The problem of HIPAA compliance for dentists is not one that should be disregarded. Research carried out by the American Dental Association shows dental practices are rising in number and increasing in size, and – according to the National Association of Dental Plans – the number of US citizens with access to commercially or publicly financed dental care went up from 170 million (2006) to 248 million (2016).
As dental clinics grow in size and gather larger databases of patient healthcare and payment data, they become more attractive targets for hackers. Dentists covered under HIPAA need to ensure they comply with the HIPAA Privacy and Security Rules and – if an unauthorized disclosure of PHI happens – the HIPAA Breach Notification Rule, as the penalties for HIPAA violations by dentists can be major.
Are Dentists Governed by HIPAA?
It depends on the specific circumstances. At one end of the scale, an individual dentist running his or her own dental practice will be a “HIPAA Covered Entity” if they electronically transmit any patient healthcare data for invoicing – for example, emailing a claim for payment to a health plan. Even if they use an external third party such as a clearinghouse to submit the claim on their behalf, the dentist is still covered under HIPAA.
At the other end of the scale, a dentist employed by a dental firm is not covered under HIPAA – it is the dental clinic that is the HIPAA Covered Entity. He or she will be expected to comply with HIPAA in that the dental firm will enforce HIPAA-compliant policies relating to the permissible uses and disclosures of PHI, but staff members of dental firms are not considered to be dentists covered under HIPAA.
This explanation leaves an uncertain area between the two ends of the scale. Dentists in small practices should seek advice about whether they are dentists governed by HIPAA. If so, they must put in place policies and procedures to achieve HIPAA compliance for dentists. If the clinic is the Covered Entity, the dentist may still be involved in meeting the requirements of HIPAA compliance for dental clinics.
HIPAA Compliance for Dentists
As mentioned previously, HIPAA compliance for dentists involves complying with the HIPAA Privacy, Security and Breach Notification Rules. The Rules govern how patient healthcare and payment data is created, used, stored and shared, and the circumstances in which data can be shared without patient authorization. The HIPAA Privacy Rule also gives patients rights of access to their healthcare data.
The first part of achieving HIPAA compliance for dentists is to designate a Compliance Officer. The Compliance Officer can be the dentist, an existing employee of the dentist, or a consultant who will act as a temporary Compliance Officer until the first stages of compliance are met. The Compliance Officer will be charged with:
- Completing risk assessments to identify potential vulnerabilities in existing policies and procedures that could result in the unauthorized disclosure of patient data.
- Carrying out risk analyses to identify the most appropriate way (as governed by HIPAA) to address the identified vulnerabilities and protect patient data.
- Adopting measures – which may include changes to working practices as well as technological measures – to protect the confidentiality, integrity and security of data.
- Creating policies and procedures to support the implementation of the HIPAA-compliant measures, plus a sanctions policy for failure to comply with the policies and procedures.
- Educating employees on the purpose of HIPAA compliance for dentists and why compliance is important, and explaining how any new procedures will work.
- Conducting due diligence on any third-party service providers with whom patient data is shared (Business Associates) and overseeing Business Associate Agreements.
- Initiating contingency plans should a breach take place, in order to minimize business disruption and potential fines for non-compliance with HIPAA.
It is crucial to remember that HIPAA compliance for dentists is not a one-off project. Compliance must be managed and training regularly provided whenever further changes to work practices are made or new technology is adopted – even if the changes are not related to HIPAA compliance. It is also important that any risk assessments and analyses completed when changes are implemented are recorded.
Dental Practices and HIPAA Compliance
HIPAA compliance for dental practices is not very different from HIPAA compliance for dentists, although the larger the dental firm, the more vulnerable it is to breaches of patient data and the more likely it is to be targeted by hackers. With this in mind, special attention must be paid to service agreements with Business Associates and to defenses against hacking.
Risk assessments and risk analyses will no doubt be more involved in larger dental firms, and it may be necessary to tailor training to the specific roles of workers. For larger multi-establishment dental enterprises (the area of highest growth in dentistry according to the American Dental Association) it may be necessary to designate separate (or multiple) HIPAA Privacy Officers and HIPAA Security Officers.
The Fines for HIPAA Violations by Dentists
Penalties for HIPAA violations by dentists are not seen often. The earliest recorded fine for dentists covered under HIPAA occurred in January 2015, when Joseph Beck of Comfort Dentists, Kokomo, Ind., was fined $12,000 for the unauthorized disclosure of thousands of patient files. Beck had hired a data company to destroy 63 boxes of patient records, but had failed to conduct due diligence on the company, and the boxes were found left by a dumpster.
The imposition of penalties for HIPAA breaches by dentists led the Chairman of the American Dental Association's Council on Dental Practice – Dr. Andrew Brown – to release a statement urging healthcare providers in the dental industry to take HIPAA compliance for dentists seriously. He remarked: “There are steep consequences for healthcare providers that don’t comply with the law and we don’t want to see any dentists having to pay tens of thousands of dollars in penalties.”