HIPAA Compliance for Dentists
The issue of HIPAA compliance for dentists is not one that should be taken lightly. Research conducted by the American Dental Association shows dental practices are increasing in number and increasing in size, and – according to the National Association of Dental Plans – the number of US citizens with access to commercially or publicly funded dental care increased from 170 million (2006) to 248 million (2016).
As dental practices grow in size and gather larger databases of patient healthcare and payment data, they become more attractive targets for cybercriminals. Dentists covered under HIPAA need to ensure they comply with the HIPAA Privacy and Security Rules and – if an unauthorized disclosure of PHI occurs – the HIPAA Breach Notification Rule as the penalties for HIPAA violations by dentists can be significant.
Are Dentists Covered under HIPAA?
It depends on the circumstances. At one end of the scale, an individual dentist running his or her own dental practice will be a “HIPAA Covered Entity” if they electronically transmit any patient healthcare data for billing – for example, email a claim for payment to a health plan. Even if they use a third party such as a clearinghouse to submit the claim on their behalf, the dentist is still covered under HIPAA.
At the other end of the scale, a dentist employed by a dental firm is not covered under HIPAA – it is the dental firm that is the HIPAA Covered Entity. He or she will be expected to comply with HIPAA inasmuch as the dental firm will enforce HIPAA-compliant policies relating to the permissible uses and disclosures of PHI, but employees of dental firms are not considered to be dentists covered under HIPAA.
This explanation leaves a large gray area between either ends of the scale. Dentists in small practices should seek advice about whether they are dentists covered under HIPAA. If so, they must implement policies and procedures to achieve HIPAA compliance for dentists. If the practice is a Covered Entity, the dentist may still be involved in meeting the requirements of HIPAA compliance for dental practices.
What is HIPAA Compliance for Dentists?
As mentioned above, HIPAA compliance for dentists involves complying with the HIPAA Privacy, Security and Breach Notification Rules. The Rules cover how patient healthcare and payment data is created, used, stored and shared, and the circumstances in which data can be disclosed without patient authorization. The HIPAA Privacy Rule also gives patients rights over access to their health information.
The first stage of achieving HIPAA compliance for dentists is to appoint a Compliance Officer. The Compliance Officer can be the individual dentist, an existing employee of the dentist, or a consultant who will act as a temporary Compliance Officer until the first stages of compliance are achieved. The Compliance Officer will be responsible for:
- Conducting risk assessments to identify potential vulnerabilities in existing policies and procedures that could result in the unauthorized disclosure of patient data.
- Conducting risk analyses to identify the most appropriate way (as governed by HIPAA) to address the identified vulnerabilities and protect patient data.
- Implementing measures – which may include changes to working practices as well as technological measures – to protect the confidentiality, integrity and security of data.
- Developing policies and procedures to support the implementation of the HIPAA-compliant measures, plus a sanctions policy for the failure to comply with the policies and procedures.
- Training employees about the purpose of HIPAA compliance for dentists and why compliance is important, and explaining how any new procedures will work.
- Conducting due diligence on any third-party service providers with whom patient data is shared (Business Associates) and reviewing Business Associate Agreements.
- Developing contingency plans should a breach occur in order to minimize business disruption and potential penalties for non-HIPAA compliance for dentists.
It is important to note HIPAA compliance for dentists is not a one-off project. Compliance must be maintained and training regularly provided when further changes to work practices and new technology is implemented – even if the changes have nothing to do with HIPAA compliance. It is also important any risk assessments and analyses conducted when changes are implemented are chronicled.
HIPAA Compliance for Dental Practices
HIPAA compliance for dental practices is not dissimilar to HIPAA compliance to dentists, although the larger the dental firm, the more vulnerable it is to breaches of patients data and the more it is likely to be targeted by cybercriminals. With this in mind, special attention must be paid to service agreements with Business Associates and cybersecurity defenses.
Risk assessments and risk analyses will undoubtedly be more involved in larger dental firms, and it may be necessary to tailor training to the specific roles of employees. For larger multi-establishment dental enterprises (the highest growth area in dentistry according to the American Dental Association) it may be necessary to appoint separate (or multiple) HIPAA Privacy Officers and HIPAA Security Officers.
The Penalties for HIPAA Violations by Dentists
Penalties for HIPAA violations by dentists are not that common. The earliest recorded fine for dentists covered under HIPAA occurred in January 2015, when Joseph Beck of Comfort Dentists, Kokomo, Ind., was fined $12,000 for the unauthorized disclosure of thousands of patient records. Beck had engaged the services of a data company to destroy 63 boxes of patient records, but had failed to conduct due diligence on the company, and the boxes were found abandoned by a dumpster.
The imposition of penalties for HIPAA violations by dentists prompted the Chairman of the American Dental Association´s Council on Dental Practice – Dr. Andrew Brown to issue a statement urging healthcare providers in the dental industry to take HIPAA compliance for dentists seriously. He said: “There are steep consequences for healthcare providers that don’t comply with the law and we don’t want to see any dentists having to pay tens of thousands of dollars in penalties.”