The rules of dental HIPAA compliance are no different from the rules governing other HIPAA Covered Entities and Business Associates. However, there may be more occasions when dentists and dental practices have to apply exceptions to the rules – or not apply the rules at all.
If you are a dentist or work in a dental practice, it is highly likely you have to comply with the HIPAA Privacy, Security, and Breach Notification Rules or comply with HIPAA policies implemented by your organization's Privacy and Security Officers. The purpose of these Rules and policies is to:
- Protect the privacy of individually identifiable health information
- Ensure the confidentiality, integrity, and availability of the information, and
- Notify subjects of the information in a timely manner when a data breach occurs.
The Rules and policies are necessary because health information is highly sought by criminals. Stolen health information can be used to commit identity fraud, take out finance in the victim's name, and have expensive medical treatment paid for by the victim's health plan.
Events of this nature affect everyone. When banks have to write off fraudulent loans, they recover the losses by charging other customers more. Similarly, when health plans are the victims of identity theft, premiums increase – which, when an employer is paying contributions, means less money to pay wages. Therefore, data breaches don't just affect individuals. They affect everyone.
The Privacy, Security, and Breach Notification Rules
The three Rules against which dental HIPAA compliance is measured are the Privacy, Security, and Breach Notification Rules. They are not the only rules dentists and dental practices have to comply with, because each jurisdiction has its own state rules for dentists; and, in cases where these have stronger privacy protections or provide patients with greater rights, state rules pre-empt HIPAA.
Dentists and dental practices also have multiple federal laws to comply with – from the PCI DSS regulations for businesses that process card payments to the continuous coverage provisions of COBRA. Few federal laws contradict HIPAA, but when there is a conflict between HIPAA and another federal law, the standards of the Privacy, Security, and Breach Notification Rules take precedence.
The HIPAA Privacy Rules for Dentists
The HIPAA Privacy Rules for dentists mostly explain what information is considered to be Protected Health Information, under what circumstances the information can be used and disclosed, how it should be used and disclosed (i.e., in compliance with the Minimum Necessary Standard), and what rights patients have to request copies of the information and corrections where errors exist.
It is important that dentists and members of a dental practice's workforce understand these Rules because the most common HIPAA violations relate to impermissible uses and disclosures, disclosing more than the minimum necessary information, and failing to respect patients' rights. Dental practices have been fined for non-compliance with the Privacy Rules of dental HIPAA compliance.
The HIPAA Security Rules for Dentists
The HIPAA Security Rule for dentists consists of the Administrative, Physical, and Technical safeguards, the Organizational Requirements (mostly relating to Business Associate Agreements), and the General Rules. The General Rules are possibly the trickiest part of the Security Rule to get to grips with because of the standard relating to the “flexibility of approach” (45 CFR §164.306(b)).
This standard complicates the Security Rules of dental HIPAA compliance by enabling Covered Entities and Business Associates to decide what reasonable and appropriate security measures to implement based on:
- The size, complexity, and capabilities of the Covered Entity or Business Associate.
- The business's technical infrastructure, hardware, and software security capabilities.
- The cost of the security measures.
- The probability and criticality of potential risks to electronic PHI.
This standard very much leaves the remaining Security Rules of dental HIPAA compliance open to interpretation. Could a dental practice ignore some implementation specifications because the security measures are too expensive or because a practice is considered too small to be a target for a hacker? Whatever is decided, it has to be justified and documented in case of an audit or inspection.
Why the Breach Notification Rule is Important
The Breach Notification Rule is important for two reasons. First of all, by notifying affected individuals of a data breach as quickly as possible, affected individuals can take measures to mitigate the risk of a hacker using stolen credentials to commit identity theft and fraud – for example, warning their bank, credit card companies, and health plan to be on the lookout for unusual activity.
Secondly, by notifying HHS' Office for Civil Rights of the breach, dentists and dental practices will likely receive technical assistance to help prevent future breaches. This tends to be the Office for Civil Rights' preferred course of action rather than imposing fines and monitoring compliance with Corrective Action Plans (which can be just as expensive for dentists to comply with as a HIPAA fine).
Exceptions to Dental HIPAA Compliance
There are plenty of exceptions in HIPAA, and some are more likely to occur in dental practices than in hospitals or Organized Health Care Arrangements – for example, exceptions to the Administrative, Physical, and Technical safeguards of the Security Rule attributable to the “flexibility of approach” standard (although dentist-initiated exceptions have to be justified and documented).
Exceptions to dental HIPAA compliance are also more likely when dentists treat children. Contrary to the required uses and disclosures of the Privacy Rule, dentists do not have to provide parents with access to a child's health information if the dentist believes the child “is subject to domestic violence, abuse, or neglect by the [parent] or doing so would otherwise endanger the individual”.
There are also exceptions to the Breach Notification Rule that relieve Covered Entities from notifying individuals and HHS' Office for Civil Rights if it can be shown there is a low probability of Protected Health Information having been compromised. HHS' Office for Civil Rights explains the criteria for non-notification of a breach in the definition section of this Breach Notification Rule Summary.
When the HIPAA Rules May Not Apply at All
As mentioned previously, when state laws have stronger privacy protections or provide patients with greater rights, state rules pre-empt HIPAA. Usually, state laws pre-empt only sections of HIPAA (e.g., those covering biometrics, genetics, HIV treatment, etc.), but it is important to note that some state laws cross state boundaries (e.g., Texas' HB 300) and impact dentists practicing anywhere in the country.
Another example of when dental HIPAA compliance may not be necessary is when a dentist provides services to a school or college. Students' medical records are considered to be part of their educational records under FERPA and are not subject to HIPAA protections. However, if a dental service is provided to both students and adults, HIPAA applies to the adults' medical records.
One final example of when the HIPAA Rules may not apply to dentists and dental practices is if the practice does not qualify as a HIPAA Covered Entity. HIPAA only applies to healthcare providers that transmit health information electronically in connection with a transaction for which HHS has developed standards (e.g., eligibility checks, coordination of benefits, claims, remittances, etc.).
If a dentist or dental practice does not conduct any of these transactions electronically (voice communications over the phone and paper-to-paper, non-digital faxes do not count as electronic transactions), they are not a Covered Entity under HIPAA and are not required to comply with the Rules of dental HIPAA compliance – unless a non-Covered dentist provides services for or on behalf of a Covered dentist as a Business Associate, in which case some – but not all – HIPAA Rules will apply.
Conclusion: Dental HIPAA Compliance can be Complicated
With there being many situations in which HIPAA does not apply, in which parts of HIPAA may be pre-empted by other laws, or in which the flexibility of approach allows for some implementation standards to be bypassed, it is fair to say dental HIPAA compliance can be complicated. If you are a dentist, or a Privacy/Security Officer for a dental practice, and you are not certain of your obligations under HIPAA, it is advisable to seek professional compliance help.