All California dental practices must comply with patient information privacy and security laws. The federal Health Insurance Portability and Accountability Act (HIPAA) requires “covered entities” to comply with standards for maintaining the confidentiality, integrity and availability of protected health information. “Covered entities” include health care providers, health plans and health care clearinghouses that transmit patient health information electronically for specific transactions.
Unlike HIPAA, California privacy laws apply to all health care providers irrespective of whether a provider transmits patient information electronically. Compliance with the more restrictive element of overlapping laws is required. Many of HIPAA’s privacy requirements mirror existing patient privacy rights in California. For an overview of state and federal privacy rules, review HIPAA and California Health Information Privacy and Protection Laws Q&A.
A detailed compliance guide is available from the American Dental Association. The ADA Practical Guide to HIPAA Compliance can help a dentist develop or update office policies and procedures. We strongly recommend using the ADA guide with this checklist. The guide has sample forms and policies and provides thorough discussions and considerations on how HIPAA compliance affects a dental practice. Refer to the ADA guide for almost every item listed on this checklist.
Compliance with state and federal privacy laws requires specific recurring actions, plenty of documentation and continual staff training. It is an ongoing process of assessment, implementation and training. This checklist is intended to provide an at-a-glance view of the compliance elements.
HIPAA documentation can be maintained electronically or on paper. All HIPAA-related documents, including policies, training records, employee sanction records, patient authorization for records release forms, risk analysis, risk management plans and much more must be maintained for at least six years. HIPAA is enforced by the U.S. Department of Health & Human Services Office for Civil Rights.
Obtain a type 1 (individual) NPI number and, upon becoming a practice owner, a type 2 (organization) NPI number. A dentist may have as many type 2 NPI numbers as the number of practices he or she owns but will only ever have one type 1 NPI number. Even if a dentist is not a HIPAA-covered entity, he or she should obtain a type 1 NPI number. A prescriber must provide a type 1 NPI number in order for a pharmacy to fill a patient’s prescription. On claim forms, the type 1 number is used to identify the treating provider and the type 2 number is used to identify the billing entity. Register and find more information on the NPPES website.
Designate one person to be both the privacy and security officer for the practice or assign two individuals the different responsibilities. The privacy officer is responsible for implementing privacy policies and procedures and for training staff on them. The privacy officer also may receive and process patient and third- party requests for patient information and for amending information. The privacy officer receives complaints regarding privacy and information requests on the practice’s Notice of Privacy Practices. The privacy officer ensures required documentation is completed and retained for specified periods. The security officer shares some responsibilities with the privacy officer with regard to administrative policies and procedures. The security officer’s chief responsibility is for the security of patient information that is stored, used and transmitted electronically and may work with outside vendors on the risk analysis, risk management plan and consideration and implementation of administrative, technical and physical security safeguards.
Determine, either by individual or by job position, the appropriate level of access to patient information necessary to perform job responsibilities. The “minimum necessary” rule applies to employee access to patient information.
Train employees and others who work in the dental office (e.g., student interns, independent contractors) on the dental practice’s privacy policies and procedures. Obtain acknowledgement of training. Training documentation should include name of trainer, date of training, training subject(s), training resources and participant names. Annual training is not required but training or retraining should occur when policies and procedures change, when it is clear that policies and procedures are not being followed and after any instance of unauthorized use or disclosure of patient information. Designated security and privacy officers may need a higher level of training.
When an employee, independent contractor, intern or third party no longer works at the practice, be sure to change or delete access codes or keys to the information system and to the office.
If using a claims clearinghouse, determine if it is part of a larger organization. If it is, obtain assurances that the clearinghouse has policies and procedures to prevent the larger organization from accessing information without authorization.
Identify entities that use or have access to patient information to perform work on behalf of the dental practice, for example, a practice-management software company or a record-disposal company. A HIPAA business-associate agreement must be signed with each entity.
Develop and implement written procedures and policies for staff to follow. The policies and procedures address how the dental practice will prevent the unauthorized and unintentional release of protected health information in all forms of communication – oral, written and electronic. Understand what health information is permissible to disclose without patient authorization and under what circumstances.
Describe procedures (safeguards) for limiting the unauthorized or inadvertent use or disclosure of patient information. If disclosure or use of patient information is necessary, keep it to the minimum information necessary to perform the task. Examples of safeguards are verifying contact information; keeping voices low when it is possible for others to hear a conversation involving patient information; keeping mail away from unauthorized individuals; using a cover sheet for faxes; and adopting policies on the appropriate use of social media and cameras.
