March 2013 GDA Action

ACTIONTHE JOURNAL OF THE GEORGIA DENTAL ASSOCIATION MARCH 2013

GDAction 0313.qxd 3/14/13 8:30 PM Page 1


AFTCO Transition Consultants . . . . . . . . . . . . .24

Atlanta Dental Imaging . . . . . . . . . . . . . . . . . . .13

Center for TMJ Therapy . . . . . . . . . . . . . . . . . .29

Craniofacial Pain Center of Georgia . . . . . . . .19

Dental Care Alliance . . . . . . . . . . . . . . . . . . . . . .8

Fidelity Bank . . . . . . . . . . . . . . . . . . . . . . . . . . .11

Full Spectrum Seminars . . . . . . . . . . . . . . . . . . .9

GDA Dental Recovery Network . . . . . . . . . . . .28

Georgia Dental Insurance Services . . . . . . . . .32

Georgia Denture & Implant Specialists . . . . . .17

Georgia Mission of Mercy . . . . . . . . . . . . . . . .31

Great Expressions Dental Centers . . . . . . . . . .27

Hospital Dentistry—Dr. Kurtzman . . . . . . . . . .14

Law Office of Stuart J. Oberman . . . . . . . . . . .15

National Practice Transitions, LLC . . . . . . . . . .26

Dr. Mark Padolsky—TMD Dentist . . . . . . . . . .27

Paragon Dental Practice Transitions . . . . . . . .30

Professional Practice Management . . . . . . . . .24

Southeast Transitions . . . . . . . . . . . . . . . . . . . .28

UBS Financial Services . . . . . . . . . . . . . . . . . . .2

index of advertisers

GDA ACTION (ISSN 0273-5989) The official publication ofthe Georgia Dental Association (GDA) is published monthly.POSTMASTER: Send address changes to GDA Action at7000 Peachtree Dunwoody Road N.E., Suite 200,Building 17, Atlanta, GA 30328. Phone numbers in state are(404) 636-7553 and (800) 432-4357. www.gadental.org.

Closing date for copy: first of the month preceding publicationmonth. Subscriptions: $17 of membership dues is for thenewsletter; all others, $75 per year. Periodicals postage paidat Atlanta, GA.

Dr. David Bradberry Delaine HallGDA Editor GDA Managing Editor1070 Woodlawn Dr NE 7000 Peachtree Dunwoody Rd NESuite 250 Suite 200, Building 17Marietta, GA 30068 Atlanta, GA 30328

2012-13 Georgia Dental Association OfficersSidney R. Tourial, DDS, PresidentMarshall H. Mann, DDS, President ElectDouglas B. Torbush, DDS, Vice PresidentJames B. Hall III, DDS, Secretary / TreasurerR. David Bradberry, DMD, Editor

GDA/GDIS Executive Office Staff Members

Martha S. Phillips, Executive Director

Nelda Greene, MBA, Associate Executive Director

Delaine Hall, Director of Communications

Skip Jones, Director of Marketing (GDIS)

Courtney Layfield, Director of Member Services

Victoria LeMaire, Medical Accounts Manager

Judy Lively, Administrative Assistant (PT)

Melana Kopman McClatchey, General Counsel

Denis Mucha, Director of Operations (GDIS)

Margo Null, Property and Casualty Accounts Manager

Meg Robinson, Director of Governmental Affairs

Patrice Williams, Administrative Assistant

Phyllis Willich, Administrative Assistant

Pamela Yungk, Director of Membership & Finance

GDA Action seeks to be an issues-driven journal focusing on current mattersaffecting Georgia dentists, patients, and their treatment, accomplished throughdisseminating information and providing a forum for member commentary.

© Copyright 2013 by the Georgia Dental Association. All rights reserved. No partof this publication may be reproduced without written permission. Publicationof any article or advertisement should not be deemed an endorsement of theopinions expressed or products advertised. The Association expressly reservesthe right to refuse publication of any article, photograph, or advertisement.

11 New Credit Card Surcharge

Allowance: What Dentists Must Know

18 Legally Naked in a Well-Dressed

World: Do You Need an Attorney?

