The HIPAA Breach Notification Rule: What Dental Practices Must Do When Patient Information Is Compromised
Jordan Uditsky • August 7, 2024
Every dental practice is sitting on a fortune. The patient information they electronically collect, maintain, store, and use is a potential gold mine for hackers, cybercriminals, and other technological bad actors who can sell and leverage that data for their own gain or nefarious ends. For these reasons, dentists and all other healthcare providers, facilities, and the vendors they work with are ripe and continuous targets for cyberattacks and data breaches.
Such occurrences can quickly metastasize into a legal, financial, and reputational nightmare for dental practice owners. And dental practices and dental service organizations are waking up to these nightmares with increasing frequency. According to the Ponemon Institute, dental practices experienced a 45% increase in data breaches in the last two years, with the average cost of a healthcare data breach reaching $9.23 million.
As we discussed in this earlier post, the HIPAA Security Rule imposes detailed and technical compliance obligations on dental practices regarding the protection of patients’ electronic personal health information (ePHI). But when a breach does occur, practice owners must take quick, decisive actions on several fronts to triage the situation and remediate the damage. This includes making required disclosures and providing notice of the breach as set forth in the HIPAA Breach Notification Rule.
The Breach Notification Rule mandates that covered entities, including dental practices, notify affected individuals, the Secretary of the Department of Health and Human Services (HHS), and, in certain cases, the media of a breach of unsecured PHI.
What Constitutes a Breach?
For purposes of the Breach Notification Rule, a breach is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA, which compromises the security or privacy of the PHI. This does not include unintentional access by a workforce member, inadvertent disclosure by a person authorized to access PHI, or when the unauthorized person to whom the disclosure is made would not reasonably have been able to retain the information.
PHI is considered unsecured if it is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of encryption or destruction. Breaches of secured PHI (i.e., encrypted data) do not require notification as set forth below.
Risk Assessment and Notification Requirements After Breach Discovered
Once a practice becomes aware of a potential data breach, it must conduct a risk assessment to determine if there is a low probability that the PHI has been compromised. Factors to consider in such an assessment include the nature and extent of the PHI involved, the unauthorized person who used or received the PHI, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
Within 60 days after the discovery of a breach, a dental practice must provide notice to any affected patients that includes:
- A description of the breach
- The types of information involved
- The steps individuals should take to protect themselves
- What the practice is doing to investigate and mitigate the breach, and
- Contact information for further inquiries.
Notice to HHS
For breaches affecting more than 500 residents of a state or jurisdiction, practices must notify HHS as well as local media outlets of the breach. Specifically, the practice must notify HHS at the same time it provides notice to affected individuals. That notice must be given “without unreasonable delay” and in no case later than 60 calendar days after the discovery of a breach of security. For breaches involving fewer than 500 people, covered entities must notify HHS annually and no later than 60 calendar days following the end of the year.
What Dentists Need To Do To Comply With The Breach Notification Rule
While the Notification Rule’s obligations don’t kick in until after a breach, dental practices should take several steps before a breach happens to ensure compliance and minimize the damage and fallout:
- Develop and Implement Policies and Procedures: Dentists should establish written policies and procedures for managing PHI and addressing potential breaches. These should include processes for identifying, investigating, and responding to breaches, conducting risk assessments, and notifying affected individuals and the appropriate authorities.
- Regular Staff Training: All staff members should be trained on HIPAA regulations, including the Breach Notification Rule, and the office's specific policies and procedures for handling PHI. Regular training ensures that staff members are aware of their responsibilities and can recognize and report potential breaches.
- Implement Security Measures: As noted, dentists should implement administrative, physical, and technical safeguards to protect PHI as set forth in the HIPAA Security Rule. This includes using encryption for electronic PHI, securing physical records, controlling access to information, and using secure communication channels.
- Establish a Breach Response Team: Having a designated team responsible for managing breaches ensures a coordinated and effective response. This team should include individuals from different areas of the practice, such as IT, legal, and compliance.
- Maintain an Incident Response Plan: An incident response plan outlines the steps to take when a breach is suspected or detected. It should include procedures for containment, investigation, risk assessment, notification, and mitigation.
Compliance with the Breach Notification Rule is just one of many actions dental practices must take in the unfortunate event of a data breach. In our next post, we will discuss several other aspects of data breach response and mediation, all of which are crucial to protecting practices and patients alike.
