HIPAA Compliance Training for Dental Offices

HIPAA compliance training for dental offices is the same as for any organization that qualifies as a HIPAA covered entity inasmuch as all members of the workforce must be trained on policies and procedures with respect to Protected Health Information that are applicable to their roles. Workforce members must also participate in a security awareness training program.

If a dental office conducts – or subcontracts – electronic healthcare transactions for which the Department of Health and Human Services (HHS) has adopted standards in Part 162 of the HIPAA Administrative Simplification Regulations, the dental office qualifies as a HIPAA covered entity and the same HIPAA training requirements apply as for any other covered healthcare organization.

This means dental offices must develop policies and procedures with respect to Protected Health Information (PHI) “taking into account the size and type of activities that relate to PHI undertaken by a covered entity” and provide HIPAA compliance training to members of the workforce whose functions involve uses and disclosures of PHI in any format (verbal, written, electronic, etc.).

In addition, all members of the workforce must be provided with security awareness training that complies with General Requirements of the HIPAA Security Rule (§164.306(a)). Consequently, security awareness training must be designed to protect against any reasonably anticipated threats to the security of PHI and any reasonably anticipated disclosures not permitted by the HIPAA Privacy Rule.

The Challenge of HIPAA Compliance Training for Dental Offices

The challenge of HIPAA compliance training for dental offices is that members of the workforce often have multiple roles. In a small dental office, a receptionist may also be a dental assistant and an insurance claims manager. To perform these roles compliantly, HIPAA compliance training for dental offices would have to include all the circumstances in which uses and disclosures of PHI are subject to different requirements. For example:

  • Although consent to disclose PHI to a parent is usually implied when a child is accompanied by a parent to the dentist, there are many circumstances in which a parent might not qualify as a personal representative of the child.
  • If a patient agrees to a substance abuse screening and the results are shared with a healthcare professional, it may be necessary to obtain an attestation from the healthcare professional that the results will not be further disclosed.
  • If the dental office wants to send the patient communications by email, it may be necessary to obtain an affirmative opt-in (depending on state law), consent, or an authorization if a communication contains marketing information.

When providing HIPAA compliance training for dental offices, it is also important to remember there is an increased likelihood of incidental disclosures, and that many patients only attend a dental office when they are in extreme discomfort. Workforce members need to be aware of how to react in these circumstances if accused by a patient of an impermissible disclosure of PHI, or if a patient refuses to read and acknowledge receipt of a Notice of Privacy Practices.

The Volume of Required Training Can Also be a Challenge

In addition to the challenges mentioned above, there are also circumstances in which disclosures of PHI are subject to the minimum necessary standard, in which patients request that PHI is withheld – or withheld from specific people/entities – and in which disclosures of PHI are exempted from HIPAA (i.e., to payment processors). In some circumstances, challenges to HIPAA compliance can happen simultaneously – increasing the risk of a HIPAA violation.

For this reason, HIPAA compliance training for dental offices has to be comprehensive, but this can put a significant burden on both trainees and trainers – notwithstanding that security awareness training has to be an ongoing program and not a one-off event, and that HIPAA compliance training is not the only regulatory training that dental workforces are required to do (e.g., OSHA bloodborne pathogen training, CMS’ emergency preparedness training, etc.).

How to Reduce the Burden of HIPAA Compliance Training

One of the most effective ways to reduce the burden of HIPAA compliance training for dental offices is to provide each new member of the workforce with a HIPAA basics training course prior to providing “policy and procedure” training or security awareness training. HIPAA basics training courses provide an excellent foundation for compliance training by covering subjects such as what PHI is, the minimum necessary standard, and computer safety rules.

There are a number of online sources offering HIPAA basics training courses. To help determine which is the best course to complement in-house training, organizations are advised to evaluate courses accredited by a recognized training assessor that offer free training modules to review. It may also be worth considering whether the courses provide certificates on completion (for documentation purposes) and/or award Continuing Education Units (CEUs).

Individuals who need to improve their HIPAA knowledge to better understand in-house training can also subscribe to an online HIPAA basics training course. A better understanding of in-house training can help dental workforces better comply with dental office policies and procedures and connect HIPAA compliance with security awareness training. The same advice applies inasmuch as the training should be accredited by a recognized training assessor (i.e., AHIMA) and the course suppliers allow you the opportunity to try before you subscribe.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681