According to the U.S. Health and Human Services Office for Civil Rights (OCR), dental practices are not required to have a business associate agreement with their dental laboratory before sharing protected health information.
The HIPAA Privacy Rule applies to covered entities (including dental practices) and their business associates. As you know, for the past few years, dental practices have been the target of increased HIPAA audits by the OCR. On March 22, 2017, the American Dental Association (ADA) announced[1] that OCR had clarified to the ADA that a dental laboratory is not a dentist’s business associate when the communication is for treatment purposes. Specifically, in its correspondence to the ADA, the OCR said, “a covered entity such as a dentist is not required to have a business associate agreement with another health care provider such as a dental laboratory when disclosing [protected health information] for treatment of an individual.”
It’s important to note that this clarification is not a blanket exemption from the requirement to have business associate agreements between dental practices and dental laboratories. In certain instances, business associate agreements are still required. For example, the OCR pointed out that an agreement is needed if the laboratory provides “other (nontreatment) services or functions on behalf of the provider that fall within the definition of business associate and require access to protected health information.”
If you have questions regarding your dental practice’s HIPAA compliance or need assistance with training your staff, feel free to contact any one of our Health Care Focus Team attorneys.
[1] http://www.ada.org/en/publications/ada-news/2017-archive/march/ocr-responds-to-question-about-dental-labs-business-associate-agreements
Source: Blue Ink Blog