Skip to main content
Toggle Menu of ADA WebSites
ADA Websites
Toggle Search Area
Toggle Menu
e-mail Print Share

OCR responds to question about dental labs, business associate agreements

March 22, 2017

By Jennifer Garvin

Washington — Dental laboratories aren't required to sign business associate agreements before dental practices share protected health information for treatment of an individual, according to the U.S. Health and Human Services Office for Civil Rights, because a dental laboratory meets the Health Insurance Portability and Accountability Act's definition of a "health care provider."

In a March 7 email, OCR told the ADA that a dental laboratory is not a dentist's business associate when the communication is for treatment purposes. The Association had requested OCR's position on laboratories in regards to the HIPAA Privacy Rule.

In its response, OCR said, "a covered entity such as a dentist is not required to have a business associate agreement with another health care provider such as a dental laboratory when disclosing [protected health information] for treatment of an individual."

However, in some cases, business associate agreements would be required, for example if the laboratory provides "other (nontreatment) services or functions on behalf of the provider that fall within the definition of business associate and require access to protected health information," OCR noted.

By law, the HIPAA Privacy Rule applies only to covered entities — health plans, health care clearinghouses and certain health care providers — and their business associates, according to OCR.  

For more information about business associates, visit and search business associates. For a list of frequently asked questions about business associates, visit the OCR website and search business associates.