844-740-7100

Colington Consulting

Helping Organizations Achieve HIPAA Compliance

Aligned with the Standards of the HHS, AMA, and ADA

Navigating healthcare privacy regulations shouldn't require a law degree. Our compliance programs are built directly around the official frameworks established by the Department of Health and Human Services (HHS), the American Medical Association (AMA), and the American Dental Association (ADA). Below are answers to the most common compliance questions we solve for healthcare practices and business associates.

Frequently Asked Questions

Please reach us at info@cchipaa.com if you cannot find an answer to your question.

To formally demonstrate compliance if audited or subjected to a federal breach investigation, an organization cannot simply claim to be compliant—you must prove it through tangible documentation.


According to guidelines supported by the AMA HIPAA privacy and security resources, an organization must:


  • Maintain Written Policies: Have up-to-date, customized policies and procedures that form a comprehensive HIPAA risk management plan.
  • Conduct Security Reviews: Provide documented proof of regular HIPAA risk assessments.
  • Train the Workforce: Provide mandatory, annual HIPAA security awareness training for the entire workforce.
  • Designate Oversight: Regardless of your organization's size, you must appoint a designated HIPAA security and privacy official to manage the compliance program.


Many organizations and small businesses believe that HIPAA regulatory compliance is a costly luxury. This misconception is one of the main reasons some organizations fail to implement a comprehensive program to guard against regulatory noncompliance.


In reality, implementing proactive HIPAA compliance measures is highly cost-effective, especially when compared to the strict civil monetary penalties and permanent reputational damage caused by a data breach.


Our team customizes compliance packages to meet your specific operational size and budget constraints. To determine your exact pricing, we utilize an initial questionnaire to evaluate what compliance metrics are currently in place. This ensures you only pay for the specific frameworks your organization actually needs.


Regardless of the size of the practice, dental offices are legally required to follow all HIPAA Security and Privacy Rule requirements. As outlined in the ADA HIPAA 20 Questions guide, dentists must actively manage patient privacy, physical office security, and electronic data transmissions.


To maintain a baseline that satisfies federal regulators, a dental practice must:


  • Conduct Risk Assessments: Formally identify potential vulnerabilities and risks to protected health information (PHI) maintained by the organization.
  • Implement Custom Policies: Develop and implement HIPAA policies and procedures as part of an active risk management plan.
  • Train Staff Annually: Conduct annual HIPAA Security Awareness and Privacy Training for all members of the workforce, including dentists.
  • Secure BAAs: Ensure signed Business Associate Agreements are active for all vendors that have any access to patient health information and records.


Yes. Government regulators do not exempt solo practitioners, small clinics, or startups from compliance simply because they lack an enterprise IT budget. Federal law requires the same level of data protection whether you are a major hospital system or a local neighborhood clinic.


While organizations like the AMA and ADA provide toolkits to help small practices understand these rules, executing them internally can be overwhelming without specialized staff. At Colington Consulting, we step in to act as your external compliance partner—handling the risk assessments, drafting your custom policies, and running your staff training so you can focus entirely on patient care.


The U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) typically initiate HIPAA investigations due to three specific triggers:


  1. Self-Reported Data Breaches: Any breach affecting 500 or more individuals must be reported immediately, automatically triggering a federal investigation. Smaller breaches are logged annually but can still prompt a review.
  2. Patient or Employee Complaints: Written complaints filed by patients, disgruntled employees, or competitors regarding privacy mishandling.
  3. Random Audits: The OCR conducts periodic, random compliance audits across both covered entities and business associates to ensure industry standards are being maintained.


Yes, Colington Consulting is a premier HIPAA compliance firm proudly based in Burke, Fairfax County, Virginia. While we serve clients nationwide, we specialize in providing hands-on, localized compliance strategies, on-site risk reviews, and tailored consulting for healthcare providers, dental practices, and business associates throughout Virginia and the greater Washington D.C. metropolitan area.


A Covered Entity is any provider of medical, dental, or other healthcare services or supplies that transmits any protected health information in electronic form. This includes pharmacies, health plans, and healthcare clearinghouses that perform electronic health care billing functions.


Note: If your organization files any insurance claims electronically, including requests for reimbursement from CMS for Medicare and Medicaid services, you are automatically considered a covered entity.


A Business Associate is a person or business that creates, receives, maintains, stores, or transmits PHI while performing a function or activity for a covered entity.


Under federal law, a Business Associate Agreement (BAA) is a mandatory contract between a covered entity and a designated business associate. The agreement requires that any protected health information maintained by the business associate must be protected in accordance with HIPAA regulations. A BAA must explicitly define how a business associate will report and respond to a data breach, including breaches caused by their subcontractors.

Common examples of business associates include:


  • IT services and cloud storage providers.
  • Some health developers.
  • Medical billing and coding companies.
  • Website hosting companies that maintain patient health questionnaires or intake forms.
  • Legal, accounting, consulting, management, or financial services with access to patient data.
  • Some AI health-related platforms or vendors.


The HITECH Act (2009) and the final HIPAA Omnibus Rule drastically strengthened the government's ability to enforce privacy laws, expanded consumer rights, and increased penalties.


  • Direct Liability: Business associates and third-party vendors are now held directly liable, both legally and financially, for data breaches, just like covered entities.
  • Stricter Penalties: A tiered penalty structure was introduced, significantly increasing the financial cost of noncompliance and willful neglect.
  • Patient Rights: Patients gained the right to receive a copy of their medical records in an electronic form. Furthermore, when individuals pay by cash for healthcare services, they can instruct their provider not to share information about their treatment with their health plan.
  • Marketing Restrictions: The rule sets strict limits on how information is used and disclosed for marketing and fundraising purposes, completely prohibiting the sale of an individual's health information without explicit permission.


Protected Health Information (PHI) is individually identifiable health information that is transmitted or maintained in any medium—including paper records, oral communications, or digital files. Electronic Protected Health Information (ePHI) refers specifically to PHI that is produced, saved, transferred, or received in an electronic form.


There are 18 specific types of identifiers that classify data as PHI, including:


  • Patient names and geographical data.
  • Social Security numbers and medical record numbers.
  • Email addresses, phone numbers, and IP addresses.
  • Full-face photographic images or biometric identifiers.


A data breach is the unauthorized acquisition, access, use, or disclosure of Protected Health Information (PHI) in a manner not permitted under the HIPAA Privacy or Security Rules, which compromises the security or privacy of the information.

A breach can be a release of unsecured PHI to an unauthorized entity or an insecure environment, whether intentional or unintentional. This includes cyberattacks (like ransomware), lost or stolen unencrypted laptops, or improper instances of unauthorized access or disclosure by internal personnel.



Colington Consulting

Burke, Fairfax County, VA USA

844-740-7100

Copyright © 2026 Colington Consulting - All Rights Reserved.
