State and federal privacy laws, including the state Confidentiality of Medical Information Act (CMIA), HIPAA Privacy and Security rules, and data breach notification requirements. Also includes information on how to comply with payment card industry data security standards (PCI DSS).

Before recording, protect private patient information
Surveillance cameras in dental offices are becoming more and more common. The driving force behind them is typically security, as cameras can aid in loss control, deter theft and discourage other criminal activity. But cameras are not without their drawbacks. Prior to hitting the record button, practice owners should be aware of the laws and regulations surrounding their use. While laws vary from state to state, there are some basic guidelines.
Dental practice pays $10K to settle disclosures of patients' PHI on social media
A private dental practice in Dallas, Texas, has agreed to pay $10,000 to the U.S. Department of Health and Human Services’ Office for Civil Rights to settle potential violations of the HIPAA privacy rule. The HHS reported that the OCR completed its investigation of a complaint by a patient who alleged that the practice disclosed on social media the patient’s last name and the details of the patient’s health condition.
Health entity fined for failure to provide timely patient records
A medical center in St. Petersburg, Florida, is the first to face enforcement action by the U.S. Department of Health and Human Services for failing to promptly provide a patient with medical records. The HHS Office for Civil Rights announced early this year that it would vigorously enforce its Right of Access Initiative that allows patients to receive copies of their medical records promptly and without being overcharged.
Security risk assessment tool updated for smaller practices
All HIPAA-covered entities and their business associates are required to conduct an initial comprehensive security risk assessment to identify “potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” Small- to medium-sized health care practices with one to 10 providers now have an upgraded tool that is specifically designed to assist them with completing this assessment.
Health care providers exempt from new state privacy law
Amid frequent news from companies reporting breaches of individuals’ personal information, Gov. Jerry Brown signed legislation to create the California Consumer Privacy Act. CCPA aims to give consumers greater control over their personal information by imposing certain obligations on entities covered by the law. CCPA takes effect Jan. 1, 2020. Although dental practices are exempt from this new law, it is important to understand that some of the law’s provisions are similar to those required by HIPAA and the California Confidentiality of Medical Information Act.
Are your patients who they say they are? Preventing medical identity theft
A dental professional can treat dozens of patients each day. Patients present, provide their information, get checked in and proceed with treatment. Do you ever stop to wonder whether your patients are who they say they are? In a case reported to The Dentist Insurance Company’s Risk Management Advice Line, a patient presented for a root canal treatment.
HIPAA violation affects 3K patients, nurse suspended
The recent license suspension of a former University of Rochester Medical Center nurse for violating the Health Information Portability and Accountability Act is a reminder to HIPAA-covered dental practice owners and associate dentists of their requirements under HIPAA’s Privacy Rule. A Rochester, New York, newspaper reported in June that the nurse gave to her new employer spreadsheets containing personally identifiable information of about 3,000 patients without the patients’ permission.
Phone scam targets California dental practice
In a scam reported as early as February that appears to be ongoing, criminals are posing as Pacific Gas and Electric Co. representatives who either demand immediate payment of utility bills they claim are past due or attempt to cross-sell products and services, such as solar power. Initially centered in the San Francisco Bay Area, the fraudulent calls have now reached most of the state.
Callers seek fraudulent access to sensitive practice information
Dental practices are reporting to Henry Schein Practice Solutions that they have received calls from an individual posing as a company employee who then asks for remote access to the office servers. Such calls are a type of phishing scam, whereby scammers pretend to be key personnel or set up look-alike websites and emails to fool individuals into providing sensitive information such as passwords, patient account numbers or Social Security numbers. With this information, scammers can then steal information and profit from its sale.
Updated Legal Reference Guide for California Dentists features all-CDA content
In their day-to-day practice, dentists and their teams must know and comply with federal, state and local laws — from the layered requirements of federal and state employment laws to the dentistry-specific California Dental Practice Act to local laws that enforce building codes. A first resource for dentists to help them navigate these laws is the Legal Reference Guide for California Dentists, updated and published in January by the CDA Practice Support experts.
Protecting your practice from cyber threats
What do Anthem, Yahoo, LinkedIn and JP Morgan Chase have in common? If you guessed that they were all victims of some of the world’s largest data breaches, you’d be correct. From insurance carriers to retailers, financial institutions to the U.S. military, all organizations that have an online presence are subject to cyber-related risks and the reputational damage and loss of consumer trust that follow.