20 How to Determine if Your

Practice Would Benefit from

Cyber Liability Coverage

23 Make GDA Annual Meeting

Room Reservations for July

4 Parting Shots

5 Editorial

6 Letters to the Editor

7 News and Views

10 Calendar of Events

25 Classifieds

As if the previous thousands of pages of HealthInsurance Portability and Accountability Act(HIPAA) regulations weren’t enough, thelong delayed HIPAA Omnibus rule, all 563pages of it, was issued in January. The newrule makes significant changes to theexisting rules and requires us to changeour procedures once more, all in an effortto keep patient information safer. Dentistsmust comply with the new HIPAA rules bySeptember 23, 2013. See page 12 to findout what actions your office must take.

ACTIONTHE JOURNAL OF THE GEORGIA DENTAL ASSOCIATION MARCH 2013

other features sections

on the cover

Member Publication American Association of Dental Editors

ACTION

V O L U M E 3 2 , N U M B E R 3 • M A R C H 2 0 1 3

Note: Publication of an advertisement is not to be construed as anendorsement or approval by the GDA or any of its subsidiaries,committees, or task forces of the product or service offered in the

advertisement unless the advertisement specifically includes anauthorized statement that such approval or endorsement hasbeen granted.


4 GDA ACTIONMARCH 2013


One of the things I often like to do is watchdifferent animals as they go about their dailylives. Because of my location I have the goodfortune of watching ducks and geese on analmost daily basis. They both tend to begenerally organized into their groups duringdaily tasks. They sleep, bathe, and go aboutgathering food daily. They instinctively knowthe what, when, and how of doing all this in amanner that reduces any danger to them butyields the most food, safety, and protection.

What is interesting is that only some ofthem know when a real threat faces them andwhen something is just a nuisance. I say somesince it appears about half the brood is wild.The other half seems to be “city-fied.” Thesewaterfowl are the ones that do not prepare asmuch, live more day to day, and do not flysouth for the winter. I’ve been told that this isdue to the birds being “urbanized.” They don’tneed to travel to survive winter; there areplenty of resources for them in suburbanAtlanta due to the migration of people.

Recently on a people level life hasreminded me of the Scout motto “BePrepared.” In many ways I have had to look atand answer this question: ‘Am I prepared?’Now as I write, this brings to mind thequestion, ‘Are you prepared?’

As doctors our answers to this questioncan be divided into many parts. Do you haveall of your “ducks” in a row in the insurancearena? Everyone usually has the variousinsurance policies completed and in place asneeded. But do you have any instructionswritten out about the coverage and how tostart the ball rolling on making the coveragework? Do you have a set of instructions forboth home and office in the event you or youroffice become incapacitated in any way? Icannot recommend this enough. Our GDAinsurance agency highly recommends this.Though no one can ever be really prepared foran emergency, having detailed instructionsfor others to follow greatly reduces stress ata time when most people have difficultyjust thinking.

Do you have a set of guidelines outliningwho your family and staff can contact forhelp, and in what areas, should you become

incapacitated? Are there instructions for youremployees that can help them keep day-to-dayoperations going? If you are a solo practitioner,are you part of a group that has agreed to helpone another? Take the time to write outinstructions and put agreements in place.Even if your incapacitation is a short-termdisability, this will make a tremendousdifference to the people trying to fill thevacuum your absence creates. What will guideyour practice forward if you are not there topersonally direct the ship?

On a slightly less serious note, are youprepared if your office systems becomeincapacitated? A few years ago I had to movemy office, so I decided to upgrade some of myequipment. Now, I’m an engineer by back-ground so you can imagine that I’m a littlehands-on when it comes to design andimplementation. Even then, thanks to thecomplexity of modern electronics, I left gaps.And they showed up the first time bad weath-er rolled through. Electrical power surges,anyone? Our computers had basic protectionbut we still ended up with issues. Make surethat every electronic item in your office is atleast double-surge protected including thatvery “in-expensive” pan machine. The engineerin me rapidly decided to implement multiplelayers of surge protection, from where thephone and electrical lines come into thebuilding all the way down to each individualunit. Since spikes in electricity are generallyfaster than protectors to stop ‘spikes’ frombrown-outs I also placed voltage softenerson crucial equipment (like my server andpan x-ray).

I was more than a little botheredpost-storm when I remembered that myinstallation expert had not recommended thisdegree of planning. It took a lot of thunderand lightning for me to get my ducks in a row.

Make your plan. Write down that plan.Make sure others know about the plan. Younever know when a zap might come along. Beprepared and may your ducks line up.

