...

Ekim IT Solutions


What Is a HIPAA Security Incident in a Dental Practice


Most dental practices know what a HIPAA breach is. But the HIPAA Security Rule also defines a separate, broader category called a security incident, and every practice must have procedures for identifying, responding to, and documenting these incidents. That applies even when no breach occurs.

Most dental teams have never been trained on the difference. Here is what you need to know about security incidents, how they differ from breaches, and what your practice must do when one happens.

Red callout box stating that HIPAA requires every dental practice to have a documented incident response procedure whether or not they have ever experienced a breach, warning that OCR investigations frequently find practices with no incident response documentation in place and that the absence of these procedures is a violation independent of any actual incident

What a HIPAA Security Incident Is

The HIPAA Security Rule (45 CFR 164.304) defines a security incident broadly: the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations, in an information system. The definition covers attempts as well as successes, and it covers interference with operations, not just access to data. The rule casts a wide net on purpose.

A security incident therefore does not require stolen patient data. A failed login attempt against a system that holds patient records counts. So does a staff member opening a record they have no reason to see. Malware detected on a workstation qualifies as an incident even if nothing was taken, because it is an attempted unauthorized use of the system. Routine noise such as blocked port scans or rejected logins can be handled by logging and periodic review rather than a written report for each event, but your incident procedure should say so explicitly rather than leave it to each person's judgment.

The Difference Between an Incident and a Breach

A HIPAA breach is a specific type of security incident. It occurs when unsecured PHI is acquired, accessed, used, or disclosed in a way the Privacy Rule does not permit, and the incident compromises the security or privacy of that PHI. Not every incident rises to that level.

For example, a ransomware attack stopped before it encrypted or copied any files is an incident but may not be a reportable breach. Likewise, a staff member who opened a phishing email without clicking the link or entering credentials triggers an incident but likely not a breach. The distinction matters because the response requirements differ significantly: every incident must be documented, but only a breach triggers notification.

The Four-Factor Breach Assessment

When a security incident involves a possible impermissible use or disclosure of PHI, HIPAA presumes a breach unless the practice can show through a documented risk assessment that there is a low probability the PHI was compromised. The assessment weighs at least four factors: the nature and extent of the PHI involved, including the types of identifiers and how easily a person could be re-identified; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed, as opposed to merely exposed; and the extent to which the risk to the PHI has been mitigated, for example by a signed attestation that a misdirected record was destroyed.

If the assessment cannot demonstrate a low probability that PHI was compromised, the incident must be treated as a breach and handled accordingly. Keep the written assessment itself, not just the conclusion; OCR will ask how you reached it.

Blue callout box listing four steps when a security incident occurs: contain it by isolating systems, changing passwords, and disconnecting exposed devices immediately, document it by recording what happened and what was done as HIPAA requires this even without a breach, run the four-factor assessment to determine if PHI was involved and if the incident is reportable, and call your IT provider who confirms containment, investigates the cause, and closes the gap

Common Security Incidents in Dental Offices

Phishing emails

A staff member receives an email designed to look like a trusted sender and either clicks a link or opens an attachment. Even if no credentials were entered, this is a security incident that must be documented. If credentials were entered on a fake login page, reset that password, sign the account out of all active sessions, check the mailbox for newly added forwarding or inbox rules, and then assess the incident as a potential breach based on what the account could reach.

Ransomware detection

Ransomware detected on a workstation is always a security incident. HHS guidance treats ransomware that encrypts ePHI as a presumed breach, because the attacker acquired control of the data, unless the four-factor assessment shows a low probability of compromise. Whether patient data was encrypted or exfiltrated before the malware was contained is therefore the central question, and it is one you usually cannot answer without logs. Ransomware incidents require immediate containment, documentation, and a thorough forensic investigation.

Unauthorized access by staff

A staff member accessing a patient record they have no treatment relationship with is a security incident. HIPAA requires role-based access controls and audit logging specifically so these incidents can be detected and investigated. An audit log only helps if someone reviews it: set a schedule for reviewing access to records of staff, family members of staff, and high-profile patients, and for spotting a user who opens many charts they have no reason to open.
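The review described above can be partly automated. The following is an added example, not Ekim's tooling and not code from any practice management system; the pipe-delimited audit log format, the user and patient identifiers, the care team table, and the appointment window are all constructed assumptions. It flags chart views by users with no treatment relationship to the patient, flags after-hours access, and separately reports users who opened three or more unrelated charts in one day, the pattern that suggests browsing rather than a one-off mistake.

```python
"""Flag EHR audit-log entries that lack a treatment relationship.

Added example for illustration; the log format, names and relationship
data below are constructed, not taken from any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log lines (assumed format:
# timestamp|user|role|patient_id|action). Not real data.
AUDIT_LOG = """\
2024-03-04T08:55:00|drlee|dentist|P1001|view_chart
2024-03-04T09:10:00|mpatel|hygienist|P1042|view_chart
2024-03-04T12:41:00|jsmith|front_desk|P1043|view_chart
2024-03-04T12:43:00|jsmith|front_desk|P1044|view_chart
2024-03-04T12:44:00|jsmith|front_desk|P1045|view_chart
2024-03-04T21:30:00|drlee|dentist|P1088|view_chart
2024-03-05T10:02:00|jsmith|front_desk|P1001|update_schedule
"""

# Constructed treatment relationships: staff on each patient's care team,
# and appointment dates that justify a chart lookup close to that date.
CARE_TEAM = {
    "P1001": {"drlee", "mpatel"},
    "P1042": {"drlee"},
    "P1088": {"drlee"},
}
APPOINTMENTS = {  # patient_id -> appointment dates (constructed)
    "P1042": [datetime(2024, 3, 5)],
    "P1001": [datetime(2024, 3, 6)],
}
# Actions an administrative role may perform on any patient's record.
SCHEDULING_ACTIONS = {"update_schedule", "view_schedule"}
APPOINTMENT_WINDOW = timedelta(days=3)   # assumed policy value
BUSINESS_HOURS = (7, 19)                 # local hours: start inclusive, end exclusive
BROWSING_THRESHOLD = 3                   # unrelated charts per user per day


def parse_log(text):
    """Parse the pipe-delimited audit log into dicts, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split("|")
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return entries


def has_relationship(entry):
    """True if the access is justified by care team membership, an
    appointment within APPOINTMENT_WINDOW, or a front-desk scheduling action."""
    if entry["user"] in CARE_TEAM.get(entry["patient"], set()):
        return True
    if entry["action"] in SCHEDULING_ACTIONS and entry["role"] == "front_desk":
        return True
    return any(abs(appt - entry["ts"]) <= APPOINTMENT_WINDOW
               for appt in APPOINTMENTS.get(entry["patient"], []))


def find_incidents(text):
    """Return (flagged_entries, browsing_users).

    flagged_entries: each access with no treatment relationship or outside
    business hours, with a 'reasons' list explaining why it was flagged.
    browsing_users: users who opened BROWSING_THRESHOLD or more unrelated
    charts on a single calendar day."""
    flagged = []
    unrelated_per_user_day = defaultdict(set)
    for e in parse_log(text):
        reasons = []
        if not has_relationship(e):
            reasons.append("no_treatment_relationship")
            unrelated_per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
        if not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]):
            reasons.append("after_hours")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    browsing = sorted({user for (user, _), charts in unrelated_per_user_day.items()
                       if len(charts) >= BROWSING_THRESHOLD})
    return flagged, browsing


if __name__ == "__main__":
    flagged, browsing = find_incidents(AUDIT_LOG)
    for f in flagged:
        print(f["ts"].isoformat(), f["user"], f["patient"], ",".join(f["reasons"]))
    print("possible chart browsing by:", browsing)
```

On the constructed log, the hygienist's view of P1042 passes because of the next-day appointment, the front desk scheduling action on P1001 passes because of the role rule, the dentist's 21:30 view of P1088 is flagged only as after hours, and the three front-desk chart views of unrelated patients are flagged individually and together trigger the browsing report. Each flagged line is the starting point for a documented incident; the script does not decide whether a breach occurred.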

Lost or stolen devices

A lost laptop, phone, or USB drive that contains or could access patient data is a security incident. If the device was not encrypted, it is likely a reportable breach. If the device was encrypted in line with HHS guidance and the decryption key or passcode was not lost with it, the PHI is considered secured and the loss is not a reportable breach. You still need evidence: a record showing encryption was enabled on that specific device before it went missing, not a general policy that says devices should be encrypted.

Frequently Asked Questions

Does a dental practice have to report every security incident to HHS?

No. Only incidents that meet the definition of a reportable breach require notification to HHS, affected patients, and in some cases the media. All security incidents must be documented internally regardless of whether they are reportable, and that documentation is what demonstrates to an investigator that your practice has active incident management procedures in place.

How long do we have to report a breach to HHS?

HIPAA requires notification to affected patients without unreasonable delay and in no case later than 60 days after the breach is discovered; 60 days is an outer limit, not a grace period. Breaches affecting 500 or more individuals must be reported to HHS at the same time as patient notification, and if more than 500 residents of a single state or jurisdiction are affected, media notice in that state is also required within the same 60 days. Breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. Delays in notification are treated as separate violations and have resulted in significant fines for dental practices.

What documentation does HIPAA require for security incidents?

HIPAA requires documentation of security incidents and their outcomes. This includes the date of the incident and the date it was discovered, how it was discovered, what systems and PHI were involved, the results of the four-factor breach risk assessment, what actions were taken in response, and, for a breach, who was notified and when. This documentation must be retained for six years.

Does Ekim help dental practices respond to security incidents?

Yes. Ekim IT Solutions provides incident response support for dental practices including containment, forensic investigation, documentation, and remediation. We serve practices across all 50 states remotely and provide on-site support in New England and New York. We also help practices build documented incident response procedures before an incident occurs so the response is coordinated rather than reactive.

Does your practice have a documented incident response plan?

Ekim IT Solutions works exclusively with dental practices. We serve New England and New York with on-site support and dental practices nationwide with remote support. Security, compliance, and everything in between so you can focus on patients.

Schedule a Fit Call: Find out in 15 minutes if we are the right fit for your practice.

Ezra Angelo