HIPAA compliance for dentists is a challenging topic due to the multiple ways in which dental practices might function. As a result, dentists must be aware of their HIPAA “status,” understand who within the business is accountable for compliance, and ensure that all dental practice workers follow privacy and security policies and procedures.
HIPAA’s Administrative Simplification Regulations can be confusing for any kind of Covered Entity or Business Associate. Furthermore, the complexity of the regulations can confuse not only the organizations required to comply with them but also the general public, as evidenced by the fact that two-thirds of complaints to the Department of Health and Human Services Office for Civil Rights – the HIPAA enforcer – are dismissed after review.
Every dental office must adopt policies and procedures that explain how PHI (protected health information) may be used and disclosed and how it must be protected. These apply to the practice's own workforce and patients as well as to third-party service providers and other business partners.
A brief overview of HIPAA compliance
Understanding HIPAA compliance, in general, may be helpful before delving further into HIPAA compliance for dental offices.
The Health Insurance Portability and Accountability Act, or HIPAA, was enacted in 1996. Its implementing regulations control the use and disclosure of protected health information (PHI). The regulations are issued by the Department of Health and Human Services and enforced by its Office for Civil Rights.
PHI is individually identifiable health information that is created, received, stored, or transmitted by a Covered Entity or Business Associate. The Privacy Rule lists 18 identifiers that make health information identifiable, including:
- Medical record numbers
- Phone numbers
- Full-face photographs
- Account numbers and other financial identifiers
- Social Security numbers
- The remaining identifiers on the 18-item list, such as names, dates, email addresses, IP addresses, and biometric identifiers
PHI that is created, accessed, stored, or transmitted electronically is also subject to HIPAA and is referred to as ePHI, or electronic protected health information. ePHI is regulated by the HIPAA Security Rule, which was added to the regulations to account for the shift to electronic health records and other changes in medical technology.
The rules of HIPAA
HIPAA has a number of different rules. Here is a basic overview of the rules that all entities must be aware of:
- HIPAA Privacy Rule: Sets national standards for patient rights and the use and disclosure of protected health information (PHI). Among other things, it defines patients' rights to access their PHI, providers' obligations to limit access to and disclosure of PHI, and the required contents of HIPAA authorization (release) forms.
- HIPAA Security Rule: Sets the national standard for the secure handling, transmission, and storage of ePHI through administrative, physical, and technical safeguards.
- HIPAA Breach Notification Rule: Specifies the standards that must be followed when unsecured PHI or ePHI is breached, including who must be notified and within what timeframe.
- HIPAA Omnibus Rule: The 2013 rule that implemented the HITECH Act and made Business Associates directly liable for complying with the Security Rule and the applicable parts of the Privacy Rule, rather than being bound only through their contracts with Covered Entities.
The significance of HIPAA compliance for dentists
Protecting patient health information (PHI) should be a top priority for all healthcare organizations. One reason for this is that the healthcare sector is among those most frequently targeted by ransomware attacks.
These attacks take place when an attacker gains access to the internal network, then encrypts or steals confidential information and demands payment to restore access or to refrain from publishing it.
Some small medical practices, dental offices in particular, do not believe they need protection from such attacks. Unfortunately, this isn't the case: smaller offices and practices are targeted by attackers now more than ever.
Some people believe that the patient information kept by modern dental offices has little value, yet much of it could be used to commit financial fraud or steal someone's identity. Dental files usually contain PHI such as names, phone numbers, addresses, insurance details, Social Security numbers, medical information, and credit card information. As a result, HIPAA compliance is essential.
Who is in charge of ensuring dental HIPAA compliance?
The responsibility for dental HIPAA compliance depends on the structure of the dental practice and on whether the dentist qualifies as a Covered Entity or as a Business Associate (by providing services for or on behalf of a Covered Entity). A sole practitioner is naturally responsible for their own compliance and must identify themselves as the dental office's HIPAA Compliance Officer (or HIPAA Privacy Officer) on the Notice of Privacy Practices.
When a dentist is employed by or under contract with an organization, that organization is the Covered Entity. It must appoint a HIPAA Privacy Officer and a HIPAA Security Officer, who are responsible for creating and carrying out policies and procedures that comply with the Privacy and Security Rules. The Officers must also create policies and procedures to comply with the Breach Notification Rule.
