Congress passed the Health Insurance Portability and Accountability Act in 1996 to simplify, and thereby reduce the cost of, the administration of health care. HIPAA does this by encouraging the use of electronic transactions between healthcare providers and payers, thereby reducing paperwork. The HIPAA Privacy Rule, which had a compliance date of April 14, 2003, established standards for the protection of patient health information. The Security Rule, with a compliance date of April 21, 2005, focuses specifically on standards to protect the confidentiality of electronic patient information.
State law (Civil Code §56.101, Health and Safety Code §123149) imposes on all healthcare providers requirements similar to the HIPAA Security Rule. Providers who do not conduct electronic transactions or undertake other activities that would designate them as HIPAA-covered entities are required by the state to automatically record and preserve any change or deletion of any electronic health information stored on their systems. Providers must preserve the confidentiality of the information.
The state requires that if electronic recordkeeping systems are the only recordkeeping systems utilized in the dental office, the office must use an offsite backup storage system, an imaging mechanism that is able to copy signature documents, and a mechanism to ensure that once a record is input, it is unalterable. The dentist must develop and implement policies and procedures that include safeguards for confidentiality and against unauthorized access to electronically stored records, authentication by electronic signature keys, and systems maintenance. The electronic health record system must automatically record and preserve any change or deletion of electronically stored health information, and that record must include, among other things, the identity of the person who accessed and changed the information and the change that was made to the information.
Implementation of both the HIPAA Privacy Rule and Security Rule requirements is eased by the flexibility of the regulatory standard within the rules. The compliance standards for covered entities include reasonable measures to protect the confidentiality of patient information in all forms and to secure the availability and integrity of electronic patient information. What constitutes reasonable measures for a particular practice is largely determined by such things as the size of the practice, the physical layout of the office, how patient information is used and conveyed within the practice, and even such factors as cost. What might be a reasonable measure to protect patient information within a hospital setting is going to be different from a reasonable measure in a dental practice with one or two dentists. Measures that are reasonably necessary for a hospital to protect against the unauthorized release of patient information may be unreasonable for a small private practice to implement.
There are differences between the concepts of privacy and security, however. The Privacy Rule deals with what might be termed “leakage” of protected health information in all its forms. Examples of such leakage are unauthorized disclosures of patient information on social media, patient information that is disposed of while still readable, and overheard conversations containing patient information.
Whereas the Privacy Rule protects against leakage, the Security Rule focuses on managing the threats and vulnerabilities to a covered entity’s information systems that can disrupt the availability of, compromise the integrity of, and allow unauthorized access to electronic patient information. The rule requires specific safeguards, the consideration of other safeguards, and a risk management plan.
The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 established penalties for HIPAA violations, required HIPAA business associates to comply with the Security Rule and some provisions of the Privacy Rule, and included incentives for electronic record adoption. For information on business associates and business associate agreements, refer to the resource, HIPAA Business Associate Agreement, on cda.org.
HITECH was amended in 2021 to require the U.S. Department of Health and Human Services Office for Civil Rights (OCR), when determining resolutions to potential violations of the Security Rule during data breach investigations, to consider whether a covered entity follows “recognized security practices” and has had them in place for a minimum of 12 months. The amendment does not require a covered entity to adopt recognized security practices, but if an entity has implemented them for the minimum period prior to an investigation, then civil money penalties and other remedies can be mitigated. Implementation of recognized security practices is not a safe harbor from investigations or fines.
Recognized security practices are defined in the HITECH amendment as standards, guidelines, best practices, methodologies, procedures and processes developed under:
NIST standards are known as the NIST Cybersecurity Framework. Government agencies and large organizations have long followed NIST technical standards. However, dental practices and their IT advisors may find the Health Industry Cybersecurity Practices developed by the 405(d) group to be more useful. The information in 405(d) technical volumes was developed with different-sized organizations in mind. Volume 1 focuses on small healthcare organizations and many of the recommended practices overlap with HIPAA Security Rule requirements.
See the resources list below for links to an OCR video and 405(d) Health Industry Cybersecurity Practices.
In complying with the HIPAA Security Rule, covered entities and business associates should begin by recognizing three basic elements:
Covered entities and business associates must comply with the Security Rule standards that are categorized as follows: administrative safeguards, physical safeguards, and technical safeguards. Essentially, administrative safeguards involve documented, formal practices to manage the selection and implementation of security measures; physical safeguards control physical access to information systems, especially at times when there is a loss of power or natural disaster; and technical safeguards involve processes that protect and monitor information access, and protect data that is transmitted over a network.
Many of the compliance standards include implementation specifications. The implementation specifications are either “required” or “addressable.” Required specifications must be implemented. Addressable specifications should be implemented if the business, after it conducts its risk analysis, deems the specification reasonable, appropriate and applicable. Where there is no implementation specification for a standard, compliance with the standard itself is required.
Required administrative safeguards include:
Required physical safeguards include:
Addressable physical safeguards include:
Required technical safeguards are:
Addressable technical safeguards are:
Many of these safeguards have been added to current versions of practice management software. Dental offices should contact their practice management software vendors to inquire about the development and availability of upgraded versions that are compliant with the HIPAA Security Rule. Also, be aware that the security standards were written to be technology neutral; that is, the use of specific technologies is not mandated, so that entities are not bound to systems or software that may become obsolete.
Through its enforcement actions and audits, OCR has identified the lack of, or incomplete, risk analyses as a key factor in the failure of covered entities to adequately safeguard information. A risk analysis is a required administrative safeguard. It is intended to be an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI held by the covered entity. “Risk” is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact. “Vulnerability” is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally or intentionally) and result in a security breach or violation of security policy. Covered entities must evaluate the risk levels and, for high-risk items, describe how the risk is mitigated or how it will be managed.
The ADA Practical Guide to HIPAA Compliance includes a dental practice-specific risk assessment tool. Also, HHS offers a free risk assessment tool online. Links to both are listed below.
It bears repeating that HIPAA allows covered entities flexibility in reasonably and appropriately implementing safeguards. The regulation states:
§ 164.306 Security standards: General rules.
(a) General requirements. . . .
(b) Flexibility of approach.
(1) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
(2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity or business associate.
(ii) The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information.
(c) Standards. . . .
The ADA Practical Guide to HIPAA Compliance
HHS: Security Rule Guidance Material
HHS: Security Risk Assessment Tool
HHS: Covered Entities and Business Associates
OCR: Recognized Security Practices (video)
Health Industry Cybersecurity Practices
NIST: Computer Security Incident Handling Guide
California Center for Data Insights and Innovation
HIPAA and California Health Information Privacy and Protection Laws Q&A
Data Breach Notification Requirements Checklist
Patient Records: Requirements and Best Practices