
Ekim IT Solutions


What Is a HIPAA Security Incident in a Dental Practice

HIPAA Compliance Guide

Most dental practices know what a HIPAA breach is. But HIPAA defines a separate category called a security incident. Every practice must have procedures for identifying, responding to, and documenting these incidents. That applies even when no breach occurs.

Most dental teams have never been trained on the difference. Here is what you need to know about security incidents, how they differ from breaches, and what your practice must do when one happens.

HIPAA Requirement

HIPAA requires every dental practice to have a documented incident response procedure, whether or not it has ever experienced a breach.

OCR investigations frequently find that practices had no incident response documentation in place. The absence of these procedures is a violation independent of any actual incident.

What a HIPAA Security Incident Is

The HIPAA Security Rule defines a security incident broadly. It covers any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information in an information system. Importantly, the definition also includes interference with system operations. The rule casts a wide net on purpose.

A security incident does not require stolen patient data. For instance, a failed login attempt counts. So does a staff member accessing a record they should not have. Similarly, malware detected on a workstation qualifies as an incident, even if nothing was taken.

The Difference Between an Incident and a Breach

Security Incident

Any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations. Every practice must document and respond to these.

Reportable Breach

A specific subset of incidents where unsecured PHI is acquired, accessed, used, or disclosed in a way the Privacy Rule does not permit. Requires notification to patients, HHS, and in some cases the media.

A HIPAA breach is a specific type of security incident. It occurs when unsecured PHI is acquired, accessed, used, or disclosed in a way the Privacy Rule does not permit. Not every incident rises to that level.

For example, a failed ransomware attack stopped before encrypting files is an incident but may not be a reportable breach. Likewise, a staff member who opened a phishing email without clicking a link triggers an incident but likely not a breach. The distinction matters because the response requirements differ significantly.

Need incident response documentation and HIPAA technical safeguards in place before something goes wrong? Ekim IT Solutions works exclusively with dental practices.


The Four-Factor Breach Assessment

When a security incident involves a potential disclosure of PHI, HIPAA requires a four-factor risk assessment to determine whether the incident constitutes a reportable breach. The four factors are: the nature and extent of the PHI involved, the identity of who accessed or could have accessed it, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated.

If this assessment cannot demonstrate a low probability that PHI was compromised, the incident must be treated as a breach and handled accordingly.

Incident Response Protocol

Four steps when a security incident occurs:

1. Contain it. Isolate systems, change passwords, and disconnect exposed devices immediately.

2. Document it. Record what happened, when, and what was done. HIPAA requires this even if no breach occurred.

3. Run the four-factor assessment. Determine whether PHI was involved and whether the incident is reportable.

4. Call your IT provider. They confirm containment, investigate the cause, and close the gap.

Common Security Incidents in Dental Offices

Phishing emails

A staff member receives an email designed to look like a trusted sender and either clicks a link or opens an attachment. Even if no credentials were entered, this is a security incident that must be documented. If credentials were entered on a fake login page, the incident must be assessed as a potential breach.

Ransomware detection

Ransomware detected on a workstation is always a security incident. Depending on whether patient data was encrypted or exfiltrated before the malware was contained, it may also be a reportable breach. Ransomware incidents require immediate containment, documentation, and a thorough forensic investigation.

Unauthorized access by staff

A staff member accessing a patient record they have no treatment relationship with is a security incident. HIPAA requires access controls and audit logging specifically so these incidents can be detected and investigated.

Lost or stolen devices

A lost laptop, phone, or USB drive that contains or could access patient data is a security incident. If the device was not encrypted, it is likely a reportable breach. If the device was encrypted and the data is inaccessible, it may qualify for the safe harbor exception to breach reporting.

Frequently Asked Questions

No. Only incidents that meet the definition of a reportable breach require notification to HHS, affected patients, and in some cases the media. All security incidents must be documented internally regardless of whether they are reportable. This documentation demonstrates that your practice has active incident management procedures in place.

HIPAA requires breach notification to affected patients and HHS within 60 days of discovering the breach. If more than 500 patients in a state are affected, media notification in that state is also required within 60 days. Delays in notification are treated as separate violations and have resulted in significant fines for dental practices.

HIPAA requires documentation of security incidents and their outcomes. This includes the date of the incident, how it was discovered, what PHI was involved, the results of the four-factor breach risk assessment, and what actions were taken in response. This documentation must be retained for six years.

Yes. Ekim IT Solutions provides incident response support for dental practices including containment, forensic investigation, documentation, and remediation. We serve practices across all 50 states remotely and provide on-site support in New England and New York. We also help practices build documented incident response procedures before an incident occurs so the response is coordinated rather than reactive.
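The incident-versus-breach logic from the four-factor assessment section and the documentation, notification and retention rules from the FAQ, written up as an incident register entry. This is an added example, not code from the original post or from Ekim IT Solutions; the field names are ours, the safe-harbor rule follows the lost-device section, and the six-year retention is assumed to run from the incident date.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
NOTIFICATION_DAYS = 60   # patient and HHS notice deadline, counted from discovery
MEDIA_THRESHOLD = 500    # more than 500 patients in one state -> media notice too
RETENTION_YEARS = 6      # how long the incident record must be kept
@dataclass
class FourFactorAssessment:
    phi_nature: str        # 1. nature and extent of the PHI involved
    who_accessed: str      # 2. who accessed or could have accessed it
    phi_viewed: bool       # 3. whether the PHI was actually acquired or viewed
    mitigation: str        # 4. extent to which the risk has been mitigated
    low_probability: bool  # the assessor's documented conclusion
@dataclass
class SecurityIncident:
    incident_date: date
    discovered_on: date
    discovered_how: str
    actions_taken: list[str]
    phi_involved: bool
    assessment: FourFactorAssessment | None = None
    device_encrypted: bool | None = None  # only meaningful for lost/stolen devices
    affected_by_state: dict[str, int] = field(default_factory=dict)

    def is_reportable_breach(self) -> bool:
        if not self.phi_involved:
            return False           # still an incident: document it anyway
        if self.device_encrypted is True:
            return False           # safe harbor: encrypted, data inaccessible
        if self.assessment is None:
            return True            # no assessment means no low-probability showing
        return not self.assessment.low_probability

    def notification_deadline(self) -> date | None:
        if not self.is_reportable_breach():
            return None
        return self.discovered_on + timedelta(days=NOTIFICATION_DAYS)

    def media_notice_states(self) -> list[str]:
        if not self.is_reportable_breach():
            return []
        return sorted(s for s, n in self.affected_by_state.items() if n > MEDIA_THRESHOLD)

    def retain_until(self) -> date:
        # Assumption: the six years run from the incident date; 29 Feb rolls to 28 Feb.
        d = self.incident_date
        try:
            return d.replace(year=d.year + RETENTION_YEARS)
        except ValueError:
            return d.replace(year=d.year + RETENTION_YEARS, day=28)
```

An incident with no assessment on file is deliberately treated as a breach, matching the rule that the practice must demonstrate a low probability of compromise rather than assume one.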
If a security incident hit your practice today, would your team know exactly what to do?

Ekim IT Solutions works exclusively with dental practices. We serve New England and New York with on-site support and dental practices nationwide with remote support. We help dental practices build and document incident response plans that meet HIPAA requirements so your team is never making it up as they go when something goes wrong.

No incident response plan means no playbook when it matters most. Find out if your practice is prepared.