Are You Aware of HIPAA’s Regulations Regarding Business Associates?

We hope that this article prevents many of you from becoming a statistic regarding HIPAA breaches and violations. Even though the Rules and Regulations have been enforceable for over three years now, many dentists and their teams are not familiar with the rules and regulations regarding Business Associates.


What is a Business Associate? According to the Department of Health and Human Services, "A Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of Protected Health Information (PHI) on behalf of, or provides services to, a Covered Entity (CE)."

Here are some examples of Business Associates that dental practices work with on a regular basis (this is not a complete list):

  • Dental insurance companies
  • Dental laboratories
  • CPA or accounting firm
  • Attorney
  • Consultants
  • IT Management Company
  • Dental Supply Vendor (Benco, Henry Schein, Patterson, etc.)
  • Independent Practice Management Software Trainers
  • Cleaning companies and maintenance crews

Why is this important? By law, HIPAA's Privacy Rule only applies to the Covered Entity (which is you, the dentist/dental practice). However, HIPAA's HITECH Act and the American Recovery and Reinvestment Act of 2009 made Business Associates accountable to the government for compliance with the Privacy, Security and HITECH Rules and extended civil and criminal penalties to Business Associates. Your practice is liable for failure to comply with Business Associate Agreements.


What does this mean for you and your practice? One of the main components of compliance with all aspects of HIPAA is limiting access to PHI to the minimum necessary to perform a job. Only those who need to know in order to do their job should have access to the information.


"Outsiders" such as "free-lance" consultants or people you hire to work on a project within your practice who will have access to patients' PHI MUST have a Business Associate Agreement with your practice. If there is a signed Business Associate Agreement and there is a breach, then that person/company is responsible for breach notification and any civil fines or criminal penalties. If there is no Business Associate Agreement in place and there is a breach, it all falls on the practice and the owner doctor.


The most important thing is that we do everything we can to protect patients' confidential information, as there are NO acceptable reasons for violating an individual's right to privacy.


If you are unsure whether someone should have access to protected health information, refer to your practice's Privacy Policy. If someone is working on a project and there is any potential that they will work with or come into contact with PHI, have them sign a Business Associate Agreement.


For questions regarding HIPAA and the HITECH Act, please do not hesitate to contact us.