The HIPAA Breach Notification Rule: What Dental Practices Must Do When Patient Information Is Compromised

Jordan Uditsky • August 7, 2024

Every dental practice is sitting on a fortune. The patient information they electronically collect, maintain, store, and use is a potential gold mine for hackers, cybercriminals, and other technological bad actors who can sell and leverage that data for their own gain or nefarious ends. For these reasons, dentists and all other healthcare providers, facilities, and the vendors they work with are ripe and continuous targets for cyberattacks and data breaches.


Such occurrences can quickly metastasize into a legal, financial, and reputational nightmare for dental practice owners. And dental practices and dental service organizations are waking up to these nightmares with increasing frequency. According to the Ponemon Institute, dental practices experienced a 45% increase in data breaches in the last two years, with the average cost of a healthcare data breach reaching $9.23 million.


As we discussed in this earlier post, the HIPAA Security Rule imposes detailed and technical compliance obligations on dental practices regarding the protection of patients’ electronic protected health information (ePHI). But when a breach does occur, practice owners must act quickly on several fronts to triage the situation and remediate the damage, including making the disclosures and providing the notices required by the HIPAA Breach Notification Rule.


The Breach Notification Rule (45 CFR 164.400 through 164.414) requires covered entities, including dental practices, to notify affected individuals, the Secretary of the Department of Health and Human Services (HHS), and, in certain cases, the media following a breach of unsecured PHI. A business associate (a vendor that handles PHI on the practice’s behalf) that discovers a breach must notify the practice, which then carries the obligations described below.


What Constitutes a Breach?


For purposes of the Breach Notification Rule, a breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI. Three narrow exceptions apply: (1) unintentional acquisition, access, or use by a workforce member acting in good faith and within the scope of their authority (a hygienist who opens the wrong patient’s chart and closes it), provided it does not result in further impermissible use or disclosure; (2) inadvertent disclosure by a person authorized to access PHI to another person authorized to access PHI at the same practice, again provided it goes no further; and (3) a disclosure where the practice has a good-faith belief that the recipient would not reasonably have been able to retain the information (a misdirected mailing returned unopened, for instance). Anything outside these exceptions is presumed to be a breach unless the practice can demonstrate, through the risk assessment described below, that there is a low probability that the PHI has been compromised.


PHI is unsecured unless it has been rendered unusable, unreadable, or indecipherable to unauthorized persons by one of the two methods in HHS’s guidance: encryption consistent with NIST standards, or destruction (shredding or pulverizing paper; clearing, purging, or destroying electronic media consistent with NIST SP 800-88). Only breaches of unsecured PHI trigger the notification obligations set forth below. Two caveats matter in practice. First, encryption is a safe harbor only if the decryption key was not also compromised: a powered-off laptop with full-disk encryption that is stolen from a car is likely a non-reportable event, while the same laptop stolen while running and logged in, or a database breach in which the attacker also obtained the key, is not. Second, passwords, firewalls, and access controls are not encryption; a spreadsheet of patient data that sat behind a login on the practice server is still unsecured PHI if it is exfiltrated.


Risk Assessment and Notification Requirements After a Breach Is Discovered


Once a practice becomes aware of an impermissible use or disclosure, it must presume a breach and conduct a documented risk assessment; notification can be avoided only if the assessment shows a low probability that the PHI has been compromised. The rule lists four factors that must at least be considered: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom it was disclosed (another HIPAA-covered provider is a different matter from an unknown attacker); (3) whether the PHI was actually acquired or viewed, as opposed to merely exposed (forensic evidence that a stolen device was never powered on, or server logs showing the file was never opened, is decisive here); and (4) the extent to which the risk has been mitigated, such as a signed attestation from the recipient that the information was destroyed. The burden of proof is on the practice: it must be able to show either that notice was given or that the assessment supported a low-probability finding, and the assessment and its supporting evidence must be retained for six years. If the practice cannot demonstrate a low probability of compromise, it must notify.


Individual notice must be provided without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. A breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent of the practice other than the person who committed it, so the clock does not wait for the owner to be told. The 60 days is an outer limit, not a grace period: a practice that has everything it needs to notify on day 20 and waits until day 59 is unreasonably delaying. Written notice goes by first-class mail to the individual’s last known address (or by email if the individual has agreed to electronic notice) and must include, in plain language:


  • A brief description of what happened, including the date of the breach and the date of discovery, if known
  • The types of unsecured PHI involved (for example name, date of birth, Social Security number, insurance ID, or treatment information)
  • Steps individuals should take to protect themselves from potential harm
  • What the practice is doing to investigate the breach, mitigate harm, and protect against further breaches, and
  • Contact procedures for questions, which must include a toll-free telephone number, an email address, a website, or a postal address.

If the practice has insufficient or out-of-date contact information for ten or more affected individuals, it must also provide substitute notice: a conspicuous posting on the home page of its website for 90 days, or notice in major print or broadcast media serving the area, in either case with a toll-free number that stays active for at least 90 days.


Notice to HHS and the Media


HHS and the media are separate obligations with different thresholds. If a breach involves more than 500 residents of a single state or jurisdiction, the practice must notify prominent media outlets serving that state or jurisdiction, without unreasonable delay and no later than 60 calendar days after discovery. If a breach affects 500 or more individuals in total, regardless of how they are spread across states, the practice must notify HHS at the same time it notifies the affected individuals, using the breach report form on the HHS Office for Civil Rights website; HHS then posts the breach on its public list. Breaches affecting fewer than 500 individuals must be logged and reported to HHS no later than 60 calendar days after the end of the calendar year in which they were discovered. The two thresholds can diverge: 300 affected patients in Illinois and 300 in Indiana trigger contemporaneous HHS notice but no media notice, because no single state exceeds 500. Finally, a business associate such as a practice management software host, billing company, or cloud backup provider must notify the practice of a breach it discovers without unreasonable delay and no later than 60 days after discovery, but the duty to notify patients, HHS, and the media remains the practice’s; and if the vendor is acting as the practice’s agent, the practice’s 60-day clock starts when the vendor discovers the breach, not when it gets around to reporting it.
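To make the thresholds and deadlines above concrete, here is a small Python tracker that an incident response team could run against the facts of an incident to see which notices are owed and by when. It is an added example, not code from the original post or from HHS; the BreachFacts fields, the assess() helper, and the sample incidents at the bottom are constructed for the illustration, while the 60-day limit, the 500 and “more than 500” thresholds, and the ten-person substitute-notice trigger come from the rule as described above.

```python
"""
Breach-notification obligation tracker, written as an added illustration of the
thresholds and deadlines described above (45 CFR 164.402 through 164.408). It is
not code from the original post or from HHS. BreachFacts, assess() and the sample
incidents at the bottom are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta

DEADLINE_DAYS = 60                # outer limit after discovery: individual, media and (500+) HHS notice
HHS_CONTEMPORANEOUS_MIN = 500     # 500 or more individuals in total: HHS notified together with individuals
MEDIA_PER_JURISDICTION_MIN = 501  # more than 500 residents of one state/jurisdiction: media notice
SUBSTITUTE_NOTICE_MIN = 10        # 10 or more individuals with bad contact info: substitute notice


@dataclass
class BreachFacts:
    discovered_on: date          # first day the breach was, or reasonably should have been, known to any workforce member
    affected_by_state: dict      # state code -> number of affected residents, e.g. {"IL": 620}
    encrypted: bool = False      # PHI was encrypted consistent with HHS/NIST guidance
    key_compromised: bool = False             # the decryption key was also exposed (defeats the safe harbor)
    low_probability_documented: bool = False  # four-factor risk assessment concluded low probability of compromise
    bad_contact_count: int = 0   # individuals with insufficient or out-of-date contact information


def is_unsecured(f: BreachFacts) -> bool:
    """Encryption keeps PHI 'secured' only if the key was not compromised too."""
    return not (f.encrypted and not f.key_compromised)


def notification_obligations(f: BreachFacts) -> dict:
    """Return which notices are owed and the latest date for each (ISO date strings)."""
    total = sum(f.affected_by_state.values())
    result = {
        "total_affected": total,
        "notice_required": False,
        "reason": "",
        "individual_notice_by": None,
        "hhs_notice_by": None,
        "hhs_timing": None,
        "media_notice_jurisdictions": [],
        "substitute_notice_required": False,
    }
    if not is_unsecured(f):
        result["reason"] = "PHI was secured (encrypted, key not compromised): no notice required"
        return result
    if f.low_probability_documented:
        result["reason"] = "documented risk assessment found low probability of compromise: no notice required"
        return result

    result["notice_required"] = True
    result["reason"] = "breach of unsecured PHI with no documented low-probability finding"
    # Individual notice: without unreasonable delay, no later than 60 calendar days after discovery.
    individual_by = f.discovered_on + timedelta(days=DEADLINE_DAYS)
    result["individual_notice_by"] = individual_by.isoformat()
    # Media notice is decided per state: more than 500 residents of that state.
    result["media_notice_jurisdictions"] = sorted(
        state for state, n in f.affected_by_state.items() if n >= MEDIA_PER_JURISDICTION_MIN
    )
    # HHS notice is decided on the total across all states, not on any single state.
    if total >= HHS_CONTEMPORANEOUS_MIN:
        result["hhs_notice_by"] = individual_by.isoformat()
        result["hhs_timing"] = "contemporaneous with individual notice"
    else:
        year_end = date(f.discovered_on.year, 12, 31)
        result["hhs_notice_by"] = (year_end + timedelta(days=DEADLINE_DAYS)).isoformat()
        result["hhs_timing"] = "annual log, within 60 days after the end of the calendar year of discovery"
    result["substitute_notice_required"] = f.bad_contact_count >= SUBSTITUTE_NOTICE_MIN
    return result


def assess(discovered_on: str, affected_by_state: dict, **flags) -> dict:
    """Convenience wrapper taking the discovery date as an ISO string (YYYY-MM-DD)."""
    return notification_obligations(BreachFacts(date.fromisoformat(discovered_on), affected_by_state, **flags))


if __name__ == "__main__":
    # Constructed sample incidents, all discovered on the date of this post.
    samples = {
        "stolen powered-off encrypted laptop": assess("2024-08-07", {"IL": 1200}, encrypted=True),
        "ransomware, key exfiltrated":         assess("2024-08-07", {"IL": 1200}, encrypted=True, key_compromised=True),
        "two-state breach, 300 each":          assess("2024-08-07", {"IL": 300, "IN": 300}),
        "single-state breach of 501":          assess("2024-08-07", {"IL": 501}, bad_contact_count=12),
        "misdirected fax, 40 patients":        assess("2024-08-07", {"IL": 40}),
    }
    for name, r in samples.items():
        print(f"{name}: {r}")
```

The dates it prints are outer limits, not targets; the rule’s “without unreasonable delay” language governs, and the low-probability flag should only ever be set from a written, retained risk assessment.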


What Dentists Need To Do To Comply With The Breach Notification Rule


While the Notification Rule’s obligations don’t kick in until after a breach, dental practices should take several steps before a breach happens to ensure compliance and minimize the damage and fallout:


  • Develop and Implement Policies and Procedures: Dentists should establish written policies and procedures for managing PHI and addressing potential breaches. These should include processes for identifying, investigating, and responding to breaches, conducting risk assessments, and notifying affected individuals and the appropriate authorities.
  • Regular Staff Training: All staff members should be trained on HIPAA regulations, including the Breach Notification Rule, and the office's specific policies and procedures for handling PHI. Regular training ensures that staff members are aware of their responsibilities and can recognize and report potential breaches.
  • Implement Security Measures: As noted, dentists must implement the administrative, physical, and technical safeguards required by the HIPAA Security Rule. From a breach-notification standpoint, the most valuable controls are the ones that either keep an incident out of the “unsecured PHI” category or let the practice prove what actually happened: full-disk encryption on every laptop, phone, and portable drive that can hold ePHI (with the key protected by a strong password rather than stored on the device), encryption in transit for email and file exchange, unique user accounts and role-based access so that access logs name a person rather than a shared login, audit logging on the practice management system, and locking up or shredding paper records.
  • Establish a Breach Response Team: Having a designated team responsible for managing breaches ensures a coordinated and effective response. This team should include individuals from different areas of the practice, such as IT, legal, and compliance.
  • Maintain an Incident Response Plan: An incident response plan outlines the steps to take when a breach is suspected or detected: containment, investigation, risk assessment, notification, and mitigation. It should require staff to record the date and time an incident was first noticed and by whom, because the 60-day notification clock starts on discovery rather than on the day the owner is told, and it should direct staff to preserve evidence (system logs, the affected device, the phishing email) rather than wipe and rebuild, since that evidence is what the four-factor risk assessment, and any later defense of a decision not to notify, will rest on.


Compliance with the Breach Notification Rule is just one of many actions dental practices must take in the unfortunate event of a data breach. In our next post, we will discuss several other aspects of data breach response and remediation, all of which are crucial to protecting practices and patients alike.


HIPAA Breach Notification Questions? Call Grogan, Hesse & Uditsky Today


At Grogan, Hesse & Uditsky, P.C., we focus a substantial part of our practice on providing exceptional legal services for dentists and dental practices, as well as orthodontists, periodontists, endodontists, pediatric dentists, and oral surgeons. We bring unique insights and deep commitment to protecting the interests of dental professionals and their practices and we welcome the opportunity to work with you.


If you have questions or concerns about your practice’s compliance with the HIPAA Breach Notification Rule, please call us at (630) 833-5533 or contact us online to arrange for your free initial consultation.


Jordan Uditsky, an accomplished businessman and seasoned attorney, combines his experience as a legal counselor and successful entrepreneur to advise dentists and other business owners in the Chicago area. Jordan grew up in a dental family, with his father, grandfather, and sister each owning their own dental practices, and this blend of legal, business, and personal experience provides Jordan with unique insight into his clients’ needs, concerns, and goals.