Dentist seeks guidance when patient's cognitive health becomes a factor
Throughout the business week, CDA Practice Support experts answer questions submitted by members via the “Ask an Expert” feature. Staff then answer and archive the question online for the benefit of other members. But occasionally, a question or the recurrence of questions along the same theme prompts the need for a deeper probe. In one such question, a dentist expressed concern about a patient’s cognitive health — and with whom she was allowed to discuss it.
Medical consultation versus clearance: A critical distinction for dentists
CDA Practice Support and The Dentists Insurance Company are receiving an increasing number of calls from members on the subject of obtaining medical clearance for patients who have certain chronic conditions such as diabetes or are undergoing certain therapies. TDIC warns dentists that the medical clearance process is misleading because it implies that the patient is “cleared” for treatment.
Posting 'Notice of Privacy Practices' easier with new format
A new format for the HIPAA Notice of Privacy Practices is now available for download on the CDA Practice Support website. The new "layered" notice allows a dental practice to post only one page, instead of all pages, of the notice on the wall of the practice's reception area while making the entire notice available elsewhere in the reception area.
Get answers from Practice Support experts at CDA Presents
Addressing patients’ clinical needs is what every dentist is taught in dental school. What a dentist is not taught is how to run a small business with employees and how to navigate patients’ benefit plans. CDA Practice Support experts will be on-site at CDA Presents Anaheim, at the Member Benefits Center, to answer members’ questions about dental benefits, employment and regulatory issues. Additionally, each expert will present a free one-hour lecture at The Spot Educational Theater. Topics include the dental benefits grievance process, HIPAA compliance essentials and lesser known employment laws.
Protected health information at risk, FBI warns
The FBI in a private industry notification warned health care providers that cybercriminals are actively targeting File Transfer Protocol (FTP) servers "operating in ‘anonymous’ mode and associated with medical and dental facilities to access protected health information (PHI) and personally identifiable information in order to intimidate, harass and blackmail business owners."
Top trending CDA Practice Support resources
Here are the top-five trending CDA Practice Support resources in the categories of practice management, employment practices, dental benefit plans and regulatory compliance. Featured are the “Exempt Employee Sample Offer Letter,” “Effective External Marketing Strategies Checklist” and more.
All 2016 HIPAA breaches must be reported to HHS
HIPAA-covered entities that experienced a breach of protected health information in 2016 are required to notify the secretary of the U.S. Department of Health and Human Services, regardless of the size of the breach. An entity’s reporting obligations will depend on whether the breach incident affected fewer than 500 individuals or 500 or more individuals.
OCR's new FAQ addresses business associates' use of PHI
A new FAQ from the U.S. Department of Health and Human Services’ Office of Civil Rights clarifies that a business associate cannot prevent a HIPAA-covered entity’s access to protected health information maintained by the business associate (for or on behalf of the covered entity) unless provided for within a contract.
'Meaningful use' funds must be claimed by Dec. 31
Under the provisions of the American Recovery and Reinvestment Act, participating Denti-Cal providers may receive up to $63,750 in incentive payments for implementing an electronic health record system and eventually achieving “meaningful use.” The program will close to new registrants on Dec. 31, and any dentist who has not started in the incentive program will lose the opportunity to claim those dollars.
HIPAA-required risk analysis can prevent malware attacks
CDA has fielded calls recently from dental practices wishing to learn more about the risk analysis required of all entities covered by the Health Insurance Portability and Accountability Act. Coincidentally, in response to the rapid rise of ransomware attacks, the U.S. Department of Health and Human Services’ Office of Civil Rights in July issued new guidance for health care providers.
Ransomware attacks may be reportable, OCR guidance clarifies
The U.S. Department of Health and Human Services’ Office for Civil Rights released new guidance to help health care providers better understand the malicious software and the steps required to help prevent, detect and respond to attacks.
Top trending CDA Practice Support resources
Below are the top five trending CDA Practice Support resources in the categories of practice management, employment practices, dental benefit plans and regulatory compliance.
Protect your practice from cyberattacks
Organizations of all types and sizes are vulnerable to cyberattacks. The fraudsters that perpetrate these crimes do not discriminate, and they are becoming increasingly organized and sophisticated.
