HIPAA Compliance for Dental Offices in 2017

Compliance with the Health Insurance Portability and Accountability Act (HIPAA) for dental offices in 2017 is easier said than done. Even dental offices with a relatively good understanding of HIPAA’s Privacy, Security, and Breach Notification Rules may still be caught off guard by any one of HIPAA’s gray areas.

Dental practices are at greater risk than ever of being hit with steep fines imposed by government agencies for failure to follow applicable dental practice regulations.

Dentists are at risk of being fined thousands of dollars or much more by agencies such as the Occupational Safety and Health Administration (OSHA), the Office of Civil Rights (OCR, which handles HIPAA), the Drug Enforcement Agency (DEA), and the Environmental Protection Agency (EPA). Violations and fines have been increasing recently.

Several states have discovered that OSHA violations can be a source of revenue in this time of tight budgets. Something as simple as failing to have an updated pathogen exposure control plan can trigger a $2,500 fine, while HIPAA violations can cost an office up to $1.5 million. Criminal penalties for a breach of HIPAA protocols can result in 10 years in prison. Any of these violations can produce a years-long and life-disrupting investigation, a practice-killing fine, or a life-changing prison sentence.

There is no better time for dental practices to ensure that they are in compliance, regardless of whether they have been recently selected for an audit or not.

Steps dental offices can take to prevent regulatory fines

Federal regulations that apply to your dental practice

For those dentists with the patience and bandwidth for self-help, a comprehensive list of applicable dental regulations can be compiled by checking these websites:

Dentists can help protect their practices from HIPAA violations by purchasing and implementing the concepts in the American Dental Association’s Complete HIPAA Compliance for Dental Offices in 2017 Kit, available at ADACatalog.org. Other training courses can be found by accessing the Commission for Continuing Education Provider Recognition Course Listing.

Identify who’s in charge

HIPAA requires that someone on staff be designated as the privacy officer and/or security officer. Both the privacy officer and the security officer must know, or quickly learn, the ins and outs of implementing HIPAA in the office.

The privacy officer is responsible for setting up and implementing compliance policies and procedures for the privacy of patient information. His or her duties go beyond creating, posting, and distributing the office’s Notice of Privacy Practices. This person also handles patient questions about HIPAA, requests for information, authorization, and health records.

The duties of the security officer focus on ePHI (Electronic Protected Health Information). He or she must be able to evaluate the practice’s digital security risks from threats such as hacking, malware, and viruses, and see that measures are put in place to ensure that the practice’s electronic information is, and remains, safe.

Develop and document policies and procedures

In most practices, it will fall to the privacy officer and/or security officer to make sure the “policies and procedures” part of the compliance process is in place. The place to start is with the existing policies and procedures for the day-to-day functioning of the office. If none have ever been documented, they need to be.

The policies and procedures required by HIPAA add a new dimension to the practice’s basic policies and procedures. HIPAA requirements include things such as:

  • Data backup and recovery plans
  • Security procedures
  • Business associate agreements
  • Processes for managing risk
  • Procedures for reporting a breach
  • Procedures for providing ongoing HIPAA training for staff

Each health-care office needs to specifically define how it is going to deal with these issues. Accomplishing this takes more than talk. It requires documentation, so that everyone who works in the office knows, or can easily look up, how the practice handles matters related to HIPAA. It also requires an ongoing effort to keep the staff trained in the updated policies and procedures that reflect the most recent versions of the law.

Perform a risk analysis

A risk analysis examines whether the way a practice handles ePHI (Electronic Protected Health Information) exposes the confidentiality, integrity, or availability of that information to risk. It starts with questions like:

  • Where does this office store data and how is that data transferred?
  • What are the potential risks and vulnerabilities in the systems used?
  • What is the likelihood of data being compromised?
  • If data is compromised, what impact would that have on the office and its patients?

A risk analysis should be performed annually or whenever there has been a change in the technology the office uses in connection with patient health information, for instance, a new computer system, server, or router.

You can download our sample Data Breach Risk Scan here: Data Breach Risk Scan.

Give the Data Breach Risk Scan a try today and begin reducing your exposure before the inevitable happens. The free trial runs for 14 days and includes up to 5 devices. Windows, Linux and Mac OS X systems are supported.


Some of the powerful features include:

  • Data risk communicated as financial impact
  • At-risk data discovery
  • Deep vulnerability scanning
  • Risk trending reports
  • Discovery of inappropriate access and alerts
  • PCI, PAN & PII scans
  • and more

How important is it to perform and document a risk analysis regularly? Recent HIPAA enforcement actions have cited a missing or outdated risk analysis as the basis for penalties and fines in excess of $1 million!


Create a Mitigation Plan

The risk analysis identifies potential problems and vulnerabilities. A mitigation plan addresses, “What is our office going to do about all that?”

Each risk should be evaluated for the likelihood of it happening and the consequences to the practice if it does. A mitigation plan needs to include not only how each identified risk is going to be handled, but also the estimated date by which the problem will be fixed.

Again, HIPAA auditors will want to see documented proof that an office has a plan like this in place.
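The likelihood-and-consequence evaluation and the planned fix dates described above are easiest to keep (and to show an auditor) as a written risk register. The block below is an added example in Python, not code from the original article or from any HIPAA guidance: the 1-to-5 likelihood and impact scales, the rating bands, the sample risk entries and the `AS_OF` reference date are all constructed for illustration, and an office would substitute its own findings.

```python
from dataclasses import dataclass
from datetime import date
from typing import List


@dataclass
class Risk:
    """One entry in the practice's risk register (constructed example structure)."""
    asset: str            # where ePHI lives or moves (e.g. practice server, staff email)
    threat: str           # what could go wrong with it
    likelihood: int       # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int           # 1 (negligible) .. 5 (severe, many patients affected); assumed scale
    mitigation: str       # what the office will do about it
    target_date: date     # when the fix is planned to be complete
    done: bool = False    # set once the mitigation is in place and verified

    def __post_init__(self) -> None:
        # Reject scores outside the agreed scale so the register stays comparable.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        """Likelihood times impact; 25 is the worst case on this scale."""
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        """Coarse band (assumed thresholds) used to decide how urgently a fix is needed."""
        if self.score >= 15:
            return "high"
        if self.score >= 8:
            return "medium"
        return "low"


def prioritized(register: List[Risk]) -> List[Risk]:
    """Open risks, worst score first (earliest due date breaks ties)."""
    open_risks = [r for r in register if not r.done]
    return sorted(open_risks, key=lambda r: (-r.score, r.target_date))


def overdue(register: List[Risk], as_of: date) -> List[Risk]:
    """Open risks whose planned fix date has passed; these need a new date and a reason in the plan."""
    return [r for r in register if not r.done and r.target_date < as_of]


def summary_lines(register: List[Risk], as_of: date) -> List[str]:
    """Plain-text rows, worst first, suitable for the documented mitigation plan."""
    lines = []
    for r in prioritized(register):
        status = "OVERDUE" if r.target_date < as_of else "open"
        lines.append(
            f"{r.rating:6} {r.score:2}  {r.asset}: {r.threat} -> {r.mitigation} "
            f"(due {r.target_date}, {status})"
        )
    return lines


# Constructed sample register: illustrative entries, not findings from any real practice.
SAMPLE_REGISTER = [
    Risk("practice server", "nightly backups never test-restored", 3, 5,
         "test a restore quarterly and record the result", date(2017, 3, 31)),
    Risk("front-desk laptop", "ePHI on an unencrypted disk; laptop leaves the office", 3, 4,
         "enable full-disk encryption", date(2017, 2, 15)),
    Risk("staff email", "patient records forwarded to personal accounts", 4, 4,
         "secure messaging platform plus staff training", date(2017, 4, 30)),
    Risk("office Wi-Fi", "guest network shares the LAN with practice systems", 2, 3,
         "separate guest network", date(2017, 1, 31), done=True),
]

AS_OF = date(2017, 3, 1)  # constructed reference date for the review

if __name__ == "__main__":
    for line in summary_lines(SAMPLE_REGISTER, AS_OF):
        print(line)
    print(f"{len(overdue(SAMPLE_REGISTER, AS_OF))} risk(s) overdue as of {AS_OF}")
```

Running the block prints the open risks worst first and flags the laptop encryption item as overdue, which is exactly the kind of dated, prioritized record an auditor asks to see; the completed Wi-Fi entry stays in the register as evidence that the risk was identified and closed.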

The Office of Civil Rights, according to a news release, presumes all cyber-related security incidents where protected health information was accessed, acquired, used or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident or the entity determines, through a written risk assessment, that there was a low probability that the information was compromised during the breach.

The HIPAA Security Rule requires HIPAA-covered entities and business associates to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.

The HIPAA Security Rule also requires HIPAA-covered entities and business associates to establish and implement contingency plans, including data backup plans, disaster recovery plans and emergency mode operation plans.

A new checklist from the federal government offers resources to dentists in the event of a cyberattack. The checklist and an accompanying infographic from the U.S. Department of Health & Human Services Office for Civil Rights are available online.

Email and Text messages: HIPAA Compliance for Dental Offices in 2017

HIPAA applies to emails and text messages sent to a patient, such as for scheduling or appointment reminders. HIPAA also applies to emails and texts sent to another provider about a referral, with diagnostic images, or to discuss treatment. Here’s the kicker—HIPAA applies when a dentist emails patient records or information from a work email account to a personal email account, even if the dentist is doing so simply to finish up work from home later that evening.

HIPAA doesn’t completely prohibit using emails and texts to communicate with patients or other providers about patients. But HIPAA does require dentists to use security measures when doing so, such as encryption or secure messaging platforms. Alternatively, dentists need to obtain consent from patients to send protected information via unsecured email or text. Sending protected information over unsecured emails or texts without a patient’s consent can violate HIPAA.

All dental offices, even those that use encryption or secure messaging systems, should consider having all patients complete an email and text message consent and preference form that confirms their preferences about emails and texts. Doing so would allow dentists to communicate with their patients consistent with their desires. It would also give patients a chance to consent to the use of unencrypted emails or texts.

Consent forms would also help dentists with another significant hazard that comes with calling or texting a patient’s cell phone—the Telephone Consumer Protection Act (TCPA). TCPA is the federal law that protects consumers from unwanted telephone calls and faxes. TCPA prohibits making auto-dialed and pre-recorded calls and texts to cell phones (e.g., auto-generated appointment reminders) without the prior express consent of the called or texted party. Sanctions for violating the TCPA can be huge—$500 per violation (per call or text message).

For all of these reasons, having every patient review and sign a well-written consent and preference form, and then following the patient’s preferences, is a good idea that will keep your dental practice HIPAA compliant.


Texas IT Professionals Risk Intelligence rapidly uncovers three types of threats: sensitive data, vulnerabilities and access permissions. These findings are weighted to automatically calculate a Security Number for each device. This patented approach is non-intrusive and has been proven on over 700,000 scans of servers, PCs/Macs and mobile devices.

