What are the HIPAA Rules for Dentists?
Many dental offices and dental practitioners are self-contained entities. However, HIPAA rules for dentists apply to any dental office that sends claims, eligibility requests, pre-determinations, claim status inquiries or treatment authorization requests electronically.

If a dental office transmits any of the above transactions directly to a payer, or uses the services of a business associate – who has access to individually identifiable health information – the HIPAA regulations for dental offices also apply, and the dental office must implement certain standards to comply with HIPAA rules.

Dental office employees are expected to be instructed on procedures for the use, disclosure and safeguarding of Protected Health Information (PHI) in dealings with patients, colleagues, business associates and third-party service providers. If a violation occurs, ignorance of HIPAA rules due to inadequate instruction is not deemed a viable excuse.

HIPAA Rules for Dentists

The Privacy Rule (2003), Security Rule (2005) and Breach Notification Rule (2009) are all included in the HIPAA Rules for Dentists. Dentists and Dental Offices should also ensure they are familiar with any relevant changes to these Rules enacted in the HITECH Act (2009) and Final Omnibus Rule (2013).

The key areas of the HIPAA Privacy Rule for dentists are:

  • The personal identifiers considered to be Protected Health Information.
  • The permissible uses and disclosures of Protected Health Information.
  • Safeguards to implement to protect the privacy of patient health information.
  • An explanation of the Minimum Information Necessary rule.
  • Restrictions on the use of Protected Health Information for marketing.
  • Patient access to medical information and notice of privacy practices.

If a Covered Entity (CE) has any queries regarding any of these elements of the HIPAA Privacy Rule for Dentists, or about signing Business Associate Agreements with any non-employee who has authorized access to patients’ records, it is recommended to seek legal advice so as not to accidentally commit a violation of the HIPAA Rules.

The HIPAA Security Rule and Dentists

The HIPAA Security Rule can be broken down into three sets of “requirements” – technical requirements, physical requirements and administrative requirements – which must be adhered to by CEs.

The technical requirements cover how patient information may be communicated electronically (for example, SMS, Skype and email are all deemed to be insecure methods of communicating PHI). The technical requirements also detail the processes and controls that must be implemented to protect PHI both at rest and in transit.

The physical HIPAA regulations for dental offices concern the security of computer systems and the environment in which the computer systems are situated. The regulations stipulate that dental offices must establish a facility plan and a contingency plan for use in the event of an emergency. Furthermore, they must implement validation procedures to restrict physical access to PHI stored on the computer systems.

The administrative HIPAA rules for dentists require that system administrators are appointed to select and implement a compliant communications system in the dental office. Administrators are also responsible for developing “best practice” policies, training dental office employees on the use of the compliant communication system, monitoring activity on the system, and ensuring HIPAA compliance by Business Associates.