to include a statement in your file, please give it to us in writing. We may or may not make the changes you request, but will be happy to include your statement in your file. If we agree to an amendment or change, we will not remove nor alter earlier documents, but will add new information.

    You have the right to receive a copy of this notice.

    If we change any of the details of this notice, we will notify you of the changes in writing.

    You may file a complaint with the Department of Health and Human Services, 200 Independence Avenue, S.W., Room 509F, Washington, DC 20201. You will not be retaliated against for filing a complaint.

    However, before filing a complaint, or for more information or assistance regarding your health information privacy, please contact our Privacy Officer, Jill Jones, at (123) 456-7890.

    This notice goes into effect as of April 14, 2003.


    I have received a copy of the ABC Clinic Notice of Privacy Practices. Date ______________

    Signed __________________________________ Print Name ____________________________

    If signing as a parent or guardian, please note the name of the patient ____________________________

    Business Associate Protected Health Information Agreement

    This Agreement, made on the ______ day of _____________, 200___, is by and between _____________________________________ (referred to as “The Healthcare Practice”) and
    _____________________________________ (referred to as “Business Associate”).

    The Healthcare Practice has the responsibility for safeguarding Protected Health Information (referred to as “PHI”) of its patients. PHI includes all medical records and health information of an individual in any form including paper, electronic and oral.

    Business Associate agrees to not use or disclose PHI other than as permitted or required by this Agreement or as required by law.

    Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI beyond the terms of this Agreement.

    Business Associate agrees to report to The Healthcare Practice any use or disclosure of the PHI not covered by this Agreement of which the Business Associate becomes aware.

    Business Associate agrees to ensure that any agent, representative or employee of Business Associate, including a subcontractor, to whom it provides PHI from The Healthcare Practice, agrees to the same restrictions and conditions that apply through this Agreement to Business Associate.

    Business Associate agrees to make PHI and related records obtained from The Healthcare Practice available to The Healthcare Practice and the Department of Health and Human Services to determine The Healthcare Practice’s compliance with the Privacy Rule.

    The Healthcare Practice agrees to disclose PHI to Business Associate the minimum amount of PHI necessary for the Business Associate’s purposes.

    Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of The Healthcare Practice, provided that such use or disclosure does not violate the Privacy Rule.

    If Business Associate violates the terms of this Agreement, The Healthcare Office will make reasonable attempts to resolve the violations. If a resolution is not feasible, The Healthcare Office will report the violation to the Department of Health and Human Services.

    Either party may terminate this Agreement at any time without reason or notice.

    Upon termination of this Agreement, for any reason, Business Associate shall return or destroy all PHI received from The Healthcare Practice. Business Associate shall retain no copies of the PHI.

    The rights and obligations of Business Associate of this Agreement shall survive the termination of this Agreement.

    Any ambiguity in this Agreement shall be resolved to permit The Healthcare Practice to comply with the Privacy Rule.

    This Agreement goes into effect as of the ________ day of _____________, 200________.

    The Healthcare Practice
    Business Associate