HIPAA compliance for dental offices is not as straightforward as complying with the standards of the Privacy, Security, and Breach Notification Rules because there are instances when federal or state laws can pre-empt HIPAA, when exemptions can apply, or when dental offices do not qualify as HIPAA Covered Entities.
Judging by the volume of news stories covered by this website relating to data breaches and HIPAA violations, HIPAA compliance for dental offices and their business associates is proving to be a challenge:
- April 2022 – American Dental Association Suffers Suspected Ransomware Attack
- March 2022 – Three Dental Practices Hit with Sizeable Fines for HIPAA Violations
- March 2022 – Malware Infection at Dental Clinic Operator Affects More Than 1 Million Texans
- December 2019 – Ransomware Attack on IT Company Impacts More Than 100 Dental Practices
- December 2019 – 100 Dental Practices Infiltrated by Ransomware Attack on MSP
- October 2019 – PHI Disclosures on Yelp Lead to $10,000 Fine for Dental Practice
Although some of these events are the result of negligence, many HIPAA violations and data breaches can be attributed to the fact that HIPAA compliance for dental offices is complicated. Not only may federal and state laws pre-empt HIPAA, but exemptions can apply to when HIPAA is enforceable, and some dental offices may not qualify as HIPAA Covered Entities at all.
How Federal and State Laws Affect HIPAA Compliance
Dental offices have to comply with multiple federal laws, and the general rule of thumb is that, if there is a conflict between HIPAA and another federal law, HIPAA takes precedence. However, this isn't always the case. For example, the Family Educational Rights and Privacy Act (FERPA) takes precedence over HIPAA in respect of students' medical records, while SAMHSA's Substance Abuse Confidentiality Regulations take precedence over the Privacy Rule's permitted uses and disclosures.
With regard to state laws, HIPAA provides a "federal floor" of privacy protections that can be pre-empted by state law when the state law provides greater privacy protections or privacy rights. In many cases, a state may enact a privacy law relating to a specific area of privacy (e.g., genetic or biometric data), and only that specific area of privacy pre-empts HIPAA. However, some state privacy laws cross state boundaries and apply to citizens of the state nationwide.
When Exemptions Affect HIPAA Compliance for Dental Offices
One possible reason for so many dental office-related data breaches is that the Security Rule has a “flexibility of approach” clause (45 CFR §164.306(b)) which gives Covered Entities and Business Associates flexibility over what security measures are implemented to comply with the Administrative, Physical, and Technical safeguards. The degree of flexibility is based on four factors:
- The size, complexity, and capabilities of the dental office.
- The technical infrastructure, hardware, and software security capabilities.
- The cost of the security measures.
- The probability and criticality of potential risks to electronic PHI.
While not strictly speaking an exemption, the flexibility of approach clause is likely to impact small dental offices more than large OHCAs. Even determining what security measures are reasonable and appropriate can complicate HIPAA compliance for dental offices, and it is not inconceivable that some dental offices will exempt themselves from complying because of the "cost" factor.
Other exemptions exist from the Privacy Rule's required uses and disclosures with regard to disclosing a child's health information to their parents in certain circumstances, and exemptions also exist from the Breach Notification Rule when it can be demonstrated there is a low probability that health information has been compromised following an impermissible disclosure of unsecured PHI.
Is the Dental Office a Covered Entity Anyway?
In most cases, a dental office is a HIPAA Covered Entity, and the dental office's workforce is required to comply with the HIPAA policies and procedures implemented by the business's Privacy or Security Officer. Even if the dental office engages a third party to conduct eligibility checks, obtain treatment authorizations, and remit claims, it still counts as a HIPAA Covered Entity.
However, there are some dental offices that do not "transmit information in an electronic form in connection with a transaction for which the Department of Health and Human Services has adopted a standard" and do not engage a third party to act on their behalf. In these circumstances, the dental office is not a HIPAA Covered Entity – although there may be times when the dental office still has to comply with elements of the Privacy, Security, and Breach Notification Rules.
This can happen when a dental office that does not qualify as a Covered Entity (Dental Office A) provides a service for or on behalf of a dentist that does qualify as a Covered Entity (Dental Office B). In this scenario, Dental Office A is a Business Associate of Dental Office B and has to sign a Business Associate Agreement stipulating its responsibilities with respect to maintaining the privacy of individually identifiable health information and ensuring its confidentiality, integrity, and availability.
HIPAA Compliance for Dental Offices: Conclusion
As mentioned previously, many HIPAA violations and data breaches can be attributed to the fact that HIPAA compliance for dental offices is complicated. If you are responsible for HIPAA compliance in a dental office, and you too are finding compliance challenging, it is recommended you speak with a compliance professional to obtain accurate and implementable advice.