It's a common assumption that the Health Insurance Portability and Accountability Act (HIPAA) of 1996 only applies to hospitals and major healthcare practices, but this isn't the case. HIPAA applies to all “covered entities,” which the Department of Health and Human Services (HHS) defines as any health insurer, healthcare clearinghouse, or healthcare provider that electronically transmits health information in connection with a transaction for which HHS has adopted standards. So if you are a dentist who stores and transmits healthcare data, you are required by law to adopt the standards outlined in HIPAA.
When you compare a typical dental office to a hospital or even a family physician, there's an obvious difference in size. Dental offices are almost always smaller, with fewer workers managing them. This can make certain elements of HIPAA compliance easier, while making others more difficult as well.
With fewer workers, there's a lower risk of an employee intentionally or accidentally disclosing Protected Health Information (PHI). Lost or stolen devices are one of the most commonly cited causes of PHI breaches, but this risk is also lower in dental practices.
Of course, there are some areas of HIPAA that are more difficult for smaller covered entities such as dental practices, one of which is the technical side of things. HIPAA's Security Rule requires covered entities to implement technical, physical and administrative safeguards to prevent unauthorized access to Electronic Protected Health Information (EPHI). Dental practices often lack a dedicated IT team to accomplish this goal, so they are forced to do it themselves.
If you own or operate a dental practice, you must take the appropriate steps to ensure your EPHI is safe and secure. As previously stated, this includes a combination of physical, technical and administrative safeguards. Physical safeguards consist of tangible measures, some of which may include the use of privacy screens, locked doors and locked windows. Administrative safeguards consist of policies and procedures aimed at protecting EPHI from unauthorized access or use.
Arguably, the most important step in creating a HIPAA compliant dental practice is to implement technical safeguards. Unlike physical safeguards, technical safeguards are intangible, meaning you cannot physically touch them. Commonly used technical safeguards may consist of data encryption, firewalls, two-factor user authentication, virus scanners, and remote data wipe capabilities.