Cyberspace Law Sekminar
April 10, 2002
APPENDIX I CLINIC POLICY GUIDE
APPENDIX II DECLARATION OF CONFIDENTIALITY
APPENDIX III DUPLICATION REQUEST
Endnotes
In 1997, Judi Selig's employer, a South Carolina machinery
firm, discovered that Judi had been exposed to hepatitis several years
before. The employer then demanded that Ms. Selig undergo a blood test
and sign a medical release form so that the doctors in the employer's health
plan could access her records. Because Ms. Selig wanted to prove to her
employer that she was not a risk to her fellow employees she agreed to
the blood test. However, because she was equally concerned about retaining
control of the dissemination of her medical records she refused to sign
the release form. Because of Ms. Selig's decision, her employer suspended
her from work for a week without pay. Ms. Selig ended up leaving her job
because she did not want her privacy invaded.1 In 1997 Senator Edward M.
Kennedy articulated the general concern over patient privacy in his statement
that "video rental records have greater protection than sensitive medical
information."2
The concerns of healthcare providers and patients regarding
the decreasing control of medical records prompted Congress to pass HIPPA.3
Section 264 of HIPPA required Congress or the DHHS to "safeguard" the privacy
issues that individual patients were having difficulty protecting.4 Since
Congress failed to meet the August 21, 1999 deadline imposed by HIPPA,
the DHHS promulgated new privacy regulations on October 29, 1999 that create
privacy guidelines for electronic medical records.5 Considering that the
United States healthcare industry is made up of over twelve million providers,
suppliers, researchers and payers, in more than 500,000 companies, delivering
care through an estimated 2 billion patient encounters per year, HIPPA
will be an incredibly far-reaching piece of legislation.6
This paper will first chronicle how technology and the
advent of cyberspace has affected patient privacy. Second, this paper will
examine the new HIPPA regulations focusing on their treatment of the electronic
transmission and storage of patient records. This paper will then examine
the interactions between the field of dentistry, HIPPA, and electronic
media. Lastly, this paper will report specific patient privacy practices
at the University of Iowa College of Dentistry. The purpose of comparing
the practices at the University of Iowa College of Dentistry with the new
patient privacy regulations relating to electronic transmission of patent
records is to analyze the practical implications of HIPPA. The goal of
this paper is to provide dentists with information regarding their legal
and ethical obligations regarding the electronic transmission of patient
records. Additionally, to provide dental patients with information with
which to form a reasonable expectation of privacy regarding the handling
of the medical records in the digital age.
II. BACKGROUND
A. Electron Transmission of Patient Records-A Blessing
and A Curse?
Title II, Subtitle F of The Health Insurance Portability
and Accountability Act of 1996 ("HIPPA") sought to improve the "efficiency
and effectiveness of the health care system, by encouraging the development
of a health information system through the establishment of standards and
requirements for the electronic transmission of certain health information."7
In 1998, pursuant to, HIPPA the federal Department of Health and Human
Services ("DHHS") began releasing regulations involving privacy and electronic
code that will begin to take effect on February 26, 2003.8 Organizations
that will be affected by the new rules are classified as "covered entities"
and include health plans, health care clearinghouses, and health care providers
that transmit or maintain medical records via electronic mail ("e-mail").9
The impetus for such a wide reaching piece of legislation
can be traced to the significant impact technology has had on the health
care industry.10 Until recently, medical records were typically recorded
on paper, once, without a great deal of detail.11 It was standard practice
for the physician to simply remember certain details regarding a patient's
care.12 However, the recording and communication of patient records has
evolved into something much different than this informal process.13 High
storage computers connected by a modulator-demodulator ("MODEM") or a network
interface card ("NIC") enable health care entities to distribute, copy,
and record digitized patient records more quickly to more recipients.14
Patients benefit directly from these technology gains in areas such as
accuracy of recorded information, reliability of reliability information,
and indirectly through improved drug research through fast and accurate
patient data transmission to pharmaceutical companies.15
However, the quantum leap that technology has provided
in terms of transmission and duplication of patient records has created
concerns over patient privacy of sensitive health records.16 Patient records
can be handled by more than a dozen different organizations, each with
the ability to breach the expectation of privacy that the patient may have
with the health care provider.17 Understandably, many patients are concerned
that the increased number of touch points will lead to opportunities for
invasion of their privacy.18 For example, a recent survey of Fortune 500