Ducks All in a Row

5GDA ACTIONMARCH 2013

editorialperspective

R. David Bradberry, DMD



Dr. Bradberry,

Kudos to the GDA for seizing the opportunity to present definitivedata refuting the purported dental manpower shortage in Georgia,and by inference other states as well. The inequity between dentalmanpower and patient utilization is a nationwide problem, andthe actions of the GDA will be appreciated by dentists across thecountry. Hopefully this will lead to the demise of the completelysuperfluous mid-level provider. Because of practitioner / patientinequity, most young dentists are either struggling as start-up solopractitioners, “indentured” to corporate dentistry, or working asassociates in established practices with no real path to partnershipor ownership.

As noted in the editorial perspective in the January 2013 GDAAction, we must make a more concerted effort to educate thepublic about the advantages of regular dental care, and we musteducate ourselves in ways that allow us to more effectivelyserve our patients. But we must also be realistic. There is alimit to our potential for patient motivation. When we think ofthe considerable marketing efforts dentists already make, inconjunction with the robust advertising done by manufacturersof dental consumer products, we are likely near the limits of ourabilities to motivate the public.

A fundamental problem in my opinion, and one that seems to belargely unrecognized, is the reduction in per capita dental needsover the last few decades without a corresponding reduction indental providers, increased population notwithstanding. (We arewitnessing the remarkable impact of fluoride and preventionmeasures.) Those of us who practiced in the 1970s and 1980s haveseen the problems caused by an excess of practitioners, and we areseeing the same problems now. I emphasize this issue in the hopethat we will make efforts to curtail the manpower oversupply.However, because of the recent spate of new dental schools and /or class enlargements, our profession is going to be facing a surplusof practitioners for the foreseeable future.

Dentistry is no different from other professions or businesses. Weare all impacted by the realities of the marketplace.

Sincerely,Stephen D. Carter, DDS

Dr. Carter is a general practitioner in Snellville, Georgia.

lettersto editor

Letters to theEditor are Welcome

The Georgia Dental Association invites

members to submit questions and comments

for potential publication in GDA Action to Editor

Dr. David Bradberry at [email protected]

or Managing Editor Delaine Hall at

[email protected]. Please note that the GDA

will not publish unsigned letters submitted to

GDA Action, or letters submitted under a

name the GDA office cannot verify. The GDA

reserves the right to edit all letters for clarity

and length. Unpublished letters will not be

returned. Opinions presented in letters and

commentaries are the authors’ opinions, and

do not necessarily reflect the adopted policies

of the Georgia Dental Association.



Congratulations to the DDD Foundation,Inc., on the January premiere of theirfundraising video produced by Encyclomedia.The media firm selected the DDDFoundation, which provides dental carefor patients with developmental disabilitiesthrough a clinic in Atlanta, as the winner ofa competition for a professional video worth$50,000 to showcase their organization.

“The video is inspiring, engaging, andit gives a behind the scenes view of a typi-cal day at the clinic,” said Dr. DeidraRondeno, the dentist who established thefoundation in 1999 and opened the clinicspace in 2002.

Demand for the care that Dr. Rondenoand her staff provide has increased eachyear of the clinic’s existence. As a result,the dental clinic has outgrown its currentspace and is working to raise funds andsecure grants in order to relocate to alarger facility. The Foundation has hosted

5K runs and golf tournaments as a way tobring in money, but the funds raised havethus far gone to meet current financialneed with little left over to plan for expan-sion. So, as 2013 begins, the DDDFoundation will use the video to helpsecure greater community and corporatefinancial support.

“It’s challenging work, yet we havefound a way to provide the servicesnecessary to address the needs of thisunderserved community and we want tohelp many more,” Dr. Rondeno told TheAtlanta World. “It’s also very fulfilling workbecause we leave every day knowing weare making a difference in our patients’lives. Not only are we improving their oralhealth, but we also help to reduce some ofthe stress in the lives of their families andcaregivers who love them and want to keepthem healthy.”

To read more about the DDD Foundation,visit www.dddfoundation.org. You may viewa trailer for the fundraising video atwww.youtube.com/watch?v=P9DKtWREzZ8.

The Ben Massell Dental Clinic of Atlantaturned 100 years old in 2012. Clinicofficials capped a year of remembering thethousands of indigent patients helped byclinic volunteers with a gala fundraiser inJanuary 2013. The event placed a spotlighton the decades of service offered by Dr.Emile Fisher, the first specialist (he is aperiodontist) to volunteer at the Clinicin 1956. The gala also celebrated alldentists who have volunteered to carefor individuals with tremendous dentalneed and educate them about how toobtain optimal oral health. The GDA wasone of two presenting sponsors for thefundraising event.