HIPAA Breach Notification Questions? Call Grogan, Hesse & Uditsky Today
At Grogan, Hesse & Uditsky, P.C., we focus a substantial part of our practice on providing exceptional legal services for dentists and dental practices, as well as orthodontists, periodontists, endodontists, pediatric dentists, and oral surgeons. We bring unique insights and deep commitment to protecting the interests of dental professionals and their practices and we welcome the opportunity to work with you.
If you have questions or concerns about your practice’s compliance with the HIPAA Breach Notification Rule, please call us at (630) 833-5533 or contact us online to arrange for your free initial consultation.
Jordan Uditsky, an accomplished businessman and seasoned attorney, combines his experience as a legal counselor and successful entrepreneur to advise dentists and other business owners in the Chicago area. Jordan grew up in a dental family, with his father, grandfather, and sister each owning their own dental practices, and this blend of legal, business, and personal experience provides Jordan with unique insight into his clients’ needs, concerns, and goals.
Speak to an Attorney
Related Posts
For employers and employees alike, in workplaces from restaurants to factories to dental practices, the specter of a visit from ICE, CBP, or other federal immigration forces looms large. Trepidation and fear are common feelings in this perilous climate, exacerbated by uncertainty as to one’s rights and how to respond when militarized agents arrive at a workplace. For dental practice owners, protecting their employees, patients, and business is a top priority, as is doing so in a legal, peaceful, and effective manner that doesn’t make a difficult situation worse. That is why it is so critical that you understand your rights and obligations in the face of such intrusions. While you should absolutely and immediately contact counsel if immigration agents show up at your practice, here is some practical guidance to help keep you and your employees safe. Different Responses to Different Types of ICE Actions Historically, ICE has conducted three types of workplace actions: I-9 audits (Notice of Inspection or “NOI”), which are administrative reviews of employment eligibility verification forms; worksite enforcement operations, which may include arrests; and searches pursuant to a warrant. Unfortunately, these customary practices have recently expanded to include warrantless, legally unauthorized, and sometimes violent entry into workplaces. The type of action the agency takes determines your obligations and your rights. An I-9 audit begins with a formal notice, typically giving you three business days to produce your I-9 forms and supporting documentation. A worksite enforcement operation or raid, however, often comes without warning. Understanding which situation you're facing is the critical first step. When ICE Arrives Without Notice – Keep Calm, Call Your Lawyer, and Ask For Authority If ICE agents appear at your workplace without prior notice, remain calm and follow these essential steps: · Keep calm , and don’t make any quick or impulsive decisions. Politely ask the agents to wait while you contact your attorney. You are not required to let agents enter non-public areas of your workplace without proper legal authority. While agents can enter your reception area or other common spaces as any member of the public could, they cannot access private areas such as treatment rooms, back offices, lunchrooms, or labs without your consent, a valid warrant, or an emergency. · Ask to see credentials and any warrants or legal documents. Scrutinize these thoroughly and understand this crucial distinction: an administrative warrant (Form I-200 or I-205) is not the same as a judicial warrant signed by a judge. Administrative warrants alone do not give ICE the authority to enter your private property or detain individuals. A judicial warrant, however, must be honored, though you should still speak with your lawyer who can help verify that it's properly signed, dated, and identifies the correct location and individuals. · Designate a single point of contact , ideally yourself as practice owner or an office manager, to communicate with the agents. Instruct other employees not to answer questions or provide information without guidance. This prevents confusion and minimizes the chances of miscommunication or escalation. Understanding Your Rights Employers have constitutional rights that apply during ICE encounters. The Fourth Amendment protects against unreasonable searches and seizures. As noted, without a judicial warrant or your consent, ICE generally cannot enter private areas of your practice, search filing cabinets or computer systems, or detain employees based solely on their immigration status. You have the right to refuse consent to a search. Exercise that right. If agents don't have a warrant, you can politely but firmly state: "I do not consent to a search of the premises. If you have a warrant signed by a judge, I would like to see it and have my attorney review it." If they have a warrant, verify it carefully to check that the address is correct, the signature is from a federal judge (not an ICE officer), and it's dated recently. Despite the recent rhetoric and actions of ICE agents and officials, you have an absolute right to observe, record, video, and document what's happening and what the agents are doing, so long as you do not interfere with or impede their operations. If ICE does enter your practice, you or your designated representative has the right to, and should, accompany agents to witness their actions. Protecting Your Employees Your employees also have rights, regardless of their immigration status. They