Dental offices now stand alongside other medical organizations in terms of their access to Protected Health Information (PHI), meaning they must adhere to the same privacy and security safeguards as the rest of the medical community when protecting their patients' health information. HIPAA rules and regulations apply to dental practices regardless of size if the practice is a covered entity, which it is if it transmits health information electronically in connection with a HIPAA standard transaction (for example, submitting claims electronically to an insurer). According to the American Dental Association (ADA), “if a dental practice is a covered entity, the practice will need to take steps to comply with HIPAA,” which includes but is not limited to the following:
- Appoint a HIPAA Privacy and Security Officer;
- Implement a HIPAA compliance program;
- Maintain compliance in an ongoing manner;
- Perform a risk analysis;
- Train workforce members; and
- Develop Policies and Procedures.
HIPAA Compliance for Dental Offices Requires the Development of Policies and Procedures
Dental practices should carefully review their privacy and security policies, compile evidence that the policies have been implemented and enforced, and be able to demonstrate that they have reviewed and updated the policies in line with the law, their operations, and current information technology standards. HIPAA compliance for dental offices covers the security of all PHI and ePHI in the organization’s possession or control, including PHI acquired when a practice is purchased or merged. These policies and procedures must be treated as living documents. Additionally, offices should create and update policies and procedures on topics that may not have been relevant in years past but are crucial today: the use of hardware and electronic media, the assignment of security responsibilities and regular compliance monitoring, and restricting unauthorized access to all of the practice’s electronic information systems and the facilities in which they are housed (HCCA).
To confirm that these policies and procedures are being followed, dentists are encouraged to maintain an encryption report: an inventory of every device and system that stores or transmits ePHI and whether each one is encrypted. Specific individuals within the practice should be responsible for ensuring that the practice enters into business associate agreements with vendors or suppliers who need access to PHI (for example, a hosted practice management system, an offsite backup provider, or a billing service).
Dental healthcare providers should develop an enhanced privacy and security awareness training program. Training should be given to all workforce members who have access to PHI and ePHI, and should cover the HIPAA Privacy Rule, the HIPAA Security Rule, and the practice’s breach notification policies and procedures.
Dental offices should take steps toward eliminating risks. To do so, the practice must first evaluate the risks (e.g., unencrypted laptops, improper use of portable devices) present in all of its facilities and technologies, especially the electronic equipment, data systems, and applications that store or transmit ePHI; this risk analysis is a required implementation specification of the HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)). The office can then develop an organization-wide risk management plan that addresses and mitigates the security risks and vulnerabilities found in the risk analysis, and revisit both whenever systems or operations change.
When reviewing HIPAA compliance for dental offices, the high-risk areas to focus on include:
- Rights to amend and access PHI;
- Minimum necessary use and disclosure;
- Encryption of electronic transmissions, mobile devices, and any device that stores PHI, including laptops and USB drives (PHI encrypted in a manner consistent with HHS guidance counts as “secured,” so the loss of a properly encrypted device is not a reportable breach);
- System Access controls;
- Notice of Privacy Practices; and
- Breach notifications.
Dental Office HIPAA Violations
Many dental offices are breaching HIPAA privacy and security rules without realizing it, or have employees doing so without their knowledge. In one published OCR case, an investigation confirmed allegations that a dental practice flagged some of its medical records with a red sticker bearing the word “AIDS” on the outside cover, and that records were handled in such a way that other patients and staff with no need to know could read the sticker. When notified of the complaint filed with OCR, the dental practice immediately removed the red AIDS sticker from the complainant’s file. To resolve the matter, OCR required the practice to revise its policies and operating procedures and to move medical alert stickers to the inside cover of its records. Further, the covered entity’s Privacy Officer and other representatives met with the patient and apologized, and later followed up with a written apology.
Report HIPAA Compliance Issues
Breaches of unsecured PHI must be reported to the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR), and the deadline depends on the number of individuals affected. Breaches affecting fewer than 500 individuals may be logged and reported to OCR annually, no later than 60 days after the end of the calendar year in which the breach was discovered (March 1 in a non-leap year). Breaches affecting 500 or more individuals have a stricter timeline: they must be reported to OCR without unreasonable delay and no later than 60 calendar days from discovery, and the practice must also notify prominent media outlets serving the affected state or jurisdiction. In every case, affected individuals must be notified without unreasonable delay and no later than 60 days after discovery. Note that the Breach Notification Rule applies to unsecured PHI in any form, paper records included, not only ePHI.
Dental practices must take every precaution necessary to keep the practice from violating HIPAA laws and regulations. Fines for non-compliance range from $100 to $50,000 per violation, with an annual maximum of $1.5 million for violations of an identical provision; these amounts are adjusted annually for inflation. Some violations may result in criminal charges, including jail time.
Performing a periodic HIPAA privacy and security risk analysis will reduce the chances of non-compliance and help keep the practice off the HHS breach portal, commonly called the “Wall of Shame,” which publicly lists breaches affecting 500 or more individuals.