Are You Prepared for a HIPAA Dental Audit?

Why – or Why Not?

By D. Kellus Pruitt; DDS

If you are a dentist and pay ADA dues year after year to be kept better informed about protecting your patients as well as your practice, your ignorance of HIPAA is not entirely your fault. The ADA clearly dropped the ball. Nevertheless, you could still suffer fines as high as $1.5 million for what our leaders failed to emphasize.

It’s time members accept the shameful truth about the ADA Department of Dental Informatics, headed by Ms. Jean Narcisi. Narcisi, working under the direction of ADA Sr. Vice President Dr. John Luther, has been abysmally negligent in preparing members for HITECH HIPAA, and now the compliance deadline is only days away. It’s been months since any information about HIPAA has been published in any ADA publications. Why?

HIPAA Avoidance 

Why do ADA leaders avoid discussing HIPAA? They are ashamed, not unlike embarrassed scam victims. About six years ago, Newt Gingrich visited ADA Headquarters and “lied” to ADA Delegates about the future of eHRs in the US. Then he bribed the ambitious career bureaucrats in the crowd with millions of dollars in federal grants to play along with the scam. I can only imagine that the Delegates must have been star-struck by the former Speaker of the House, because nobody dared ask the tough questions.

Newt’s Slick

So here I am, Ms. Jean Narcisi. I’m again doing your job because your mistakes I pointed out years ago now have you frozen in shame. If you disagree, and consider self-respect as something worth defending, let’s discuss your innocence in front of everyone – including the ADA members who pay your salary. Or, you can continue to hide from your responsibilities. This crap will catch up with you soon enough, Ms. Narcisi, and Dr. Luther no longer has the courage to stick his neck out to protect you. He’s also scared of me. You are alone.


Dom Nicastro, senior managing editor at HCPro, edits the Briefings on HIPAA and Health Information Compliance Insider newsletters. He posted an informative article on today titled “HIPAA Compliance Questions to Ask as HITECH Date Nears.”

The article features Chris Apgar, CISSP, president, Apgar & Associates, LLC, in Portland, Oregon. Mr. Apgar notes that “many covered entities and business associates have consistently failed to comply with the HIPAA Security Rule.” Apgar adds, “I find this over and over when conducting compliance audits.”

The lack of compliance described by Apgar is consistent with the results from my study in 2008, “HIPAA Rules and Dentistry.”

Study Abstract

A survey of 18 dentists was performed using the Internet as a platform. The volunteer dentists’ anonymity was guaranteed. The dentists were presented with ten HIPAA compliancy requirements followed by a series of questions concerning their compliancy as well as the importance of the requirements in dental practices.

The range of compliancy was found to be from 0% for the requirement of a written workstation policy to 88% for that of password security. The average was 49%, meaning that less than half of the requirements are being respected by the dentists in this sample.

Frustrated at Mandates

Frustration with the tenets of the mandate, as well as open defiance, is evident by the written responses. In addition, it appears that a dentist’s likelihood of satisfying a requirement is related to the dentist’s perceived importance of the requirement. Even though this is a limited pilot study, there is convincing evidence that more thorough investigation concerning the cost and benefits of the requirements needs to be performed before enforcement of the HIPAA mandate is considered for the nation’s dental practices.


Questions to Consider

Apgar says that the security rule requires covered entities to consider these questions:

  • Has a risk analysis been conducted lately? Was it properly documented? Were damages mitigated and were the risks acceptable?
  • Is privacy/security training current? Have new workforce members who will have access to personal health information (PHI) been adequately trained? Has refresher training for all staff been accomplished? Have security reminders been provided?
  • Are the office policies and procedures complete, current and enforceable? Are workforce members trained on the policies and procedures they are required to respect?
  • Has a comprehensive audit program been implemented? (The security rule requires three periodic audits and an “evaluation” or compliance audit). Are evaluations current? Have audit findings been addressed and documented?
  • Have up to date disaster recovery and emergency mode operations plans been communicated and recently tested?
  • Are CMS’ remote access guidelines being followed? (These are not part of the rule, but CMS earlier indicated remote access management would be included as audit criteria).
  • Are data in transit and data at rest encrypted? Are non-electronic PHI being protected?