When a dental practice is part of a Dental Service Organization, an Affiliated Covered Entity, or an Organized Health Care Arrangement, it is common for all of the member practices to share Privacy and Security Officers. This typically means that the same Notice of Privacy Practices and the same set of policies are followed by all of the group's dental practices. Members can also share PHI among themselves for treatment, payment, and health care operations without a Business Associate Agreement.
It is important to understand that employees, contractors, volunteers, students, and other workforce members are not Business Associates for the purposes of dental HIPAA compliance. They are, however, required to comply with the policies and procedures put in place by the Privacy and Security Officers, and they may be held personally liable for the improper disclosure of PHI.
What is HIPAA compliance for dentists?
To be in compliance with HIPAA, dentists must follow the HIPAA Privacy, Security, and Breach Notification Rules. The Rules specify how patient healthcare and payment data is created, used, stored, and shared, as well as the situations in which such data may be disclosed without the patient's authorization. The Privacy Rule also gives patients the right to access their health information.
As mentioned above, dentists and dental practices should appoint a Dental Office HIPAA Compliance Officer (or Officers). This is the first stage of HIPAA compliance for dentists, as the Compliance Officer is responsible for:
- Conducting a risk analysis to identify the threats and vulnerabilities in existing policies, procedures, and systems that could result in the unauthorized disclosure of patient data.
- Carrying out risk management: selecting the most appropriate measures (as governed by HIPAA) to address the identified risks and protect patient data.
- Implementing those measures, which may include changes to working practices as well as technical controls, to protect the confidentiality, integrity, and availability of data.
- Developing policies and procedures to support the implemented measures, plus a sanctions policy for workforce members who fail to comply with them.
- Training workforce members on the purpose of HIPAA compliance for dentists, why compliance matters, and how any new procedures work.
- Conducting due diligence on any third-party service providers with whom patient data is shared (Business Associates) and reviewing Business Associate Agreements.
- Developing contingency plans so that, should a disaster occur, business disruption and potential penalties for non-compliance are minimized.
It's crucial to understand that HIPAA compliance for dentists is a continuous process. Compliance must be maintained whenever work processes change or new technology is adopted, even when the change is not made for HIPAA reasons, and training must be repeated accordingly. The documentation of every risk analysis and assessment made when changes are adopted must be retained for at least six years.
What counts as a HIPAA violation?
A HIPAA violation is a failure to comply with one of the HIPAA Rules, whether or not it results in PHI or ePHI actually being exposed.
It is important to understand that data breaches and HIPAA violations are different things. Not every data breach is a HIPAA violation: some involve no PHI at all. A data breach is a HIPAA violation when it results from an outdated, inaccurate, or ineffective HIPAA compliance program or from a direct violation of your office's HIPAA policies.
If a breach of unsecured PHI occurs, HIPAA requires specific steps to be taken. These are defined in the HIPAA Breach Notification Rule, which sets out how Covered Entities and Business Associates must respond and whom they must notify after a breach.
Penalties for HIPAA dental violations
Penalties for HIPAA violations by dentists are uncommon. In 2015, Joseph Beck of Comfort Dentists in Kokomo, Indiana, was fined $12,000 for the unauthorized disclosure of thousands of patient records. Beck had engaged a data company to destroy 63 boxes of patient records, but because the company was never vetted, the boxes ended up abandoned beside a dumpster.
Dr. Andrew Brown, Chairman of the American Dental Association’s Council on Dental Practice, issued a statement asking healthcare providers in the dental industry to take HIPAA compliance for dentists seriously in response to the enforcement of penalties for HIPAA violations by dentists. He declared: “Healthcare providers that break the law face significant consequences, and we don’t want to see any dentists facing fines of tens of thousands of dollars.”
As dental practices grow and accumulate larger databases of patient medical and payment information, they become more attractive targets for cybercriminals. The consequences of HIPAA dental violations can be severe, so dentists covered by HIPAA must abide by the Privacy and Security Rules, and by the Breach Notification Rule if an unauthorized disclosure of unsecured PHI takes place.
Is your dental office HIPAA compliant?
Meeting HIPAA requirements is important for dentists. If you do not comply, you face penalties and fines. In addition, a breach of patient data can cause patients to lose trust in your office and services, limiting your ability to grow your practice.
If you want to avoid a HIPAA violation or any form of non-compliance, understand the HIPAA requirements for dentists and the most common violations that occur. With that knowledge you can be confident that you are prepared and that you have the tools and resources to mitigate an attack or breach. Staying informed is the most effective way to ensure that your practice is HIPAA compliant now and in the future.