Dentist and HIPAA Compliance need to be strongly considered as research conducted by the American Dental Association indicates dental practices are increasing in number and increasing in size, and – according to the National Association of Dental Plans – the amount of US citizens with access to commercially or publicly funded dental care rose to 170 million (2006) to 248 million (2016).
As dental clinics increase in size and gather larger databases of patient healthcare and payment data, they become more attractive targets for hackers. Dentists subject to HIPAA need to ensure they comply with the HIPAA Privacy and Security Rules and – if an unauthorized sharing of PHI happens – the HIPAA Breach Notification Rule as the penalties for HIPAA violations by dentists can be major.
Does HIPAA Incorporate Are Dentists?
It depends on the specific circumstances. You could have an individual dentist running his or her own dental practice will be a “HIPAA Covered Entity” if they electronically transmit any patient healthcare data for billing – for example, email a claim for payment to a health plan. Even if they use a third party such as a clearinghouse to file the claim on their behalf, the dentist is still subjected to HIPAA.
Alternatively you could have a dentist employed by a dental firm is not governed by HIPAA – it is the dental firm that is the HIPAA Covered Entity. He or she will have to comply with HIPAA inasmuch as the dental firm will enforce HIPAA-compliant policies relating to the allowable uses and disclosures of PHI, but employees of dental firms are not considered to be dentists covered under HIPAA.
Dentists in small clinics should seek advice about whether they are dentists covered under HIPAA. If so, they must put in place policies and procedures to achieve HIPAA compliance for dentists. If the practice is a Covered Entity, the dentist may still be involved in meeting the requirements of HIPAA compliance for dental clinics.
HIPAA Compliance for Dentists Explained
As mentioned previously, HIPAA compliance for dentists involves adhering with the HIPAA Privacy, Security and Breach Notification Rules. The Rules cover how patient healthcare and payment data is formulated, used, stored and shared, and the circumstances in which data can be shared without patient authorization. The HIPAA Privacy Rule also gives patients rights over access to their health details.
The first stage of achieving HIPAA compliance for dentists is to designate a Compliance Officer. The Compliance Officer can be the dentist, an existing employee of the dentist, or a consultant who will be the temporary Compliance Officer until the first stages of compliance are completed. The Compliance Officer will be charged with:
- Completing risk assessments to identify potential flaws in existing policies and procedures that could result in the unauthorized disclosure of patient information.
- Completing risk analyses to spot the most appropriate way (as governed by HIPAA) to address the identified flaws and protect patient data.
- Adapting measures – which may include amendments to working practices as well as technological measures – to protect the confidentiality, integrity and security of information.
- Developing policies and processes to support the implementation of the HIPAA-compliant measures, plus a sanctions policy for the not adhering with the policies and processes.
- Training staff about the purpose of HIPAA compliance for dentists and why compliance is crucial, and explaining how any new processes will work.
- Carrying out due diligence on any third-party service providers with whom patient data is shared (Business Associates) and overlooking Business Associate Agreements.
- Creating contingency plans should a breach occur in order to minimize business disruption and potential fines for non-HIPAA compliance for dentists.
It is crucial to note HIPAA compliance for dentists is not a once-off project. Compliance must be maintained and training regularly given when further changes to work practices and new technology is implemented – even if the changes have absolutely nothing to do with HIPAA compliance. It is also important any risk assessments and analyses carried out when changes are implemented are chronicled.
Dental Clinics & HIPAA Compliance
HIPAA compliance for dental clinics is not dissimilar to HIPAA compliance to dentists, although the larger the dental clinic, the more vulnerable it is to breaches of patients data and the more it is likely to be attacked by hackers. With this in mind, special attention must be given to service agreements with Business Associates and cybersecurity measures.
Risk assessments and risk analyses will undoubtedly be more involved in larger dental clinics, and it may be necessary to design training to the specific roles of staff. For larger multi-establishment dental businesses (the highest growth area in dentistry according to the American Dental Association) it may be necessary to designate separate (or multiple) HIPAA Privacy Officers and HIPAA Security Officers.