Office of Civil Rights

Mr. Apgar adds that even though the Office of Civil Rights isn’t saying when audits will start, if a complaint is filed with OCR alleging “willful neglect,” OCR is mandated by statute to investigate. The fines for “willful neglect” are much more devastating than fines for simple carelessness. And “willful neglect” is a subjective judgment call made by inspectors … who work on commission.


Unfortunately for the nation’s dentists, the statute invites disgruntled patients and employees to celebrate revenge via federal inspectors. And, the more dentists are fined, the more the inspectors make. That can’t end well. Where are you hiding, Jean Narcisi? You’ve been silent far too long. Let’s talk. Don’t make me come get you.

Editor’s Note: The applicability of this post to all medical specialties is obvious.




Speaker: If you need a moderator or speaker for an upcoming event, Dr. David E. Marcinko; MBA – Publisher-in-Chief of the Medical Executive-Post – is available for seminar or speaking engagements. Contact:



ADA President and Broken Promises

The Future President

By Darrell K. Pruitt; DDS


The election for a future ADA president occurs the first week in October in Hawaii at the 2009 annual meeting. A couple of days ago, the ADA News Online posted the ADA President-elect candidates’ statements.

All three sound like they support meaningful dialogue with membership: Candidate Dr. Raymond Gist says one of his goals is: “To protect and preserve ownership of the intellectual property of the ADA while demonstrating transparency and fostering an understanding of how our system works.” Candidate Dr. William Glecos says “My first goal will be to coordinate and improve our communication efforts within the ADA. To make sure we are engaging all our members and imparting a sense of connection and transparency.” Candidate Dr. Marie Schweinebraten says “… communication, internal and external, must be improved to respond in today’s world … barriers must be eliminated to allow member input and volunteer involvement when solving specific issues.” I’ve seen candidates use these same buzzwords before, but not mean them. Dentistry is being severely threatened right now, and I’m too young to retire. So I want to see a future leader confident enough to walk through fire with me on behalf of my patients.

Promises from ADA President-elect candidates have been very disappointing so far. Past President Dr. Mark Feldman, President Dr. John Findley and President-elect Dr. Ron Tankersley each promised “transparency.” Feldman and Findley broke their promises very early, and so far, Tankersley has done no better. Nine months ago I invited Dr. Tankersley to a conversation about the future of electronic dental records and he chose to insult me with silence rather than respond. I took it personally, Ron, and I’ll never forget it. Because all three of these presidents are simply rude people, it wouldn’t bother me to never ask any of them for friendship. 

So do you think our fresh leaders are any more sincere about transparency with membership? Or are they also hoping to be safely elected? This could be an opportunity for one or more of the three to break loose and be counted as a brave leader… or not. Let me show you what Feldman, Findley and Tankersley have gotten us into. Below is a list of duties expected of dentists with NPI numbers that came out today on ANCO Online. If any of you three candidates have the courage to respond to my challenging comments about what I consider to be a perfect example of a renegade department, jump right in. Concerned members need to be warned about the courage we can count on. If you cannot defend the Department of Dental Informatics, just say so. We’ll all be better off. And on truth, we can build. What an opportunity for you! I bet one could easily gain the delegates’ attention by doing the right thing, even if it is unpopular at first to those who may have helped you to power.

Responding to this article in a respectful, professional way could be just what it takes to get a person elected to the highest position in the American Dental Association. That’s what you intensely want, isn’t it? You just have to recognize what I am spelling out for you, Raymond, William and Marie. Just look at the growing discontent with the ADA on the Internet. Whoever is the first to show sincerity and courage will become a hero to those of us who feel betrayed by those we once trusted. Victory will never be easier. I’ve had a look around. Believe me when I tell you that things are so bad that even I could be a contender. Don’t make me run for the job.

Here is the first issue for discussion if you are interested: For dentists who were persuaded by the ADA Department of Dental Informatics to quickly volunteer for the 10 digit identifying number, let me ask you this: If you had been told what ADA employees are paid to tell you, which you can read below, would you have applied for an NPI number? And if you were forced to apply for a number by a managed care contract with BCBSTX, Delta Dental or other discount dentistry broker, would that be considered an unfair business practice?