companies indicated that more than a third check medical records during
the hiring process.19 Employers can deduce illness such as HIV through
acquired knowledge of the prescription drugs taken by applicants or employees.20
Before DHHS issued the regulations pursuant to HIPPA in 1999 a patient's
entire medical record could be released to an employer even if the employer
requested only a portion of the record.21
Additionally, a patient's medical records can potentially
have an adverse impact on that patient's consumer status.22 Medical Records
can potentially affect bank loans, credit card applications, and insurance
availability and rates.23 Unscrupulous marketing companies have also used
patient records to target marketing efforts.24 For example, in 1999 two
pharmacy chains provided a marketing company with their customers' prescription
information without the customers' knowledge or consent.25 This marketing
company then used this information to send unsolicited marketing letters
to the names provided.26
Understandably, patient fears regarding their confidential
information have increased as their records become more portable through
increased telephony technology.27 A recent national survey found that over
50 percent of Americans felt that electronic patient records stored and
transmitted via telephony will make their health care information less
secure.28 Health care providers fear that this concern will hasten new
problems in providing health care.29 For example, the American Medical
Association ("AMA") notes that damaging the relationship of trust that
should be the cornerstone of the patient's relationship with her physician
can have dire consequences on the individual patients health as well as
the health of others.30 This observation has prompted some doctors to fear
that patients' fear of lack of privacy will be a deterrent in seeking medical
attention.31 Patient distrust for the sanctity of their privacy becomes
especially problematic if patients are reluctant to seek medical attention
for conditions that are contagious (i.e. sexually transmitted diseases)
or require immediate attention (i.e. mental illness or substance dependency).32
B. HIPPA's Provisions
Encompassing more than one hundred fifty single
spaced pages, HIPPA is separated into five different sections that include:
Title 1, addressing healthcare access, portability and
renewability; Title II, dealing with healthcare fraud; Title III, creating
medical savings accounts and speaking to long term medical care, consumer
protection and organ transplantation efforts; Title IV, regulating private
group health insurance plans; and Title V, amending the Tax Code in the
area of revenue offsets.33
Within Title II is Section 264 "Recommendations With
Respect to Privacy of Certain Health Information."34 Section 264 articulates
Congress' intent to protect the privacy of "individually identifiable health
information" ("IIHI") transmitted in electronic or digital form.35 Based
on recommendations from DHHS Congress was to pass legislation governing
the privacy of transmission of IIHI.36 However, because Congress failed
to reach agreement on how to pass legislation, DHHS promulgated final regulations
that would act as "a floor of minimum protection" and would not preempt
states from taking a stricter approach to electronic transmission of IIHI.37
On November 3, 1999, pursuant to HIPPA, DHHS promulgated its Proposed Rule
for Standards for Privacy of Individually Identifiable Health Information
("SPIIHI").38
These new rules are intended to implement "reasonable
and appropriate administrative, technical, and physical safeguards" for
the electronic transmission or electronic maintenance of medical records.39
The new regulations expressly focus on privacy guidelines for disclosure
electronic medical records that are maintained or transmitted by the health
care provider.40 The policy goal of the new rules is to provide guidance
for healthcare providers and patients regarding current and emerging storage
and transmisson technology.41
1. Rule of Nondisclosure
SPIIHI required that covered entities refrain from disclosing
protected health information except where disclosure was: (1) the minimum
necessary information needed to carry out treatment payment or health care
operations; (2) authorized by the individual; (3) consistent with certain
public policy purposes or for compliance purposes; or (4) de-identified
information.42 Of note is DHHS' treatment of transmission of records from
covered entities to non-covered entities which requires that covered entities
obtain from their business partners contractually-specified assurances
that protected health information will be appropriately safeguarded before
disclosure.43 Thus, DHHS requires covered entities to monitor the uses
of private medical information when that information was disclosed in the
course of their business.44
2. Recognition of Individual Privacy Rights
The new rules require covered entities to recognize several
new individual patient rights.45 Covered entities are required to adopt
new policies and procedures recognizing the patients' right to notice of
the covered entities' privacy rights and procedures.46 Additionally, patients
now have the right to inspect and amend protected digital health information
in covered entities control and to be given an account of all disclosures
