What are the security measures of HIPAA that apply to dental offices?
The HIPAA law contains a security provision requiring every person who maintains or transmits health information electronically to adopt reasonable and appropriate administrative, technical and physical safeguards to: 1) ensure the integrity and confidentiality of patient information; 2) protect against any reasonably anticipated threats or hazards to the security of the information; 3) protect against unauthorized uses or disclosures of the information; and 4) ensure compliance among employees and officers. There are 20 required safeguards a HIPAA-covered entity must implement and 22 others which they must evaluate for implementation. In general, compliance with the HIPAA Security Rule includes performing a risk analysis of your electronic information systems and associated policies and procedures, implementing reasonable and appropriate security measures (risk mitigation), and documenting and maintaining required documentation. For more information, see HIPAA Security Rule – A Summary on cda.org.
Do I need written privacy and security policies? Does staff need to acknowledge them?
Yes, a covered entity must develop and implement written information privacy and security policies and procedures that are consistent with federal and state laws. The covered entity must train their workforce on those policies and procedures and obtain their acknowledgement of training. Policies should outline how the practice manages the collection of patient data and how it uses and discloses protected health information, identify the designated privacy and security officials, detail how privacy complaints are handled and explain sanctions (including termination of employment) for staff who violate policy. The policies and procedures document should also describe the administrative, technical and physical safeguards the practice employs to protect patient information in all forms — hard copy, electronic and verbal. It is advisable to have an incident response plan in place in the event of a data breach. This plan should identify the practice’s incident response team and the steps they will take to identify, investigate and respond to suspected or actual breaches of patient information. The plan will outline when and how to notify affected individuals that their information has been compromised as well as when and how to notify law enforcement, the Department of Health and Human Services (DHHS), state attorney general and the media. It is also a good idea to practice your office’s data breach response plan by conducting tabletop exercises or breach simulations.
Is staff training required? How frequently must it be provided?
Yes, all staff members, including unpaid individuals such as students and interns, must be trained on the practice’s privacy policies and procedures. It is required to train staff prior to their working with patient information and recommended to retrain annually thereafter. Basic privacy and security training should be provided to all. However, the designated privacy and security officers should have a higher level of training since they are responsible for understanding the dental office’s compliance obligations and implementing office policies and procedures. Training for all staff should occur when there is a significant change to the practice’s policies and procedures and when the law changes. Remedial training may be necessary at times. Cybersecurity training and reminders are necessary in the current environment. Staff acknowledgement of training can be done with a simple sign-in sheet. It is recommended to have staff sign a nondisclosure agreement to reinforce a dental office’s privacy procedures. Training resources include the following:
- Dental office’s written policies and procedures.
- CDA Practice Support resources at cda.org/Home/ResourceLibrary/Resources/category/privacy-and-hipaa.
- U.S. Department of Health and Human Services HIPAA for Professionals website at hhs.gov/hipaa/for-professionals/index.html.
- HealthIT.gov Privacy, Security and HIPAA page at healthit.gov/topic/privacysecurity-and-hipaa.
- American Dental Association.
- Private vendors and consultants.
What are the rules for sending emails to my patients?
The expectation is that the electronic transmission of patient information is done securely, either with the use of encryption or other recognized security protocols. There are a few exceptions, however. One is when a patient wants to receive their information via unencrypted email. The covered entity has an obligation to advise that patient of the risks of unsecured email and to confirm the patient’s request after they have been so advised. Reasonable safeguards, such as double-checking the patient’s email address after typing it, should be applied. A second exception is the use of unencrypted emails and text messages to confirm appointments or to ask patients to contact the dental practice regarding an opening in the schedule as long as the communication does not include information about the patient’s condition or treatment.
Must mobile devices and removable media containing patient information be encrypted? What about stationary desktop PCs and storage devices?
Encryption is technically an “addressable” specification under the security rule, but it is a very good idea to encrypt all mobile devices or removable media that contain patient information, such as smartphones, laptops, tablets, flash drives, CDs, DVDs and backup tapes/drives. Not only is encryption the best way to protect the data contained on these devices, but if encrypted devices are lost or stolen, the information is still deemed secure and neither HIPAA nor California’s breach notification law requires notification of affected individuals. If an unencrypted device is lost or stolen, all potentially affected individuals must be notified. It is also a good idea to consider encrypting desktop PCs and any stationary storage device the practice has on-site. These items are often stolen when practices are burglarized.
Must operatories and waiting rooms be soundproofed to comply with HIPAA?
No. Guidance from the DHHS on how it interprets and enforces the regulations clarifies that reasonable efforts should be taken to protect the privacy of patient health information. Soundproofing operatories and waiting rooms is often unnecessary for individual dental offices. However, the documented training of staff should include prohibitions against loud conversations, calls to nonprivate intercom stations and using speakerphones. Advise front office staff to limit or, if reasonably possible, preclude disclosure of protected health information during telephone conferences in public areas, or to make sensitive telephone calls in private areas of the office.
Is the patient sign-in sheet at the front counter still allowed? What about appointment reminder postcards?
The sign-in sheet and the reminder postcard fall into the category of “incidental uses and disclosures” under HIPAA. They are permitted as long as reasonable safeguards are applied and only the minimum necessary information is used. The HIPAA privacy rule was not intended to impede customary and essential practices. The sign-in sheet and postcard may be used as long as the purpose of the appointment is not identified. Other examples of incidental uses and disclosures occur in treatment areas with open bays. Dentists and staff in this environment should take care that they are not easily overheard when discussing a patient’s condition and treatment. Computer screens displaying patient information should be turned away from unauthorized viewers to the extent possible.
Should computers and fax machines in the office be situated such that patients cannot gain access or view the computer screen and faxes? What other physical safeguards are necessary?
Yes. It is important that only office staff can gain physical and viewing access to fax machines and computers. Many precautions are common sense; for example, computer screensavers and auto logoff should be turned on to prevent unauthorized individuals from accessing patient information when a staff member leaves a computer terminal. When staff returns to the terminal, they should be required to enter a password or passcode to reactivate the screen. Remind staff not to keep their password or passcode near their computer terminal. Passwords should be appropriately complex. Computer servers and any on-site backup media should be physically secured to prevent theft. Portable devices that store patient information should be secured when not in use.
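One way to check whether a Windows front-desk workstation actually has the safeguards described above turned on, as an added example that is not part of this FAQ: a read-only PowerShell audit of the screensaver lock, the machine-wide inactivity limit, the local minimum password length and the BitLocker status of the system drive. The 15-minute idle limit and 10-character password length are assumed office-policy values, not figures taken from HIPAA or from this page.

```powershell
# Added example: read-only audit of workstation lock and disk-encryption settings.
# Thresholds are assumed office-policy values; HIPAA does not fix a number of minutes.
$MaxIdleSeconds    = 900   # assumption: lock after 15 minutes idle
$MinPasswordLength = 10    # assumption: office minimum password length

$findings = @()

# 1. Per-user screensaver: enabled, password required on resume, short timeout.
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
if ($desk.ScreenSaveActive -ne '1')    { $findings += 'Screensaver is not enabled' }
if ($desk.ScreenSaverIsSecure -ne '1') { $findings += 'Screensaver does not require a password on resume' }
$timeout = [int]$desk.ScreenSaveTimeOut          # missing value reads as 0
if ($timeout -eq 0 -or $timeout -gt $MaxIdleSeconds) {
    $findings += "Screensaver timeout is ${timeout}s (policy: 1..$MaxIdleSeconds s)"
}

# 2. Machine-wide inactivity limit, which applies even if a user changes their own screensaver.
$sys = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if (-not $sys.InactivityTimeoutSecs -or $sys.InactivityTimeoutSecs -gt $MaxIdleSeconds) {
    $findings += 'Machine inactivity limit (InactivityTimeoutSecs) is unset or longer than policy'
}

# 3. Local password policy: minimum length as reported by "net accounts".
$line = (net accounts) | Select-String 'Minimum password length'
$len  = if ($line) { (($line.Line -split ':')[1].Trim()) -as [int] } else { $null }   # "None" -> $null
if (-not $len -or $len -lt $MinPasswordLength) {
    $findings += "Minimum password length is '$len' (policy: >= $MinPasswordLength)"
}

# 4. System-drive encryption (BitLocker). Needs an elevated session and the BitLocker module.
try {
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    if ($bl.ProtectionStatus -ne 'On') {
        $findings += "BitLocker protection on $env:SystemDrive is $($bl.ProtectionStatus)"
    }
} catch {
    $findings += 'Could not query BitLocker (run elevated on a Windows edition that includes BitLocker)'
}

# Summary: one line per gap, so the result can be filed with the practice's risk analysis.
if ($findings.Count -eq 0) {
    'PASS: workstation meets the assumed lock and encryption policy'
} else {
    'FAIL:'
    $findings | ForEach-Object { " - $_" }
}
```

Run it in an elevated PowerShell session on each workstation and keep the output with the practice's risk-analysis documentation; it changes no settings.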
How should patient records that are not stored electronically be handled?
Dental records on paper and in files are usually found in a number of locations around an office during practice hours, including the receptionist’s desk, the operatories, the dentist’s desk and the counter where patients check out. HIPAA does not prohibit patient records “floating” around the office, but it is important that no unauthorized individual have access to patient information anywhere in the office. Again, this is common sense. For many offices, this requires an assessment of how and where patient information moves throughout the office and may necessitate a change in how records are handled and stored. Do not forget to consider where incoming and outgoing mail is placed as well as deliveries from dental laboratories. The cover of a chart/patient record may not bear markings or codes that reveal medical information about a patient. HIPAA prohibits, for example, stickers stating “Pre Med required” or “Allergy: No Penn VK.” It is acceptable to have a caution sticker on the cover that reminds “See Hx before Tx.”
I use third-party vendors for certain administrative and technical services — do I need to validate their HIPAA compliance?
Third parties that use or access patient information in providing a service for the benefit of a covered entity, such as claims processing or information systems management, are known as “business associates” under HIPAA. Other types of business associates include clearinghouses, practice management software vendors, revenue managers, malpractice insurers and attorneys. It is the responsibility of the covered entity to ensure that business associate agreements are in place with such third parties. A business associate must provide its covered entities, by written agreement, satisfactory assurances that it will safeguard protected health information according to the Security Rule standards and that it will inform its covered entities of any breaches of protected health information it discovers. The business associate agreement should also contain an acknowledgement that the business associate is potentially subject to the same civil and criminal judgments and penalties as covered entities. The DHHS Office of Civil Rights in 2016 clarified that a business associate may not prevent a covered entity’s access to the covered entity’s patient information of which the business associate has control, unless provided for within a contract, and that a business associate agreement is required even when a covered entity has encrypted the patient information provided to a cloud storage provider. Dental laboratories, other dentists to whom you refer or from whom you receive referrals and the practice workforce, including employees, students and interns, are not business associates. Independent contractors may be considered as part of the practice’s workforce as long as they receive the same training. Researchers are not business associates; however, patient authorization to use a limited data set is required. Banks, consumer credit companies or organizations, the U.S. Postal Service and couriers are not business associates. 
Billing charges on credit or ATM cards may not state the specific patient treatment, only that “dental services” were provided.
Although dental practices do not commonly use health information exchange organizations, regional health information organizations, or e-prescribing gateways, business associate agreements must be in place with these entities if they are used.
What is the California Consumer Privacy Act? Do I need to comply?
The California Consumer Privacy Act (CCPA) provides California residents expanded rights regarding the collection, use and disclosure of their personal information. It affords the right to know exactly what elements of personal information a business has in its possession, the right to request that a business delete that information and the right to instruct a business not to sell that information. Health care providers who are covered entities under HIPAA are exempt from CCPA’s requirements as it relates to their collection, use and disclosure of PHI. Businesses that have an annual gross revenue of less than $25 million are also exempt, as are businesses that receive or disclose the personal information of less than 100,000 California residents, households or devices on an annual basis. In November 2020, California voters approved the California Privacy Rights Act (CPRA). Effective Jan. 1, 2023, the ballot initiative creates more rights for consumers and adds obligations on businesses that collect individuals’ personal information. It also created the California Privacy Protection Agency, which is tasked with enforcing the law. As with CCPA, health care providers who are subject to HIPAA and CMIA are exempted from CPRA requirements.