HIPAA and telehealth in dentistry

Technological advancements enable healthcare providers to communicate with patients through new methods. When using these advancements, such as telehealth services, dental practices and other providers must prioritize patient privacy and security, particularly when dealing with protected health information (PHI).

Telehealth and dental practices

Telehealth, including virtual consultations and remote monitoring, can be applied to dental practices to enhance patient communication. It allows dental professionals to provide remote consultations, advice, and monitoring, reducing the need for in-person visits.

How does HIPAA apply to telehealth? 

HIPAA applies to any covered entity or business associate that handles PHI, including healthcare providers, health plans, and telehealth service providers. Telehealth providers offering healthcare services and managing patients' health information electronically are covered entities under HIPAA. The following are some scenarios in which telehealth must comply with HIPAA:

1. Telehealth consultations: When healthcare providers offer virtual consultations or remote medical services through telehealth platforms, they must ensure that PHI is protected according to HIPAA regulations.
2. Electronic transmission of PHI: If telehealth services involve the electronic transmission of patient information, such as medical records, test results, or treatment plans, HIPAA compliance is required to safeguard the confidentiality and security of that information. Use HIPAA compliant email when sharing appointment reminders or links to consultations. 
3. Telehealth service providers: Telehealth service providers, including platforms or vendors that facilitate the delivery of telehealth services on behalf of covered entities, are considered business associates under HIPAA. They must comply with HIPAA regulations and enter into business associate agreements (BAAs) with covered entities to protect PHI.
4. Patient consent and authorization: Telehealth services should obtain patient consent and authorization for the use and disclosure of their PHI under HIPAA requirements. This includes informing patients about the purpose, limitations, and risks associated with telehealth services.

Related: How does HIPAA apply to telehealth?

HIPAA requirements that dentists should be aware of when providing telehealth services

Security Rule

HIPAA's security rule provides the requirements for the safeguards that a HIPAA compliant organization should have in place to protect patient data. These include

1. Administrative safeguards: Implementing administrative measures such as workforce training, access controls, and contingency planning to ensure the security of ePHI.
2. Physical safeguards: Dentists should have physical safeguards to protect the physical security of electronic systems that store or transmit ePHI. This includes controlling access to these areas and implementing measures to protect against unauthorized access or theft.
3. Technical safeguards: Implementing technical measures to protect ePHI, such as using strong encryption methods, access controls, and audit controls to monitor and track system activity.

Privacy rule

The main goal of HIPAA's Privacy rule is to ensure the privacy and confidentiality of individuals' health information while allowing appropriate access for healthcare providers and other necessary parties. As such, telehealth services, including dental-related services, must provide patients with a Notice of Privacy Practices (NPP) that outlines how their protected health information will be used, disclosed, and protected during telehealth services. Patients should also be informed about their rights regarding their protected health information, including the right to access and request amendments to their records.

A final consideration is that these services should ensure that only the minimum necessary amount of PHI is disclosed during telehealth encounters to fulfill the intended purpose.

Breach notification rule

The Breach Notification Rule emphasizes the necessity to promptly notify individuals whose PHI has been compromised, allowing them to take necessary steps to protect themselves from potential harm. Telehealth services must conduct a thorough assessment of any security incidents that may have led to the unauthorized acquisition, access, use, or disclosure of ePHI. If a breach of unsecured ePHI is determined, dentists must notify affected individuals, the Secretary of Health and Human Services, and, in some instances, the media.

HIPAA compliance while offering telehealth consultations

A few methods of ensuring HIPAA compliance while offering dental telehealth consultations include: 

1. Use secure communication platforms: Utilize secure and encrypted communication platforms that comply with HIPAA requirements. These platforms should provide encryption for transmitting ePHI, ensuring its confidentiality and integrity during telehealth sessions.
2. Implement access controls: Implement appropriate access controls to ensure that only authorized individuals can access ePHI during telehealth consultations. This includes strong user authentication mechanisms, such as unique usernames and passwords, to prevent unauthorized access.
3. Obtain patient consent and authorization: Obtain informed consent from patients before offering telehealth consultations. Clearly communicate the purpose, limitations, and risks associated with telehealth services, and document patients' consent to participate in the virtual consultations.
4. Business associate agreements (BAAs): If engaging with telehealth service providers, ensure that BAAs are in place. BAAs establish the responsibilities and obligations of the telehealth service provider in safeguarding ePHI and complying with HIPAA regulations.
5. Secure data storage and backup: Implement secure data storage practices for ePHI obtained during telehealth consultations. Ensure data is stored on encrypted servers or cloud platforms with appropriate access controls. Implement regular data backup procedures and test data restoration to prevent data loss.

Related: Guidelines for HIPAA compliant dental patient referrals