of that information.47
3. Administrative Obligations
Covered entities are required to take significant measures
to insure that the new privacy rules are being followed.48 These measures
include posting a privacy policy, establishing a process for privacy complaints,
educating staff on the new privacy procedures, and establishing a sanction
policy for privacy violations.49 Additionally, covered entities are
required to document their compliance procedures which may be subject to
administrative review by the DHHS, submit compliance reports to the DHHS
and fully cooperate with DHHS regarding inspection and disclosure of relevant
information.50 Finally, the compliance rules expressly forbid "intimidating
or retaliatory acts against whistleblowers."51
C. Technology, HIPPA and the Field of Dentistry
The "digital transformation" of dental care "will redefine
virtually every dimension of clinical [dental] practice and related business
activity."52 Although much of the commentary relating to HIPPA has focused
on hospitals, HIPPA will also have a significant impact on the field of
dentistry.53 Because most dentists qualify as a "health care provider who
transmit information in electronic form"54 most dentists are considered
a "covered entity" under HIPPA and are subject to the same rules and sanctions
as any other healthcare provider using electronic technology to transmit
patient care.55
However, the dental profession is different from the
field of a traditional medical practice in several important ways.56 Primary
among these differences is the fact that the "political, economic, and
regulatory" forces that have influenced the field of medicine have had
less impact on modern dentistry.57 Dentists have had much less exposure
to managed care and governmental health policy than physicians.58 For example,
a recent study indicates that 97.7 percent of dentists still work in a
small organizations comprised of less than 20 employees, whereas only 4.5
percent of organizations classified as general hospitals are comprised
of fewer than 20 employees.59 Because of the independence that is typical
of dentists, trust and quality of care are paramount and the cost of service
is secondary for the patients.60 The independent dentist is required to
be much more "entrepreneurial" than the physician working in a large managed
care facility.61 This means that dentists are responsible for keeping overhead
costs low and may not be able to afford the same level of technology that
a large, health care organization can afford.62 For the small dental office
the requirements of HIPPA may be extremely burdensome.63
D. The University of Iowa College of Dentistry-Practices
and Procedures
The University of Iowa College of Dentistry dental clinic
("the clinic") provides professional education, patient service, and dental
research.64 Each year approximately 9,000 patients come to the clinic,
resulting in 118,000 patient visits.65 The clinic offers patient care in
every major dental specialty.66 In addition to dental care, the clinic
houses a pharmacy and research facility.67
The clinic is obviously not representative of the majority
of private practicing dentists.68 The clinic is a state run organization
with access to many technological resources and most dentists practice
within small organizations with more limited overhead budgets.69 However,
both HIPPA and the American Dental Association's ("ADA") Principles of
Ethics and Code of Professional Conduct makes no distinction for dentists
working in large practices or small practices.70
Current clinic policy regarding patient records was disseminated
to all students, staff, and faculty in 1984.71 All patients admitted to
the clinic are informed of their patient rights.72 Additionally,
patients are told "to expect that all communications and records pertaining
to your care will be treated as confidential within the dental team."73
Current clinic guidelines expressly state that "release of patient information
is restricted to the patient only."74 Clinic policy stipulates that with
patient consent records can be released to other dentists "by phone or
in writing, but should be documented in the patient record."75 Clinic employees
found to have violated the confidentiality of the patient are subject to
disciplinary action including possible dismissal and civil and criminal
liability.76
Because the clinic rules were adopted before the advent
of significant telephony technology electronic storage and transmission
of dental records is not mentioned in the clinic policy.77 However, the
policy does clearly set a standard of informed consent regarding all patient
records.78 Interestingly telephone communication is expressly limited to
"79future scheduling information only." Again, telephone voice communication
is not differentiated from telephone data communication so the language
of the policy can be construed to prevent all communication via telephone
save scheduling (i.e. transmission of patient records).80
Generally, the clinic guidelines seem to be more stringent
regarding transmission than the DHHS rules. However, the clinic policy
is clearly outdated and not consistent with practice because the clinic
transmits patent records via fax.81 This raises the question of applicability
of the current rules to accepted dental practice within the clinic.
