Why HIPAA-Compliance matters to your Dental Practice


What is HIPAA?

HIPAA-compliance is vital for any healthcare professional, including dentists. Before the Health Insurance Portability and Accountability Act of 1996 (HIPAA), there was no standardized set of security requirements for dealing with patients’ protected health information. HIPAA required the Secretary of the U.S. Department of Health and Human Services (HHS) to protect the security and privacy of personal health information. To accomplish this, HHS published two rules, the HIPAA privacy rule and the HIPAA security rule.


The following are the definitions of the privacy rule and the security rule, according to hhs.gov:


HIPAA Privacy Rule


“The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.”


HIPAA Security Rule


“The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”


According to the security rule, there are three categories of safeguards for HIPAA-compliance: Administrative, Physical, and Technical.


Administrative Safeguards

The administrative safeguards include security management process, security personnel, information access management, workforce training and management, and evaluation. 


  • Security Management Process means your dental office needs to perform a risk analysis, identifying possible risks to your patients’ ePHI (Electronic Protected Health Information). Once you identify the possible risks, you are responsible for implementing security measures that reduce those risks and vulnerabilities to a reasonable and appropriate level.
  • Security Personnel requires that your office designate a security official. This is the person responsible for implementing the security procedures you identify once you have completed the risk assessment. This individual may also help develop those procedures. 
  • Information Access Management means that the only people in your office who should have access to a patient’s ePHI are those whose role, or job, requires it. You should also have a written policy governing this access.
  • Workforce Training and Management requires that your dental office provide training on its security policies and procedures, and have sanctions in place for employees who violate them.
  • Evaluation is a regular assessment of how well your office’s security policies and procedures meet the requirements of the security rule that make you HIPAA-compliant.


Physical Safeguards

The second of three safeguards covers physical HIPAA-compliance, which includes facility access and control, and workstation and device security.


  • Facility Access and Control requires limiting physical access to the areas of your office in which protected health information is stored, and making sure only authorized personnel can gain entry.
  • Workstation and Device Security covers the security measures and policies surrounding access to workstations and electronic media that may contain ePHI. These policies must specify how electronic media are used, re-used, disposed of, transferred, or removed, so that your patients’ ePHI is appropriately protected at each step.


Technical Safeguards

The third and final safeguard category is technical. Technical HIPAA-compliance includes access control, audit controls, integrity controls, and transmission security. 


  • Access Control means that your office must have policies and technical measures that restrict access to ePHI to authorized personnel only.
  • Audit Controls require your office to be able to record and examine access and activity in the information systems that store or use ePHI, whether through hardware, software, or another mechanism.
  • Integrity Controls have to do with making sure ePHI is not improperly altered or destroyed, and that any such tampering can be detected.
  • Transmission Security means your office must have technical security measures in place to guard against unauthorized access to ePHI while it is being transmitted.


Addressable vs. Required Standards

Some of the safeguards are labeled “addressable”, while others are “required”. Required safeguards must be implemented, and include doing a risk assessment, and having certain plans in place for protecting ePHI. Addressable safeguards aren’t “optional”, but they are more flexible in their implementation. Your office can determine if those safeguards are appropriate and reasonable for your particular situation – some may not be. In those cases, the security rule allows for alternative appropriate measures to maintain HIPAA-compliance. A full list of the safeguards and their specification as Required or Addressable can be found at hipaajournal.com.


Other Requirements and Laws

Your dental office is expected and required to have procedures and policies in place to maintain HIPAA-compliance under the security rule. Furthermore, documentation of such policies must be kept on file for a period of six years after they are created or last updated. Much of the HIPAA security rule language is intentionally vague, to allow for reasonable flexibility among varied health care providers and their business associates who transmit ePHI. That said, the policies and procedures are for your own protection as well as the protection of your patients’ health information. If you know of an activity that violates HIPAA-compliance, you need to take reasonable steps to correct the violating activity. This extends to your relationships with your business associates.


The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009, requires that your dental office obtain reasonable assurance, in writing, that any business associate with whom you share patients’ ePHI will likewise appropriately maintain HIPAA-compliance. Business associates can include companies your office works with to do claims processing, data analysis, billing, benefit management, and more. Check the detailed guide to business associates on hhs.gov.


If your state has particular laws that are contrary to HIPAA, they are superseded by the federal law. The HHS Office for Civil Rights (OCR) is responsible for enforcing HIPAA-compliance.


What Steps Can You Take?

While you should already be taking strides to ensure your dental office is HIPAA-compliant, the fact is that some people reading this may realize they have some work to do. Perhaps you haven’t been protecting the transmission of your patients’ ePHI the way you should be. Are the emails you send and the forms on your website encrypted? If not, you can read more about maintaining HIPAA-compliance with a website package from Dental Website Builders. We offer secure forms and email to keep you safe and compliant.
