The HIPAA Breach Notification Rule: What Dental Practices Must Do When Patient Information Is Compromised

Jordan Uditsky • August 7, 2024

Every dental practice is sitting on a fortune. The patient information they electronically collect, maintain, store, and use is a potential gold mine for hackers, cybercriminals, and other technological bad actors who can sell and leverage that data for their own gain or nefarious ends. For these reasons, dentists and all other healthcare providers, facilities, and the vendors they work with are ripe and continuous targets for cyberattacks and data breaches.

 

Such occurrences can quickly metastasize into a legal, financial, and reputational nightmare for dental practice owners. And dental practices and dental service organizations are waking up to these nightmares with increasing frequency. According to the Ponemon Institute, dental practices experienced a 45% increase in data breaches in the last two years, with the average cost of a healthcare data breach reaching $9.23 million.

 

As we discussed in this earlier post, the HIPAA Security Rule imposes detailed and technical compliance obligations on dental practices regarding the protection of patients’ electronic protected health information (ePHI). But when a breach does occur, practice owners must take quick, decisive actions on several fronts to triage the situation and remediate the damage. This includes making required disclosures and providing notice of the breach as set forth in the HIPAA Breach Notification Rule.

The Breach Notification Rule mandates that covered entities, including dental practices, notify affected individuals, the Secretary of the Department of Health and Human Services (HHS), and, in certain cases, the media of a breach of unsecured PHI.

 

What Constitutes a Breach?

 

For purposes of the Breach Notification Rule, a breach is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA, which compromises the security or privacy of the PHI. This does not include unintentional access by a workforce member, inadvertent disclosure by a person authorized to access PHI, or when the unauthorized person to whom the disclosure is made would not reasonably have been able to retain the information.

 

PHI is considered unsecured if it is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of encryption or destruction. Breaches of secured PHI (i.e., encrypted data) do not require notification as set forth below.

 

Risk Assessment and Notification Requirements After Breach Discovered

 

Once a practice becomes aware of a potential data breach, it must conduct a risk assessment to determine if there is a low probability that the PHI has been compromised. Factors to consider in such an assessment include the nature and extent of the PHI involved, the unauthorized person who used or received the PHI, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.

 

Within 60 days after the discovery of a breach, a dental practice must provide notice to any affected patients that includes:


  • A description of the breach
  • The types of information involved
  • The steps individuals should take to protect themselves
  • What the practice is doing to investigate and mitigate the breach, and
  • Contact information for further inquiries.

 

Notice to HHS

 

For breaches affecting more than 500 residents of a state or jurisdiction, practices must notify HHS as well as local media outlets of the breach. Specifically, the practice must notify HHS at the same time it provides notice to affected individuals. That notice must be given “without unreasonable delay” and in no case later than 60 calendar days after the discovery of a breach of security. For breaches involving fewer than 500 people, covered entities must notify HHS annually and no later than 60 calendar days following the end of the year.

 

What Dentists Need To Do To Comply With The Breach Notification Rule

 

While the Notification Rule’s obligations don’t kick in until after a breach, dental practices should take several steps before a breach happens to ensure compliance and minimize the damage and fallout:


  • Develop and Implement Policies and Procedures: Dentists should establish written policies and procedures for managing PHI and addressing potential breaches. These should include processes for identifying, investigating, and responding to breaches, conducting risk assessments, and notifying affected individuals and the appropriate authorities.
  • Regular Staff Training: All staff members should be trained on HIPAA regulations, including the Breach Notification Rule, and the office's specific policies and procedures for handling PHI. Regular training ensures that staff members are aware of their responsibilities and can recognize and report potential breaches.
  • Implement Security Measures: As noted, dentists should implement administrative, physical, and technical safeguards to protect PHI as set forth in the HIPAA Security Rule. This includes using encryption for electronic PHI, securing physical records, controlling access to information, and using secure communication channels.
  • Establish a Breach Response Team: Having a designated team responsible for managing breaches ensures a coordinated and effective response. This team should include individuals from different areas of the practice, such as IT, legal, and compliance.
  • Maintain an Incident Response Plan: An incident response plan outlines the steps to take when a breach is suspected or detected. It should include procedures for containment, investigation, risk assessment, notification, and mitigation.

 

Compliance with the Breach Notification Rule is just one of many actions dental practices must take in the unfortunate event of a data breach. In our next post, we will discuss several other aspects of data breach response and mediation, all of which are crucial to protecting practices and patients alike.

 

HIPAA Breach Notification Questions? Call Grogan, Hesse & Uditsky Today

 

At Grogan, Hesse & Uditsky, P.C., we focus a substantial part of our practice on providing exceptional legal services for dentists and dental practices, as well as orthodontists, periodontists, endodontists, pediatric dentists, and oral surgeons. We bring unique insights and deep commitment to protecting the interests of dental professionals and their practices and we welcome the opportunity to work with you.

 

If you have questions or concerns about your practice’s compliance with the HIPAA Breach Notification Rule, please call us at (630) 833-5533 or contact us online to arrange for your free initial consultation.

 

Jordan Uditsky, an accomplished businessman and seasoned attorney, combines his experience as a legal counselor and successful entrepreneur to advise dentists and other business owners in the Chicago area. Jordan grew up in a dental family, with his father, grandfather, and sister each owning their own dental practices, and this blend of legal, business, and personal experience provides Jordan with unique insight into his clients’ needs, concerns, and goals.