III. ANALYSIS
A. Criticisms of DHHS Regulations
Surprisingly, DHHS regulations allow health plans to
use electronic patient records for many broadly defined reasons providing
that patients are notified that their electronic medical records are being
disseminated.82 This position is clearly in contrast to the link between
patient's lack of confidence and the quality of healthcare.83 The notification
method is different from informed consent, which requires that patients
be consulted before their electronic records are shared with a third party.84
Because many healthcare facilities will not release electronic medical
records without the patient's express consent the new rules may inadvertently
create a loss of privacy control.85
In some respects this concern is more relevant for hospitals
and other larger healthcare facilities than it is for the majority of dentists
in small private practices. Because of the solitary nature of the practice
the majority of dentists stand very little to gain through exposing their
patient's records to a third party to develop clinical guidelines or evaluating
performance. Additionally, because the majority of dentists rely financially
on customer satisfaction and repeat business, it could be extremely costly
to actually reduce (or to give patients the perception that) the control
their patients currently have regarding their medical records.
Another criticism of the new rules is that they will
be extremely costly to implement.86 A recent study indicates that initial
costs of implementing HIPPA will total 23.4 billion dollars over five years.87
Another study estimates that compliance will increase healthcare costs
by $43 billion dollars over the next five years.88 Although the independent
estimates vary widely from the DHHS estimates, it is safe to say that HIPPA
will increase the cost of healthcare in the United States.89
Unfortunately, it will be easier for large organizations
such as hospitals to absorb this cost or pass the costs on to patients
than it will be the typical dental practice of less than twenty employees.90
This result may cause an undue burden on small organizations such as independent
dental offices which wish to transmit and store digital patient records.
An unfortunate affect of these increased costs may be that independent
dentists may need to form partnerships to reduce the cost burden.
B. A Comparison Between DHHS Rules and University of
Iowa Dental Clinic Policy
The existing clinic guidelines regarding nondisclosure
seem to be stricter that those proposed by the DHHS. First, the clinic
makes no distinction between digital and non-digital records.91 The clinic
requires that informed consent be given before release of records except
for the following: (1) internal administrative review of records; (2) the
clinic's malpractice insurance carrier and/or lawyer; (3) approved research
projects; and (4) referrals within the clinics which contribute to the
continuity of care.92 By contrast, DHHS rules merely require that patients
be told that their records are being disseminated electronically.
Additionally, the clinic's policy is that telephone communication "should
be restricted to future scheduling information only.93 Strictly construed,
this provision would ban transmission via fax or e-mail of patient information.
The new DHHS rules will require the clinic to formally
recognize several new individual patient rights. The current clinic policy
has no stipulation for patients that wish to inspect or amend their digital
records. Additionally, the current clinic rules do not provide a basis
for a patient to request an accounting of all disclosures of protected
health information. These differences may be due to the fact that the clinic's
release of patient information policy guide was created in 1984 before
significant technological gains in computer telephony and data storage
which make storage and communication of records easier.
Obviously, many of the new administrative requirements
regarding the DHHS rules will be new to the clinic because they are specific
to the new rules. However, the clinic currently already complies with many
of the new requirements. The clinic currently posts the privacy policy
and procedures and has privacy officials designated with a clear reporting
path for patients. The clinic proactively educates its staff regarding
patient records (electronic and otherwise) and clearly establishes sanctions
for privacy violations.94 The primary gaps between current practice and
the new DHHS rules involve DHHS specific requirements.
