HIPAA Security Rule Compliance for Dental Practices: Protecting Your Patients' Data - And Yourself.

Dave Argentar • September 17, 2019

The care that dentists need to provide their patients doesn’t end when they get up from the chair. Dental offices, and the computers, networks, servers, and files maintained within (and outside of) their walls contain patient information that must be kept secure and protected from data breaches and unauthorized disclosure. If your practice doesn’t have the systems, protocols, and policies in place to comply with HIPAA’s multitude of patient privacy and security requirements, even inadvertent and seemingly “harmless” violations can lead to significant financial and legal headaches.


HIPAA security compliance simply cannot be an afterthought for dental practices, nor is it a matter of “set it and forget it.” It requires constant vigilance, proactive planning, and regular audits and updates. This is particularly true when it comes to ensuring the security of electronic health records. Dentists need to commit people, time, and resources to the protection of patient information and should regularly consult with attorneys who can assist them in making their HIPAA compliance efforts robust and effective.


HIPAA Application to Dental Practices


After HIPAA became law in 1996, the U.S. Department of Health and Human Services (HHS) issued a set of national standards governing the use and disclosure of patients’ protected health information (PHI). Commonly known as the Privacy Rule, the Standards for Privacy of Individually Identifiable Health Information apply to “covered entities” as defined in HHS regulations.


The odds that your dental practice is a “covered entity” under HIPAA sit pretty close to 100%. If you send claims, eligibility inquiries and requests, pre-determinations, claim status inquiries, or treatment authorization requests to third parties through electronic means, you must comply with HIPAA.


HIPAA obligations don’t end at the Privacy Rule, which limits how and to whom PHI can be disclosed. Dental practices must also comply with the Security Rule (Security Standards for the Protection of Electronic Protected Health Information) as well as the Breach Notification Rule.


The HIPAA Security Rule


While the Privacy Rule addresses who may have access to PHI, the Security Rule sets the standards for ensuring that only those authorized individuals can access that information. One important distinction between the Privacy Rule and Security Rule is that while the former applies to PHI in whatever form – paper, oral, electronic – the Security Rule only covers electronic health records (ePHI). Since dental practices increasingly rely on electronic means to create, store, and transmit records, ensuring that your practice satisfies the Security Rule’s mandates is the centerpiece of any HIPAA compliance program.


The safeguards required under the Security Rule are divided into three categories:


· Administrative – As defined in the rules, these are policies and procedures designed “to manage the selection, development, implementation, and maintenance of security measures to protect electronically protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”


Practices must sufficiently implement and monitor their “performance of security management process, assignment or delegation of security responsibility, training requirements, and evaluation and documentation of all decisions.”


The essence of administrative compliance is people: people who are in charge of security, people who are trained about security, and people who are responsible for administering, monitoring, and auditing security compliance.


· Physical Access Controls – This involves safeguards established to control physical access to data and information and the systems which store them. This includes such essential elements as:


o Facility Access Controls – policies and procedures that limit physical access to all areas and devices where ePHI is stored, such as locked doors, restricted areas, surveillance systems, security guards, etc.

o Workstation Access and Security – policies and procedures that specify the proper functions to be performed on workstations, how employees should perform those functions, and physical workstation security.

o Device and Media Controls – thumb drives, laptops, phones, tablets, and other devices represent a significant vulnerability for unauthorized access to or distribution of ePHI. Dental practices need to establish policies and procedures that govern how hardware and electronic media containing ePHI can enter or exit dental offices. These controls must include disposal, media reuse, accountability, and data backup and storage.


· Technical controls – this involves “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Firewalls, encryption, data security measures, and other systems put in place to prevent data breaches, cyberattacks, and unauthorized access to ePHI fall into this category.

Your Practice Could Be Held Responsible for Any HIPAA Violations by a “Business Associate”


Many if not most practices contract at least some of their billing, claims management, and other back-office responsibilities to third-party vendors. If a practice fails to obtain “satisfactory assurances” from a “business associate” that it is HIPAA-compliant before retaining their services, and a PHI breach subsequently occurs, the practice entity may be considered liable for any damages that result.


That is why every dental practice that shares PHI with outside contractors should enter into a written HIPAA-Compliant Business Associate Agreement with such vendors. These agreements should specify:


· the types of PHI that the practice will provide to the business associate;

· the permissible uses and disclosures of PHI by the business associate;

· the measures that the business associate must implement to protect PHI;

· the actions that the business associate will take in the event of a data breach.


HIPAA Compliance Questions? Call Grogan, Hesse & Uditsky Today


At Grogan, Hesse & Uditsky, P.C., we focus a substantial part of our practice on providing exceptional legal services for dentists and dental practices, as well as orthodontists, periodontists, endodontists, pediatric dentists, and oral surgeons. We bring unique insights and deep commitment to protecting the interests of dental professionals and their practices and welcome the opportunity to work with you.


If you have questions or concerns about your practice’s compliance with HIPAA, please call us at (630) 833-5533 or contact us online to arrange for your free initial consultation.


Jordan Uditsky, an accomplished businessman and seasoned attorney, combines his experience as a legal counselor and successful entrepreneur to advise dentists and other business owners in the Chicago area. Jordan grew up in a dental family, with his father, grandfather, and sister each owning their own dental practices, and this blend of legal, business, and personal experience provides Jordan with unique insight into his clients’ needs, concerns, and goals.