Kudos to all dentists who volunteer toprovide care for the less fortunate,whether it is at a large facility like The BenMassell Dental Clinic, a clinic that is openone day a week in a church trailer, in their

private offices, or at an event sponsored bya dental organization. The GDA honorsyour commitment to giving back.

The Georgia Academy of Dental Practicehonored Dr. Ronald Goldstein of Atlantawith the chapter’s first LifetimeAchievement Award during its January2013 meeting. He was also chosen as thechapter’s first Honored Lifetime Member.

“We bestowed these honors on Dr.Goldstein to recognize his contributions toesthetic dentistry in Georgia as well asthroughout the world,” said GADPPresident Dr. Joe Chafin. “Our Januarymeeting speakers, Dr. Dennis Tarnow andDr. Stephen Chu, have collaborated withDr. Goldstein in the past, and Dr. Chu hasa chapter in Dr. Goldstein’s newest bookEsthetics in Dentistry. All of this made it

generalnews

NORTHERNDr. Fisher

NORTHERNDDD Foundation

NORTHERNDr. Goldstein

Dr. Deidra Rondeno working in herAtlanta practice that is made up nearlyentirely of mentally challenged patients.The practice won a contest to have aprofessionally produced fundraisingvideo made—this photo is a still fromthe shoot. Dr. Rondeno hopes the videowill help the clinic win funds to supportexpansion.

Ben Massell Dental Clinic volunteerdentists Dr. Stephen Bankstonand Dr. Emile Fisher. Dr. Fisherwas honored at a January galacelebrating the clinic’s 100thbirthday for his 60+ years ofservice and dental philanthropicendeavors.

NEWS AND VIEWSContinued on page 8



the perfect time for the GADP to honorDr. Goldstein.”

Dr. Goldstein is known worldwide as a‘teacher of teachers’ especially withregards to expanding the horizons ofesthetic dentistry of already practicingclinicians. Dr. Goldstein is considered apioneer in making dentists aware of theirpatients’ need for more attractivesmiles in modern society. Dr. Goldsteinand his family endowed the GeorgiaRegents University Ronald GoldsteinCenter for Esthetic and Implant Dentistryin order to educate future dentists on howesthetic teams can provide patients withoptimum cosmetic and functional results.

“Many colleagues and family membersenjoyed the Lifetime Achievement Awardpresentation and reception the GADPheld in Dr. Goldstein’s honor,” said Dr.Chafin. “It was a wonderful day for ourGACD members to have such wonderfulspeakers, and to honor our good friendRonald Goldstein.”

Many of our MCG / GHSU dental schoolgraduates may remember experiencingTable Clinic Day. The Georgia DentalAssociation has been a proud sponsor of

this event for nearly all of the 24 yearsit has been held, and two office staffmembers attended the Clinic Day thisyear in February to provide studentswith GDA and GDIS product and serviceinformation and giveaways. As a PlatinumSponsor, the GDA staff members werealso able to network with students during a

GDA / ASDAClinic Day

NEWS AND VIEWSContinued from page 7

Dr. Ronald Goldstein (fifth from right) was honored in January with the GeorgiaAcademy of Dental Practice’s first Lifetime Achievement Award and as the chapter’sfirst Honored Lifetime Member. Shown are GADP board members Brian Lindke, Dr.Hugh Flax, Rhonda Mullins, Belinda Bryant, Dr. Joe Chafin, Dr. Chris Sholota, Dr. JimForester, Pinhas Adar, and Dr. Jim Merriman. Not pictured are board members Drs.Sarah Roberts and Jill Golsen.



cocktail party the evening before TableClinic Day.

“Having a GDA presence at this eventis important to demonstrate Associationsupport for the students,” said PamelaYungk, GDA Director of Membership.“That helps make it easy for students to sayyes when we ask them to join the GDAupon graduation.

“We typically answer a lot of questionsabout practice insurance and legislativeactivities and a variety of other topics atour vendor area,” Mrs. Yungk continued.“What was nice this year was the numberof students who were excited about takingpart in the Georgia Mission of Mercy. Weprovided them with volunteer informationfor that event.”