HIPAA audits to expand in 2017
In May, several thousand HIPAA-covered entities received emails from the U.S. Department of Health and Human Services Office of Civil Rights (OCR) as the agency rolled out Phase 2 of its HIPAA Audit Program. One email asked covered entities to confirm contact information, then, if information was confirmed, covered entities received a questionnaire and were given 30 days to complete it.
Recent settlements highlight importance of HIPAA compliance
The federal Department of Health and Human Services’ Office for Civil Rights (OCR) recently issued two fines and corrective action plans against covered entities for HIPAA violations. On April 20, 2016, OCR issued a press release stating that it had issued a fine of $750,000 against Raleigh Orthopaedic Clinic of North Carolina (Raleigh) for failing to have a business associate agreement in place with a service provider to which it disclosed protected health information (PHI).
Physical thefts threaten patient health information
More than half of the data breaches in health care settings are a result of devices being physically stolen from a practice, car, home or elsewhere. Data breaches can result in big costs for dentists who fall victim to such a breach should unencrypted patient health information be stolen.
HHS initiates HIPAA audits
Dental practices should not ignore any email from the HHS Office for Civil Rights (OCR) as the agency announced that it has started the next phase of audits of HIPAA covered entities and business associates. The emails have been sent to verify contact information.
Handle patient record requests the right way
When a patient requests copies of his or her dental records, there are steps every dental practice should take to ensure that the request is handled properly, even when someone other than the patient requests the records. CDA Practice Support’s resource Access to Patient Records FAQ contains important information for practices to know about patient record requests and adhering to privacy regulations as outlined in HIPAA.
Data breach notice requirements changing in January
California’s data breach notification law will undergo amendments effective Jan. 1, 2016. Specifically, new state legislation, SB 570, requires changes to the format of a breach notification notice. CDA has compiled a summary of the changes dentists should be aware of.
New resource helps dentists stay HIPAA-compliant
An average dental practice data breach can cost a dentist anywhere from $100,000 to more than $1 million. According to the Office of Civil Rights, an average of 4,707 individuals are affected by a breach in a dental practice. To help dentists stay compliant, CDA has released a new, members-only, HIPAA Compliance CD Bundle. The bundle helps dentists design and implement a comprehensive compliance program using a step-by-step approach.
Physical theft most common data breach in practices
The most common type of data breach in health care settings, including dental practices, is the physical breach. This is unique when compared to other industries. Specifically, more than half of the data breaches in health care settings are a result of devices being physically stolen from a practice, car, home or elsewhere, according to the California Department of Justice.
Get tips on cyber security for your practice
Providing the best care possible to patients is what is top of mind for dentists, but as patient records transition into the digital age they also have to think about protecting patient data. From crypto-ransomware, which attempts to extort money from dentists in exchange for their hacked patient records, to theft of computers and flash drives, dentists must take the proper steps to make sure they aren’t putting their patients and their practices at risk.
Do collection agency efforts violate HIPAA - it depends
CDA Practice Support recently received a call from a dentist about a disgruntled patient who was accusing the dentist of violating the patient’s HIPAA privacy rights because of a past-due bill. Specifically, the patient claimed that they received a letter from a collection agency and the fact that the collection agency had their information was a violation of the Health Insurance Portability and Accountability Act (HIPAA).
March 1 HIPAA deadline for dentists approaching
Dentists have until March 1 to report a HIPAA-compliance issue to the U.S. Department of Health and Human Services Office for Civil Rights (HHS). Specifically, HIPAA-covered practices must report any breach of their electronic patient information that may have affected fewer than 500 people by that date. Breaches that may have affected more than 500 people have stricter timelines, as practices only get a 60-day window to report the incident.
Dentist has patient data held for ransom
One California dentist decided to share her story to warn other dentists of a relatively new hacking scheme. It is called “crypto-ransomware” and it attempts to extort money from victims by displaying an on-screen alert. These alerts often state that the computer has been locked or that all files have been encrypted, and demand that a ransom be paid to restore access.
Use encryption to avoid health care data breaches
The recently released 2014 California Data Breach Report, published by the Office of the Attorney General, reports that 70 percent of health care sector data breaches in 2012 and 2013 were the result of lost or stolen hardware or portable media containing unencrypted data. Dentists need to take the necessary steps to protect their patients' information.
