HIPAA FAQs for Dental Offices
The following questions are answered below:
- When is a dentist or a dental office considered to be a covered entity?
- Must I use the standard transactions and code sets?
- What must I do to comply with the privacy rule?
- What must I do to comply with the security rule?
When is a dentist or a dental office considered to be a covered entity?
The definition of a covered entity includes any health care provider who transmits any health information in electronic form in connection
with one of the named transactions. Thus, if a dentist or dental office sends claims, encounters, pre-determinations, eligibility requests,
claim status inquiries or treatment authorization requests electronically, then that dentist or dental office is a covered entity
and is subject to HIPAA.
Must I use the standard transactions and code sets?
If a dental office transmits any of the above transactions directly to a payer, then they must use the appropriate standard
transaction format. A dental office may contract with one or more clearinghouses, which could accept transactions in non-standard
format for the purpose of converting them into the standard format on their behalf.
What must I do to comply with the privacy rule?
Dental offices must designate a Privacy Official, who will ensure that the office is implementing the privacy policies required by HIPAA.
The Privacy Official will ensure that patients have the right to access their files and to obtain copies of their health information when
requested. Patients also must have the ability to amend or correct their individual health information. If the patient does amend their file,
then the dental office must send copies of the amendment(s) to any prior recipients of health information for the patient.
Dental offices will need to create a document that describes their information practices and will have to post the document in a
prominent place where potential patients may see it. The office must notify existing patients of their information practices no later
than their first appointment after the privacy rule is mandated for use. The privacy notice should describe uses and disclosures of
patient health information that the practice is permitted or required to make without a patient's consent or authorization.
Dental offices will need to obtain consent from patients for three different purposes. First is the patient's consent that addresses
the use and disclosure of protected health information for treatment, payment and health care operations. The second form of consent
addresses the use and disclosure of protected health information with which the patient may agree or disagree. The third form of
consent addresses all other uses of protected health information.
Dental offices must keep a log of uses and disclosures of health information for each patient. Normal uses, defined as disclosure
for treatment, payment and/or health care operations, require a generic log entry. All other disclosures require special written
authorization and must be kept on file for seven years.
Dental offices frequently use the services of business associates. Examples of business associates would include: accounting firms
and consulting firms. The dental office is required to take steps, including executing contracts with each business associate,
that ensure that the associate is also protecting the privacy of individually identifiable health information.
The dental office is responsible for monitoring the activities of their business associates to assure HIPAA compliance. If the office
becomes aware of compliance violations by one of their business associates, and makes no attempt to correct the problem, then
the dental office may become liable for failure to comply with HIPAA. Specific responsibilities and duties of each business associate
must be documented in a specific contract, called a business associate contract, between the dental office and its business associate.
Each employee of the dental office who has access to protected health information must receive training in the policies and procedures
for the use, disclosure and safeguarding of the information. Training sessions must be documented and kept on file.
The dental office must implement procedures that allow individuals to file complaints concerning potential privacy violations. The
office must document all complaints, whether written or oral, and the disposition of those complaints, if any.
What must I do to comply with the security rule?
Dental offices must comply fully with each of the four parts of the security rule: administrative procedures, physical safeguards,
technical security services and technical security mechanisms. The office must name a Security Official who will be responsible
for ensuring that all policies and procedures are fully documented and implemented.