Are dentists covered by HIPAA?
In general, dentists are considered “Covered Entities” under HIPAA, so they must meet all of the compliance requirements. However, there are a number of situations in which they may be not meet the definition of a Covered Entity, and therefore do not have to meet all of the stipulations regarding Protected Health Information. The question “does HIPAA apply to dentists”, then, has a complicated answer.
The Department of Health and Human Services lists defines “Covered Entities” as healthcare clearinghouses, health plans, and healthcare providers. However, healthcare providers – which includes dentists – are only covered entities if they “transmit information in an electric form in connection with a transaction for which the Department of Health and Human Services has adopted a standard”. These transactions can include authorizations, eligibility checks, referrals, and enrollment.
One part of this definition in particular should be highlighted. Dentists are only considered to be Covered Entities if they transmit information in an electronic form. Of course, with the widespread use of modern technologies such as HIPAA compliant email, text messages, and other online forms, the vast majority of dentists will meet this definition. Even if dentists only use transmit protected health information (PHI) electronically for some of their transactions, all transactions that are undertaken by that dentist must be HIPAA compliant.
However, there may be a minority that does not meet this definition as they never transmit patient information electronically.
In some cases, HIPAA will not apply to dentists because a different, more stringent privacy rule takes precedent. This is the case when dentists are treating students. A student’s dental records are considered to be part of their education records, and are therefore covered by the Family Educational Rights and Privacy Act (FEPA). FERPA is more stringent than HIPAA, so it takes precedent. HIPAA may be similarly superseded by other State-level legislations that have more stringent requirements.
If a dentist works across different scenarios, some of which require HIPAA compliance, it is considered to be a hybrid entity. This may be the case if, for example, the dentist is based part-time in a school.
HIPAA applies to dentists if they are contracted by other dentists to carry out specific tasks by another dentist. In these cases, a dentist is considered to be a Business Associate, and is subject to HIPAA. Their duties under HIPAA, and responsibilities in terms of the use and protection of PHI, will be laid out in the Business Associates Agreement between the dentist that is the Covered Entity and the BA.
To ensure HIPAA compliance, dental practices must appoint a HIPAA Privacy Officer and a HIPAA Security Officer. These roles may be combined into a single “HIPAA Compliance Officer”. Indeed, if a dentist practices by themselves, they must appoint themselves the privacy officer.
In summary, the answer to “does HIPAA apply to dentists” is not straightforward. However, in the majority of cases, HIPAA does apply to dentists, either because they meet the definition of a Covered Entity or because they are a Business Associate of a HIPAA-covered dental practice.