have the right to remain silent and do not have to answer questions about their immigration status, where they were born, or how they entered the country. They have the right to refuse to show documents beyond what's necessary to demonstrate identity, unless they're under arrest. They should not lie or present false documents, as this can create additional legal problems. Before an ICE visit occurs, consider holding a "know your rights" training for employees. Inform them that if ICE arrives, they should remain calm, not run, and not present false documents. Provide them with a card that includes information about their rights and the contact information for your practice's attorney. You should never lie to federal agents or provide false information. However, you are not required to volunteer information or answer questions beyond what's legally necessary. If asked about specific employees, you can politely decline to answer and refer agents to your attorney. Once ICE agents leave, immediately document everything that occurred and save any videos or recordings so you can send them to your attorney. Preparing Before ICE Arrives The best time to prepare for an ICE visit is before it happens. Consider the following proactive steps: · Develop a written policy for your practice that designates who will handle ICE encounters, what steps to take, and how to contact your attorney. · Conduct an internal I-9 audit to identify and correct any paperwork errors or gaps. · Train office managers and supervisors on the protocol. Everyone should know not to consent to searches, not to answer questions without guidance, and to remain professional and calm. Post "know your rights" information for employees in common areas. If you have any questions or concerns regarding ICE or immigration enforcement activities at your practice, please contact Grogan, Hesse & Uditsky today. We focus a substantial part of our practice on providing exceptional legal services for dentists and dental practices, as well as orthodontists, periodontists, endodontists, pediatric dentists, and oral surgeons. We bring unique insights and deep commitment to protecting the interests of dental professionals and their practices and welcome the opportunity to work with you. Jordan Uditsky, an accomplished businessman and seasoned attorney, combines his experience as a legal counselor and successful entrepreneur to advise dentists and other business owners in the Chicago area. Jordan grew up in a dental family, with his father, grandfather, and sister each owning their own dental practices, and this blend of legal, business, and personal experience provides Jordan with unique insight into his clients’ needs, concerns, and goals.
Selling a dental practice is a lengthy and involved process that involves due diligence, negotiation, drafting, financing, and other elements, culminating in the seller handing over the keys to the business to the buyer. But the parties’ signatures on the final purchase agreement and ancillary documents hardly mean that the now-former owner can ride off into the sunset without a care in the world. That is because the purchaser will want and require the seller to be responsible for any undisclosed or undiscovered problems with the practice they just bought. For this reason, every dental practice purchase agreement will inevitably contain indemnification provisions that address what happens if problems emerge after closing. These clauses determine who bears the risk for post-closing discoveries and how much exposure each party faces. While the purchaser wants the assurances and protections that come from the contract’s indemnification provisions, the seller doesn’t want to make an open-ended, potentially limitless promise that could eviscerate the financial upsides of the transaction and leave them forever on the hook for millions of dollars in possible liability. That is why deal savvy dental practice attorneys usually require that the purchase and sale agreement’s indemnification provisions include “caps” and “baskets” that establish the maximum exposure a seller will face as well as the minimum amount that must be at issue before any indemnification obligations are triggered. Given the significance that these maximums and minimums have for both parties, it is critical that buyers and sellers understand how caps and baskets work and the best ways to protect their respective interests in a dental practice sale. It All Starts With the Seller’s Representations and Warranties In any dental practice sale, the seller makes certain representations and warranties about the practice and its current condition. These disclosures might include assurances that all patient records are accurate, all equipment is in good working order, the practice has no pending lawsuits or liabilities, all taxes have been paid, and certain personnel matters are in order. If any such representations prove to be false, the indemnification provisions give the buyer the right to seek compensation from the seller for any losses incurred. Liability Caps Establish the Seller’s Maximum Indemnification Exposure A liability cap limits the total amount a seller must pay for breaches of representations and warranties. In dental practice transactions, caps can range from 10% on longer transactions to 100% of the purchase price on practices trending below $1,000,000, with 25% to 50% being most common for middle-market acquisitions. Where the parties ultimately land as to that percentage is a factor of each party’s risk tolerance and the practice's characteristics. A well-established practice with meticulous records, abundant goodwill, and comprehensive due diligence might justify a lower cap. Conversely, a practice with a limited or checkered financial