Let’s look at fairness: Who does the NPI number help? Dental patients or BCBSTX? Or perhaps the ADA? We were told again and again in ADA News Online articles written by Arlene Furlong that the best reason for the NPI number was convenience. She said office managers would love it because it would replace numerous identification numbers. When one reads the list of NPI obligations a dentist volunteers their office manager for, all those other numbers don’t seem so bad after all. Why was HIPAA so important that the ADA Department of Dental Informatics forced employees under its supervision to intentionally mislead membership? Does the ADA work for dentists and their patients or for CMS? There you go, Dr. Raymond Gist, Dr. William Glecos and Dr. Marie Schweinebraten. It’s your turn now. If you have the guts to step up to a challenge, it could pay off big. Besides, even if you get elected without first responding to my concerns, that doesn’t mean you’ll get rid of me. Oh heavens, no.

D. Kellus Pruitt; DDS


**** CMS NEWS ****

This message is for health care providers, particularly physicians and other practitioners, who have obtained National Provider Identifiers (NPIs) and have records in the National Plan and Provider Enumeration System (NPPES). The Centers for Medicare & Medicaid Services (CMS) recommends that each health care provider, including individual physicians and non-physician practitioners:

  • Secure and maintain their own NPPES account information (i.e., User ID, Password, and Secret Question/Answer) for safety and accessibility purposes. Health care providers should maintain the confidentiality of their User ID, password, and Secret Question/Answer in order to protect their NPPES information from unauthorized access.
  • Reset their NPPES passwords at least once a year. See the NPPES Application Help page at and select the ‘Reset Password Page’ for applicable rules. Those rules indicate the length, format, content and requirements of NPPES passwords.
  • Review their NPPES records in order to ensure that the information reflects current and correct information. Covered health care providers are required to update their NPPES information within 30 days of the effective date of the change.

Viewing NPPES Information

Health care providers, including physicians and non-physician practitioners, can view their NPPES information in one of two ways:

(1) By accessing the NPPES record at and following the NPI hyperlink and selecting Login. The user will be prompted to enter the User ID and password that he/she previously created. If the health care provider has forgotten the password, enter the User ID and click the “Reset Forgotten Password” button to navigate to the Reset Password Page. If the health care provider enters an incorrect User ID and Password combination three times, the User ID will be disabled. Please contact the NPI Enumerator at 1-800-465-3203 if the account is disabled or if the health care provider has forgotten the User ID.

OR

(2) By accessing the NPI Registry at

The NPI Registry gives the health care provider an online view of Freedom of Information Act (FOIA)-disclosable NPPES data. The health care provider can search for its information using the name or NPI as the criterion. Information regarding NPPES data that are FOIA-disclosable can be found at by selecting ‘Data Dissemination’. Please note: Business Mailing Address and Business Practice location information (full address and corresponding telephone numbers) are key data elements that are FOIA-disclosable.

Health care providers should not report their residential address unless it is their Business Mailing Address or Business Practice location. The NPPES data appearing on the NPI Registry cannot be deleted; however, it can be updated or changed.

Updating NPPES Information

Health care providers, including physicians and non-physician practitioners, can correct, add, or delete information in their NPPES records by accessing their NPPES records at and following the NPI hyperlink and selecting Login. The user will be prompted to enter the User ID and password that he/she previously created.

Please note: Required information cannot be deleted from an NPPES record; however, required information can be changed/updated to ensure that NPPES captures the correct information. Certain information is inaccessible via the web, thus requiring the change/update to be made via paper application. The paper NPI Application/Update Form (CMS-10114) can be downloaded and printed at

Deactivating the NPI

Health care providers, including physicians and non-physician practitioners, can deactivate their NPIs if the NPIs are no longer required or needed. Reasons for deactivation include retirement, business dissolved, or death of the health care provider. A request for deactivation must be submitted via paper application. The paper NPI Application/Update Form (CMS-10114) can be downloaded and printed at

Health care providers should review the instructions located on the application regarding deactivations in order to properly complete the deactivation request. The Power of Attorney or Executor of the Will may complete the application for deactivation due to death of the health care provider.

Need More Information?

Providers can apply for an NPI online at or can call the NPI enumerator to request a paper application at 1-800-465-3203. Visit CMS’ dedicated NPI web page at for additional NPI information.


