Each HIPAA "covered entity" and "business associate" is required by law to develop and implement a HIPAA compliance program and can face severe penalties for noncompliance. If you are covered by HIPAA, failure to comply can result in penalties in the thousands or even millions of dollars, as well as reputational damage to your practice. Some HIPAA violations carry criminal penalties. HIPAA compliance helps protect your patients from the financial and reputational harm that can occur if their protected health information is improperly used or disclosed. HIPAA is complex, and if you are covered by HIPAA you need to understand the Security, Privacy, and Breach Notification Rules and develop, implement, and document a compliance program that is specific to your practice. If your practice is investigated for HIPAA noncompliance, you will be required to demonstrate compliance and provide copies of your HIPAA documentation. Your HIPAA program also needs to comply with applicable state law, because HIPAA does not preempt state laws that are more stringent than HIPAA or that are not contrary to it. HIPAA also defers to state law on certain issues, such as the rights of minors and noncustodial divorced parents. Qualified legal counsel in your jurisdiction can help your dental practice develop and implement a program that is compliant with both HIPAA and state law. In this article, we generally outline some of the basic requirements that apply to dental practices covered by HIPAA, including how to determine whether your dental practice is covered and some examples of steps to take if it is.
A dental practice becomes a HIPAA covered entity by conducting a "HIPAA covered transaction" (such as submitting a claim form) electronically, or by having someone else, such as a clearinghouse, conduct such a transaction on its behalf. In addition to submitting a claim, examples of "covered transactions" include making an electronic request to a health plan for payment and electronically transmitting encounter information for the purpose of reporting health care. The Covered Entity Guidance Tool from the Centers for Medicare and Medicaid Services can help practices determine whether they are HIPAA covered entities.
If you determine that your dental practice is not a HIPAA covered entity, you must still comply with applicable state laws concerning privacy, security, and breach notification. A dental practice may also have a contractual obligation to comply with HIPAA if it has agreed to do so in an agreement, such as a managed care contract.
If an outside entity, or an individual who is not a workforce member of a covered dental practice, has access to PHI in order to perform an activity or function on behalf of the dental practice, that individual or entity is considered a HIPAA "business associate." Before disclosing PHI to a business associate, or allowing a business associate to access PHI, a covered entity must first enter into a "business associate agreement" ("BAA") that contains certain specified terms. Examples of business associates include consultants, accountants, auditors, billing firms, document storage firms, attorneys, and tech vendors that perform services involving PHI for a covered dental practice. Health information exchanges and electronic prescribing gateways are also considered business associates. A business associate's subcontractor that has access to PHI is also considered a business associate and must enter into a BAA with the business associate.
Protected Health Information (PHI)
HIPAA regulations apply to a category of information referred to as "protected health information" or PHI. The definition of PHI is complex, but in basic terms it means "individually identifiable" health information, whether it is in paper, electronic, or oral form.
PHI includes information (including demographic information) that relates to:
- an individual's past, present, or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual (or for which there is a reasonable basis to believe it can be used to identify the individual).
PHI does not include employment records that a covered entity maintains in its capacity as an employer, nor certain educational records.
Security Rule
The HIPAA Security Rule requires covered entities and business associates to adopt specific safeguards for PHI that is stored or transmitted in electronic form ("ePHI"). It requires them to perform a written "risk analysis" that covers the known risks to the security of ePHI, and to implement risk management to bring the identified risks to an acceptable level.
A covered entity must designate a "Security Official" (in a dental practice the Security Official could be the dentist or a staff member) who is responsible for developing and implementing policies and procedures to safeguard ePHI in compliance with the requirements of the HIPAA Security Rule. Examples of such policies and procedures include requiring workforce members to use passwords, making sure computer monitors are not visible to the public, and installing virus protection. Covered entities and business associates must periodically perform technical and nontechnical evaluations of their security policies and procedures, and revise them as necessary.
Privacy Rule
The HIPAA Privacy Rule addresses when a covered entity may disclose PHI without the patient's written authorization, requires safeguards for PHI in all formats (electronic, hard copy, and oral), and gives individuals certain rights concerning their PHI. To comply with the Privacy Rule, a dentist must designate a "Privacy Official" (this person can also be the "Security Official"), who is responsible for developing and implementing policies and procedures to comply with the requirements of the Privacy Rule.
