HIPAA Training for Dental Offices

OSHA and HIPAA Online Training for Dental Offices - hipaaguide.net

HIPAA training for dental offices has the same objectives as HIPAA training for other types of covered entity inasmuch as workforce members must know how to protect the privacy and confidentiality of individually identifiable health information and comply with the dental office’s HIPAA policies and procedures. However, complying with the HIPAA training requirements for dental offices may not be enough to prevent inadvertent HIPAA violations.

Dental offices are typically smaller than most other types of covered entity and often have fewer resources available to provide HIPAA training to members of the workforce and monitor compliance. In addition, members of a dental office’s workforce may not have any knowledge of HIPAA prior to working for the dental office, yet may be required to perform multiple functions in which the risk of an impermissible disclosure exists.

For these reasons, it is important all members of a dental office’s workforce receive HIPAA training beyond the “required” training to ensure they have a robust knowledge of the HIPAA regulations and a full understanding of the dental office’s HIPAA policies and procedures. The provision of additional HIPAA training will not only reduce the risk of inadvertent HIPAA violations, but will also reduce the burden of monitoring workforce HIPAA compliance.

HIPAA Training Requirements for Dental Offices

The “required” HIPAA training requirements for dental offices are that all members of the workforce must receive training on HIPAA policies and procedures “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity” (§164.530(b)), and that – regardless of their access to Protected Health Information (PHI) – all workforce members participate in a security awareness training program (§164.308(a)(5)).

Policy and procedure HIPAA training for dental offices involves training members of the workforce on the policies and procedures developed by the dental office to comply with HIPAA. For example, policy training may be about discussing a patient’s health, treatment, or payment information with them in a private area where they cannot be overheard, while procedure training may be about how to respond when a patient exercises their HIPAA rights to view and request amendments to their PHI.

There are no requirements for security awareness training programs to be HIPAA-centric, but it is important for members of the workforce to understand (for example) why they can send an appointment reminder to a patient via SMS, but not send information about a patient to an insurance company using the same channel of communication. It is also important to explain why members of the workforce should not use unsanctioned apps or online services “to get the job done”.


The Challenge of Complying with the HIPAA Training Requirements

In smaller dental offices, the challenge of complying with the HIPAA training requirements is that a single member of the workforce may be responsible for multiple functions – for example, booking appointments, assisting the dentist, verifying insurance information, and processing payments – some of which will be unsupervised. This means there may be more HIPAA policies and procedures to learn than if the member of the workforce worked for a larger covered entity.

It is also the case that, while qualified dentists acquire an understanding of HIPAA during their medical training, most new members of a dental office’s workforce have no previous experience of HIPAA’s privacy and confidentiality regulations. This can reduce the effectiveness of HIPAA policy and procedure training if (for example) a receptionist does not understand what is considered PHI under HIPAA when a patient requests access to – or an amendment of – their PHI.

To make HIPAA training for dental offices more effective, it is advisable to provide new members of the workforce with additional privacy awareness training, even if they have worked for a covered dental practice previously. This will help put the dental office’s HIPAA policy and procedure training into context and reduce the risk of inadvertent HIPAA violations attributable to a lack of HIPAA knowledge or the failure to understand the dental office’s HIPAA policies and procedures.

Privacy Awareness Training for Dental Practices

The additional privacy awareness training for dental practices should include an explanation of what PHI is, why it has to be protected, and the consequences to the patient, the practice, and the individual of impermissibly disclosing PHI. Privacy awareness training for dental practices should also explain the circumstances in which disclosures of personally identifiable (non-health) information may not be covered by HIPAA, but may be covered by a state regulation.

Other topics to include in privacy awareness training for dental practices include the minimum necessary standard, incidental disclosures of PHI, and discussing a minor patient’s treatment with parents. When discussing any patient’s treatment with a third party – in person, over the phone, or by email – it is also necessary to verify the identity of the third party and to be aware of any privacy protections requested by the patient that limit what PHI can be disclosed.

One further consideration when providing additional privacy awareness training for dental practices is that a waiting room environment is different from a calm learning environment. Some patients will be emergencies, others may be nervous, while others may be disruptive or English may not be their native language. In these scenarios, new members of the workforce must be prepared to protect the privacy and security of PHI in challenging circumstances.

Security Rule HIPAA Training for Dental Offices

Initial Security Rule HIPAA training for new members of a dental office’s workforce is not so complicated because it is the dental office’s responsibility to implement the majority of Security Rule standards. However, depending on an individual’s role, it may be necessary to provide Security Rule HIPAA training for dental offices on emergency procedures, contingency plans, and measures implemented to ensure the security of servers and devices used to access electronic PHI.

