
2023 Q2 Practice Health Check: Regulatory Compliance

March 29, 2023

Do you have written policy and procedures that explain how your dental practice complies with patient requests for records?

The U.S. Department of Health and Human Services Office for Civil Rights is currently focusing its enforcement on patient access to records. Both HIPAA and state law recognize patient access to their records as an individual right and have established rules with which health care entities must comply. Access means viewing or obtaining a hard or electronic copy of the records. Access must be timely, and there are limits on what a health care entity may charge a patient for access. Use the Patient Request to Access Records (Records Release) Form and Q&A to create the required policy and procedures. The resource includes a sample authorization form.

Have you performed a thorough and comprehensive risk analysis as required by the HIPAA Security Rule?

A thorough and comprehensive risk analysis consists of (1) an assessment of the covered entity’s compliance with Security Rule implementation specifications, (2) an assessment of the covered entity’s information technology and (3) a risk assessment of threats and vulnerabilities to the covered entity’s electronic protected health information. HHS considers the risk analysis essential to a covered entity’s responsibility to safeguard patient information, and the lack of one is often cited when HHS resolves potential HIPAA violations. Learn How to Do a HIPAA Risk Analysis by reviewing this PowerPoint presentation.

Do your written policies and procedures describe the uses and disclosures of protected health information that require patient authorization?

The HIPAA Privacy Rule determines which uses and disclosures of PHI are required, permissible without patient authorization or allowed upon patient authorization. The policies should be comprehensive, covering all possible uses and disclosures of PHI. Social media use by both the practice on official accounts and employees on their personal accounts should be addressed in the policies. Read more about the rules in Uses and Disclosures of Patient Health Information.
