HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Compliance for Dentists

HIPAA compliance for dentists is a complicated topic due to the many different ways in which dental practices can operate. Consequently, it is important for dentists to be aware of their HIPAA “status”, understand who within the organization is responsible for compliance, and ensure all dental practice workers comply with privacy and security policies and procedures.

The Administrative Simplification Regulations of HIPAA can be difficult to understand for any type of Covered Entity or Business Associate. The complexity of the regulations confuses not only the organizations required to comply with them but also the public, as evidenced by the fact that two-thirds of complaints to the Department of Health and Human Services' Office for Civil Rights (OCR), the agency that enforces HIPAA, are dismissed after review.

HIPAA compliance for dentists and dental practices can be particularly complicated. Some dentists do not qualify as Covered Entities and are therefore not required to comply with the HIPAA Privacy and Security Rules; in some states a more stringent state privacy law takes precedence over HIPAA; and a dental practice may be part of a Dental Service Organization which is itself part of an Affiliated Covered Entity or Organized Health Care Arrangement.

Are Dentists Covered by HIPAA?

Some dentists are covered by HIPAA. Some aren't. According to the Department of Health and Human Services (HHS), Covered Entities include dentists, “but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard”. The transactions for which HHS has adopted standards include (but are not limited to):

  • Payment and remittance advice
  • Claims status
  • Eligibility
  • Coordination of benefits
  • Claims and encounter information
  • Enrollment and disenrollment
  • Referrals and authorizations
  • Premium payment

Voice communications by phone and paper communications by non-digital fax are not considered “electronic”, and it is possible for a dentist to operate a business using only these channels, in which case they would not be required to comply with the HIPAA regulations for dental offices. Dentists might also not be covered by HIPAA if they work at a school, because students' medical records held by the school are covered by the Family Educational Rights and Privacy Act (FERPA) rather than HIPAA.

However, if a dentist or dental practice uses (for example) email to make a claim for payment, but non-digital fax for every other transaction for which HHS has adopted standards, the dentist is covered by HIPAA for all transactions and must comply with the rules of HIPAA for dental offices. Dentists are also covered by HIPAA if they do not transmit electronic transactions themselves but use a third party (for example, a billing service) to make claims for payment on their behalf.

Confusingly, a dentist who does not qualify as a Covered Entity can still be subject to the HIPAA Security Rule and the applicable parts of the Privacy Rule, as a Business Associate, if they provide a service for, or on behalf of, a dentist who does qualify as a Covered Entity. Because dentists that fail to comply with HIPAA can be subject to substantial penalties, all dentists should establish whether their practice is covered by HIPAA and, if so, what the HIPAA regulations for dental offices require.

Who is Responsible for Dental HIPAA Compliance?

When a dentist qualifies as a Covered Entity, or as a Business Associate by providing a service for, or on behalf of, a Covered Entity, the responsibility for dental HIPAA compliance depends on the structure of the dental practice. A solo practitioner is naturally responsible for his or her own compliance with HIPAA, serves as the practice's HIPAA Compliance Officer (Privacy Officer and Security Officer), and must be named on the practice's Notice of Privacy Practices as the contact for privacy questions and complaints.

When a dentist is employed by, or contracted to, an organization, the organization becomes the Covered Entity. The organization is responsible for appointing (or designating) a HIPAA Privacy Officer and a HIPAA Security Officer – these roles being responsible for developing and implementing policies and procedures that comply with the Privacy and Security Rules. The Officers must also develop policies and procedures to comply with the Breach Notification Rule.

When a dental practice is part of a Dental Service Organization, Affiliated Covered Entity, or Organized Health Care Arrangement, it is usual for all the entities to share Privacy and Security Officers. What this usually means is that all the dental practices in the group have the same Notice of Privacy Practices and apply the same policies and procedures. It also allows them to share PHI for treatment, payment, and health care operations without a Business Associate Agreement.

It is important to note that members of an organization's workforce (employees, contractors, volunteers, students, etc.) are not Business Associates for the purpose of HIPAA compliance for dentists. Nonetheless, they are responsible for complying with the policies and procedures implemented by the Privacy and Security Officers and can be held personally liable for the wrongful disclosure of individually identifiable health information.

What is HIPAA Compliance for Dentists?

HIPAA compliance for dentists involves complying with the HIPAA Privacy, Security, and Breach Notification Rules. The Rules cover how patient healthcare and payment data is created, used, stored, and shared, and the circumstances in which health and payment information can be disclosed without patient authorization. The HIPAA Privacy Rule also gives patients rights of access to their health information.

As mentioned above, dentists and dental practices should appoint a Dental Office HIPAA Compliance Officer (or Officers). This is the first stage of HIPAA compliance for dentists, as the Compliance Officer is responsible for:

  • Conducting a risk analysis to identify potential threats and vulnerabilities, in existing policies and procedures as well as in systems, that could result in the unauthorized disclosure of patient data.
  • Managing those risks by determining the most appropriate way (as governed by HIPAA) to address each identified vulnerability and protect patient data.
  • Implementing measures, which may include changes to working practices as well as technical safeguards, to protect the confidentiality, integrity, and availability of data.
  • Developing policies and procedures to support the implemented measures, plus a sanctions policy for workforce members who fail to comply with the policies and procedures.
  • Training workforce members on the purpose of HIPAA compliance for dentists, why compliance is important, and how any new procedures will work.
  • Conducting due diligence on any third-party service providers with whom patient data is shared (Business Associates) and reviewing Business Associate Agreements.
  • Developing contingency plans for responding to a disaster, in order to minimize business disruption and the potential penalties for non-compliance.

