Dental records are official documents containing patients' health history, diagnosis, treatment plans, and any communications directly related to their care.
Dentists have an obligation to protect this sensitive information from unauthorized access.
Dentists are considered covered entities under HIPAA if they engage in electronic transactions that relate to payment for healthcare services. These include:
When dentists qualify as covered entities, they must comply with HIPAA guidelines. This includes taking the appropriate steps to protect patients' PHI.
Since electronic health records (EHRs) contain PHI, dentists must set up robust security controls within these systems.
First, not all employees should be given the same level of access to patient records. Instead, create permissions that restrict access to those who need this information for their particular role.
Additional necessary safeguards are enforcing strong password policies, implementing multi-factor authentication, and encrypting all devices with PHI. Encryption renders patients' data unreadable to unauthorized parties.
Regularly update devices with the latest security patches and monitor user access logs. This makes it easier to recognize and quickly address potential breaches.
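The role-based permission check and access-log monitoring described above, as an added example written for this article rather than code from any real EHR product. The role names, the fields each role may read, the audit-event format, the alert thresholds and the sample patient records are all constructed assumptions; a practice would derive its own policy from a minimum-necessary analysis of each job function.

```python
"""Role-based read access to EHR records with an audit trail, plus a small
monitor that reviews the trail for activity worth a closer look.
Hypothetical example code; every role, field and threshold is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy: which record fields each role is allowed to read.
ROLE_PERMISSIONS = {
    "dentist": {"history", "diagnosis", "treatment_plan", "xrays", "billing"},
    "hygienist": {"history", "treatment_plan", "xrays"},
    "front_desk": {"billing", "appointments"},
}


@dataclass
class AuditEvent:
    """One logged read attempt, recorded whether or not it was permitted."""
    ts: datetime
    user: str
    role: str
    patient_id: str
    field: str
    allowed: bool


class EhrAccessControl:
    """Wraps a record store so every read is checked against the role policy
    and written to the audit log before any data is returned."""

    def __init__(self, records):
        self._records = records  # patient_id -> {field: value}
        self.audit_log = []

    def read(self, user, role, patient_id, field, now=None):
        allowed = field in ROLE_PERMISSIONS.get(role, set())
        # Log first, so denied attempts are visible to the monitor too.
        self.audit_log.append(
            AuditEvent(now or datetime.now(), user, role, patient_id, field, allowed))
        if not allowed:
            raise PermissionError(f"role {role!r} may not read {field!r}")
        return self._records[patient_id][field]


def flag_suspicious(events, denied_threshold=3, patients_threshold=20,
                    window=timedelta(minutes=10)):
    """Return {user: reason} for users whose activity inside any sliding
    window hits either threshold: repeated denied reads (probing for data the
    role is not granted) or reads across many distinct patients (bulk access
    that rarely matches a single clinical task)."""
    flags = {}
    by_user = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            win = [x for x in evs[i:] if x.ts - start.ts <= window]
            denied = sum(1 for x in win if not x.allowed)
            patients = {x.patient_id for x in win}
            if denied >= denied_threshold:
                flags[user] = f"{denied} denied reads within {window}"
                break
            if len(patients) >= patients_threshold:
                flags[user] = f"touched {len(patients)} distinct patients within {window}"
                break
    return flags


def demo():
    """Constructed scenario: a dentist reads within policy, while a front-desk
    user repeatedly tries to open clinical fields and gets flagged."""
    records = {  # constructed sample records, not real patient data
        "p001": {"history": "no allergies", "diagnosis": "caries on #19",
                 "treatment_plan": "composite filling", "xrays": b"<constructed bytes>",
                 "billing": "claim submitted", "appointments": "2024-05-01 09:00"},
    }
    ehr = EhrAccessControl(records)
    t0 = datetime(2024, 5, 1, 9, 0)
    ehr.read("dr_lee", "dentist", "p001", "diagnosis", now=t0)
    ehr.read("sam", "front_desk", "p001", "billing", now=t0)
    for i, fld in enumerate(["diagnosis", "xrays", "history"]):
        try:
            ehr.read("sam", "front_desk", "p001", fld, now=t0 + timedelta(minutes=i))
        except PermissionError:
            pass  # denied, but the attempt is now in the audit log
    return flag_suspicious(ehr.audit_log)


if __name__ == "__main__":
    print(demo())  # {'sam': '3 denied reads within 0:10:00'}
```

The point the monitor makes is that denied attempts belong in the log as much as successful reads: the permission check stops the disclosure, but only the log lets the practice notice that someone is probing beyond their role, which is the "recognize and quickly address" part of the paragraph.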
Dental practices can protect physical dental records by storing files in locked filing cabinets and requiring unique keycards to access them. In addition, establish clear procedures for the proper disposal of confidential documents.
It is common for dentists to work with third-party companies that access PHI to provide certain services. This may include billing companies, dental labs, email service providers, and appointment reminder software companies.
Dentists must do their due diligence before working with these vendors to ensure sufficient security measures are in place. Failing to do so ultimately puts patient data at risk.
When working with any third-party company that handles PHI, make sure that a business associate agreement (BAA) is signed. This document outlines the vendor's obligations in protecting patient information.
The HIPAA Privacy Rule gives individuals the right to access their dental records in "designated record sets." These include medical and billing information, insurance details, lab test results, and medical images like X-rays.
In addition, HIPAA permits patients to ask dental practices to send copies of their records to another designated individual.
This request needs to be in writing and signed by the individual. It also must clearly state the intended recipient's name and where to send the PHI.
For both types of requests, dentists must take action within 30 days. Reasonable safeguards must also be used to verify the identity of the requesting patient and ensure the secure transmission of information.