history or significant operational complexity might warrant a higher cap to protect the buyer. Most liability caps exclude certain matters for which the seller remains on the hook for an unlimited amount. Such issues can include overt fraud or fundamental misrepresentations regarding the seller's authority to sell the practice or having clear title to assets. Tax obligations, environmental issues, and employee-related liabilities might also receive special treatment with separate, higher caps than provided for other matters. Baskets Are Like Deductibles While caps address maximum liability, baskets establish minimum thresholds before indemnification obligations arise. Think of a basket like a deductible in an insurance policy. Just as an insured is responsible for paying amounts up to the deductible before the insurer’s obligations kick in, a basket establishes the threshold below which the purchaser must bear any costs or liabilities for post-closing problems, even for matters covered by the contract’s indemnification provisions. Dental practice sales typically include one of two basket types: · A “true deductible” basket provides that the buyer absorbs all losses until reaching the threshold amount, after which they are entitled to recover all sums above it. For example, with a $25,000 true deductible basket, if the buyer’s losses total $30,000, the seller pays only $5,000. · A “tipping” basket , sometimes called a dollar-one basket, provides that once the buyer’s losses exceed the designated threshold, the seller pays from dollar one. Using the same example, the seller would pay the entire $30,000 once that threshold is crossed. Basket amounts in dental practice sales typically range from $5,000 to $25,000, depending on deal size. A $500,000 practice might have a $5,000 basket, while a $3 million practice might see a $25,000 threshold, for example. How Caps and Baskets Impact the Parties After Closing These provisions significantly impact post-closing dynamics. A seller who negotiates a low cap and high basket will minimize their exposure, while a buyer who secures a high cap and low basket gains significant protection and reassurance. Since negotiations over indemnification caps and baskets aren’t conducted in a vacuum, a party that secures an advantageous cap and basket arrangement can expect more challenging negotiations when discussing other aspects of the transaction, such as a higher purchase price or less favorable payment terms. Unanticipated liabilities can wreak havoc for dental practice buyers and sellers alike long after the ink has dried on their agreement. Dentists on either side of a practice sale should work closely with experienced legal counsel to negotiate terms that strike an appropriate balance between protection and practicality. Contact Grogan, Hesse & Uditsky Today If you are a practice owner anticipating a sale or transition, please contact Grogan, Hesse & Uditsky today. We focus a substantial part of our practice on providing exceptional legal services for dentists and dental practices, as well as orthodontists, periodontists, endodontists, pediatric dentists, and oral surgeons. We bring unique insights and deep commitment to protecting the interests of dental professionals and their practices and welcome the opportunity to work with you. Jordan Uditsky, an accomplished businessman and seasoned attorney, combines his experience as a legal counselor and successful entrepreneur to advise dentists and other business owners in the Chicago area. Jordan grew up in a dental family, with his father, grandfather, and sister each owning their own dental practices, and this blend of legal, business, and personal experience provides Jordan with unique insight into his clients’ needs, concerns, and goals.
The care that dentists need to provide their patients doesn’t end when they get up from the chair. Dental offices, and the computers, networks, servers, and files maintained within (and outside of) their walls, contain patient files and information that must be kept protected from data breaches and unauthorized disclosure. Failure to handle these records properly can not only breach patient trust, but it can also create regulatory and licensing headaches for dentists and practice owners. That’s why ensuring that patient records are transferred securely and appropriately is of the utmost importance when a dental practice changes hands from one owner to the next. When selling a dental practice, one of the most critical yet often overlooked aspects of the transaction involves the proper handling of patient records. As an attorney who has advised numerous healthcare providers through practice transitions, I can tell you that mishandling patient records can expose both the selling and buying dentists to significant legal liability, regulatory penalties, and damage to professional reputation. Understanding your obligations under federal and state law is essential to protecting yourself and your patients during this transition. HIPAA Considerations Are the Highest Priority Patient dental records are governed by both federal regulations, primarily the Health Insurance Portability and Accountability Act (HIPAA), and state-specific laws that vary considerably across jurisdictions. Under HIPAA, patient records are protected health information (PHI), and any transfer of a patient’s protected health information (PHI) must comply with the law’s strict privacy and security requirements. Additionally, most states have dental practice acts and regulations that impose specific recordkeeping and transfer obligations on licensed dentists. The downsides of failing to thoroughly and carefully follow these requirements arguably represent the biggest potential legal threat to buyers