Unfortunately, there is no simple answer to the question, “does HIPAA apply to dentists?” The response will depend on a number of factors, from the State in which the dentist is practicing to the exact role of the dentist.
The Department of Health and Human Services stipulates that dentists are only considered to be Covered Entities if they “transmit information in an electronic form in connection with a transaction for which the Department of Health and Human Services has adopted a standard”. These transactions include eligibility checks, claims information, or treatment authorization.
Importantly, the definition only includes information that has been transmitted electronically. This means that any dentist who relies solely on physical or verbal communications (such as faxes or telephone calls) is not actually covered by HIPAA. This may be unlikely in this day and age, but it is important to know that the exception does exist. If electronic communication is used for even one type of transaction, the dentist is considered a Covered Entity and HIPAA applies to all of their transactions.
Even if a dentist does not qualify as a Covered Entity, they may still be covered by HIPAA if they provide a service to another dental practice that is a CE. Under these circumstances, the dental practice is a Business Associate, and must enter into a Business Associate Agreement with the CE. This BAA will outline its duties under HIPAA. Dentists should also ensure that they enter into a BAA with any third parties that they contract to perform services that use PHI.
In some cases, dental records are not covered by HIPAA because they are protected under a more stringent piece of legislation. For example, a student’s medical record is considered part of their education record, and as such is protected by the Family Educational Rights and Privacy Act (FERPA). FERPA has more stringent privacy and security requirements than HIPAA, so it pre-empts HIPAA.
Dentists may alternatively qualify as a hybrid entity. This means that HIPAA will sometimes apply to them, and other times it will not. For example, if a dentist sometimes works in a school (and is therefore subject to FERPA) they may be a hybrid entity.
To ensure HIPAA compliance, all dentists that qualify as Covered Entities must appoint a HIPAA Privacy Officer and HIPAA Security Officer. These two roles may be combined into a single “HIPAA Compliance Officer” if the dental practice is small. These Officers oversee HIPAA compliance within the organization, and can act as a point of contact to whom employees and patients direct HIPAA complaints and concerns. If a dentist practices by themselves, they must appoint themselves the HIPAA Compliance Officer.
Therefore, most of the time, the answer to “does HIPAA apply to dentists” is a firm “yes”. Yet there are important exceptions – notably when a separate piece of legislation takes precedence over HIPAA, or if a dental practice does not use any electronic forms of communication.