HIPAA Rules for Dentists

HIPAA Regulations for Dental Offices

Although many dental offices are self-contained entities, the HIPAA rules for dentists apply to any dental office that may send claims, eligibility requests, pre-determinations, claim status inquiries or treatment authorization requests electronically.

If a dental office transmits any of the above transactions directly to a payer, or uses the services of a business associate – who has access to individually identifiable health information – the HIPAA regulations for dental offices also apply and must be adhered to.

Furthermore, policies must be developed to instruct dental office employees on procedures for the use, disclosure and safeguarding of the PHI – not only to patients and colleagues, but also to business associates and third-party service providers.

What are the HIPAA Rules for Dentists?

The HIPAA Rule for Dentists  consists of the Privacy Rule (2003), Security Rule (2005) and Breach Notification Rule (2009). Dentists and Dental Offices should also ensure they are familiar with any relevant changes to these Rules enacted in the HITECH Act (2009) and Final Omnibus Rule (2013). The key areas of the HIPAA Privacy Rule for dentists are:

  • The personal HIPAA identifiers considered to be Protected Health Information.
  • The permissible uses and disclosures of Protected Health Information.
  • Safeguards to implement to protect the privacy of patient health information.
  • An explanation of the Minimum Information Necessary rule.
  • Restrictions on the use of Protected Health Information for marketing.
  • Patient access to medical information and notice of privacy practices.

Information about all these elements of the HIPAA Privacy Rule for Dentists, plus details about signing Business Associate Agreements with any non-employee who has authorized access to patients´ records, can be found in our HIPAA Compliance Guide – a comprehensive guide to the HIPAA rules for dentists, which includes an explanation of the Breach Notification Rule, and the updates to the HIPAA Privacy and Security Rules enacted in the HITECH Act and Final Omnibus Rule.

The HIPAA Security Rule for Dentists

The HIPAA Security Rule is primarily comprised of three sets of “requirements” – technical requirements, physical requirements and administrative requirements. The technical requirements cover how patient information should be communicated electronically (for example email is not allowed, nor is SMS or Skype). The technical requirements also detail the processes and controls that have to be implemented in order to protect PHI when it is at rest or in transit.

The physical HIPAA regulations for dental offices concern the security of computer systems and the environment in which the computer systems are situated. Responsibilities included in the physical HIPAA regulations for dental offices include establishing a faculty plan and a contingency plan in the event of an emergency, and implementing validation procedures to restrict physical access to PHI stored on the computer systems.

The administrative HIPAA rules for dentists require that system administrators are appointed to select and implement a compliant communications system. Administrators are also responsible for developing “best practice” policies, training dental office employees on the use of the compliant communication system, and for monitoring activity on the system. Administrators are also responsible for ensuring HIPAA compliance by Business Associates.

A Solution for the HIPAA Security Rule

Whereas meeting the Business Associate, privacy and breach notification HIPAA regulations for dental offices can be achieved without too many issues, complying with the HIPAA Security Rule can present a headache for many dental offices. A solution to the HIPAA Security Rule is to implement a system of secure messaging.

Unlike email, SMS or Skype, secure messaging is conducted within a private network only accessible by authorized users. The authorized users can access patient data and communicate it with other authorized users only after they log in to secure messaging apps which require user authentication via a unique centrally-issued username and password.

All patient data is encrypted at rest and in transit, so it is perfectly safe to send text messages, share images or conduct video calls over public Wi-Fi services via a mobile device. The secure messaging apps can also be used on desktop computers, and a time-out feature automatically logs users out of the network when a computer or mobile device is unattended, to prevent unauthorized access to patient data.

In addition to safeguards that prevent patient data being saved to an external hard drive, copied and pasted or forward outside of the dental practice´s private network, the messaging platform through which all communications travel monitors activity on the network. Administrators can ensure that secure messaging policies are being adhered to, or PIN-lock an app if the device it is downloaded onto is lost, stolen or disposed of.

Additional Benefits of Secure Messaging

Secure messaging solutions were originally developed to enable HIPAA covered entities to comply with the industry regulations for privacy and security. However, a series of efficiency-increasing and cost-reducing benefits have resulted from the implementation of secure messaging solutions – many of which will be applicable in a dental office environment:

  • Dentists and dental office employees can receive secure messages on any desktop computer or mobile device – enabling them to access patient data “on-the-go”.
  • Images and documents can be attached to secure messages, which can then be shared among dentists if collaboration is required on the treatment of a patient.
  • Secure messages can also be used in scenarios where a patient cannot attend a dental office and their condition can be diagnosed at home or in another medical setting.
  • Time consuming phone tag and the need for follow-up calls is significantly reduced due to automatically-produced delivery notifications and read receipts.
  • When the secure messaging solution is integrated with an EHR, authorized personnel can load patient notes directly onto the system from a mobile device.

These features and benefits ensure that secure messages are transmitted to the correct recipient, reduce the time and money that may be wasted between sending messages and receiving replies, and protect the integrity of patient data in compliance with the HIPAA rules for dentists.

Are You Complying with the HIPAA Rules for Dentists?

Secure messaging solutions are not difficult to implement. As all communications and access to patient data goes through a cloud-based “Software-as-a-Service” platform, there is no additional hardware to purchase and no need to engage the services of an IT specialist to install complicated software.

The secure messaging apps have a text-like interface similar to commercially available messaging apps, so little training will be required before the solution is up and running and the HIPAA regulations for dental offices are being complied with.

Naturally, secure messaging solutions only take care of the requirements under the HIPAA Security Rule. Dental offices will have to research and adapt other privacy measures before they are in full compliance with the HIPAA rules for dentists.