For most new members of the workforce, Security Rule HIPAA training for dental offices will consist of explaining what software and systems are used to create, receive, store, and transmit electronic PHI, and why they are configured in the way that they are. Similar to the warning mentioned previously about using unsanctioned apps “to get the job done”, new members of the workforce must be told not to amend or circumvent software configurations.

It is also essential that Security Rule HIPAA training for dental offices is not perceived as a one-time event. The Security Rule standard related to workforce training requires all members of the workforce to participate in a security awareness training “program”. The inclusion of the word “program” indicates that security awareness training is ongoing. The content of the program should be determined by a security risk analysis or an identified compliance failure.

Employee Responsibility for Dental Office HIPAA Training

Although employers are responsible for complying with the “required” HIPAA training requirements for dental offices, there is a scenario in which employees should take responsibility for privacy awareness if additional training is not provided by their employer. This scenario exists because HIPAA requires covered entities to impose sanctions for HIPAA violations, even if the violated standard has not been covered in the employer’s HIPAA training.

Sanctions can be imposed for any violation of the HIPAA Privacy Rule or HIPAA Breach Notification Rule (§164.530(e)) or for any failure to comply with an employer’s Security Rule policies and procedures (§164.308(a)). For example, if a hygienist discloses PHI about a patient on social media, but impermissible disclosures of PHI have not been covered in the dental office HIPAA training, the employer is still required to sanction the hygienist.

To avoid inadvertent HIPAA violations attributable to a lack of HIPAA knowledge or the failure to understand HIPAA policies and procedures, workforce members can take external privacy awareness training. External privacy awareness courses are widely available, but it is important to subscribe to a course that has been accredited by a recognized training assessor – i.e., the American Health Information Management Association (AHIMA).

HIPAA Training for Dental Offices: FAQs

What is the difference between an accidental disclosure and an incidental disclosure?

An accidental disclosure is one in which PHI is disclosed by itself, while an incidental disclosure is a secondary disclosure to a permissible disclosure. While in practice there is little difference between the two, an accidental disclosure which impermissibly discloses PHI is a violation of HIPAA, while an incidental disclosure is regarded as a “customary health related communication” that plays a role in ensuring patients receive prompt and effective health care.

Do staff in a dental office also have to undergo security and awareness training?

All members of a covered entity’s or business associate’s workforce have to undergo security and awareness training even if they have no access to systems or databases containing PHI. This is because any member of a workforce can fall victim to a phishing email that enables a cybercriminal to gain access to a dental office’s network and move laterally through the network to access PHI. Alternatively, the cybercriminal could use the access to deploy ransomware that could cripple the organization’s computer network.

How do disruptive patients impact the nature of patient communications?

Disruptive patients can be stressful to deal with and can create treatment delays which may cause waiting patients to become ill-tempered. During times when emotions may be running high, it can be difficult to remain compliant with standards relating to patient confidentiality – for example, loudly asking a patient by name to control their disruptive children. For this reason, it can be beneficial to simulate real-life scenarios during HIPAA training for dental offices.

If a dental office does not process HIPAA-covered transactions, is HIPAA training still necessary?

If a dental office does not process HIPAA-covered transactions (i.e., it bills customers directly), it does not qualify as a HIPAA covered entity and does not have to comply with the HIPAA training requirements for dental offices. However, if the dental office provides a service for or on behalf of a HIPAA covered entity that involves disclosures of PHI, the dental office becomes a business associate of the HIPAA covered entity.

As a business associate, the dental office must comply with the HIPAA Security Rule and the HIPAA Breach Notification Rule. Consequently it must comply with the Security Rule HIPAA training requirements. Depending on the nature of the services provided for or on behalf of the covered entity, it may also have to provide Privacy Rule HIPAA training for dental offices to members of the workforce with access to PHI.

What happens if a dental office fails to provide HIPAA training to staff?

If a dental office fails to provide “required” HIPAA training to staff, and the failure results in a privacy complaint being escalated to HHS’ Office for Civil Rights, the federal agency may conduct a compliance investigation into the dental office. If the complaint is upheld, the dental office will not only be sanctioned for the violation that prompted the complaint, but also for any other compliance failing – including the failure to comply with the HIPAA training requirements.

If a dental office fails to provide additional privacy awareness training for dental practices, and a complaint is escalated to HHS’ Office for Civil Rights, the consequences depend on whether the federal agency attributes a compliance issue to the failure of the dental office to conduct a risk assessment and address a lack of knowledge identified by the assessment, or to the failure of a workforce member to obtain an understanding of HIPAA.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/