How does data breach notification law apply to dental practices, and what triggers notification?

Prepare for the Legal Aspects of Dentistry Test. Utilize flashcards and multiple-choice questions, each with hints and explanations. Gear up for your exam success!

Multiple Choice

How does data breach notification law apply to dental practices, and what triggers notification?

Explanation:
The key idea is that data breach notification for dental practices centers on breaches of unsecured PHI. A breach happens when there is an unauthorized acquisition, access, use, or disclosure of protected health information that compromises its security. If the information is encrypted, many laws provide a safe harbor, so a breach may not trigger notification unless the encryption keys were also accessed. The trigger to notify is the discovery of a breach involving unsecured PHI, and you must inform affected patients without unreasonable delay and no later than 60 days after discovery. In addition, if 500 or more individuals are affected, you typically must notify the Department of Health and Human Services and often the media as well; if fewer than 500, you still notify those affected and file a summary report with HHS on an annual basis. State breach notification laws may add requirements beyond HIPAA. So, notification is not something to avoid for small breaches; the obligation depends on whether PHI was compromised while unsecured, the encryption status, and how many people are affected.