and sellers alike in a practice sale. The selling dentist remains the legal custodian of patient records until the practice sale is complete and proper transfer protocols have been followed. This means that the practice owner cannot simply hand over file cabinets or hard drives to the buyer without taking appropriate legal steps. The seller’s fiduciary duty to their patients continues through the transition period and beyond. Notifying Patients Obviously, patients want and deserve to know that their dentist’s office is changing hands. While HIPAA does not explicitly require advance notice of a practice sale, it does require that patients be informed about who has access to their records. More importantly, many state laws explicitly require written notification to patients when a practice changes hands. The seller should inform patients of the new practice owner's identity, the date of the transition, their options regarding their records, and how they can obtain copies of their records if they choose to seek care elsewhere. Typically, this notification should be sent 30 to 60 days prior to the sale closing, allowing patients sufficient time to make informed decisions about their care. The Actual Transfer Itself The purchase agreement should clearly specify how the records will be transferred, who will bear the costs of transfer, and in what format the records will be transferred. For electronic health records (EHRs), the seller may need to coordinate with their EHR vendor to ensure the proper migration of data to the buyer's system or to maintain access if the buyer intends to use the same platform. For practices that still maintain paper records, the physical transfer must be handled securely to prevent unauthorized access or data breaches. Consider using a secure courier service and keeping a detailed inventory of all records transferred. Record Retention Obligations Generally, upon closing, the buyer assumes the responsibility for maintaining patient records going forward and must retain them for the period required by state law, which typically ranges from five to ten years from the last date of treatment. However, the seller may retain copies of records for their own protection, particularly if there's potential for future liability claims related to treatment provided before the sale. For patients who choose not to continue with the new owner and who do not request their records be sent to another provider, the buyer typically assumes responsibility for storing these inactive records for the required retention period. The purchase agreement should clearly allocate these ongoing obligations and any associated costs. Selling a dental practice is often the culmination of decades of hard work and the start of a new chapter in which the now-former practice owner can reap the benefits of those efforts. However, missteps in the handling of patient records could compromise those plans and leave the seller vulnerable to potential liability. By working closely with experienced counsel throughout the sales process, practice owners can wrap up their careers with clarity, confidence, and conclusiveness. If you are a practice owner anticipating a sale or transition, please contact Grogan, Hesse & Uditsky today. Contact Grogan, Hesse & Uditsky Today If you are a practice owner anticipating a sale or transition, please contact Grogan, Hesse & Uditsky today. We focus a substantial part of our practice on providing exceptional legal services for dentists and dental practices, as well as orthodontists, periodontists, endodontists, pediatric dentists, and oral surgeons. We bring unique insights and deep commitment to protecting the interests of dental professionals and their practices and welcome the opportunity to work with you. Jordan Uditsky, an accomplished businessman and seasoned attorney, combines his experience as a legal counselor and successful entrepreneur to advise dentists and other business owners in the Chicago area. Jordan grew up in a dental family, with his father, grandfather, and sister each owning their own dental practices, and this blend of legal, business, and personal experience provides Jordan with unique insight into his clients’ needs, concerns, and goals.
For employers and employees alike, in workplaces from restaurants to factories to dental practices, the specter of a visit from ICE, CBP, or other federal immigration forces looms large. Trepidation and fear are common feelings in this perilous climate, exacerbated by uncertainty as to one’s rights and how to respond when militarized agents arrive at a workplace. For dental practice owners, protecting their employees, patients, and business is a top priority, as is doing so in a legal, peaceful, and effective manner that doesn’t make a difficult situation worse. That is why it is so critical that you understand your rights and obligations in the face of such intrusions. While you should absolutely and immediately contact counsel if immigration agents show up at your practice, here is some practical guidance to help keep you and your employees safe. Different Responses to Different Types of ICE Actions Historically, ICE has conducted three types of workplace actions: I-9 audits (Notice of Inspection or “NOI”), which are administrative reviews of employment eligibility verification forms; worksite enforcement operations, which may include arrests; and searches pursuant to a warrant. Unfortunately, these customary practices have recently expanded to include warrantless, legally unauthorized, and sometimes violent entry into workplaces. The type of action the agency takes determines your obligations and your rights. An I-9 audit begins with a formal notice, typically giving you three business days to produce your