When it comes to dental billing, compliance with HIPAA (the Health Insurance Portability and Accountability Act) isn’t optional; it’s essential. Every day, your team handles sensitive patient information, especially when it comes to billing and insurance. That’s why it’s so important to understand how HIPAA applies to your practice, your processes, and even your outside partners.
In this FAQ, we break down some of the most common questions dental teams have about HIPAA, from what counts as protected health information (PHI) to what to look for in a HIPAA-compliant billing partner. Whether you’re a dentist, office manager, or a member of the front desk team, you’ll find practical answers here to help keep your patients’ data secure and your practice on the right track.
1. What is HIPAA, and how does it apply to dental practices?
HIPAA is the Health Insurance Portability and Accountability Act. It’s a federal law that sets national standards for the protection of sensitive patient health information. These standards apply to dental practices because they work with protected health information (PHI) every day.
2. What types of patient information are protected under HIPAA?
HIPAA is designed to safeguard PHI that a dental practice or its partners create, receive, store, or share. PHI is any information about a person’s (i) physical or mental health condition, (ii) health care or treatment, and/or (iii) payment for health care services that is tied to something that can identify the person. HHS’s de-identification standard lists 18 identifiers (such as name, date of birth, or chart/medical record number); if any one of those identifiers is linked to the health information described above, the combination counts as PHI and must be protected.
3. What is considered a HIPAA violation in a dental practice?
The most common HIPAA slip-ups in dental practices involve someone accessing, using, or sharing protected health information (PHI) when they shouldn’t. This can include sharing patient details with friends or family who aren’t authorized, tossing out patient records without properly disposing of them (shredding paper, wiping or destroying media), leaving sensitive information where other patients can see it, not providing patients access to their own records, not doing enough to prevent data breaches, or not letting patients know when a breach has happened.
4. Can I outsource dental billing and still stay HIPAA compliant?
Yes, you can outsource your dental billing and stay HIPAA compliant if you choose a trusted partner who makes HIPAA compliance a priority.
5. What safeguards should a dental billing company have in place for HIPAA compliance?
Like a dental office, a remote dental billing company is required to implement strong safeguards to ensure HIPAA compliance. These safeguards fall into three key categories: administrative, technical, and physical.
Administrative safeguards include:
- Implementing written privacy and security policies and procedures that meet HIPAA requirements, and enforcing them
- Providing ongoing HIPAA training for all employees, with a focus on the proper handling of PHI in both a physical and electronic environment
- Enforcing proper access controls to limit access to PHI to those individuals who need it to do their job, and to the minimum amount of PHI necessary for that individual to accomplish their work
- Limiting the amount of PHI shared with outside parties, including specialists, dental laboratories, etc. to the minimum amount of PHI necessary to effectively communicate regarding a patient’s care
- Conducting regular risk assessments to identify and mitigate potential vulnerabilities
- Developing and maintaining a comprehensive incident response plan
Technical safeguards involve:
- Encrypting PHI in storage and in transit, alongside other access security measures
- Implementing access controls such as unique user IDs, strong passwords, and two-factor authentication
- Maintaining and using audit systems to log and monitor PHI access
- Ensuring data backup systems are in place
Physical safeguards include:
- Securing devices and workstations through measures like screen lock policies, automatic log-offs, and secure login procedures
- Restricting physical access to servers or other devices that store PHI
6. What steps should I take if my dental practice experiences a HIPAA incident?
If you discover that there has or could have been a HIPAA incident within your dental practice, such as unauthorized access, use, or disclosure of protected health information (PHI), there are several things you should do.
Work quickly to understand, contain, and mitigate the situation. Determine what happened, when it happened, what information was exposed, and what parties were involved. Be sure to keep detailed records of the incident, even if it seems minor.
You should also determine whether the incident is a reportable breach. To do so, you’ll perform a risk assessment to assess the scope and impact of the incident and determine the probability that any PHI has been compromised.
The factors to consider in your assessment include:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
Evaluating these four factors will help you determine whether the incident qualifies as a reportable breach. Document the evaluation; HIPAA requires you to be able to show your reasoning.
No breach notification is required under HIPAA if a thorough, documented evaluation of these four factors demonstrates a low probability that the PHI has been compromised. However, you should also determine whether any reporting or notifications are required under your state’s breach notification or other privacy laws, and, based on the nature of the information that may have been exposed, whether notifying the patients involved is simply the right thing to do.
