HIPAA Compliance for Dental Offices: Best Practices to Sink Your Teeth Into

Dental offices and practices need to stay compliant with the Health Insurance Portability and Accountability Act (HIPAA).

If these practices aren't compliant with HIPAA, they can face massive penalties.

But, it's hard to stay compliant with the regulation if you don't know what HIPAA compliance for dental offices looks like.

The good news is that we're here to help. In this blog post, we'll give you an overview of HIPAA compliance for dental offices.

We'll cover what the regulation requires and some best practices for staying compliant.


HIPAA From a High-Level

HIPAA compliance for dental offices exists in two main categories: covered entities and business associates.

A covered entity is a health plan, a healthcare clearinghouse, or a provider of healthcare services that transmits health information in electronic form. A business associate is a person or organization that performs certain functions or activities on behalf of a covered entity.

Dental offices are covered entities under HIPAA. This means that they need to take the same steps to adhere to the law as the pediatrician up the street.

The HIPAA Security Rule

The first step in becoming compliant with HIPAA is to understand the security rule.

This rule requires covered entities (you as a dental organization) to put in place...

  • Physical Safeguards

  • Technical Safeguards

  • Administrative Safeguards

Each of those categories of safeguards exists to protect the confidentiality, integrity and availability of electronic protected health information (ePHI).

Since essentially everything is digital now, the Security Rule is always in effect.

The HIPAA Privacy Rule

The second step to take is to understand the privacy rule.

This rule requires you as a covered entity to...

  • Give patients the rights to their health information

  • Have procedures in place for handling protected health information (PHI)

  • Designate a privacy officer

  • Train your employees on these procedures

The HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule is another major requirement within the regulation that you need to know about as a dental organization. Essentially, it exists to guide you after a breach takes place.

Although it would be nice to think that your organization is impervious to a HIPAA breach, that's not realistic. Plenty of dental organizations have already had to pay fines for violating the regulation.

By having the proper procedures and protocols in place, you can help to prevent a breach from happening in the first place. But, if one does occur, you'll be able to take action quickly and minimize the damage.

Best Practice #1: HIPAA Training

You need to provide regular HIPAA training to your employees. This will ensure that everyone on your team is up-to-date on the latest compliance regulations. But, more importantly, it will help them to understand why these regulations are in place.

Both the Security Rule and the Privacy Rule have requirements in place regarding training.

The Privacy Rule's Training Requirement

The HIPAA Privacy Rule cites training as an Administrative Requirement (45 CFR § 164.530).

That requirement states that...

  • Covered entities train all workforce members on policies and procedures with respect to protected health information (PHI).

  • Employees receive training no later than the compliance date for the covered entity.

  • Workforce members take the training within a "reasonable period of time" after they join your team.

The Security Rule's Training Requirement

The HIPAA Security Rule also cites training as a requirement within its Administrative Safeguard section (45 CFR § 164.308).

It states that...

  • Covered entities need a security awareness training program for all workforce members.

  • Covered entities also need to establish periodic security updates.

What are you supposed to do?

Training is a requirement in both the Privacy Rule and Security Rule. But, both requirements seem "flexible".

If you don't have anything in place, you need to. There's no doubt that HIPAA requires that dental practices need to train their staff.

What is in question, though, is consistency. How often should you provide training to your staff?

What's a "reasonable period of time"? What's "periodic"?

These are great questions that have caused a lot of debate among legal professionals since the very beginning of HIPAA.

But, since it's open to interpretation, it's up to the industry to decide the best practice.

Here's what you need to do in two easy steps...

  1. Attach HIPAA training to your onboarding process.

  2. Provide it to your employees on an annual basis.

Those two steps close any gaps you might have in your HIPAA training compliance.

Best Practice #2: Switch to Electronic and Modern Formats

I'm willing to bet that before you navigated to this blog post, you researched what the American Dental Association (ADA) has to say about HIPAA compliance for dental offices.

The answer is not a lot.

The ADA has published a few articles on the topic, but compliance isn't their focus.

In fact, the ADA maintained on its website that there wasn't a deadline to switch to using electronic records until Q4 of 2021.


In December of 2021, the ADA announced a partnership with Health Level Seven International (HL7). The partnership's goal was to introduce and encourage practices to move towards HL7 data standardization practices.

Even so, the announcement maintains that "there is no standard for the exchange of patients' dental health information between dental providers..."

Since there isn't a spelled-out standard or requirement in place for dental organizations to switch to modern data formats, there's a good chance that some still rely on paper.

Hopefully, you don't fall within that bucket. If you do, you should switch as soon as possible.

Using paper records opens up the door to unnecessary operational risks such as...

  • Patients seeing records from other clients left on desks in common areas.

  • Losing records because they weren't filed away properly.

  • Improper disposal of records, leading to exposure of sensitive information.

  • Destruction of records due to a catastrophic event like an office fire.

  • Delivering records to the wrong address.

Those are just five examples of unintentional HIPAA violations that have already happened in the real world because of relying on paper.

If you switch to an electronic format, you immediately inherit a more secure way of handling your patients' sensitive data.

Depending on your level of encryption, you might even be able to send emails containing PHI.

Best Practice #3: Be Selective Over Who You Work With

As I alluded to earlier, HIPAA classifies the organizations you work with as business associates.

You need to have what's called a business associate agreement (BAA) in place with each of them.

This agreement ensures that they're also handling PHI in a HIPAA-compliant manner.

If you don't have agreements with your business associates and they violate HIPAA, you're accountable right alongside them.

It's also possible that organizations you want to use aren't willing to sign a BAA.

For example, let's say that you want to be a modern practice and accept payments from your patients via Apple Pay. Your next likely question is, "Is Apple Pay HIPAA Compliant?" That's a long story, but the short answer is no. To make matters worse, Apple isn't going to sign a BAA with your organization either. That potentially means that accepting Apple Pay would make you liable for a HIPAA violation.

This leads me to two points. First, you need to carefully vet any organization you plan on working with before officially agreeing via a BAA. Second, you need to completely avoid working with organizations that won't sign a BAA.

Trust me, the last thing you want is to receive a breach notification from one of your business partners stating that they exposed your clients' data. Try explaining that to your patients.

Best Practice #4: Understand The Auditing Process

The Office for Civil Rights (OCR) is fairly transparent about the HIPAA auditing process on its website.

They break it down into two phases based on a mandated round of audits that took place between 2016 and 2017.


OCR Audit Phase 1: Desk

The first phase was a series of desk audits given to both covered entities and business associates. The desk audits took a look at compliance with specific Privacy Rule, Security Rule and Breach Notification Rule requirements.

Covered entities and business associates had to provide documents that proved HIPAA compliance with the requirements provided to the OCR.

OCR Audit Phase 2: Onsite

The second phase of auditing involved onsite visits by OCR auditors.

The auditors reviewed documentation and shared their findings with the entities they visited. Once reviewed, auditors then created a full report that described the methods used and discussed findings.

Best Practice #5: Have Documentation of Everything You Need

I know, you're reading the headline of this section and saying to yourself, "Have everything I need? I don't even know all of what I need yet!"

Don't worry, that's why this section exists.

If you ever get audited, you might have as little as 10 days to submit everything to the Office for Civil Rights to prove your compliance with HIPAA.

The documents you'll need to provide include...

  • The results of a security risk assessment

  • Security, Privacy and Breach Notification policies and procedures

  • Notice and acknowledgement of privacy practices

  • Proof of training (certifications of completion, grades, etc.)

  • Explanation and proof of sanctions imposed on workforce members for noncompliance

  • Breach notification letters (digital and physical)

  • Authorization forms

  • Documentation of complaints

You're probably thinking, "That's it? This is easy!" I'm being facetious. To make matters a little more difficult, HIPAA has a data retention requirement. According to 45 CFR § 164.316(b)(2)(i), you're required to retain your documents that relate to HIPAA for six years from their creation.

If you already have that on hand, great. You're ready for a HIPAA auditor at any point. You're also in the minority.

Most dental practices aren't prepared for a HIPAA audit and are likely in violation if one were to occur.

Don't let that happen to you. Stay ahead of the curve by being proactive about your compliance. Create these documents if you haven't and ensure you keep them on hand, even if you create revisions.

Best Practice #6: Run a Risk Analysis

If an auditor walked through your doors right now, could you provide them with information about the operating risk of your organization?

The HIPAA risk analysis requirement exists in §164.308(a)(1)(ii)(A).

If you read the requirement, it doesn't seem like much. Yet, it's a massive undertaking for dental organizations.

So what is a risk analysis?

It's an accurate and thorough analysis of each electronic asset your organization uses to create, maintain, or transmit PHI. More specifically, it identifies potential threats and vulnerabilities to each asset and assesses the resulting risk in terms of likelihood and severity.

In other words, you'll likely have to evaluate all of your practice's devices and determine how risky they are to your organization presently and in the future.

Not so easy, is it? Let me pile on a little bit more.

There's another big requirement within the same section as risk analysis that you also need to meet: a risk management plan (§164.308(a)(1)(ii)(B)).

Conducting an assessment is one thing; using the results of that assessment to implement better compliance is another.

A risk management plan comes after you've conducted the analysis. It exists to ensure that you implement measures to reduce the risks your analysis identified.

So, this section is two-pronged.
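To make the two prongs concrete, here is an added example (not code from the original post) of how a small practice could keep its risk analysis and risk management plan together in one register. Every asset, threat, vulnerability, score and control below is constructed sample data, and the 1 to 5 likelihood and severity scales, the rating bands and the planning threshold are assumptions; substitute your own inventory and scales.

```python
"""Risk analysis plus risk management plan for a practice's ePHI assets.

Added illustrative example, not part of the original post. All assets,
threats, scores and controls are constructed; the 1-5 scales, the rating
bands in rate() and the threshold in risk_management_plan() are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Risk:
    asset: str                 # electronic asset that creates, maintains or transmits ePHI
    threat: str
    vulnerability: str
    likelihood: int            # 1 = rare ... 5 = almost certain (assumed scale)
    severity: int              # 1 = negligible ... 5 = catastrophic (assumed scale)
    planned_control: str = ""  # the risk management plan entry for this risk
    residual_likelihood: Optional[int] = None  # expected values once the control is in place
    residual_severity: Optional[int] = None

    def __post_init__(self) -> None:
        # Reject scores outside the scale so a typo cannot silently hide a risk.
        for name in ("likelihood", "severity", "residual_likelihood", "residual_severity"):
            value = getattr(self, name)
            if value is not None and not 1 <= value <= 5:
                raise ValueError(f"{self.asset}: {name} must be 1-5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.severity

    @property
    def residual_score(self) -> Optional[int]:
        if self.residual_likelihood is None or self.residual_severity is None:
            return None
        return self.residual_likelihood * self.residual_severity


def rate(score: int) -> str:
    """Map a likelihood x severity score onto a rating band (assumed thresholds)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def risk_analysis(risks: List[Risk]) -> List[Risk]:
    """Prong one: every asset/threat pair, ranked by current risk score."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def risk_management_plan(risks: List[Risk], threshold: int = 8) -> List[dict]:
    """Prong two: for each risk at or above the threshold, record the planned
    control and the residual risk it is expected to leave. A risk above the
    threshold with no control recorded is an error, not something to skip."""
    plan = []
    for r in risk_analysis(risks):
        if r.score < threshold:
            continue
        if not r.planned_control or r.residual_score is None:
            raise ValueError(f"{r.asset}: rated {rate(r.score)} but no control or residual recorded")
        plan.append({
            "asset": r.asset,
            "threat": r.threat,
            "control": r.planned_control,
            "before": (r.score, rate(r.score)),
            "after": (r.residual_score, rate(r.residual_score)),
        })
    return plan


# Constructed sample inventory for a small practice (not real findings).
SAMPLE_RISKS = [
    Risk("Practice management server", "Ransomware", "Unpatched OS; no tested offline backup",
         4, 5, "Monthly patching; offline, tested backups", 2, 3),
    Risk("Hygienist laptop", "Theft from vehicle", "No full-disk encryption",
         3, 4, "Full-disk encryption with escrowed recovery key", 3, 1),
    Risk("Office email", "PHI sent to wrong recipient", "Staff email PHI in plain text",
         3, 4, "Send PHI only through the encrypted patient portal", 1, 4),
    Risk("Front-desk workstation", "Shoulder surfing", "Screen faces the waiting room",
         4, 2, "Privacy filter and 2-minute screen lock", 2, 2),
    Risk("Backup drive", "Office fire", "Single on-site copy",
         1, 5),  # below the planning threshold: documented, accepted for now
]


if __name__ == "__main__":
    for r in risk_analysis(SAMPLE_RISKS):
        print(f"{r.score:>2} {rate(r.score):<6} {r.asset}: {r.threat}")
    for entry in risk_management_plan(SAMPLE_RISKS):
        print(entry)
```

Keeping the residual score next to the original score is what turns the register into a plan: an auditor can see not just that a risk was found, but what you decided to do about it and what you expect it to look like afterwards. Re-run the register whenever an asset is added or a control is finished, and keep each dated version for the retention period discussed earlier.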

Best Practice #7: Incident Response Plan

If you experience a breach, don't panic. It's not a good scenario to be in, but you wouldn't be the first dental practice to experience a HIPAA violation.

If you're feeling uneasy and don't want to ever experience a HIPAA violation, that's a good thing. Embracing that feeling will only lead to a more compliant organization.

This section should also help put your mind at ease.

The reality is that breaches happen often. They're almost an inevitability at this point (especially if you look at the trends going on with ransomware).

That's why it's important to have an incident response plan (IRP) in place.

An IRP is a set of procedures and protocols that your organization will follow in the event of a data breach or other type of security incident.

You should customize it to your specific organization and needs. You should keep it updated as your organization evolves, but having something is better than nothing.

Best Practice #8: Answer a Pre-Screening Questionnaire Early

Let's talk about audits again.

When that pesky HIPAA auditor comes by, they're going to send you the OCR's official pre-screening questionnaire.

Why do I know that?

The OCR has the entirety of this questionnaire displayed on its website.


Although a grueling task, audits aren't filled with "gotcha" moments. Everything that's required from dental offices from a HIPAA perspective is publicly available.

Since that's the case with the pre-screening questionnaire, why not go through it right now as a step in your preparation?

It's not as thorough as going through a gap or risk analysis, but it will help you understand the scope of a HIPAA audit before it happens.

Best Practice #9: Conduct a Practice Audit

I promise you that this is the last section of this blog about audits. I know that you're probably tired of reading about them. But, they're the "big bad" when it comes to HIPAA.

Anyway, by now you've familiarized yourself with the OCR's auditing process and filled out the pre-screening questionnaire.

What's left? Conducting a practice audit, of course.

Based on what we learned from best practice #4 within this blog post, we know that most audits will be "desk audits".

A desk audit is a fancy term for auditors reviewing your documents remotely. They don't visit your dental office in person.

Keep in mind that on-site audits do happen, though. That type of audit takes 3 to 5 days depending on the size of your dental office. They're also more comprehensive than desk audits and cover a wider range of HIPAA requirements.

You can model your practice audit on either type. I recommend both.

Either way, the best way to hold a practice audit is by running a series of role-play exercises. These exercises should include having your staff...

  • Take turns asking each other questions about the OCR's audit protocol.

  • Find answers to audit-related questions within your practice's compliance documents.

  • Demonstrate how your office complies with HIPAA.

Best Practice #10: Don't Panic

It seems like every week we hear about a new healthcare organization that had to pay a massive fine because of a HIPAA violation. Some of these even happen because of celebrities.

Although the fines associated with HIPAA are increasing, you shouldn't panic.

At the end of the day, your dental office has to stay compliant with HIPAA. That fact isn't going to change. But, the law exists to ultimately make your organization better.

After making efforts toward HIPAA compliance, you're going to have more protections in place that secure your clients' sensitive data.

What practice wouldn't want that for their patients?


It's important to note that the OCR doesn't view HIPAA compliance as a goal you reach once and are done with. It's something that's constantly changing and requires your ongoing attention.

The OCR has also mentioned that the ultimate goal of its audits is to improve compliance activity. Audits help the OCR understand compliance efforts across the healthcare landscape and determine how they can help.

Again, that doesn't mean fines don't happen. We know that they do because we hear about them all the time (here are a few more that happened because of social media).

We also know that HIPAA breaches affecting 500 or more individuals get posted on the OCR's public "Wall of Shame". You definitely don't want this to happen to your organization, so use it as motivation.

Conclusion

Staying compliant with HIPAA can be a daunting task, but it's important to remember that you're not alone.

Every healthcare organization regardless of specialty is a covered entity under HIPAA.

HIPAA compliance for dental offices means that you have a lot of work ahead of you. But going through and accomplishing its requirements helps make your organization a safer option for your clients.

Also, there are plenty of resources available to help you, including the OCR website and our blog. We can even help you accomplish some of these best practices, like HIPAA training.