I-9 forms and supporting documentation. A worksite enforcement operation or raid, however, often comes without warning. Understanding which situation you're facing is the critical first step. When ICE Arrives Without Notice – Keep Calm, Call Your Lawyer, and Ask For Authority If ICE agents appear at your workplace without prior notice, remain calm and follow these essential steps: · Keep calm , and don’t make any quick or impulsive decisions. Politely ask the agents to wait while you contact your attorney. You are not required to let agents enter non-public areas of your workplace without proper legal authority. While agents can enter your reception area or other common spaces as any member of the public could, they cannot access private areas such as treatment rooms, back offices, lunchrooms, or labs without your consent, a valid warrant, or an emergency. · Ask to see credentials and any warrants or legal documents. Scrutinize these thoroughly and understand this crucial distinction: an administrative warrant (Form I-200 or I-205) is not the same as a judicial warrant signed by a judge. Administrative warrants alone do not give ICE the authority to enter your private property or detain individuals. A judicial warrant, however, must be honored, though you should still speak with your lawyer who can help verify that it's properly signed, dated, and identifies the correct location and individuals. · Designate a single point of contact , ideally yourself as practice owner or an office manager, to communicate with the agents. Instruct other employees not to answer questions or provide information without guidance. This prevents confusion and minimizes the chances of miscommunication or escalation. Understanding Your Rights Employers have constitutional rights that apply during ICE encounters. The Fourth Amendment protects against unreasonable searches and seizures. As noted, without a judicial warrant or your consent, ICE generally cannot enter private areas of your practice, search filing cabinets or computer systems, or detain employees based solely on their immigration status. You have the right to refuse consent to a search. Exercise that right. If agents don't have a warrant, you can politely but firmly state: "I do not consent to a search of the premises. If you have a warrant signed by a judge, I would like to see it and have my attorney review it." If they have a warrant, verify it carefully to check that the address is correct, the signature is from a federal judge (not an ICE officer), and it's dated recently. Despite the recent rhetoric and actions of ICE agents and officials, you have an absolute right to observe, record, video, and document what's happening and what the agents are doing, so long as you do not interfere with or impede their operations. If ICE does enter your practice, you or your designated representative has the right to, and should, accompany agents to witness their actions. Protecting Your Employees Your employees also have rights, regardless of their immigration status. They have the right to remain silent and do not have to answer questions about their immigration status, where they were born, or how they entered the country. They have the right to refuse to show documents beyond what's necessary to demonstrate identity, unless they're under arrest. They should not lie or present false documents, as this can create additional legal problems. Before an ICE visit occurs, consider holding a "know your rights" training for employees. Inform them that if ICE arrives, they should remain calm, not run, and not present false documents. Provide them with a card that includes information about their rights and the contact information for your practice's attorney. You should never lie to federal agents or provide false information. However, you are not required to volunteer information or answer questions beyond what's legally necessary. If asked about specific employees, you can politely decline to answer and refer agents to your attorney. Once ICE agents leave, immediately document everything that occurred and save any videos or recordings so you can send them to your attorney. Preparing Before ICE Arrives The best time to prepare for an ICE visit is before it happens. Consider the following proactive steps: · Develop a written policy for your practice that designates who will handle ICE encounters, what steps to take, and how to contact your attorney. · Conduct an internal I-9 audit to identify and correct any paperwork errors or gaps. · Train office managers and supervisors on the protocol. Everyone should know not to consent to searches, not to answer questions without guidance, and to remain professional and calm. Post "know your rights" information for employees in common areas. If you have any questions or concerns regarding ICE or immigration enforcement activities at your practice, please contact Grogan, Hesse & Uditsky today. We focus a substantial part of our practice on providing exceptional legal services for dentists and dental practices, as well as orthodontists, periodontists, endodontists, pediatric dentists, and oral surgeons. We bring unique insights and deep commitment to protecting the interests of dental professionals and their practices and welcome the opportunity to work with you. Jordan Uditsky, an accomplished businessman and seasoned attorney, combines his experience as a legal counselor and successful entrepreneur to advise dentists and other business owners in the Chicago area. Jordan grew up in a dental family, with his father, grandfather, and sister each owning their own dental practices, and this blend of legal, business, and personal experience provides Jordan with unique insight into his clients’ needs, concerns, and goals.
