HIPAA audits may come for dentists

March 24, 2016

By Kelly Soderlund

The federal government has begun auditing some health care providers, including dental practices, to ensure they are complying with patient privacy laws and health care information security laws.

The U.S. Department of Health and Human Services Office for Civil Rights announced March 21 it has begun its second phase of audits of covered entities and their business associates to assess their compliance with the Health Insurance Portability and Accountability Act Privacy, Security and Breach Notification Rules, according to a news release. The Office for Civil Rights will review whether the policies and procedures adopted and employed by the groups meet selected standards and implementation specifications of the law.

"We want dentists to be aware that this is happening and to take HIPAA compliance seriously," said Dr. Andrew Brown, chair of the ADA Council on Dental Practice. "There are steep consequences for health care providers that don't comply with the law and we don't want to see any dentists having to pay tens of thousands of dollars in a penalty."

A dental practice would be considered a covered entity if it uses electronic dental claims.

"The first phase of audits, which began in 2012, included at least one dental practice," said Paula Tironi, senior associate general counsel in the ADA Division of Legal Affairs. "If a dental practice receives a communication from the Office for Civil Rights that they're to be audited, they may only have a few days or weeks to send documentation demonstrating that they're complying with HIPAA, such as security risk assessment, policies and procedures, training records and business associate agreements."

The Office for Civil Rights will begin the audit process by emailing covered entities and their business associates to request that they send their contact information and answer a pre-audit questionnaire, which gathers data about the entity's size, type and operations.

Those who don't respond to the government's request to verify its information may still be selected for an audit or subject to a compliance review, according to the news release. Communications from the Office for Civil Rights will be sent via email and may be incorrectly classified as spam, so health care providers should check their junk or spam folders.

"It would be prudent to have documentation demonstrating HIPAA compliance ready and up to date should a dental practice be audited. If an audit determines a dental practice has not been complying with the law, the government may initiate a compliance review," Ms. Tironi said. "It can be a lot of work and may be difficult to gather all the required documentation if a practice is caught unprepared."

OCR will post updated audit protocols on its website closer to conducting the 2016 audits, the news release stated.

"The audit protocol will be updated to reflect the HIPAA Omnibus Rulemaking and can be used as a tool by organizations to conduct their own internal self-audits as part of their HIPAA compliance activities," according to the release.

To learn more about the second phase of audits, visit

The ADA has a number of resources to help dentists become HIPAA compliant. Dentists can help protect their practices from HIPAA violations by purchasing and implementing the concepts in the ADA Complete HIPAA Compliance Kit (J598). It's available at and is $300 for members and retails for $450.

Free HIPAA resources are available at and ADA members can access exclusive HIPAA tips on the ADA Center for Professional Success website at

For covered dental practices that are seeking a secure, encrypted email solution, ADA Business Resources endorses PBHS Inc. as a Health Insurance Portability and Accountability Act-secure email and collaboration system provider for Association members. PBHS Secure Mail can help member dentists, specialists, staff and patients easily communicate within a secure environment. ADA members can choose this HIPAA-compliant email solution that starts at $10 per month or purchase an upgraded package that uses the even higher standards of direct messaging. For more information, contact PBHS at 1-855-WEB-4ADA or visit

The ADA's Standards Committee on Dental Informatics developed a technical report published in January to walk dentists and their offices through the guidelines for the secure transmission of protected health information. Technical Report No. 1085, Implementation Guidelines for the Secure Transmission of Protected Health Information in Dentistry, is available at no cost for member dentists in the ADA Catalog.