FOCUS ON: Data Breaches and HIPAA

Josh Brower, DDS
HIPAA, data breaches


Josh Brower, DDS, discusses the legal questions you need to know to ask about your data.


Q: Can I be sued more than once for the same information getting out?

A: Yes. Cyber regulation and healthcare regulation have merged in many ways for dental offices, making compliance more necessary, more expensive, and more complicated than ever before.

During treatment, many types of sensitive data are exchanged with patients, but sensitive data is defined differently by HIPAA and by each state's laws. It may include names, social security numbers, and protected health information (PHI), among other things. State laws vary enormously in what they consider protected data. A dental office can be sued multiple times by different parties for the same data breach, and if the breach occurs through your website, further penalties and suits can be added. Offices are required to protect all of this data, not just electronic protected health information (ePHI).

Q: Doesn’t my IT guy protect me from these little fines?

A: No. The Office for Civil Rights (OCR) investigates HIPAA violations, and those investigations result in settlements with the Department of Health and Human Services. Many data breach investigations start with complaints submitted by patients or healthcare employees. You are responsible for any breach unless you have a written agreement that shifts that responsibility to someone else. As of October 2023, the minimum penalty for a willful violation that is not corrected within 30 days can be as high as $68,928 for a single violation, with a maximum of $1.5 million in one year.

Q: What is an example of a compliance violation? 

A: The OCR and the Attorney General of each state may each take action, and in some states there is a private cause of action for data security breaches that also allows the owner of the breached information to sue. A California dentist was recently fined $23,000, agreed to adopt a corrective action plan to address non-compliance, and accepted two years of monitoring for responses posted to several patient reviews on Yelp. The onsite investigation found that the practice did not have the required content in its Notice of Privacy Practices and had not implemented appropriate policies and procedures concerning protected health information, including the release of protected health information on social media platforms and in public places. This was the 21st financial penalty imposed by OCR in 2022 to resolve HIPAA violations, more than in any other year since OCR was given the authority to enforce HIPAA compliance.

Q: What happens if my website isn’t ADA-compliant?

A: People with disabilities have filed lawsuits against businesses whose websites were not coded to work with the assistive technology they use. The legal obligation arises under Title III of the Americans with Disabilities Act (ADA) and Sections 504 and 508 of the Rehabilitation Act of 1973, and non-compliance penalties can reach $55,000 for the first violation and $110,000 for each subsequent violation.

Q: What is the Supremacy Clause? 

A: It allows HIPAA (federal) law regarding patient records to supersede any state provisions regarding patient records. However, state laws can exceed the federal minimum. According to OCR director Melanie Fontes Rainer, "patients have a fundamental right under HIPAA to receive their requested medical records, in most cases, within 30 days. I hope that these actions send the message of compliance so that patients do not have to file a complaint with OCR to have their medical records requests fulfilled." In 2020, a Georgia orthodontic provider was fined $80,000 for charging $170 to copy records, which was found to be an excessive fee, and for excessive delay in providing a patient with his or her records. The same year, a Las Vegas provider was fined $25,000 for an 8-month delay between the initial request and the final records being provided. State laws may also provide for additional damages (see the addendum below).

Q: What can you do to mitigate your risk?

A: Train your employees, and keep retraining them. Under federal HIPAA regulations, healthcare providers are required to train the members of their workforce who handle PHI on compliance with the HIPAA Privacy Rule and Security Rule. The Privacy Rule requires training for each new member of the workforce within a reasonable period after the person takes a role handling PHI, and again whenever his or her functions are affected by a material change in policies or procedures. The Security Rule calls for periodic training.

Once you make your written plan, follow it. Annual training, scheduled by your compliance officer, is recommended. Know that the risk is real, and it is rising: in 2009 there were 14 reported data breaches, and in 2023 there were 328. My final advice is to know your state laws or hire someone who does. Keep your manuals updated and follow them, train annually, use encryption where it is needed, hire a website company that reviews its security and regulatory compliance at least monthly, and don't respond to online reviews without expert advice.


Addendum: You can be liable for a data breach without knowing one has occurred. Each state defines its data privacy law differently. Here are some examples of how they vary:

  1. Laws that define a breach

California: Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person, business, or agency. Cal. Civ. Code §1798.82(g) (as applicable to non-governmental entities); Cal. Civ. Code §1798.29(f) (as applicable to governmental entities).

  2. The definition of personal information that triggers a breach

New York: Personal information is defined as any information concerning a natural person which can be used to identify the person. Private information is either:

(i) personal information in combination with any one or more of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired (so encryption is a safe harbor only if the key was not compromised as well): (1) SSN; (2) driver's license number or non-driver ID card number; (3) account number, or credit or debit card number, in combination with any required security code, access code, password, or other information that would permit access to the individual's financial account; (4) account number, or credit or debit card number, if circumstances exist where the number could be used to access an individual's financial account without additional identifying information, security code, access code, or password; or (5) biometric information, meaning data generated by electronic measurements of an individual's unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data, which is used to authenticate or ascertain the individual's identity; or

(ii) a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.

N.Y. Gen. Bus. Law § 899-aa(1)(b), as amended by 2019 N.Y. Laws ch. 117 (as applicable to non-governmental entities); N.Y. State Tech. § 208(1)(a) (as applicable to governmental entities).

  3. The variation in who must be notified

Texas: Any individual whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, provided that the individual is a resident of Texas or of another state that does not require a person to notify the individual of a breach of system security. Tex. Bus. & Com. Code § 521.053(b), Tex. Bus. & Com. Code § 521.053(b-1). National consumer reporting agencies must also be notified if more than 10,000 persons are being notified at once. Tex. Bus. & Com. Code § 521.053(h). In addition, a domestic insurer or HMO should contact its assigned financial analyst at the Texas Department of Insurance if it experiences or discovers an unauthorized acquisition, release, or use of personal information or sensitive company information. See Commissioner's Bulletin # B-0022-16.

  4. The time you have to notify the data owner

Florida: As expeditiously as practicable and without unreasonable delay, but no later than 30 days after the determination of a breach. A covered entity may receive 15 additional days to provide notice to individuals, if good cause for delay is provided in writing to the Department of Legal Affairs within 30 days after determination of the breach or reason to believe a breach occurred. Fla. Stat. § 501.171(4)(a).

A third-party agent must notify the covered entity of a breach of security as expeditiously as practicable, but no later than 10 days following the determination of the breach or reason to believe the breach occurred; the covered entity must then provide the required notices. Fla. Stat. § 501.171(6)(a).

  5. Penalties for nondisclosure may come from the AG and/or from the data owners in some states

New Hampshire: Any person injured by a violation may bring an action for damages and/or an injunction. The AG may also bring an action. N.H. Rev. Stat. § 359-C:21.

For the insurance industry: Penalties may include suspension of license or a fine of up to $2,500 per violation. N.H. Rev. Stat. § 420-P:12.

Disclaimer: The information provided on this website and in the article is for informational purposes only and should not be construed as legal advice. You should not act or refrain from acting on the basis of any content included herein without seeking legal advice from a licensed attorney in your jurisdiction.


Dr. Brower graduated with honors in 1997 from the University of Minnesota. He has more than 20 years of private practice experience as an owner, is a teacher/lecturer, and is an AGD PACE CE provider. He will graduate from law school this year and focuses on all aspects of health law, practice management, and training.

He can be reached at or via the website