Mrs. Yungk was joined in Augusta forClinic Day by Georgia Dental InsuranceServices’ Director of Marketing SkipJones. The staff members will be joined byAssociate Executive Director NeldaGreene in May for Transition Day at thedental school, when senior students havethe opportunity to transfer from ASDA tothe ADA and GDA.

College of Dental Medicine studentsJimmy Cassidy III and Wendy Cardenasat a reception preceding Clinic Day inAugusta.

Vice President of the Georgia RegentsUniversity ASDA chapter Alena Reich fillsout nametags for a pre-Clinic Day event.

Paul Trotter, Chris DeLeon, and BartWilson during Clinic Day at the Collegeof Dental Medicine at GRU. Theystopped to talk with GDA staff membersPamela Yungk and Skip Jones who werepresent for the event.

NEWS AND VIEWSContinued on page 10



The GDA extends sympathy to thefamily and colleagues of the followingindividuals.

William Douglas Lyles, DDS, who diedFebruary 13, 2013, at the age of 70. Dr.Lyles was a member of the GDA throughthe Southwestern District. He was a 1967University of Tennessee School ofDentistry graduate and a general dentist.He was an American Dental AssociationLife Member.

Charles Hardy Roszel, DDS, who diedFebruary 12, 2013, at the age of 70. Dr.Roszel was a 1967 University of MichiganSchool of Dentistry graduate and a gener-al dentist. He was instrumental in estab-lishing the Floyd County Dental Clinicwhich provided care to thousands of indi-gent residents of Northwestern Georgia.

Walter Dan Stinson Jr., DDS, who diedFebruary 6, 2013, at the age of 74. Dr.Stinson was a member of the GDAthrough the Northern District. He was a1963 Emory University School ofDentistry graduate and a general dentist.He was an American Dental AssociationLife Member.

NEWS AND VIEWSContinued from page 9

DENTISTSIn Memoriam

MARCH 2013Sat, March 30: Dental Dash at Dawn 5K Run / Walk, Old FourthWard, Atlanta. 8AM. Benefits the DDD Foundation for the developmentally disabled. Visitwww.dddfoundation.org for details.

APRIL 2013Fri-Sat, Apr 5-6: ADA Conference on Recruitment & Retention,Chicago.

Sat, Apr 6: GDA Board of TrusteesMeeting, GDA Office.

Fri, Apr 12: Georgia Association of Orthodontists Certification Course for Dental Assistants, Marietta, 9AM – Noon. Register atgaortho.org/assistants.

Wed, Apr 17: Northern District CE,Villa Christina, Atlanta, 6:30 Dinner, 7 Lecture.

Fri-Sat, Apr 19-20: GDA PresidentsElect Conference, Lake LanierIslands.

Wed, Apr 24: GDA Transition Day forSeniors, College of Dental Medicine,Augusta.

Fri, April 26: Rehoboth Life Care Ministries Dental Clinic Golf Invitational, Southern Hills Golf Club, Hawkinsville. 1PM. Visit www.careforlifeclinic.com or call (478) 953-7770 for details.

MAY 2013Fri, May 3: GDA Officer Visit toSoutheastern District MembershipMeeting, Savannah.

Mon, May 6: Northern DistrictExecutive Committee Meeting, GDA Office.

Thu, May 9: Central District ExecutiveCouncil Meeting, Macon.

Mon-Wed, May 13-15: ADAWashington Leadership Conference, DC.

Fri, May 17: Southwestern DistrictMembership Meeting, Tifton.

Fri, May 17: Georgia Association ofOrthodontists Certification Course for Dental Assistants, Columbus, 9AM – Noon. Register atgaortho.org/assistants.

Sat, May 18: Special Smiles DentalScreenings, Emory Campus.

Mon, May 27: GDA Office Closed for Memorial Day Holiday.

Fri, May 31: GDA Finance CommitteeMeeting, GDA Office.

Fri, May 31: GDIS, GDHC, GFOHboard meetings, GDA Office.

JUNE 2013Thurs-Sun, June 13-16: GeorgiaMission of Mercy, North Atlanta TradeCenter, Norcross.

Fri-Sat, June 14-15: GDA ExpandedDuties Assistants Course, Athens. See www.gadental.org for registrationdetails.

Fri, June 21: LEAP Course, GDAOffice.

Sat, June 22: GDA Board of TrusteesMeeting, GDA Office.

Sat, June 22: Emile T. FisherFoundation for Dental EducationBoard Meeting, GDA Office.

JULY 2013Wed, July 4: GDA Office Closed forIndependence Day Holiday.

