Quality Resource Guide | HIPAA and the Dental Office 1st Edition | www.metdental.com
Patients also need to be informed of the privacy practices of the dental practice. A Notice of Privacy Practices, which summarizes the office’s privacy policies, should be provided to patients at or before their first appointment, and a signature should be obtained to confirm its receipt. In addition, practices should post this Notice in a public place within their practice.[10]
As most health records are now stored digitally, the HIPAA Security Rule establishes standards to protect an individual’s electronic PHI (e-PHI). The first step in complying with the HIPAA Security Rule is to conduct a risk analysis, which can reveal where the practice’s e-PHI may be at risk. The following questions should be addressed during a risk analysis:
•
Has the office identified all the e-PHI in the organization, including where it is created, received, maintained and transmitted?
•
What are the external sources of e-PHI?
•
What are the human, natural and environmental threats to the information systems that contain e-PHI?
HHS offers a Security Risk Assessment tool (https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool) to assist in compliance.[11]
HIPAA Violations and
Consequences
A breach of PHI may still occur even with policies and procedures in place. A breach is defined as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” If a covered entity identifies a breach, it must notify the affected individuals, the HHS Secretary and, in some instances, the media. Covered entities must notify affected individuals without unreasonable delay and no later than 60 days following the discovery of the breach. The following information should be included in the notification:
•
Brief description of the breach
•
Description of the types of information
involved in the breach
•
Steps the individual should take to protect
themselves from potential harm
•
Description of what the practice is doing to
investigate the breach, mitigate harm, and
prevent future breaches
•
Contact information for the practice
The breach must also be reported to the HHS Secretary through the HHS Breach Portal. If the breach affects 500 or more people, the HHS Secretary must be notified without unreasonable delay and no later than 60 days following the discovery of the breach. If fewer than 500 people are affected, the practice may log the breach and report it annually, no later than 60 days after the end of the calendar year in which the breach was discovered. If the breach affects more than 500 residents of a state or jurisdiction, the practice is also required to provide notice to prominent media outlets serving that state or jurisdiction. This notice could be a press release and would need to be provided within 60 days following the discovery of the breach.[12]
Breaches of the HIPAA regulations can be costly. Civil penalties under the original HIPAA penalty schedule ran up to $25,000 for repeated violations of a single standard within a calendar year, and the HITECH Act has since raised the civil penalty caps substantially; criminal penalties can include fines up to $250,000 and/or imprisonment for knowing misuse of PHI.[13]
As the implementation of the HIPAA laws and rules progresses, the rules continue to evolve, and it is essential that the Privacy Officer and the practice stay up to date on changes. Currently (2021), there are pending changes to the HIPAA Privacy Rule which would:
•
allow a patient to inspect their PHI in person and to take notes or photograph their PHI;
•
shorten the maximum time to provide access to PHI from 30 days to 15 days;
•
require posting of estimated fee schedules on websites;
•
drop the requirement to obtain written confirmation that a Notice of Privacy Practices was received;
•
define an “electronic health record”.[14]
These changes have not been approved, but they demonstrate that the rules change and should be monitored.
Conclusion
The HIPAA laws and rules are essential in protecting patient privacy, but implementing all of the required standards can be complex for a dental practice. The American Dental Association provides several resources that may be helpful in establishing dental office policies and procedures to comply with the HIPAA laws and rules:
•
ADA Complete HIPAA Compliance Kit. Available through the ADA Store: https://ebusiness.ada.org/productcatalog/product.aspx?ID=596
•
ADA Practical Guide to HIPAA Compliance: Privacy and Security Manual. Available through the ADA Store: https://ebusiness.ada.org/productcatalog/2020/HIPAA/J594BT
•
ADA Practical Guide to HIPAA Training. Available through the ADA Store: https://ebusiness.ada.org/productcatalog/595/HIPAA/The-ADA-Practical-Guide-to-HIPAA-Training/J596BT
The HIPAA law and Privacy Rules were created to set a national standard for protecting health information. The dental team plays an integral role in complying with the HIPAA Privacy Rules and protecting patients’ health information. The HIPAA Privacy Rules are updated periodically; the appointed Privacy Officer should review these changes and make appropriate revisions to the practice’s privacy policies. By following practices that reduce the risk of a breach of PHI, the dental office can protect the PHI of its patients and comply with the HIPAA Privacy Rules.