Data breach law amendments coming in January
California's data breach notification law will undergo amendments effective Jan. 1, 2015. Some reports have indicated that AB 1710 will require companies to provide credit monitoring in the event of a data breach, which is not true. It does state, however, that when companies experience a data breach and decide to offer credit monitoring to affected individuals, they must offer the services at their own expense and for no less than one year. The breach notification must also contain all material information individuals need to take advantage of the offer.
It was a week before Christmas last year when the practice of Robert Meaglia, DDS, in Rocklin was broken into through the back door. The burglars took everything they could get their hands on, from toothbrushes to a Gameboy. But the most important thing they stole was the main unencrypted computer that had all of Meaglia’s patients’ information on it.
Report: HIPAA complaints on the rise
The Department of Health and Human Services recently released its "Annual Report to Congress on HIPAA Privacy, Security and Breach Notification Rule Compliance." In the report, the HHS detailed the number of complaints received for the calendar years 2011-12, the number of complaints resolved, the number of subpoenas or inquiries issued and more. The HITECH Act requires HHS to conduct the report, which found that during 2011 and 2012, the U.S. Office for Civil Rights (OCR) received 19,476 complaints, which was a significant increase over each respective year prior.
Phase 2 of HIPAA audits to launch this year
The U.S. Department of Health and Human Services recently announced that it would be conducting a second phase of HIPAA audits. The audit program is intended to be primarily for information gathering, but the HHS Office for Civil Rights will assess whether to open a separate compliance review in cases where an audit indicates serious compliance issues. Therefore, it is important that dental practices have a current HIPAA risk analysis in place, that their Notice of Privacy Practices is current and that acknowledgement of receipt forms are maintained.
Department of Health launches HIPAA security assessment tool

The U.S. Department of Health and Human Services (HHS) has launched a new security risk assessment tool that helps dentists and other health care professionals be in compliance with the Health Insurance Portability and Accountability Act (HIPAA). It is important for dentists to conduct a security risk assessment as required by HIPAA to protect their patients' information and minimize liability risk. A recent review of HIPAA enforcement actions reveals that entities were penalized for not having a documented risk analysis or for having an incomplete analysis.

CDA member’s computer theft leads to HIPAA inquiries
A CDA member’s dental practice lost a computer server to thieves last year, and is now responding to U.S. Health and Human Services (HHS) inquiries on that practice’s HIPAA compliance. CDA has been assisting the practice in this process, and is offering members recommendations so they can avoid a similar situation.
Conducting a risk analysis key for HIPAA compliance
It is important for dentists to conduct a Security Rule risk analysis as required by the Health Insurance Portability and Accountability Act (HIPAA) to protect their patients’ information and minimize liability risk. A recent review of HIPAA enforcement actions reveals that entities were penalized for not having a documented risk analysis or for having an incomplete analysis.
Clarifying HIPAA’s impact on using Windows XP in the dental office
There has been a lot of speculation around the use of Windows XP as it relates to HIPAA violations. Many IT consultants are saying if dentists’ information systems are operating on Windows XP after April 8, 2014, they are in violation of HIPAA. The HIPAA Security Rule does not specifically require the use of operating systems that are manufacturer-supported so continuing to use Windows XP after April 8 is not in itself a HIPAA violation.
Taking steps to protect patient information under HIPAA
Recent Health Information Technology for Economic and Clinical Health (HITECH) amendments to the Health Insurance Portability and Accountability Act (HIPAA) expanded patient rights with regard to their health information and added a breach notification rule for covered entities, such as dentists, to follow.
The combination of a HIPAA deadline and vendor communications about the deadline recently sent many CDA members to the Internet and telephone to find out what assistance they could get from the Practice Support Center. Callers had specific questions on the requirement to securely transmit protected health information to other dental practices.
The Sept. 23 compliance deadline for the omnibus rule/HITECH amendments to the Health Insurance Portability and Accountability Act (HIPAA) is just around the corner. There are a couple educational options for dentists related to this subject.
The U.S. Department of Health and Human Services (HHS) published the long-awaited final omnibus rule under HIPAA (Omnibus Rule) on Jan. 25, 2013. The rule implements the Health Information Technology for Economic and Clinical Health Act (HITECH) and requires that health care providers amend their Notice of Privacy Practices (NPP) and Business Associate Agreements to include new elements. The compliance date for the final rule is Sept. 23, 2013.