However, the fact that the clinic policy does not specifically
address electronic transmission and storage of digital patient information
is a glaring difference with the DHHS rules which were specifically designed
to address electronic storage. Healthcare workers in the clinic currently
store patient records electronically, send patient information via e-mail
internally as well as externally, and send patient information via facsimile
phone line transmission fax internally as well as externally. These activities
are all done on a regular basis. The fact that the current rules do not
address electronic transmission has the potential to create areas of ambiguity
within the clinic's policy. For example, the only express methods of obtaining
a release of adult patient information is by phone or, in some instances,
in writing. However, obtaining a release via e-mail is not expressly stipulated
in the clinic's policy.95
IV. RECOMMENDATIONS
The new DHHS rules have been put in place to protect
patients from organizations using technology to invade the relationship
they have with their healthcare provider. Based on the recent abuses and
the clear erosion of the doctor/patient relationship, rules protecting
patients are needed. Unfortunately, these protections will inevitably mean
an increase in the cost of providing care. Additionally, because many of
the administrative and infrastructure costs are more easily borne by large
healthcare organizations such as the University of Iowa Dental Clinic,
the typical dentist may find the initial stages of compliance difficult.
However, when considering the price of compliance dentists
should not forget the cost of non compliance. Immediately the DHHS rules
provide very stiff penalties. For inadvertent violations penalties can
be up to $25,000 per year for each violation. For certain intentional IIHI
disclosures criminal penalties can range from up to ten years in jail to
fines of up to $250,000.96 Additionally, the greater cost of non-compliance
could be loss of the patient's trust.
The DHHS has pledged to engage in outreach and education
programs to ease the implementation of this rule for small business through
various professional organizations97 and dentists should look to the ADA
for guidance in this matter. Additionally, covered entities are allowed
a high degree of flexibility in achieving compliance through appropriate
technology based on an individual security risk analysis.98
The first step in this process is to arrange for a legal
briefing on the most current security rules as well as other applicable
federal and state laws. Again, the ADA is an excellent source for establishing
a resource for this information. Second, covered entities should prepare
for security certification by appointing or hiring a security officer.99
After the security officer is identified organizations should conduct an
internal security risk analysis with the goal of determining the gaps between
current technology and equipment and the new privacy rules. Finally, covered
entities should amend any affected contracts and training staff.
V. CONCLUSION
By Feburary 26, 2003 any dentists that are storing or
transmitting digital patient records electronically will be required to
be in full compliance with the DHHS's new rules relating to patent privacy
and electronic patent records. Based on an analysis of the University of
Iowa Dental Clinic's policies and procedures, many dental organizations
will undoubtedly have certain areas that are more compliant with the new
DHHS rules than other areas. Iowa clinic's primary problem was not in the
protection that its policy provided patients it was that its policy was
outdated and did not reflect how its employees are currently using technology
to practice dentistry. Although most practitioners will not have the technological
resources available at the clinic, many will be able to implement the required
changes quicker and at a lower cost.
Practitioners are encouraged to take a proactive approach
in gaining compliance with these new rules as they are established to protect
patients and improve the relationship that healthcare providers have with
their patients. Additionally, noncompliance could result in criminal and
civil liability. The field of dentistry is unique because it supports a
very high rate of small businesses. Practitioners in small practices are
encouraged to work through professional organizations like the American
Dental Association in order to establish the procedures that will be required
to be in compliance.
APPENDIX I CLINIC POLICY GUIDE [in four brief files: https://www.nicholasjohnson.org/cls02/sheppard/pol1.pdf, https://www.nicholasjohnson.org/cls02/sheppard/pol2.pdf, https://www.nicholasjohnson.org/cls03/sheppard/pol1.pdf, and https://www.nicholasjohnson.org/cls02/sheppard/pol4.pdf.]
APPENDIX II DECLARATION OF PATIENT INFORMATION CONFIDENTIALITY
APPENDIX III RADIOGRAPH/RECORD DUPLICATION REQUEST
1 Sharon J. Hussong, Medical Records and Your Privacy:
Developing Federal Legislation to Protect Patient Privacy Rights, 26 AM.
J.L. & MED. 453, 453 (2000) (citing Karen Gullo, Privacy Rules for
Patients Debated, ASSOC. PRESS WRITER, February 17, 2000, at 1, available
at 2000 WL 14321242).
