The Lowdown on Written HIPAA Policies and Procedures

To be HIPAA compliant, Covered Entities (Dental Offices and DSOs) and Business Associates are required to have written policies and procedures, know them, follow them, and enforce them! Sadly, this is something ALMOST every dental office fails to comply with. You may have a HIPAA manual, but has it been tailored to your practice setting? Have you and your employees read and understood the policies, and do you follow and abide by them?


When it comes to HIPAA there are some terms you should know.

For this post, the term of the day is ‘Workforce’.


Your workforce is your employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity. Consider this: if you pay someone as a W-2 employee, they are workforce. If you pay someone as an Independent Contractor, such as an associate dentist, you have no control of their actions/inactions. HIPAA states you are responsible for ensuring you train your workforce on federal and state privacy and security regulations. Covered Entities are also responsible for ensuring their workforce is trained on and complies with written policies and procedures.


Here is a sample list of written policies Covered Entities need to have:

  • Notice of Privacy Practices
  • “Minimum Necessary”
  • Designated record set
  • Access to PHI
  • Amendment requests
  • Accounting of disclosures
  • Business associate (BA) relationships
  • Verification of the Identity and Authority of the Person Requesting Disclosure of PHI Policy
  • Use/Disclosure requiring authorization
  • Revocation of authorization
  • Routine & Recurring Disclosures
  • Use and disclosures concerning decedents
  • Safeguarding PHI
  • Use and Disclosure of PHI for TPO
  • Alternative means of communication request
  • Personal Representatives
  • Facsimile transmission
  • Restricted use request
  • Management of Patient Complaints
  • Social Media
  • Anti-retaliation
  • Breach mitigation/response




There is a common mistaken belief that a dental practice’s Notice of Privacy Practices (NPP) is its written policies and procedures (P&P). Actually, the NPP is a patient-facing notice that outlines when an authorization is required to disclose PHI to a third party and identifies patient HIPAA rights. The NPP is a summary of the P&P, which are employee-facing documents that further outline how your workforce complies with HIPAA regulations. As with all written P&P, your HIPAA P&P should be reviewed at least annually to: 1) make sure they are up to date; 2) make sure your staff know and follow them.


Making sure you and your staff know HIPAA P&P means you (and they) actually have to read (or somehow learn) what your P&Ps allow and do not allow with regard to HIPAA. I know from OCR investigations I have been involved with that OCR is not playing around about this. During an investigation they will (not may) quiz your staff on your P&P. If you or your staff cannot reasonably articulate what is allowed (or not) by your P&P, you are screwed (to put it nicely).


Did I mention that Civil Monetary Penalties to settle HIPAA violations have grown? In 2008, OCR settlements averaged $100,000. Today, settlements are averaging over $2 million. That's not a scare tactic, it's reality. Let that sink in before you decide whether or not it is worth investing some time and effort into beefing up your practice's HIPAA compliance program.


Make today your greatest ever!


- Tink

Dental Compliance Specialists

Dental Compliance Specialists helps make dental offices safer for patients, dentists and their employees. We help our clients develop and maintain their compliance programs including OSHA/Infection Control, HIPAA, DEA regulations and prescribing practices, Radiation Safety, OIG/Medicaid Compliance, Record Auditing, and more by providing actionable systems, easy-to-use tools, robust training, and accountability. Most of our clients have never been in trouble and want to keep it that way. Sometimes, though, dentists call when they are in trouble. In either case, we are there to make a meaningful difference. If you need help call us at 817-755-0035.
