When is a dentist a business associate?

Differentiating between when a dentist is a covered entity and when they act as a business associate allows for an understanding of the responsibilities and obligations they have in order to protect patient data. 

The role of a dentist as a business associate

A business associate is an individual or organization that performs certain functions or activities involving protected health information (PHI) on behalf of a covered entity. While dentists are typically considered covered entities rather than business associates under HIPAA, there are situations where a dentist may act as a business associate. Here are a few examples:

1. Subcontracted services: If a dentist or dental practice contracts with another entity or individual to provide specific services that involve the use or disclosure of PHI, such as billing or IT support, the dentist may act as a business associate in that context.
2. Hybrid entities: In some cases, a dentist may be part of a larger organization that functions as a hybrid entity. Hybrid entities have both covered entity components and non-covered entity components. If the dentist operates within the non-covered entity component of the organization and handles PHI on behalf of the covered entity component, the dentist may be considered a business associate for those specific activities.
3. Dual roles: In certain circumstances, a dentist may have multiple roles where they act as both a covered entity and a business associate. For example, if a dentist provides dental services to employees of a healthcare organization while also serving as a contracted provider, the dentist would act as a covered entity for the dental services provided to employees and as a business associate for the contracted services.

Related: How dentists can use secure email

Obligations of business associates

When dentists act as business associates under HIPAA, they have specific obligations outlined in a business associate agreement (BAA) with the covered entity. These obligations include complying with HIPAA regulations such as the Privacy and Security Rules. Furthermore, implementing safeguards to protect the confidentiality, integrity, and availability of PHI is necessary. Dentists need to limit the use and disclosure of PHI to what is authorized by the BAA or required by law. They are required to ensure that subcontractors are compliant with HIPAA regulations. 

Specific HIPAA requirements for dentists as business associates

1. Administrative safeguards: Dentists must establish administrative safeguards to manage the selection, development, implementation, and maintenance of security measures. This includes designating a HIPAA Privacy and Security Officer, conducting risk assessments, and developing policies and procedures.
2. Physical safeguards: These safeguards are necessary to protect the physical security of PHI, such as securing dental offices, workstations, and electronic equipment containing PHI. 
3. Technical safeguards: Technical safeguards protect the electronic transmission and storage of PHI.
4. Privacy rule compliance: Dentists must comply with the HIPAA Privacy Rule, which governs the use and disclosure of PHI. 
5. Security rule compliance: Dentists must comply with the HIPAA Security Rule, which establishes standards for protecting electronic PHI.
6. Breach notification rule compliance: Dentists must comply with the HIPAA Breach Notification Rule, which requires the timely notification of individuals, the Secretary of Health and Human Services, and potentially the media in the event of a breach of unsecured PHI. Dentists must have policies and procedures in place to assess and respond to breaches.

Related: HIPAA Compliant Email: The Definitive Guide

Consequences of failing to meet HIPAA requirements

Failure to fulfill obligations as a business associate under HIPAA can result in significant consequences for dentists. Legal liability can arise, including lawsuits and legal actions, resulting in financial and reputational harm. Professional consequences, on the other hand, may include disciplinary actions, license suspension, and limitations on practice activities. Dentists should prioritize compliance with HIPAA regulations to avoid these consequences and maintain patient trust.

What other legislation applies to dentists acting as business associates?

HITECH act

The Health Information Technology for Economic and Clinical Health Act (HITECH) works with HIPAA to strengthen the privacy and security protections of electronic health information. It expands the enforcement provisions and penalties for HIPAA violations. It promotes the adoption of electronic health records and secure electronic exchange of health information.

Federal trade commission act (FTC Act)

The FTC Act empowers the Federal Trade Commission to take action against unfair or deceptive trade practices, including privacy and security violations. Dentists acting as business associates must comply with the FTC Act by maintaining accurate privacy policies, implementing appropriate security measures, and protecting consumer information.

What happens if the business associates' relationship ends?

American Dental Association (ADA) offers that upon the termination of a business associate agreement, the business associate should, if feasible, return or destroy the PHI and retain no copies. If this is not feasible, the business associate must continue to protect the PHI and not use or disclose it for any purpose except those that make return or destruction infeasible.

Related: Are dentist appointment reminders considered PHI?