HIPAA Compliance means having written policies and enforcing them!

You should have employee medical records (no, not dental records, medical records). OSHA medical records include information about work-related exposures, illnesses and injuries. The records also include hepatitis B vaccination records. These records are not protected under HIPAA and, as such, are not Protected Health Information.

Another term you should know is ‘Workforce’. Your workforce is your employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity. Consider this: if you pay someone as a W-2 employee, they are workforce. If you pay someone as an Independent Contractor, such as an associate dentist, you have no control of their actions/inactions. HIPAA states you are responsible for ensuring you train your workforce on federal and state privacy and security regulations. Covered Entities are also responsible for ensuring their workforce is trained on and complies with written policies and procedures.

Here is a sample list of written policies Covered Entities need to have:

  • Notice of Privacy Practices
  • “Minimum Necessary”
  • Designated record set
  • Access to PHI
  • Amendment requests
  • Accounting of disclosures
  • Business associate (BA) relationships
  • Verification of the Identity and Authority of the Person Requesting Disclosure of PHI Policy
  • Use/Disclosure requiring authorization
  • Revocation of authorization
  • Routine & Recurring Disclosures
  • Use and disclosures concerning decedents
  • Safeguarding PHI
  • Use and Disclosure of PHI for TPO
  • Alternative means of communication request
  • Personal Representatives
  • Facsimile transmission
  • Restricted use request
  • Management of Patient Complaints
  • Social Media
  • Anti-retaliation
  • Breach mitigation/response

There is a common mistaken belief that a dental practice’s Notice of Privacy Practices (NPP) is their written policies and procedures (P&P). Actually, the NPP is a patient-facing notice that outlines when an authorization is required to disclose PHI to a third party and identifies patient HIPAA rights. The NPP is a summary of the P&P, which are employee-facing documents that further outline how your workforce complies with HIPAA regulations. As with all written P&P, your HIPAA P&P should be reviewed at least annually to (1) make sure they are up to date and (2) make sure your staff know and follow them.

Making sure you and your staff know HIPAA P&P means you (and they) actually have to read (or somehow learn) what your P&Ps allow and do not allow with regard to HIPAA. I know from OCR investigations I have been involved with that OCR is not playing around about this. During an investigation they will (not may) quiz your staff on your P&P. If you or your staff cannot reasonably articulate what is allowed (or not) by your P&P, you are screwed (to put it politely).

Did I mention that Civil Monetary Penalties to settle HIPAA violations have grown? In 2008, OCR settlements averaged $100,000. Today, Spring 2017, settlements are averaging $1.2 million (no, not doll hairs, dollars).

Dental Compliance Specialists, LLC is the Premier Dental Health Compliance and Quality Assurance provider in the country. We help Dentists develop and maintain compliance programs with the goal of keeping them out of the regulatory limelight. We have in-office and virtual programs, all catered to the Provider’s specific needs. Dental Healthcare Compliance includes: DEA, ICE/Homeland Security, OIG, OSHA, HIPAA, Infection Control, Auditing and Monitoring, Record Auditing, employee training, Radiology Compliance, Medicaid Compliance and more. It’s not just about OSHA anymore! Call 817-755-0035 for help with compliance.