Does HIPAA Apply to Dentists?

There is no straightforward answer to the question “does HIPAA apply to dentists?” because there are times when dentists may not qualify as HIPAA Covered Entities, times when services provided by dentists are not covered by HIPAA regulations, and times when dentists may not have to follow HIPAA privacy or security standards.

While healthcare providers are often assumed to be HIPAA Covered Entities, that's not always the case. HIPAA defines Covered Entities as health plans, health care clearinghouses, and healthcare providers who transmit health information in electronic form in connection with a transaction for which the Department of Health & Human Services has adopted standards (see 45 CFR § 160.103).

Most dentists meet this definition because they use electronic communications to check patient eligibility, coordinate benefits, and make claims for payment (or use a billing service to perform these activities on their behalf). However, there are some dentists who may still use non-electronic channels of communication to perform “covered transactions”. In such cases, the answer to “does HIPAA apply to dentists?” would be “no” – except in certain circumstances.

These circumstances include when a dentist who does not qualify as a HIPAA Covered Entity (Dentist A) provides a service for or on behalf of a dentist who does qualify as a HIPAA Covered Entity (Dentist B). In this case, Dentist A is a Business Associate of Dentist B and has to comply with any HIPAA privacy and security standards included in the Business Associate Agreement until such time as Dentist A no longer provides a service for or on behalf of Dentist B.

Does HIPAA Apply to Dentists in Schools?

One example of how complicated it is to answer the question “does HIPAA apply to dentists?” relates to school dentists. This is because, when dentists provide services to students, the health information created, used, or disclosed by the dentist is covered by the Family Educational Rights and Privacy Act (FERPA), which regards students' medical records as part of their educational records.

Therefore, if a dentist only practices in schools, colleges, and/or universities – and they only treat students – HIPAA does not apply. However, if the dentist also provides services for school staff or members of the public (i.e., in a medical school), the dentist becomes a “hybrid entity” with the students' medical records protected by FERPA kept separate from the records protected by HIPAA.

Additionally, if a student is referred to a non-school dentist through a school-based dental health program, the referral is included in the student's educational record, but any health information created, maintained, or disclosed as a result of treatment in the dental office is subject to HIPAA. As mentioned previously, the question “does HIPAA apply to dentists?” can be complicated to answer!

When Might Dentists Not Have to Follow HIPAA Standards?

There are many examples of when dentists may not have to follow HIPAA standards. These include:

Under the Privacy Rule, dentists are required to disclose health information to patients or their personal representatives when they request access to it. However, in the case of minor patients, dentists do not have to follow this standard if they believe the minor “is subject to domestic violence, abuse, or neglect by the [parent] or doing so would otherwise endanger the individual”.

With regard to the Security Rule HIPAA standards, there is a clause in the General Rules (45 CFR § 164.306(b)) which permits Covered Entities to adopt a “flexible approach” to which security measures are implemented to comply with the Administrative, Physical, and Technical Safeguards. This clause enables dentists (when justified) to not follow some Security Rule HIPAA standards.

There are also exceptions to the Breach Notification standards that exempt dentists from notifying individuals affected by a data breach (and HHS' Office for Civil Rights) if there is a low probability that health information has been compromised. HHS' Office for Civil Rights explains the criteria for this exemption in the definition section of this Breach Notification Rule Summary.

Conclusion: There is No Straightforward Answer

As is evidenced by the above, there is no straightforward answer to the question “does HIPAA apply to dentists?”; if you are a dentist concerned about your HIPAA status, or a Privacy Officer wanting to know more about HIPAA exemptions, it is recommended you speak with a compliance expert.