Answers To 21 HIPAA Dental Questions You Were Afraid To Ask
Why HIPAA?
Prior to HIPAA, some employees would lose their health benefits when changing jobs. HIPAA was signed into law in 1996 to help solve this problem. Its goals were to protect workers from losing health insurance between jobs, reduce health care fraud, and protect patient health information.
What Is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act. It is a federal law that protects patient health information from being disclosed without the patient’s consent.
What Is PHI?
PHI stands for Protected Health Information and is any identifiable information about the health status or provision of care for a patient.
What Are The Top 5 Most Common HIPAA Dental Violations?
Fines for HIPAA violations reach into the tens of thousands of dollars, with a maximum of $1.5 million per violation. Dentists should take action to mitigate all violations, whether large or small. The most common dental HIPAA compliance violations are:
- A breach or being hacked
- Losing a device that has PHI on it
- Dishonest employees accessing files
- Releasing patient information after an authorization period expires
- Incorrect disposal or filing of PHI documents
What Constitutes A Breach Under HIPAA?
A breach under HIPAA is an impermissible disclosure of a patient’s PHI. Section 164.402, as quoted in the HIPAA Survival Guide, defines a breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted which compromises the security or privacy of the protected health information.”
What Is Not Considered A Breach Of HIPAA?
If a patient’s information is shared accidentally, it is not considered a breach of HIPAA. An example would be a dentist unintentionally sending a text message. The text would not be considered a breach as long as the dentist can show that it was sent accidentally and that such incidents do not happen often.
Are You Allowed To Take A Photo Of A Patient Without Consent?
Taking a patient’s photo without consent is a direct violation of HIPAA. Even a patient appearing in the background of a photo is a violation. If any identifiable photo is taken, there must be consent. Dentists abiding by HIPAA regulations use a dental HIPAA consent form to obtain authorization to take and use patient photos.
Does HIPAA Apply To Organizations Outside The USA?
No. HIPAA is enforced by the federal government and only applies to PHI held by organizations within the USA.
Are US Citizens Living Outside The USA Covered By HIPAA?
If the person’s care is provided by a non-US healthcare company, they are not covered by HIPAA. Conversely, a person living in the USA who is not a citizen is covered by HIPAA.
Can You Talk About A Patient Without Saying Their Name?
The short answer is no. Talking about a patient without a purpose is never okay, and it clearly violates the Privacy Rule if the information shared could identify the patient.
Dentists must be extremely careful, because sharing any information that could directly or indirectly identify a patient is not allowed. Yet dentists often discuss and share X-rays and lab tests with colleagues, which is a clear violation if the patients are identifiable, even though oral health care improves from that cooperation.
Sharing PHI with colleagues is an area where technological capabilities have far outpaced regulation, and risk managers take an extremely conservative approach.
What Patient Information Can Be Shared Without Violating HIPAA?
It is permitted to disclose PHI to other health providers when the information concerns an individual’s treatment, case management, or coordination of health care.
What Is A Covered Entity?
Under the HIPAA Privacy Rule, a covered entity can be a health plan, a clearinghouse, or any person or organization that electronically transmits PHI in connection with patient care.
What Is A Business Associate?
According to HIPAA, a business associate is any person or entity that performs certain functions involving the use or disclosure of PHI on behalf of a covered entity.
What Is A Business Associate Agreement?
HIPAA requires covered entities to work only with persons or organizations that provide assurances they will protect PHI. A Business Associate Agreement (BAA) is a document provided by the business associate to the covered entity stating that it complies with HIPAA and will handle PHI correctly.
Do Business Associate Subcontractors Need To Sign A BAA?
A business associate subcontractor is a person or organization that works on behalf of a business associate and comes in contact with PHI. All business associate subcontractors must provide the covered entity with a signed BAA.
What Is The Difference Between Hippa And HIPAA?
It’s most likely a typo.
How Long Do HIPAA Dental Related Files Need To Be Saved?
Under HIPAA rules and regulations, covered entities must keep files for a minimum of 6 years from the date of creation or the last effective date, whichever comes later.
How Should A Dental Practice Destroy Patient Records?
HIPAA allows only two ways to dispose of PHI: shredding or incinerating.
How Do Patients Report HIPAA Dental Violations?
A patient cannot sue for violations involving their PHI, nor can a patient seek damages if harm has resulted from a HIPAA violation.
Instead, patients file complaints electronically via the Office for Civil Rights (OCR) Complaint Portal.
How Long Do Patients Have To File A HIPAA Violation Complaint?
Patients have up to 180 days from the discovery of the violation to take action. Extensions may be granted in some situations.
Who Sues Your Dental Practice When A Violation Occurs?
If a patient files a complaint with the Office for Civil Rights and the complaint is investigated and substantiated, the patient may then hire an attorney to represent the case.
What Should A Dental Practice Do If They Receive A Violation?
Dentists need to be prepared to deal with a HIPAA complaint. The complaint must be handled quickly and efficiently. Take these steps to ensure that you are handling the complaint properly:
- Request that the complaint be made in writing
- Make sure that your office’s Privacy Officer receives the complaint
- Have your practice’s Privacy Officer find out what PHI was involved
- Establish the cause of the violation and implement action to mitigate future risk
- Update policies and procedures regarding HIPAA regulations
- Retrain staff if necessary
- Determine whether the breach is a reportable violation
If the violation is a reportable incident, do the following:
- Send in a report to the OCR describing the breach
- File the breach with the appropriate state attorney general
- Notify all individuals associated with the case by mail
About the Author: Adrian Lefler is a dental marketing expert and a founding member of My Social Practice. Adrian is passionate about helping dentists grow through dental digital marketing strategies. He can be reached at 877-316-7516.