The HIPAA Breach Notification Rule: What Dental Practices Must Do When Patient Information Is Compromised

Jordan Uditsky • August 7, 2024

Every dental practice is sitting on a fortune. The patient information they electronically collect, maintain, store, and use is a potential gold mine for hackers, cybercriminals, and other technological bad actors who can sell and leverage that data for their own gain or nefarious ends. For these reasons, dentists and all other healthcare providers, facilities, and the vendors they work with are ripe and continuous targets for cyberattacks and data breaches.

Such occurrences can quickly metastasize into a legal, financial, and reputational nightmare for dental practice owners. And dental practices and dental service organizations are waking up to these nightmares with increasing frequency. According to the Ponemon Institute, dental practices experienced a 45% increase in data breaches in the last two years, with the average cost of a healthcare data breach reaching $9.23 million.

As we discussed in this earlier post, the HIPAA Security Rule imposes detailed and technical compliance obligations on dental practices regarding the protection of patients’ electronic personal health information (ePHI). But when a breach does occur, practice owners must take quick, decisive actions on several fronts to triage the situation and remediate the damage. This includes making required disclosures and providing notice of the breach as set forth in the HIPAA Breach Notification Rule.

The Breach Notification Rule mandates that covered entities, including dental practices, notify affected individuals, the Secretary of the Department of Health and Human Services (HHS), and, in certain cases, the media of a breach of unsecured PHI.

What Constitutes a Breach?

For purposes of the Breach Notification Rule, a breach is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA, which compromises the security or privacy of the PHI. This does not include unintentional access by a workforce member, inadvertent disclosure by a person authorized to access PHI, or when the unauthorized person to whom the disclosure is made would not reasonably have been able to retain the information.

PHI is considered unsecured if it is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of encryption or destruction. Breaches of secured PHI (i.e., encrypted data) do not require notification as set forth below.

Risk Assessment and Notification Requirements After Breach Discovered

Once a practice becomes aware of a potential data breach, it must conduct a risk assessment to determine if there is a low probability that the PHI has been compromised. Factors to consider in such an assessment include the nature and extent of the PHI involved, the unauthorized person who used or received the PHI, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.

Within 60 days after the discovery of a breach, a dental practice must provide notice to any affected patients that includes:

  • A description of the breach
  • The types of information involved
  • The steps individuals should take to protect themselves
  • What the practice is doing to investigate and mitigate the breach, and
  • Contact information for further inquiries.

Notice to HHS

For breaches affecting more than 500 residents of a state or jurisdiction, practices must notify HHS as well as local media outlets of the breach. Specifically, the practice must notify HHS at the same time it provides notice to affected individuals. That notice must be given “without unreasonable delay” and in no case later than 60 calendar days after the discovery of a breach of security. For breaches involving fewer than 500 people, covered entities must notify HHS annually and no later than 60 calendar days following the end of the year.

What Dentists Need To Do To Comply With The Breach Notification Rule

While the Notification Rule’s obligations don’t kick in until after a breach, dental practices should take several steps before a breach happens to ensure compliance and minimize the damage and fallout:

  • Develop and Implement Policies and Procedures: Dentists should establish written policies and procedures for managing PHI and addressing potential breaches. These should include processes for identifying, investigating, and responding to breaches, conducting risk assessments, and notifying affected individuals and the appropriate authorities.
  • Regular Staff Training: All staff members should be trained on HIPAA regulations, including the Breach Notification Rule, and the office's specific policies and procedures for handling PHI. Regular training ensures that staff members are aware of their responsibilities and can recognize and report potential breaches.
  • Implement Security Measures: As noted, dentists should implement administrative, physical, and technical safeguards to protect PHI as set forth in the HIPAA Security Rule. This includes using encryption for electronic PHI, securing physical records, controlling access to information, and using secure communication channels.
  • Establish a Breach Response Team: Having a designated team responsible for managing breaches ensures a coordinated and effective response. This team should include individuals from different areas of the practice, such as IT, legal, and compliance.
  • Maintain an Incident Response Plan: An incident response plan outlines the steps to take when a breach is suspected or detected. It should include procedures for containment, investigation, risk assessment, notification, and mitigation.

Compliance with the Breach Notification Rule is just one of many actions dental practices must take in the unfortunate event of a data breach. In our next post, we will discuss several other aspects of data breach response and remediation, all of which are crucial to protecting practices and patients alike.

HIPAA Breach Notification Questions? Call Grogan, Hesse & Uditsky Today

At Grogan, Hesse & Uditsky, P.C., we focus a substantial part of our practice on providing exceptional legal services for dentists and dental practices, as well as orthodontists, periodontists, endodontists, pediatric dentists, and oral surgeons. We bring unique insights and deep commitment to protecting the interests of dental professionals and their practices and we welcome the opportunity to work with you.

If you have questions or concerns about your practice’s compliance with the HIPAA Breach Notification Rule, please call us at (630) 833-5533 or contact us online to arrange for your free initial consultation.

Jordan Uditsky, an accomplished businessman and seasoned attorney, combines his experience as a legal counselor and successful entrepreneur to advise dentists and other business owners in the Chicago area. Jordan grew up in a dental family, with his father, grandfather, and sister each owning their own dental practices, and this blend of legal, business, and personal experience provides Jordan with unique insight into his clients’ needs, concerns, and goals.