2 Helena Gail Rubinstein, If I Am Only For Myself, What
Am I? A Communitarian Look at the Privacy Stalemate, 25 AM. J.L. &
MED. 203, 203 (1999) (Citing Richard C. Turkington, Medical Record Confidentiality,
Law, Scientific Research and Data Collection in the Information Age, 25
J.L. MED. & ETHICS 113, 115 (1997)).
3 See Craig Eddy, A Critical Analysis of Health and Human
Services' Proposed Health Privacy Regulations in Light of the Health Insurance
Privacy and Accountability Act of 1996, 9 ANNALS HEALTH L. 1, 4-14 (2000)
(describing the causes of public outcry and the resulting legislative response
including the recounting of legislative anecdotes such as a healthcare
worker sending the names of four thousand HIV positive patients to a Florida
newspaper and The National Enquirer publishing a story about country singer
Tammy Wynett's liver decease that was obtained through nefariously obtained
medical records).
4 Id.
5 Hussong, supra note 1, at 454.
6 See Eddy, supra note 3, at 12 (citing a study done
by Robert E. Nolan Company, Inc., Cost and Impact Analysis: Common Components
of Confidentiality Legislation 2 (Fall 1999), available at http://www.renolan.com/healthcare/privacy.htm.
7 Mary Beth Johnson, HIPPA Becomes a Reality: Compliance
With New Privacy, Security, and Electronic Transmission Standards, 103
W. VA. L. REV. 541, 541 (2001) (citing 42 U.S.C. § 1320d (2000)).
8 Johnson, supra note 6, at 542.
9 Id. (noting that 42 U.S.C. § 1320d(2) defines
a "health care clearinghouse as a public or private entity that processes
or facilitates the processing of non-standard data elements of health information
into standard data elements").
10 Titus K.L. Schleyer, Degital Dentistry in the Computer
Age, JADA 1713, 1713 (Dec. 1999); Hussong, supra note 1, at 455.
11 Eddy supra note 3, at 2
12 Id.
13 Id.; Hussong, supra note 1 at 455-57; Helena Gail
Rubinstein, If I Am Only For Myself, What Am I? A Communitarian Look at
the Privacy Stalemate, 25 AM. J.L. & MED. 203, 203 (1999).
14 Hussong, supra note 1, at 455.
15 Id.
16 Eddy, supra note 3, at 2
17 Hussong, supra note 1, at 455.
18 Id.
19 Id. (citing Alex Keto, Clinton Announces Electronic
Medical Record Privacy Rules, DOW JONES NEWS SERV., Oct. 29, 1999, available
at WL 10/29/99 DJNS 09:58:00).
20 See Hussong, supra note 1, at 455 (noting President
Clinton's concern over the "ease with which a Pennsylvania company obtained
detailed information about its employees' prescriptions").
21 Hussong, supra note 1, at 455.
22 Id. at 455-56.
23 See Id. (noting that "credit card companies frequently
assess patients' treatment information" and that the new DHHS rules "bar
disclosure of patients' treatment information to banks and credit card
companies").
24 Id.
25 Lance Chilton, Privacy Protection of Health Information:
Patient Rights and Pediatrician Responsibilities, 104 PEDIATRICS 973, 973
(1999); see also id. (citing Chilton).
26 Hussong, supra note 1, at 455.
27 Id. (Telephony is "a term used frequently to refer
to computer hardware and software that performs functions traditionally
performed by telephone equipment," Telephony, available at http://www.pcwebopedia.com/TERM/t/telephony.html).
28 See Eddy, supra note 3 at 14 (citing California Healthcare
Foundation, Americans Worry About the Privacy of Their Computerized Medical
Records (Jan. 1999) available at http://www.chcf.org/press/viewpoints.cfm?itemID=362.
29 Id., at 456-57.
30 See Id. (quoting AMA member Joseph Heyman, M.D. "there
is nothing as important for the physician/patient relationship as the privacy
of medical records, because if you haven't got the privacy you haven't
got the relationship").
31 Id.
32 Id.
33 See Eddy, supra note 3, at 17-18 (providing a summary
and overview of HIPPA).
34 Health Insurance Portability and Accountability Act
of 1996, Pub. L. No. 104-191, 110 Stat. 1936; Id.
