What HIPAA Rules Must Dentists Follow?

The Health Insurance Portability and Accountability Act lays down a set of provisions which must be followed by doctors and nurses in hospitals and clinics, but what HIPAA Rules do dentists have to follow, if any?

A large number of dental practices are single-facility operations, meaning that they are not part of a chain or a larger health care network. Even though a practice may be small, it must still follow the HIPAA rules if it electronically transmits insurance claims or other inquiries, such as eligibility requests, pre-determinations, claim status questions, or treatment authorizations, to outside parties.

If the dental clinic sends correspondence of these types to health insurance payers or to the business associates of health insurers, or if the clinic's own business associates have access to protected health information (PHI), then the clinic is obliged to implement and follow the HIPAA rules.

Where this is the case, procedures must be introduced to ensure that the staff at the dental clinic know how to correctly handle, treat, and protect PHI. These procedures should cover not only how information may or may not be communicated to colleagues and patients, but also how it may be communicated to business associates and other third parties.

What HIPAA Rules do Dentists Need to Follow?

Dentists are obligated to respect three of HIPAA’s central Rules: the Privacy Rule (2003), the Security Rule (2005), and the Breach Notification Rule (2009). As these are subject to change and given that they may be affected by other legislation such as the HITECH Act (2009) or the Final Omnibus Rule (2013), dental offices and staff should stay up to date on changes to federal and local laws. The most important aspects for dentists to consider include:

  • Knowing which details are classified as Protected Health Information
  • Knowing how to appropriately use and share Protected Health Information
  • Ensuring adequate security measures to maintain the integrity of Protected Health Information
  • Following the “Minimum Necessary Rule”
  • Using Protected Health Information only as appropriate, in particular understanding the limitations in relation to use for marketing purposes
  • Following necessary statutes relating to how patients can view their personal information and ensuring adequate privacy policies are in place.

Any business associate that may have access to PHI must be covered by a HIPAA-compliant business associate agreement before it is given access to the information.

HIPAA Security Rule Considerations

There are three “requirements” called for under the HIPAA Security Rule: technical requirements, physical requirements and administrative requirements.

Technical requirements deal mainly with electronic security issues such as storage and transfers. Physical requirements cover the physical security of the location, such as who can reach computers or server rooms, off-site information backups, and some elements of the layout of the clinic itself. Administrative requirements deal mainly with introducing the organizational procedures and positions necessary to ensure accountability and responsible use of systems, such as organizing training, overseeing policies, and auditing adherence and compliance.

In many areas, the three requirements will need to work in harmony to ensure PHI is protected. For example, mobile devices that allow access to PHI will need compliant use policies and technical safeguards, with physical aspects of use to be considered as well.