Selling a dental practice is a lengthy and involved process that involves due diligence, negotiation, drafting, financing, and other elements, culminating in the seller handing over the keys to the business to the buyer. But the parties’ signatures on the final purchase agreement and ancillary documents hardly mean that the now-former owner can ride off into the sunset without a care in the world. That is because the purchaser will want and require the seller to be responsible for any undisclosed or undiscovered problems with the practice they just bought. For this reason, every dental practice purchase agreement will inevitably contain indemnification provisions that address what happens if problems emerge after closing. These clauses determine who bears the risk for post-closing discoveries and how much exposure each party faces. While the purchaser wants the assurances and protections that come from the contract’s indemnification provisions, the seller doesn’t want to make an open-ended, potentially limitless promise that could eviscerate the financial upsides of the transaction and leave them forever on the hook for millions of dollars in possible liability. That is why deal savvy dental practice attorneys usually require that the purchase and sale agreement’s indemnification provisions include “caps” and “baskets” that establish the maximum exposure a seller will face as well as the minimum amount that must be at issue before any indemnification obligations are triggered. Given the significance that these maximums and minimums have for both parties, it is critical that buyers and sellers understand how caps and baskets work and the best ways to protect their respective interests in a dental practice sale. It All Starts With the Seller’s Representations and Warranties In any dental practice sale, the seller makes certain representations and warranties about the practice and its current condition. These disclosures might include assurances that all patient records are accurate, all equipment is in good working order, the practice has no pending lawsuits or liabilities, all taxes have been paid, and certain personnel matters are in order. If any such representations prove to be false, the indemnification provisions give the buyer the right to seek compensation from the seller for any losses incurred. Liability Caps Establish the Seller’s Maximum Indemnification Exposure A liability cap limits the total amount a seller must pay for breaches of representations and warranties. In dental practice transactions, caps can range from 10% on longer transactions to 100% of the purchase price on practices trending below $1,000,000, with 25% to 50% being most common for middle-market acquisitions. Where the parties ultimately land as to that percentage is a factor of each party’s risk tolerance and the practice's characteristics. A well-established practice with meticulous records, abundant goodwill, and comprehensive due diligence might justify a lower cap. Conversely, a practice with a limited or checkered financial history or significant operational complexity might warrant a higher cap to protect the buyer. Most liability caps exclude certain matters for which the seller remains on the hook for an unlimited amount. Such issues can include overt fraud or fundamental misrepresentations regarding the seller's authority to sell the practice or having clear title to assets. Tax obligations, environmental issues, and employee-related liabilities might also receive special treatment with separate, higher caps than provided for other matters. Baskets Are Like Deductibles While caps address maximum liability, baskets establish minimum thresholds before indemnification obligations arise. Think of a basket like a deductible in an insurance policy. Just as an insured is responsible for paying amounts up to the deductible before the insurer’s obligations kick in, a basket establishes the threshold below which the purchaser must bear any costs or liabilities for post-closing problems, even for matters covered by the contract’s indemnification provisions. Dental practice sales typically include one of two basket types: · A “true deductible” basket provides that the buyer absorbs all losses until reaching the threshold amount, after which they are entitled to recover all sums above it. For example, with a $25,000 true deductible basket, if the buyer’s losses total $30,000, the seller pays only $5,000. · A “tipping” basket , sometimes called a dollar-one basket, provides that once the buyer’s losses exceed the designated threshold, the seller pays from dollar one. Using the same example, the seller would pay the entire $30,000 once that threshold is crossed. Basket amounts in dental practice sales typically range from $5,000 to $25,000, depending on deal size. A $500,000 practice might have a $5,000 basket, while a $3 million practice might see a $25,000 threshold, for example. How Caps and Baskets Impact the Parties After Closing These provisions significantly impact post-closing dynamics. A seller who negotiates a low cap and high basket will minimize their exposure, while a buyer who secures a high cap and low basket gains significant protection and reassurance. Since negotiations over indemnification caps and baskets aren’t conducted in a vacuum, a party that secures an advantageous cap and basket arrangement can expect more challenging negotiations when discussing other aspects of the transaction, such as a higher purchase price or less favorable payment terms. Unanticipated liabilities can wreak havoc for dental practice buyers and sellers alike long after the ink has dried on their agreement. Dentists on either side of a practice sale should work closely with experienced legal counsel to negotiate terms that strike an appropriate balance between protection and practicality. Contact Grogan, Hesse & Uditsky Today If you are a practice owner anticipating a sale or transition, please contact Grogan, Hesse & Uditsky today. We focus a substantial part of our practice on providing exceptional legal services for dentists and dental practices, as well as orthodontists, periodontists, endodontists, pediatric dentists, and oral surgeons. We bring unique insights and deep commitment to protecting the interests of dental professionals and their practices and welcome the opportunity to work with you. Jordan Uditsky, an accomplished businessman and seasoned attorney, combines his experience as a legal counselor and successful entrepreneur to advise dentists and other business owners in the Chicago area. Jordan grew up in a dental family, with his father, grandfather, and sister each owning their own dental practices, and this blend of legal, business, and personal experience provides Jordan with unique insight into his clients’ needs, concerns, and goals.