35 Id.
36 Id.
37 See id; See also Hussong, supra note 1, at 452-56;
See also Johnston, supra note 7, at 542-46 (providing a description of
HIPPA's requirements of both Congress and DHHS and Congress' failure to
meet those requirements by enacting legislation according to HIPPA's self-imposed
deadline).
38 Eddy, supra note 3, at 20; Hussong, supra note 1,
at 453-454; Johnston, supra note 7, at 550.
39 Id.
40 Hussong, supra note 1, at 454.
41 Id.
42 See Johnston supra note 7, at 550-551 (citing 45 C.F.R.
§ 164.504-510).
43 Johnston, supra note 7, at 551.
44 Id.
45 Id. at 551-52.
46 See Id. At 551-552 (citing 64 Fed. Reg. at 59, 949-50,
§§164.512-164.522 for a thorough summary of the new individual
privacy rights).
47 Id.
48 Id.
49 Id.
50 Id.
51 Id.
52 William C. Bauer & William T. Brown, The Digital
Transformation of Oral Health Care, 132 JADA 204, 204 (Feb. 2001).
53 See id. (describing the impact technology has had
on the field of dentistry).
54 45 C.F.R. 160.102 (a)-(c).
55 Hussong, supra note 1, at 457.
56 Bauer & Brown, supra note 31, at 204.
57 Hussong, supra note 1, at 457.
58 Id.
59 Jim Hopkins, Big Business Can't Swallow These Little
Fish, USA TODAY, March 27, 2002, at 1B-2B.
60 See id. at 2B (citing the practice of Chip Hill, a
Dentist in San Francisco as a typical example of the 111,497 dental practices
within the United States. Dr. Hill is a sole practitioner that works with
only three employees in his practice).
61 See id. (noting differences between small "solo" firms
and large organizations).
62 Id.
63 See Eddy supra note 3 at 32-33 (describing the small
business assistance outlined by SIPPIHI).
64The University of Iowa College of Dentistry Home Page,
available at http://dentistry.vh.org/care.html#provideroptions.
65 Id.
66 Id.
67 Id.
68 Id.
69 See generally The University of Iowa College of Dentistry
Home Page supra note 61; See also Hopkins supra note 57 (describing both
the University of Iowa's resources as well as the challenges that dentists
in small practices face).
70 See Johnston supra note 9 (describing "covered entities");
see also AMERICAN DENTAL ASSOCIATION PRINCIPLES OF ETHICS AND CODE OF PROFESSIONAL
CONDUCT (2000) (describing that all ADA members are subject to the ADA
code).
71 See Appendix I infra.
72 See Appendix II infra.
73 Id.
74 See Appendix I infra.
75 Id.
76 See Appendix II infra.
77 Id.
78 Id.
79 Id.
80 Id.
81 See Appendix III (noting that at the bottom of the
duplication request form there is the clear option to sned records via
fax).
82 See Hussong, supra note 1, at 459 (describing the
reasons assessing the performance of healthcare workers, developing clinical
guidelines, setting insurance premiums, and investigating insurance fraud).
83 See Eddy, supra notes 29 & 30 (describing the
link between lack of patient confidence and the general quality of health
care).
84 Id.
85 Id.
86 Id.
87 See Eddy, supra note 3, at 39-40.
88 Id. (citing American Political Network, Medical Privacy:
"Sweeping' Regulations Cause Much Debate, Am Health Line, (Nov. 1, 1999)
available at WL 11/1/99APN-HE 3). The costs to health insurance companies,
healthcare providers, and health plans would come from retraining employees,
hiring privacy experts, rewriting contracts, and implementing new technology,
"draconian" penalties for noncompliance, increased potential for costly
litigation. Id. at 460; Johnston, supra note 7, at 552-53.
89 See Id. at 40-42 (describing the differences between
DHHS estimates and estimates from independent research organizations).
90 Hopkins, supra note 57.
91 Infra, Appendix I.
92 Id.
93 Id.
94 Infra Appendix II.
95 Id.
96 Eddy, supra note 3,at 32-33.
97 Eddy, supra note 3, at 33-34.
98 Johnston, supra note 7, at 547-49.
99 See Id. (giving a description of these steps as they
relate to physicians).