AMERICAN DENTAL ASSOCIATION HIPAA CHECKLIST
© American Dental Association 2002
This Checklist is intended to facilitate your compliance with the new federal Privacy Rule developed pursuant to the Health Insurance Portability Act of 1996 (HIPAA).
HIPAA Privacy rules are still evolving so no source, including the ADA or any vendor selling HIPAA Privacy compliance materials, knows the final compliance requirements for certain. Be cautious of compliance materials claiming otherwise.
Under the HIPAA Privacy Rule, dental offices that transmit any health information in electronic form, either directly or indirectly through a vendor or billing service, will need to appropriately safeguard and disclose protected health information (PHI) in compliance with minimum federal requirements; more stringent state laws may also apply. For example, dental offices may obtain the right to use or disclose PHI for purposes of “treatment, payment, and healthcare operations” by making a good faith effort to obtain a patient’s Acknowledgement of Receipt of the (office’s) Notice of Privacy Practices.
Failure to comply with the Privacy Rule can subject dentists to severe sanctions for violations, including both civil (fines) and criminal penalties.
This Checklist is offered as a starting point for HIPAA privacy compliance in the dental office, and identifies many of the key tasks a private dental practice must undertake to comply.
Detailed compliance information may be found in the law and regulation, and elsewhere in this Privacy Kit. This Checklist does not cover additional privacy compliance that may be required by more stringent state laws, nor federal requirements in HIPAA that go beyond privacy.
The HIPAA privacy compliance date is April 14, 2003. You should be ready before this date with privacy policies and forms, employee training, business associate agreements, and more. You should think in terms of implementing reasonable safeguards that reflect your particular circumstances.
The Checklist does not assure compliance with HIPAA or constitute professional advice; dentists must consult with their professional advisors for such advice.
1. Develop a compliance timeline, using this Checklist as a starting point.
2. Learn what HIPAA requires and do a gap analysis to assess where your current practices may be lacking.
3. Develop privacy policies, procedures, and documentation practices.
4. Develop necessary forms to implement your policies and practices (e.g., Acknowledgement of Receipt of Notice of Privacy Practices).
5. Develop a Notice of Privacy Practices to post and give to patients, and a method to document your good faith attempt to secure patients’ acknowledgement of receipt of the Notice.
6. Designate a Privacy Officer and a Contact Person to receive complaints.
7. Train employees in privacy. Document all training efforts.
8. Develop an employee discipline process for privacy violations.
9. Evaluate which of your relationships require a Business Associate (BA) Agreement and enter into the required written contracts, using BA agreement language satisfying HIPAA’s specific requirements. (The compliance date for amending existing written BA agreements is April 14, 2004, but agreements that are renewed or modified before then must be amended at the time of that renewal or modification.)
10. Your dental office should have appropriate administrative (e.g., policies, procedures, and staff training), technical (e.g., secure software and passwords), and physical (e.g., doors and locks) safeguards in place to make sure health information is private and secure.
11. Implement procedures to verify the identity and authority of anyone seeking to access, receive, or use protected health information (PHI) as defined under HIPAA. Keep in mind that PHI includes oral communications (e.g., verbal communications among staff members, patients, and/or other providers).
12. Secure the right to use or disclose PHI. For purposes of treatment, payment, and healthcare operations (TPO), your good faith attempt to secure an Acknowledgement of receipt of your Notice of Privacy Practices will suffice. Otherwise, secure a written Authorization as required by HIPAA.
13. Plan to use PHI by applying the minimum necessary standard, which will often require that you make reasonable efforts to use or disclose only the information needed to accomplish the intended purpose.
14. Know which federal patient rights are established by HIPAA, and develop processes to ensure you will honor those rights (e.g., the rights to access and copy protected health information, the right to amend a patient record, the right to an accounting of disclosures, and the right to confidential communication).
15. Implement complaint systems.
16. Know the HIPAA marketing rules and follow them.
17. Limit the consequences if there is a breach of confidentiality by you and/or your Business Associate.
18. Develop and implement a HIPAA privacy self-audit program to make sure your compliance efforts are working.
19. Document, document, document!