The care that dentists need to provide their patients doesn’t end when they get up from the chair. Dental offices, and the computers, networks, servers, and files maintained within (and outside of) their walls, contain patient files and information that must be kept protected from data breaches and unauthorized disclosure. Failure to handle these records properly can not only breach patient trust, but it can also create regulatory and licensing headaches for dentists and practice owners. That’s why ensuring that patient records are transferred securely and appropriately is of the utmost importance when a dental practice changes hands from one owner to the next. When selling a dental practice, one of the most critical yet often overlooked aspects of the transaction involves the proper handling of patient records. As an attorney who has advised numerous healthcare providers through practice transitions, I can tell you that mishandling patient records can expose both the selling and buying dentists to significant legal liability, regulatory penalties, and damage to professional reputation. Understanding your obligations under federal and state law is essential to protecting yourself and your patients during this transition. HIPAA Considerations Are the Highest Priority Patient dental records are governed by both federal regulations, primarily the Health Insurance Portability and Accountability Act (HIPAA), and state-specific laws that vary considerably across jurisdictions. Under HIPAA, patient records are protected health information (PHI), and any transfer of a patient’s protected health information (PHI) must comply with the law’s strict privacy and security requirements. Additionally, most states have dental practice acts and regulations that impose specific recordkeeping and transfer obligations on licensed dentists. The downsides of failing to thoroughly and carefully follow these requirements arguably represent the biggest potential legal threat to buyers and sellers alike in a practice sale. The selling dentist remains the legal custodian of patient records until the practice sale is complete and proper transfer protocols have been followed. This means that the practice owner cannot simply hand over file cabinets or hard drives to the buyer without taking appropriate legal steps. The seller’s fiduciary duty to their patients continues through the transition period and beyond. Notifying Patients Obviously, patients want and deserve to know that their dentist’s office is changing hands. While HIPAA does not explicitly require advance notice of a practice sale, it does require that patients be informed about who has access to their records. More importantly, many state laws explicitly require written notification to patients when a practice changes hands. The seller should inform patients of the new practice owner's identity, the date of the transition, their options regarding their records, and how they can obtain copies of their records if they choose to seek care elsewhere. Typically, this notification should be sent 30 to 60 days prior to the sale closing, allowing patients sufficient time to make informed decisions about their care. The Actual Transfer Itself The purchase agreement should clearly specify how the records will be transferred, who will bear the costs of transfer, and in what format the records will be transferred. For electronic health records (EHRs), the seller may need to coordinate with their EHR vendor to ensure the proper migration of data to the buyer's system or to maintain access if the buyer intends to use the same platform. For practices that still maintain paper records, the physical transfer must be handled securely to prevent unauthorized access or data breaches. Consider using a secure courier service and keeping a detailed inventory of all records transferred. Record Retention Obligations Generally, upon closing, the buyer assumes the responsibility for maintaining patient records going forward and must retain them for the period required by state law, which typically ranges from five to ten years from the last date of treatment. However, the seller may retain copies of records for their own protection, particularly if there's potential for future liability claims related to treatment provided before the sale. For patients who choose not to continue with the new owner and who do not request their records be sent to another provider, the buyer typically assumes responsibility for storing these inactive records for the required retention period. The purchase agreement should clearly allocate these ongoing obligations and any associated costs. Selling a dental practice is often the culmination of decades of hard work and the start of a new chapter in which the now-former practice owner can reap the benefits of those efforts. However, missteps in the handling of patient records could compromise those plans and leave the seller vulnerable to potential liability. By working closely with experienced counsel throughout the sales process, practice owners can wrap up their careers with clarity, confidence, and conclusiveness. If you are a practice owner anticipating a sale or transition, please contact Grogan, Hesse & Uditsky today. Contact Grogan, Hesse & Uditsky Today If you are a practice owner anticipating a sale or transition, please contact Grogan, Hesse & Uditsky today. We focus a substantial part of our practice on providing exceptional legal services for dentists and dental practices, as well as orthodontists, periodontists, endodontists, pediatric dentists, and oral surgeons. We bring unique insights and deep commitment to protecting the interests of dental professionals and their practices and welcome the opportunity to work with you. Jordan Uditsky, an accomplished businessman and seasoned attorney, combines his experience as a legal counselor and successful entrepreneur to advise dentists and other business owners in the Chicago area. Jordan grew up in a dental family, with his father, grandfather, and sister each owning their own dental practices, and this blend of legal, business, and personal experience provides Jordan with unique insight into his clients’ needs, concerns, and goals.
