Does HIPAA Apply To Paper Dental Charts?

Question

Welcome to a Bite-Size HIPAA® Q&A article, where we answer your questions about how HIPAA applies to your dental practice. We recently received the following question in our Bite-Size HIPAA® Q&A inbox. The writer says:

"Our practice is in the process of eliminating all paper charts. We still have a wall of folders that we reference from time to time as we continue to get everything imported into our PMS. I’ve heard that HIPAA only applies to our electronic patient records. Is that true?"

Thank you for submitting this question! Protecting PHI is the law regardless of its format. But I understand where the confusion may have come from. Let’s take a look at what HIPAA says about protecting PHI that is not stored electronically.

The HIPAA Law

If you have watched my HIPAA overview videos in Bite-Size HIPAA® then you know that HIPAA is broken up into three primary rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule. The Privacy Rule addresses how you can use and disclose patient health information. You can think of this as the bones of HIPAA. The Security Rule puts some meat on the Privacy Rule bones by defining the specific technical and non-technical safeguards that must be put in place to secure health information. Finally, the Breach Notification Rule basically outlines how you need to provide notification if the Privacy Rule is broken.

These rules are found at Section 164.300, 164.400 and 164.500 of the HIPAA law respectively. Each has a statement of applicability at the beginning of the rule that describes who and what the rule applies to. If we look at 164.302, we find that the Security Rule does, in fact, only apply to electronic protected health information. So, does that mean you don’t need to do anything to protect PHI contained in paper charts? No.

If we check the applicability statements for the other two rules, we will find that they do apply to all protected health information. Remember, PHI includes any information that relates to an individual’s health or their payment for health care and that contains information that could reasonably be used to identify them. For example, anything that contains a patient name, date of birth, health insurance number, address, zip code, phone number, email address, or photo is PHI if it's in your possession.

Even though the Security Rule does not directly apply to non-electronic PHI, the Privacy Rule contains a requirement in Section 164.530(c) that effectively makes the same kind of safeguards mandatory for all PHI. In this section, the law states that covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of all PHI. This is essentially the same requirement in the Security Rule, just not spelled out in as much detail. If the specific requirements in the Security Rule were deemed reasonable and appropriate for ePHI, we can bet that the same requirements would be deemed appropriate with paper PHI as well.

Summary

To summarize, while the HIPAA Security Rule does not explicitly apply to non-electronic PHI, the Privacy Rule certainly does and it contains essentially the same requirements as the Security Rule. Here are a few suggestions to ensure you are adequately protecting the privacy and security of your paper records:

  1. Conduct a risk assessment focusing on your physical records to identify potential vulnerabilities. How could somebody gain access to them?
  2. Implement physical safeguards such as locked storage areas and only allow access to people who need access.
  3. Train your staff on the proper handling, storage, and disposal of paper records.
  4. Consider establishing a tracking system for accessing and transferring paper PHI.

Have a HIPAA Question?

If you have a HIPAA question related to the day-to-day operations of your dental practice, feel free to send it my way. My email address is todd(at)bitesizehipaa(dot)com. I can’t promise I’ll be able to get to every question submitted, but I’ll do my best to find the most applicable ones to address in future Bite-Size HIPAA® Q&As.


Todd Baker, JD, CIPP

HIPAA & Privacy Attorney

Todd Baker is a uniquely qualified attorney with extensive experience regarding the intersection of HIPAA and technology. Todd earned his undergraduate degree in business at Boise State University and completed his law degree at the University of Virginia School of Law.