If the evaluation shows that PHI may have been compromised (or you skip the assessment and treat the incident as a breach), HIPAA requires you to notify affected patients in writing without unreasonable delay and no later than 60 days after discovering the breach. You must also notify the U.S. Department of Health and Human Services (HHS): for a breach affecting 500 or more individuals, at the same time as the patient notices (with notice to prominent media outlets as well when more than 500 residents of a state or jurisdiction are affected); for smaller breaches, by logging them and submitting the log to HHS within 60 days after the end of the calendar year in which they were discovered. Failure to report a breach can bring serious consequences, including civil penalties that start at $100 and run up to $50,000 per violation depending on the level of culpability (amounts are adjusted for inflation). It can also lead to more government oversight, loss of patient trust, and potential civil lawsuits.
Not properly documenting or reporting a HIPAA breach can cause more trouble for a dental practice than the breach itself.
Even after a minor breach, it’s a good idea for your practice to provide extra HIPAA training for staff and update policies and procedures to help prevent future problems.
Of course, with respect to a HIPAA incident and other matters addressed in this article, we encourage you to contact your legal counsel for guidance.
7. Can I email patients about their treatment?
You can email patients about their treatment, which includes PHI, as long as you take the right steps to stay HIPAA compliant.
You should limit the amount of PHI included in any email to the minimum amount necessary to communicate with the patient, leaving out any unnecessary details about their health history or unrelated treatment. And, avoid including PHI in the email subject line.
While the use of encrypted email is strongly recommended, unencrypted email is allowed if the patient has been informed of the risks and still asks to receive the information that way. The warning must explain the risk of unauthorized access or accidental disclosure of the information in the email because of the insecure nature of ordinary email, and you should document the patient’s choice. Contact your legal counsel for guidance.
8. What does HIPAA require in terms of employee training?
HIPAA requires all dental office staff members, regardless of their role or access to PHI, to receive security and awareness training. New team members should get trained soon after they join, and it’s a good idea to do regular refresher sessions (ideally every year) to keep everyone up to date on any changes to the regulations, policies, or procedures. Keeping up with training also helps make sure HIPAA stays top of mind for the whole team, every day.
9. How long must dental offices keep patient records under HIPAA?
HIPAA requires that its own compliance documentation (policies and procedures, risk analyses, training records, BAAs, and similar records) be retained for at least 6 years from the date it was created or was last in effect. HIPAA does not set a retention period for patient dental records themselves; those periods come from state law, vary by state, and are often longer.
10. What is a Business Associate Agreement (BAA) — and do I need one with my billing company?
A Business Associate Agreement, or BAA, is a contract between your dental practice and any outside company you hire, like a third-party dental billing company, that handles patient information (PHI). The BAA spells out how they’ll protect that sensitive info, what they’re allowed to do with it, and their responsibilities for reporting any data breach.
A BAA is required under HIPAA if you are hiring a third-party dental billing company. At eAssist, we include a BAA with all our service agreements — it’s one of the first things we do to help give your practice peace of mind.
11. What should I look for in a dental billing partner to ensure they comply with HIPAA?
When you’re looking to outsource your dental billing, make sure you look at the company’s qualifications, experience, and the technology they use to stay HIPAA compliant.
Here are some good questions to ask:
- How well do they understand HIPAA privacy and security rules?
- Do they provide ongoing HIPAA training for their team?
- What steps do they take to protect your patients’ PHI, like using data access controls, encryption, and secure file transfers?
- How do they keep their employees’ computer systems secure?
- Do they routinely use a BAA with their clients, since they’re handling PHI for you?
- What’s their experience with dental coding, and how do they make sure their team stays up to date on CDT changes?
- How familiar are they with dental insurance claims, coordination of benefits, and pre-authorizations?
At eAssist, we know that HIPAA compliance isn’t just a requirement — it’s the foundation for earning your patients’ trust and protecting your practice. Our dedicated legal and IT teams, dental billers, and other leaders are fully trained in HIPAA regulations, and we’ve built strong safeguards across every part of our dental billing process, from secure data handling to regular staff training and airtight business associate agreements (BAAs).
If you’re looking for a dental billing partner who takes compliance as seriously as you do, schedule a free consultation today and discover how we can help your practice stay protected, efficient, and focused on what matters most – patient care.
For general informational purposes only. Does not constitute legal advice. This non-exhaustive list of frequently asked questions and corresponding answers is intended to cover basic points of HIPAA compliance only. Additional HIPAA (and related state) requirements not listed here apply to you and your office, and eAssist does not guarantee HIPAA compliance by following the information provided. Further, changes in applicable law may occur and this post may become outdated. If you have questions regarding HIPAA and how it relates to your office, you should seek counsel from your lawyer or other qualified HIPAA professional. See also https://www.hhs.gov/hipaa/index.html for more information.