Usual and Customary UnitedHealthcare?


More on “Sleazy” Healthcare Stakeholders


[By Darrell K. Pruitt; DDS]

If the leaders of the American Dental Association have the power and stoic determination to casually sweep aside trouble-making members who might tarnish their image, one would think that they could certainly avoid associating with sleazy healthcare stakeholders; such as UnitedHealthcare.

The Insurance Giants 

Have you ever suspected that insurance giants like UnitedHealthcare, WellPoint, Aetna and Cigna (and other members of the National Association of Dental Plans) lie to patients when they say a dentist’s fees are above “usual, customary and reasonable” levels? You could be correct. NY Attorney General Andrew Cuomo says UnitedHealthcare, WellPoint, Aetna and Cigna lie to physicians’ patients – understating New York state physicians’ fees up to 28 percent. Why would the crooks treat dentists’ patients any differently?

Employing Tapeworms to Control Fat

Cuomo caught UHC and others cheating their customers with smoke, mirrors and Ingenix – its wholly-owned data mining and consulting subsidiary.  Who would have guessed that UHC would tweak Ingenix to manipulate claims data to favor UHC and other insurance companies who subscribe to their services?  These are the same parasites who want to run the nation’s Pay-For-Performance (P4P) mandate – a cornerstone of President Bush’s healthcare reform ideas.  They want to tweak professional reputations for healthcare reform and the common good. 

And of Ingenix 

Ingenix is a full-service consulting business for insurers, backed with the credibility of 14 years of accumulated health claims it is privy to.  The “friend in the business” not only cooks the data to produce profit-enhancing Usual, Customary and Reasonable (UCR) fee schedules, Ingenix is also active in “pay-for-performance program assessment, strategy, planning, design, implementation, evaluation and improvement.”

So if you like the way UnitedHealthcare dental consultants treat you now, just wait until they are given authority to determine your worth to society using Ingenix leveraging tools.


I first read about pay-for-performance [P4P] in dentistry in February 2006 in an email from Patrick Cannady who is an employee in the ADA Department of Dental Informatics.  He told me that nation-wide quality control in dentistry is an important benefit of having a HIPAA-compliant, paperless dental practice – and that the Department of Dental Informatics is very excited about the opportunity to help prepare US dentists for the future.  A month or so later, I learned that the NPI number the ADA still pushes on membership is the crucial legal link to government-approved P4P data-mills like Ingenix – a wholly-owned UnitedHealthcare profit center.  Do you think it is odd that the NPI is “voluntary,” yet irreversible?

AMA’s Award 

In January, the AMA was awarded $350 million in a lawsuit against UnitedHealthcare and Ingenix on behalf of physicians, and they plan to sue other major insurance companies as well.  So what has the ADA done to discourage UnitedHealthcare’s and other NADP members’ atrocious behavior that undeniably harms dental patients?  You won’t believe it when I tell you. Here’s more:  In a recent Associated Press interview, Sen. Jay Rockefeller, chairman of the Senate Commerce, Science and Transportation Committee, said UnitedHealthcare is nothing but a company of cheats.  He says, “They’re lowballing deliberately. They deliberately cut the numbers so the consumer has to pay more of the cost.”

So if Cannady’s department is all for P4P and other benefits from interoperable digital records, the question on most ADA members’ minds should be:  What does the ADA think of UnitedHealthcare?

ADA News Online

Two weeks ago the ADA News Online posted an advertisement that looks like an article (with no byline) for the spring meeting of the American Association of Dental Consultants (AADC) on May 7-9 in Scottsdale, Arizona.

Since it is so well known that UnitedHealthcare is the major funding sponsor of the AADC, the word in the neighborhood says AADC, like Ingenix, is another UnitedHealthcare profit center awaiting the wrecking-ball.



Last year’s annual meeting of the dental consultants – who deny dental claims to protect the ethics in dentistry – featured ADA Senior Vice-President Dr. John Luther as a guest speaker.  Dr. Luther is Cannady’s boss.  He oversees the Department of Dental Informatics.  Yep.  The ADA is tight with UnitedHealthcare. One can tell a person’s character by the company he or she keeps. 

