For HIPAA compliance, a dentist office must implement administrative, physical, and technical safeguards to protect patient health information, such as conducting regular risk assessments, training staff on HIPAA regulations, securing patient records, using encrypted communication channels, ensuring secure disposal of PHI, obtaining necessary Business Associate Agreements with third-party service providers, and establishing policies for PHI access, disclosure, and breach notification, to ensure the confidentiality, integrity, and availability of patient information as required under HIPAA.
The table below provides a list of the main tasks a dentist office needs to do for HIPAA compliance.
| HIPAA Compliance | Task Description |
|---|---|
| Privacy Policies | Develop comprehensive privacy policies that govern the use and disclosure of PHI, ensuring these policies are accessible to staff and patients and include necessary consent and authorization forms. |
| Security Measures | Implement robust security measures including encrypted digital storage, secure filing systems for physical records, and regular updates to security software to protect against data breaches. |
| Staff Training | Conduct thorough and regular training sessions for all staff members on HIPAA regulations, emphasizing the importance of confidentiality and the correct procedures for handling and sharing patient information. |
| Patient Rights | Uphold patients’ rights under HIPAA, including the right to access their health records, request amendments, and receive an accounting of disclosures of their PHI, ensuring transparent and respectful handling of patient information. |
| Risk Assessment | Perform comprehensive risk assessments routinely to identify potential risks to the security and privacy of PHI, and take appropriate measures to mitigate these risks. |
| Business Associate Agreements | Formalize agreements with all third-party service providers (business associates) who have access to PHI, ensuring they also comply with HIPAA regulations and safeguard patient information. |
| Secure Communication | Utilize secure communication channels, such as encrypted email and messaging services, for any communication involving PHI to protect against unauthorized access and data breaches. |
| Breach Notification Protocol | Establish a clear and efficient protocol for responding to and reporting any breaches of PHI, including notification to affected patients and relevant authorities in a timely manner. |
| Record Keeping | Maintain meticulous records of PHI handling, including disclosures, consents, training documents, and risk assessments, ensuring these records are accessible for audits and reviews. |
| Patient Consent and Authorization | Obtain explicit patient consent and authorization for uses and disclosures of PHI not covered by HIPAA, ensuring patients are fully informed and their preferences are respected. |
| Physical Security | Enhance physical security measures in the office, such as secure locks, restricted access areas, and surveillance systems, to prevent unauthorized access to physical records of PHI. |
| Audit Controls | Implement audit controls to regularly review access and activity related to PHI, helping to identify and address potential privacy concerns proactively. |
In the past, dental offices may have felt less concerned by the Health Insurance Portability and Accountability Act, more often known as HIPAA, but this changed in 2015 when Dr Joseph Beck, a dentist, received a fine due to an alleged HIPAA violation, the first dentist to receive such a sanction. HIPAA compliance is important for dentist offices because it ensures the protection and confidentiality of patient health information, a fundamental aspect of patient trust and professional responsibility in healthcare. Dentist offices handle sensitive patient data, including medical histories, treatment plans, and payment information. By complying with HIPAA, they establish safeguards against unauthorized access, use, or disclosure of this information, thereby reducing the risk of privacy breaches that can lead to legal liabilities and damage to the practice’s reputation. HIPAA compliance creates a culture of privacy and security within the office, ensuring that staff are aware of and adhere to best practices in handling patient information. This not only protects patients but also aligns the practice with legal and ethical standards, avoiding potential fines and penalties associated with non-compliance. Adherence to HIPAA regulations demonstrates a commitment to maintaining the highest standards of patient care and confidentiality, which is essential in building and maintaining trust with patients, a cornerstone of any healthcare practice.
Who can issue HIPAA penalties to Dentists?
This fine did not come from the Department of Health and Human Services’ Office for Civil Rights, the federal authority charged with enforcing HIPAA, but instead was issued by the Office of the Attorney General of Indiana. State Attorneys General can pursue HIPAA violations and in this instance Dr Beck was fined $12,000 as a result of the alleged mishandling of protected health information (PHI) relating to 5,600 people.
While HIPAA violations continue to occur and the ensuing sanctions continue to be handed down, dentists and dental offices have been rather unscathed. However, this may change with the increased focus and attention that state attorneys general and the OCR have put on dentists. Dental offices are liable to be audited for HIPAA compliance just like any other HIPAA-covered entity if they use electronic dental claims.
In the past, the OCR restricted itself mainly to issuing technical guidance in lieu of financial sanctions. As time goes on, however, dentist offices have been given ample opportunity to implement any necessary changes and procedures, so it may be that the OCR has somewhat lost its patience.
Advice from the ADA
In 2016, the American Dental Association urged dentists to take their obligations under HIPAA seriously. Dr. Andrew Brown, chair of the ADA Council on Dental Practice at the time, said, “there are steep consequences for health care providers that don’t comply with the law and we don’t want to see any dentists having to pay tens of thousands of dollars in a penalty.”
Dentists must ensure they are in compliance with all relevant aspects of HIPAA. Even dental offices that have not already been contacted by the OCR and asked to demonstrate HIPAA compliance will likely be contacted in the future. Auditors can conduct on-site visits and may request many different types of documents, for example documents relating to procedures, standard practices, and manuals which will all need to be in order.
Cyber security
An aspect which many may initially overlook is the threat posed to PHI by cyber attackers and other malicious online actors. Internet and cyber security may not seem like priorities and may not be fully understood by staff in your dental practice but it is essential that they be sufficient to comply with HIPAA rules. As it is so easy for a cyber attacker to instantly gain access to hundreds, thousands or even millions of patient records electronically, and as the OCR opens investigations into data breaches that affect the PHI of over 500 people, it is easy to see how a single successful attack can lead to a large amount of trouble and put many people at risk.
Given the simplicity with which a HIPAA violation can occur via electronic means, either by phishing scams, fake email attachments, stolen laptops or smart phones and many other ways, HIPAA-covered entities must protect their patients and themselves. Smaller practices may be easier targets for attackers and are therefore a prime target for the OCR to audit. It is therefore essential for dental offices to check their requirements under HIPAA and work to bring themselves in line with these necessities as quickly as possible.