Subscribe to receive email updates as new information becomes available.

How often do we read or hear of data breaches of patient information? It seems it’s happening quite a lot–such as the hundreds of US dentist offices hit by ransomware in August. 

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Kennedy–Kassebaum Act was enacted by the 104th United States Congress and signed by President Clinton in 1996. It was created to modernize the flow of healthcare information, stipulate how personally identifiable information (PII) should be maintained by the healthcare industry, provide guidelines for healthcare insurance industries to protect themselves from fraud and theft, and address limitations on healthcare insurance coverage. 

The act consists of five titles. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.[5] Title III sets guidelines for pre-tax medical spending accounts, Title IV sets guidelines for group health plans, and Title V governs company-owned life insurance policies.

What is PHI? Under HIPAA, protected health information (PHI) is individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, or transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations (PHI healthcare business uses). However, along with HIPAA compliance, HIPAA violations can occur. As ruinous as a HIPAA penalty can be to your business’ reputation and your financial health, so too, is having your data unavailable or lost.

Actions to safeguard health information

The following steps should be implemented in your dental practice security strategy.

Identify PHI repositories

Providers should identify all repositories of PHI and detail how that PHI is accessed. For example, mobile devices, printers, or fax machines (printers and faxes can store images), along with digital x-rays, and documents. Examine security practices involving the methods of transporting these documents, i.e., sending faxes, email, connecting via the internet, USPS, etc.

Ensure that PHI is encrypted

Consider the risk of PHI being accessed inappropriately and the potential impact of unauthorized access.

Conduct regular audits

Utilize Least Privilege to govern access to PHI, with appropriate audits done periodically according to your assessment of risk likelihood and impact. Isolate your backup copies from access on your network. Regularly review audits and logs of access and activities on your systems.

Implement security basics

Ensure that controls are in place to protect your business against viruses, malware, insider threats, and other forms of cyber crime. Train your staff in security basics such as watching for phishing emails, not opening emails from unknown senders, or clicking on links/attachments they are not expecting. Most importantly, document everything, as none of the above will count with an auditor unless you’ve documented it.

Learn from trusted resources 

These are minimal actions to decrease the risk to your dental practice and patients’ information. Implementing these strategies will provide the essential groundwork to lessen your cybersecurity exposure and your vulnerability. It’s a good idea to use available trusted resources, professional associations, and existing vendors. Repeat the process whenever something regarding your PHI repositories or information technology (IT) infrastructure changes. Only by properly prioritizing and governing cybersecurity can you avoid or minimize your risk. 

Have you considered SaaS?

Another alternative for dental practices to minimize risk is to adopt a SaaS product such as QSIDental Web® (QDW) EDR/EPM. In this case, the job of managing, protecting, and accessing data is shared with a HITRUST certified company, NextGen Healthcare. QDW has HITRUST CSF certification and operations are audited as part of SOC 2 Type II standards. 

To learn more about QSIDental Web, contact us at

Meet NextGen Ambient Assist, your new AI ally that generates a structured SOAP note in seconds from listening to the natural patient/provider conversation.

Read Now

Oscar King, MBA, CISM, CISA

Sr. Manager, Account Management