OCR responds to question about dental labs, business associate agreements
March 22, 2017
— Dental laboratories aren't required to sign business associate agreements before dental practices share protected health information for treatment of an individual, according to the U.S. Health and Human Services Office for Civil Rights, because a dental laboratory meets the Health Insurance Portability and Accountability Act's definition of a "health care provider."
In a March 7 email, OCR told the ADA that a dental laboratory is not a dentist's business associate when the communication is for treatment purposes. The Association had requested OCR's position on laboratories in regards to the HIPAA Privacy Rule
In its response, OCR said, "a covered entity such as a dentist is not required to have a business associate agreement with another health care provider such as a dental laboratory when disclosing [protected health information] for treatment of an individual."
However, in some cases, business associate agreements would be required, for example if the laboratory provides "other (nontreatment) services or functions on behalf of the provider that fall within the definition of business associate and require access to protected health information," OCR noted.
By law, the HIPAA Privacy Rule applies only to covered entities — health plans, health care clearinghouses and certain health care providers — and their business associates, according to OCR
For more information about business associates, visit www.hhs.gov/hipaa
and search business associates. For a list of frequently asked questions about business associates, visit the OCR website
and search business associates.