Describe the office procedure for managing a patient’s request for records and for responding to a patient’s request for an accounting of the practice’s disclosures of patient information. Note that California laws are applicable.
Describe office procedures for managing a patient’s request to limit the practice’s use and disclosure of patient information to others and to amend his or her record.
Describe the office procedure for managing a patient’s request to have practice communications sent through different means or to a different address or telephone number.
Describe the office procedure for managing a third party’s request for patient information. Include the “minimum necessary” requirement and note which uses or disclosures require patient authorization. Note that California laws are applicable.
Describe the office procedure for managing a patient’s complaint or inquiries regarding the practice’s privacy policies. Include the nonretaliation statement. Do not require the waiver of HIPAA rights.
Describe how the practice may use patient information for marketing purposes and when and how patient authorization is obtained. Document the office policy for selling patient information, which requires patient authorization.
Make employees aware that they will be disciplined for failing to comply with the practice’s privacy and security policies and procedures, and that discipline can include termination of employment.
Describe office procedures that ensure only authorized individuals have access to the practice workstations, servers and any other device that stores or transfers patient information electronically. Describe the functions to be performed on each workstation (including portable devices), the manner in which the functions are to be performed and the physical attributes of the area where specific workstations that can access electronic protected health information are located.
Describe the frequency and general content of security reminders and how cybersecurity training is provided to the workforce.
Describe procedures for ensuring that patient information, in electronic form and in charts, radiographs, models and other hard copies, is destroyed or rendered unreadable.
Describe how electronically stored patient information is duplicated, stored and retrieved when needed.
Describe procedures for tracking the movement of electronic hardware and media that hold patient information both within the office and outside the office.
Describe how electronic hardware and media that hold patient information are managed to ensure destruction of that information, or to render it unusable, prior to the disposal or re- use of the hardware and media.
Develop a written plan for situations that can affect the usability and security of patient information, such as a fire, equipment theft, equipment malfunction or a power outage. The plan should include procedures for accessing patient information in an emergency and procedures for accessing the physical location of the computers to restore accessibility to patient information. Refer to the DHHS document Security Standards: Administrative Safeguards for more information on what a contingency plan should include.
Describe office procedures following a breach of unsecured patient information or unauthorized attempt to access patient information. Specify who (privacy officer, security officer or practice owner) takes the lead to notify law enforcement, communicate with the media, draft patient communications, and more. Also, refer to the maintenance of a security incidents log. Note that California laws are applicable. Review Data Breach Notification Requirements.
State the policy to lessen the harm of any improper use or disclosure of patient information.
Develop this patient notice of your practice’s privacy policies and procedures. Post in the practice and on the practice website. Make available to anyone upon request. Obtain patient acknowledgment of receipt of notice.
Develop a form or customize the sample form Patient Request to Access Records (Records Release).
Enter into agreement with any entity that the dental practice allows to have access to patient information for nonclinical purposes. The agreement is to ensure privacy and security of the information. Ensure business associate agreements made before 2010 have been amended to include the business associate’s obligation to comply with the HIPAA Security Rule.
A patient must authorize the use or disclosure of his or her information for purposes that are not permitted by law, not considered treatment, payment or business operations (limited by California law), not for public benefit and not legally required.
A patient must authorize the practice to communicate with them via unencrypted email. This authorization should be in writing in a separate form, or in the language in an email authorizing unsecure communication.
Security Rule guidance material is available on the DHHS website.
Ensure that access to patient information is provided only to those individuals in your practice and business associates who need the information to perform their job functions. The system must be able to recognize individual users, which means unique user passwords are required.
Encryption is not specifically required. However, it is strongly recommended to do so because the breach or theft of unencrypted data subjects a dental practice to the cost of notifying patients and to potential fines and penalties.
Transmit information electronically in a secure manner, i.e., encryption or use of a secured server.
Maintain a record of any repair or modification related to the facility’s security system.
Periodically (at least weekly) review information system records, such as audit logs, for unauthorized or unusual activity. Periodically test information system security.
Take steps to protect data from being altered or damaged and implement processes to verify that data has not been altered or damaged.
Take steps to protect information systems from malicious software and viruses.
Record any unauthorized attempt, successful or not, to access patient information.
Already a CDA Member?
to keep exploring our resource library.
Learn more about CDA Member Benefits.
Go back to the previous page.