About HIPAA and How to Comply

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 has numerous regulations that affect dentists, the best known being the HIPAA Privacy Rule.

The Privacy Rule requires dentists and health care providers, as well as their business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information when it is transferred, received, handled, or shared. This applies to all forms of communication, including paper, oral, and electronic.

In addition to the Privacy Rule, other regulations in HIPAA that impact dentists are the Security Rule and the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule.

What Does HIPAA Protect?

HIPAA governs the use and disclosure of protected health information, commonly referred to as PHI: individually identifiable health information held or transmitted by a covered entity or its business associate. Health information becomes identifiable when it is tied to identifiers such as first and last names, Social Security numbers, dates directly related to the individual (other than the year, e.g., birth dates), email addresses, and home addresses. Identifiers specific to a health insurance claim, such as the claim number and the health plan beneficiary number, also make the information PHI.

Dentists who transmit PHI electronically in connection with a HIPAA standard transaction, either directly or indirectly through a vendor or separate billing service, are covered entities. Standard transactions include claim submissions, predeterminations, eligibility requests, and electronic communications related to referrals. Not every electronic message qualifies, however: sending an email or a stand-alone fax with patient information does not by itself make the dentist a covered entity.

Dentists who are covered entities are also responsible for training their staff on the proper use and disclosure of patients’ PHI. Civil penalties for violations are tiered by culpability: the lowest tier starts at $100 per violation with an annual cap of $25,000 for repeat violations of the same provision, and the top tier, for uncorrected willful neglect, reaches $50,000 per violation with an annual cap of $1.5 million (amounts are adjusted for inflation). Knowingly obtaining or disclosing PHI, including selling it, is a criminal offense that can carry fines and prison time.

What Does This Mean to Your Dental Practice?

Email PHI Protection

Dental practices are required to secure patients’ electronic protected health information (ePHI). The general-purpose email services most dental practices currently use (e.g., Outlook, Gmail, Hotmail, Yahoo) do not meet that bar by default: encryption between mail servers is opportunistic rather than guaranteed, the message is stored readable in the recipient’s mailbox, and consumer accounts come with no Business Associate Agreement. Many dental practice management software vendors also offer an email module, but few, if any, meet the required electronic security.

To comply with HIPAA, minimize your liability, and avoid costly fines for breaches caused by emailing unsecured PHI, it is highly recommended that you purchase a product or service that encrypts emails and attached documents for you, and that you obtain a Business Associate Agreement from that vendor, since it will handle PHI on your behalf.

Common Questions and Answers

Do we need to encrypt X-rays we are emailing to a referral office or a new office at a patient’s request?
Yes. X-rays should be sent by encrypted email or made available through a patient portal where they can be viewed securely.

Can I send a patient their X-rays by email that are not encrypted?
Yes, but only if the patient, after being informed that unencrypted email is not secure, authorizes it by signing a release form. Keep the signed form on file.

If a patient requests that a treatment plan be emailed, can we do so if the email is not encrypted?
Yes, but only if the patient authorizes it. Without authorization, the treatment plan should be sent encrypted or made available to the patient through a secure portal.

Where can I find additional information on HIPAA compliance?
Visit the U.S. Department of Health and Human Services website (hhs.gov/hipaa).

ADA Resources

To help members comply with the 2013 Final Rule, the ADA offers a HIPAA compliance kit and an online continuing education course.

The Practical Guide to HIPAA Compliance, Privacy, and Security manual was developed specifically for dentists and provides a step-by-step plan to prepare and implement a comprehensive compliance program. The kit reflects the changes prescribed in the 2013 Final Rule and includes sample policies and procedures, a sample Business Associate Agreement, and a sample Notice of Privacy Practices. Members can order the compliance kit at a reduced rate from the ADA Store.

Members can also call the ADA Department of Dental Informatics at 312.440.2500 (8:00 am to 5:00 pm Central Time) for assistance.

Purchase the Compliance Kit from the ADA Store.