In this edition of Compliance Corner, Practice Mechanic Rick Garofolo gives an overview of HIPAA consent form requirements for all dental practices.

I am amazed at the number of times each week that I get asked what forms and items are needed for HIPAA.

So many offices simply don’t know. Even worse, they don’t have the HIPAA consent forms that they need.

Often, the forms they do have don’t meet the requirements, which changed back in 2013 for your Notice of Privacy Practices and other forms.

Is your Notice of Privacy Practices (NPP) available on your website?

It has to be. And it needs to be the same one people sign in your office, not the stock NPP web companies give you.

Is the NPP posted in your office?

Again, it has to be. These are usually presented in the reception area.

Consent and HIPAA

So what’s really required?

First, let’s continue talking about your Notice of Privacy Practices.

The Privacy Rule was changed a bit in 2009 and 2013 (HITECH and Final Rules) to update some information for the NPP.

First of all, your NPP must include an effective date. This is the date on which those policies went into effect.

The NPP is simple; it’s just a list of your rules regarding use of the patients’ PHI and PII (we covered those last month).

According to the Privacy Rule, your NPP must also include patients’ rights under HIPAA. That list must be on your NPP in the format, and with the wording, dictated by HIPAA.

You should also include a way for patients to opt in or opt out of certain communications. I prefer to let them opt out; then, if they don’t check the little box to opt out, they have automatically opted in.

Keeping Your Site Compliant

Remember above where I said that your NPP has to be posted on your website?

Well, it does, and it has to be the same version that you have in your office. Again, you cannot use the standard cookie cutter version that your web design company puts under “Privacy” on your site.

Lately, there have been a lot of marketing companies (Clickfunnels, Kartra, et al.) creating landing page type things for dentists. They can certainly be a great tool, and I use them for some things myself, but a landing page counts as a website, according to the Office for Civil Rights.

Therefore, each landing page needs to contain a link to your NPP.

Again, it isn’t just your main website, but any site you maintain that provides information about your services or benefits. That includes landing pages, so be sure each one links to your NPP.

Lately, there have been some unscrupulous lawyers checking websites for NPPs. When they don’t find one, the lawyers send a letter or call and tell you that you need to have it on there and they will report you if you don’t pay them to “help fix the problem.”

If this sounds familiar, the same thing was happening a few years ago with the Americans with Disabilities Act for websites. That was successfully proven a scam, but the NPP problem is real and has to be dealt with!

Release of Information

Another HIPAA consent form you should have ready to go is the Authorization to Release Information.

I usually put this one at the bottom of my Acknowledgement of Receipt of Notice of Privacy Practices for patients to sign either at their first visit, first visit after turning 18, or first visit after a change to our NPP.

This tells the office with whom they can discuss the patient’s services and account.

This HIPAA consent form should be completed by every patient over 18 (or a medically emancipated minor). It allows you to discuss care, treatment plans, and financials with parents, partners, spouses, children, or others as dictated by the patient.

Without this, you should not specifically disclose any information to anyone but the patient — remember that general appointment reminders are excluded from this requirement.

One other thing to note: any authorization to release information must include either an expiration date or event. The authorization remains valid only until that date or event has passed, or until the patient revokes it in writing.

If you do not have a valid expiration date or event, your release is not compliant and is therefore not usable or enforceable.

What we have talked about here is just the surface of the requirements, so I want to give you a quick, more complete list. If you need help, have questions, or want samples of these forms, just email me and I will be happy to help out however I can!

Required Forms

  • Notice of Privacy Practices – must be published on your websites and contain the following:
    • An effective date
    • The patients’ rights under HIPAA
    • A statement on how you charge for records if you do
      • You cannot charge if your NPP doesn’t tell the patient how they will be charged
    • Do not ask for permission to share information for treatment, payment or operations
  • Acknowledgement of Receipt of NPP
    • The patient agreeing that they received or could have received a copy of your NPP and that they know they can get it at any time
  • HIPAA restriction request
    • This allows a patient to ask you not to submit something to insurance, so long as they pay out of pocket at your normal cash price (no discounts allowed)
  • Authorization to release
    • This allows a patient to tell you who you can and cannot talk to about their care, treatment plans, and finances (parents, spouse, children, etc.)
  • Consent for photos
    • If you use them on websites, social media or marketing materials

Please remember that while a signature is required for any restriction request or release of information — other than allowable disclosures for treatment, payment or operations which you do not need patient consent for — the patient is not required to sign your Acknowledgment of Receipt of NPP.

They can refuse to sign and you can still treat them and still bill their insurance for their visit. You just have to make a good faith effort to get the signature or write “Refused to sign” on the Acknowledgement and move on with your day!



By Rick Garofolo
Working as a practice management and OSHA/HIPAA compliance consultant for dentists, Rick develops site-specific plans and business systems for dental offices around the country, including state-specific plans. As the President and CEO of The Practice Mechanic, Rick has contributed to the business of dentistry through proper accounting techniques, recall and follow-up system creation, proper treatment plan presentation, and more than 20 other systems.