Drilling down on compliance: How the HIPAA privacy, security, and breach notification rules apply to dentists

With both individual complaints and compliance reviews by the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), leading to an increase in enforcement actions, it is now more important than ever that covered entities and business associates comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules (collectively, the HIPAA Rules). A covered entity is a health plan, a healthcare clearinghouse, or a healthcare provider who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard. According to HHS, health care providers include doctors, clinics, psychologists, chiropractors, nursing homes, pharmacies, and dentists. HHS offers an online decision tool that helps determine whether or not you are a covered entity.

Assuming that, as a dentist, you are a HIPAA-covered entity, it is vital that you have policies and procedures in place addressing the HIPAA Rules. This starts with a notice of privacy practices (NPP), pursuant to 45 CFR § 164.520. An NPP must be provided to patients no later than their first visit (with a good-faith effort to obtain a written acknowledgment of receipt), posted in a clear and prominent location in your office, and posted on your website if you maintain one. The NPP, among other things, should include: how you as a provider use and disclose protected health information (PHI); your duty to protect PHI; information about how individuals can file a complaint with your office or with HHS OCR; and patients' rights to request access, an accounting of disclosures, an amendment, and so on.

Addressing patients' rights in the NPP alone is not enough. As a dentist you must designate a privacy officer who is responsible for overseeing your policies and procedures related to the HIPAA Privacy and Breach Notification Rules. You must also designate a security officer to oversee the policies and procedures related to the HIPAA Security Rule. These policies (the "why") and procedures (the "how") should be the backbone of your clinic. Policies and procedures addressing the Privacy Rule will guide why and how you interact with your patients when they request access to their medical records or request an accounting of disclosures of their PHI. They will also address how you handle interactions with patients' personal representatives and the safeguards your practice must put in place to protect patients' PHI.

Policies and procedures related to the Breach Notification Rule are in place to ensure that, when a breach of unsecured PHI is discovered, notification is provided in a transparent manner to the affected individuals without unreasonable delay and no later than 60 days after discovery, to HHS, and, for breaches affecting more than 500 residents of a state or jurisdiction, to prominent media outlets serving that area.

The only thing worse than not following policies and procedures is not having policies and procedures in place. If you have questions or want to discuss your current posture, please contact Spencer Pollock at spollock@mcdonaldhopkins.com or Will Lawton at wlawton@mcdonaldhopkins.com.
