
The following is a simplified illustration of some of the steps that a dental practice would take to determine how to respond to a suspected breach of patient information. This tool uses terms such as unsecured, breach, and PHI, which are defined in regulations. For more information, see The ADA Practical Guide to HIPAA Compliance Manual, or visit

*This decision tree follows the compromise standard, which is effective March 26, 2013 (covered entities must comply by September 23, 2013). The compromise standard replaces the harm standard in the 2009 Breach Notification Interim Final Rule.

Reproduction of this material by ADA constituent and component dental societies, dentists and their staff is permitted. Any other use, duplication or distribution by any other party requires the prior written approval of the American Dental Association. This material is for general reference purposes only and does not constitute legal advice. It covers only HIPAA, not other federal or state law. Changes in applicable laws or regulations may require revision. Dentists and dental societies should contact qualified legal counsel for legal advice, including advice pertaining to HIPAA compliance, the HITECH Act, and the U.S. Department of Health and Human Services rules and regulations.

© 2013 American Dental Association. All Rights Reserved.

Revised 6/7/2013