Examples of these requirements include providing the Notice of Privacy Practices, responding to individuals' requests to access or amend their records or for an accounting of disclosures of their PHI, and having a process in place for receiving and documenting complaints about the way the practice handles patient information.
Breach Notification Rule
Under the HIPAA Breach Notification Rule, a covered entity that discovers a breach of unsecured PHI must send notice to the individual, to the Office for Civil Rights, and, in some cases, to the media. The Rule sets forth requirements for the content and timing of any required notice, as well as how and to whom it must be sent. More information is available from HHS on the HIPAA / HITECH Breach Notification Rule.
Training and Documentation
The Security, Privacy, and Breach Notification Rules all require covered entities to train workforce members, including management, to comply with their HIPAA policies and procedures, and to impose sanctions (up to and including termination) on workforce members who do not comply. HIPAA defines "workforce" broadly: it includes employees, volunteers, trainees, and other persons whose conduct is under the control of the covered entity, whether or not they are paid by the covered entity. HIPAA requires covered entities to document training and any sanctions.
Covered entities must retain documentation of HIPAA compliance for at least six years from the date created or the date when last in effect, whichever is later. HIPAA documentation includes, for example, written security risk analyses, policies and procedures, training logs, business associate agreements, requests to access or amend records, authorizations to use or disclose PHI, breach notification letters, and so forth. All the documentation must be made available upon request to the Office for Civil Rights.
HIPAA Enforcement and Penalties
A HIPAA violation can result in substantial penalties. A covered entity or business associate who unknowingly violates HIPAA can be subject to a civil monetary penalty of between $100 and $50,000 per violation. The penalties are higher for violations due to reasonable cause ($1,000 to $50,000 per violation), violations due to willful neglect that are corrected within 30 days ($10,000 to $50,000 per violation), and violations due to willful neglect that are not corrected within 30 days ($50,000 or more per violation). Each tier includes an annual cap for all violations of a specific HIPAA requirement or prohibition in a calendar year.
The following table includes the penalty tiers and caps:

| Culpability | Minimum Penalty per Violation¹ | Maximum Penalty per Violation² | Annual Limit |
| --- | --- | --- | --- |
| Willful Neglect – Corrected⁵ | $10,000 | $50,000 | $250,000 |
| Willful Neglect – Not Corrected⁶ | $50,000 | $50,000 | $1,500,000 |
Some HIPAA violations carry criminal penalties. These range from a fine of up to $50,000 and imprisonment for up to one year for knowingly and willfully using a unique health identifier, improperly obtaining PHI relating to an individual, or disclosing PHI to another person, up to a fine of up to $250,000 and imprisonment for up to 10 years for offenses committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.
Information about HIPAA is available on the website for the Office for Civil Rights, the agency of the U.S. Department of Health and Human Services that is responsible for enforcing HIPAA.
Resources available from the American Dental Association
The ADA Practical Guide to HIPAA Compliance: Privacy and Security Kit is a useful tool designed to help dentists comply with the HIPAA Privacy, Security, and Breach Notification Rules. The Kit includes both the ADA Practical Guide to HIPAA Compliance Privacy and Security Manual and The ADA Practical Guide to HIPAA Training, a CD-ROM program with two levels of training. The ADA Complete HIPAA Compliance Kit can be ordered at the ADA catalog or by calling 800.947.4746.
The HIPAA / HITECH Breach Notification Rule discusses compliance with the Breach Notification Rule and includes sample documents.
¹ Per violation of an identical HIPAA requirement or prohibition.
² Per violation of an identical HIPAA requirement or prohibition.
³ The covered entity or business associate did not know (and by exercising reasonable diligence, would not have known) that it violated the provision.
⁴ The violation was due to reasonable cause, and not willful neglect.
⁵ The violation was due to willful neglect that is corrected within 30 days.
⁶ The violation was due to willful neglect that is not corrected within 30 days.