It is important to note that HIPAA compliance for dentists is not a one-off project. Compliance must be maintained, and training provided again whenever work practices change or new technology is implemented, even if the change has nothing to do with HIPAA. Any risk assessments and analyses conducted when changes are implemented must be documented, and the documentation retained for a minimum of six years.

HIPAA Compliance for Dental Practices

HIPAA compliance for dental practices is not dissimilar to HIPAA compliance for dentists, although the larger the dental firm, the more patient data it holds, the more vulnerable it is to breaches, and the more likely it is to be targeted by cybercriminals. With this in mind, special attention must be paid to cybersecurity defenses and to the service agreements with Business Associates.

Risk assessments and risk analyses will undoubtedly be more involved in larger dental firms, and it may be necessary to tailor training to the specific roles of employees. For larger multi-establishment dental enterprises (the highest growth area in dentistry according to the American Dental Association) it may be necessary to appoint a Dental Office HIPAA Compliance team.

Unlike in Dental Service Organizations, Affiliated Covered Entities, or Organized Health Care Arrangements, it may also be necessary to develop and implement different policies for different dental practices. This is most likely in larger, multi-state dental firms where a more stringent state privacy law takes precedence over HIPAA in one state but does not apply in another.

The Penalties for HIPAA Dental Violations

Penalties for HIPAA violations by dentists are not that common. The earliest recorded fine for dentists covered under HIPAA occurred in 2015, when Joseph Beck of Comfort Dentists, Kokomo, Ind., was fined $12,000 for the unauthorized disclosure of thousands of patient records. Beck had engaged a data company to destroy 63 boxes of patient records but had failed to conduct due diligence on the company, and the boxes were found abandoned by a dumpster.

The imposition of penalties for HIPAA violations by dentists prompted the Chairman of the American Dental Association´s Council on Dental Practice – Dr. Andrew Brown – to issue a statement urging healthcare providers in the dental industry to take HIPAA compliance for dentists seriously. He said: “There are steep consequences for healthcare providers that don’t comply with the law, and we don’t want to see any dentists having to pay tens of thousands of dollars in penalties.”

As dental practices grow in size and gather larger databases of patient healthcare and payment data, they become more attractive targets for cybercriminals. Dentists covered under HIPAA need to ensure they comply with the HIPAA Privacy and Security Rules and – if an unauthorized disclosure of unsecured PHI occurs – the HIPAA Breach Notification Rule as the penalties for HIPAA dental violations can be significant.

HIPAA Compliance for Dentists: FAQs

Have there been further penalties for HIPAA violations by dentists?

Yes. In 2019, Elite Dental Associates in Dallas, Texas, agreed to a $10,000 settlement and a Corrective Action Plan for impermissibly disclosing patients´ ePHI on Yelp, failing to implement appropriate privacy policies, and failing to provide patients with a Notice of Privacy Practices.

Why is a Notice of Privacy Practices important?

The Notice of Privacy Practices explains to patients how dentists are allowed to use individually identifiable health information and when they are allowed to disclose it without first obtaining the patient's authorization. The Notice should also explain the circumstances in which authorization is required and provide contact details for the practice's Privacy Officer in case the patient has a question or reason to make a complaint.

Has a dental office employee ever been held liable for a HIPAA violation?

Yes. A former receptionist at a New York dental surgery was sentenced to 2 to 6 years for abusing her access rights and stealing the individually identifiable health information of 653 patients. The information was passed on to a co-defendant in the case, who used the data to steal identities and make fraudulent purchases of high-value items.

What HIPAA training do employees of dental practices require?

All members of a dental practice's workforce (whether employees, students, volunteers, etc.) have to undergo security awareness training regardless of whether or not they have access to Protected Health Information. Individual workforce members also need to be trained on the dental practice's privacy, security, and breach notification policies and procedures that apply to their functions.

Are there some privacy practices that apply to all workforce members?

It is a good idea to train all workforce members on subjects such as permissible uses and disclosures of Protected Health Information, the minimum necessary standard, and the difference between patient consent and patient authorization. It may also be helpful to explain the background to the Privacy and Security Rules and what their objectives are.

What type of business associates might a dental practice share PHI with?

There is a wide range of third-party service providers with whom dental practices might share PHI, for example a software developer, a cloud-based data storage service (e.g., AWS, Azure, Google Cloud, etc.), an accreditation service, an accountant, or a lawyer.

Before PHI is shared with any third-party service provider, the dental practice must conduct due diligence to ensure any PHI shared with the service provider will be used, disclosed, and secured in compliance with HIPAA, and have a Business Associate Agreement in place detailing how PHI shared with the service provider can be used.

Why “might” dentists not be covered by HIPAA if they work at a school?

Although students' medical records are covered by the Family Educational Rights and Privacy Act (FERPA), some educational institutions (e.g., teaching colleges) provide medical services to members of the public as well as to students. In such cases, although the students' medical records are covered by FERPA, the medical records belonging to members of the public are covered by HIPAA.