HIPAA Training for Dental Offices: What You Need to Know

It was just a few years ago when news broke that a dental practice had to pay a $10,000 fine to the Office of Civil Rights (OCR) for a HIPAA violation.

The practice in question disclosed protected health information (PHI) in response to a bad Yelp review that one of its patients left.

Although on the more extreme end, that’s a clear violation of the HIPAA Privacy Rule. Social media isn’t a great place to share and discuss patient information and what the practice did on Yelp is just one example of many.

Sharing PHI on a public forum is just one forbidden action of hundreds within the Privacy Rule. On top of that, the Privacy Rule is just one-half of the whole regulation. There’s also the Security Rule...which is the more complicated of the two main parts of HIPAA.

The point I’m trying to make with all of this is that there are so many requirements to HIPAA that many dental organizations and their workforces end up confused.

Any compliance “expert” would tell you that the breach at the dental practice that posted PHI on Yelp is the result of a poor training program.

What they usually won’t tell you is what you should include in your training program and how often you need to send it to your team.

That’s why I’m going to give you everything you need to know about HIPAA training for dental offices from requirements to content.

HIPAA Requirements for Dentists

If you search anything about HIPAA on Google that doesn’t include the word “dentist” in it, you’re going to get a lot of high-level information.

For example, I Googled the phrase “HIPAA” and the first result was from the CDC.

It’s a great webpage that gives a nice general overview of HIPAA, its nomenclature and its requirements. I’m not here to critique this webpage.

However, I want to bring attention to the verbiage used within the “Covered Entities” portion of this page.

The very first sentence of the section states that the types of organizations and individuals listed within that section need to adhere to the HIPAA Privacy Rule. The very first individual listed as a covered entity is “healthcare providers”.

It goes on to describe that every healthcare provider needs to follow the requirements listed within the HIPAA Privacy Rule as long as that individual or organization transmits health information electronically.

From that, you’re likely to think up two big questions.

First, who’s a healthcare provider and do dentists fall under that umbrella term?

Federal law defines dentists as healthcare providers. I imagine you already knew that, though.

Second, what kind of electronic information transmission is that section referring to?

The main forms of electronic information transmission that occur in dentistry are…

  • Claims

  • Eligibility requests

  • Claim status inquiries

  • Treatment authorization requests

The American Dental Association (ADA) maintains on its website that there isn’t a deadline to switch to an electronic format.

So, if you’re still using paper records and you handle everything in-house...you technically don’t have to follow HIPAA.

However, it’s unlikely that your practice relies entirely on paper. Not only would you face payment adjustments from Medicare starting way back in 2015, but you’d also lose patients to other more modern practices based on what certain generations prefer.

Even so, the ADA strongly recommends that all dental providers implement HIPAA’s required safeguards.

It wasn’t easy to get to the bottom of HIPAA’s requirements for dentists. Long story short, all dental practices should pursue compliance with healthcare’s biggest regulation.

HIPAA Differences for Dentists

Now that we know that every dental organization should pursue and maintain compliance with HIPAA, the next logical question is, “Are there any differences in HIPAA for dentists?”

The answer to this question doesn’t require as much investigation as the last section, thankfully.

Since HIPAA defines organizations that need to follow its rules as “covered entities”, it makes classification easy...even for dentists.

In other words, if a dental organization meets the criteria of a “covered entity” then it needs to adhere to every requirement listed within the law.

There aren’t any differences between HIPAA for dentists and HIPAA for general practitioners. It also isn’t different for business associates, or organizations who work closely with covered entities. The law doesn’t differentiate based on specialty; it stays general to apply to all who fall within its defined buckets.

Relevant Examples Matter Most

Whether you’re creating your own HIPAA training for dentists or sourcing one from a third party, the most important thing to keep in mind is content.

Do you think your team will learn more effectively if their training goes over general examples about patient privacy? Sure.

However, don’t you think it would be more effective if your HIPAA training contained actual, real-world scenarios that occurred in the dentistry space?

I think it’s safe to assume that the second option is what you and most other dental organizations would want.

An excerpt from the book Mind, Brain, and Education: Neuroscience Implications for the Classroom, states, “Often, the learner’s emotional reaction to the outcome of his efforts … shapes his future behaviour.”

In other words, if a student doesn’t find that their lesson is relevant, there’s a high chance that the material isn’t going to sink in.

Although that comes from a classroom perspective, the same mentality carries over to the business world, arguably more so. You see, given the current burnout situation within the healthcare industry, your team most likely doesn’t have much time for anything other than patient care.

Thus, if the HIPAA training program you send to your team doesn’t contain relevant examples...the material isn’t going to land.

That’s why you need to include relevant examples and scenarios throughout.

Timing is Everything

Alright, we’ve figured out that…

  • You should train your dental employees on HIPAA

  • The law’s requirements don’t change among industries

  • Relevant examples help with getting the material to stick

Even after all of that, though, you probably still have at least one more major question, “When should I train my employees?”

That’s another question that deserves some investigation because the law isn’t as helpful in this regard.

Don’t get me wrong, training is an…

Yet, if you look at what’s stated within those two sections...the training requirements are what you could call “flexible”.

You see, the Privacy Rule requires that each new member of your workforce receives training “within a reasonable period of time after the person joins”. 

The Security Rule adds to the Privacy Rule’s training requirement by stating that it should happen on a “periodic” basis.

In other words, the Privacy Rule says it should happen at some point when a new employee comes on board. The Security Rule mandates that ongoing training should also happen. They’re both super vague and open to interpretation.

Maybe the ADA can provide some guidance on the matter.

Unfortunately, the ADA’s webpage about HIPAA training for dentists just reiterates what the law requires. That’s not much of a surprise, since the ADA isn’t the organization that enforces HIPAA.

But, if the requirements on training remain ambiguous, what’s the best thing to do?

First, have your employees take your HIPAA training on their first day. It’s unlikely that they'll have to deal with any PHI on their first day, so take advantage of that by teaching them how to handle it properly.

Second, enforce that your entire workforce retakes your training program on an annual basis.

Those two easy policy implementations are not only best practices, but they also satisfy what’s mandated.

Stay Up to Date

Let’s say that after reading this blog post you go out and find a HIPAA training program that’s made for dentists. Awesome.

However, this training program won’t do you any good if it’s outdated.

You see, the Department of Health and Human Services (HHS) doesn’t believe being 100% compliant with HIPAA is attainable. Instead, it believes that compliance with the law is ongoing and ever changing.

In other words, the training that you require of your employees needs to stay up-to-date and change with new amendments to the law.

The ADA also reflects this philosophy in the same paragraph I provided in a previous section.

But, what kind of “updates” should your training include and how do you find them?

I’ll give you an example.

In March of 2021, the HHS proposed roughly 15 changes to the HIPAA Privacy Rule. Most of the changes aim to make certain parts of the law more flexible in order to account for COVID-19 and the opioid pandemic.

A few months later, in May 2021, the ADA made comments on some of the proposed changes stating that they may overburden dental offices.

What those proposed changes are and the ADA’s criticisms of them are two imperative topics to include in your HIPAA training program.

Conclusion

I imagine when you clicked the link to this blog post you didn’t realize how involved and meticulous the HIPAA training requirements are for dentists. 

Hopefully, by the end of it, you have a better idea as to what’s required of you and how to implement a HIPAA training program that’s effective for your dental organization.

Out of everything, though, the biggest takeaway is that the requirements don’t change across healthcare specialties. Regardless of whether you’re a general practitioner or a specialty dentist, your HIPAA training mandates as a covered entity don’t change.