Thurs-Sun, July 25-28: GDA AnnualMeeting, Hilton Head, SouthCarolina. See www.gadental.org forregistration details.

AUGUST 2013Sat, Aug 10: GDA Board of TrusteesMeeting / Committee Orientation, GDA Office.

Upcoming GDA / Dental Events

Need to consult a back

issue of GDA Action?

Find them at

www.gadental.org.

Select the

“For Members”

green button and then

choose the “GDA

Publications” link from

the drop down menu.



Beginning January 27, 2013, merchants,including dentists who accept credit cardpayments, will have the option of imposinga surcharge of up to 3% on consumers whenthey use a credit card to pay for services.This surcharge is the result of what may bethe largest anti-trust settlement in U.S.history. The litigation began in 2005when a group of retailers claimed thatMasterCard, Visa, and nine other companiesconspired to fix the fees that stores pay toaccept credit card purchases. After yearsof negotiations the credit card companiesand banks settled the case by agreeing topay $6 billion to the merchants who sued.What is important to businesses andconsumers is that part of the settlementallows merchants to charge customersa fee equal to the cost of acceptingcards, which was previously prohibitedby the credit card companies. Whilemerchants may charge consumers theadditional fee, merchants are not requiredto assess the surcharge.

Dentists should keep the followingfacts in mind both when using a credit cardto pay for purchases and in consideringwhether to charge patients a surcharge.GDA members may call the GDA office at(800) 432-4357 with additional questions.

• Before choosing to apply any surcharge,dentists may want to consider a numberof factors, including what potentialimpact the surcharge may have on yourpatients’ experience in your office;whether others in the profession mayapply the surcharge; and what informa-tion must be disclosed to your patients.

• Retailers, including dentists, may notapply the surcharge to purchases madeusing a debit card or a prepaid card.

• The surcharge applied to purchases maynot exceed 3% even if the retailer ischarged more than that by a credit cardcompany.

• Should a retailer, including a dentist, chooseto impose a surcharge on credit card

purchases, customers must be notified ofthe surcharge before they make the actualpurchase. A sign must be conspicuouslyplaced at the store or facility entranceand at the point of sale. If the purchaseis occurring on-line, a sign must be onthe first page that references credit cardbrands. Many of the credit card compa-nies will have sample point-of entry andpoint-of sale language that retailers canuse in their facilities and on their websites.

• Surcharges must be disclosed on everyreceipt, whether the purchase is in-storeor on-line. This probably means that thereceipt provided to a patient in a dentaloffice must state that a surcharge wasadded to the bill should the dental officeelect to apply the surcharge.

• It has long been illegal to charge a cred-it card surcharge in 10 states: California,Colorado, Connecticut, Florida, Kansas,Maine, Massachusetts, New York,Oklahoma, and Texas. The surchargewill continue to be illegal in those states.The remaining 40 states, includingGeorgia, will allow the new “checkout”fee. However, if a buyer in one of the 10states makes a purchase online and thecompany is in one of the 40 states whichpermit the surcharge, the purchaser mayhave to pay that additional charge.

• Dentists may need to notify their creditcard company representatives of theirintent to charge the surcharge. To deter-mine if this is required, dentists shouldsimply contact the company to inquire.

Credit Card Surcharges:What Dentists Must Know When Using and Accepting Cards



As if the previous thousands of pagesof Health Insurance Portability andAccountability Act (HIPAA) regulationsweren’t enough, the long delayed HIPAAOmnibus rule, all 563 pages of it, wasissued at the end of January. The new rulemakes significant changes to the existingrules and requires us to change ourprocedures once more, all in an effort tokeep patient information safer.

Unfortunately, as with most govern-ment regulations, the end effect to thosewho are governed by the rule is that wehave much more cost and liability. At theend of the day, who knows whetherpatient information will be any safer thanit was before? Regardless, dentists mustcomply with the new HIPAA rules bySeptember 23, 2013. And it is myopinion that we are all going to have tomake some changes in the way we practicedentistry to comply.

Penalties for ViolationsWill Increase DramaticallyUnder these new rules, the penaltystructure has changed significantly; infact, a fine can now be as much as $1.5million per violation. These fines arepartially based on how much of aneffort you’ve made to get your office intocompliance and what actions you’ve takento ensure that your patients’ information issafe. If you have not made a significanteffort to take adequate precautions to pro-tect your patients’ information, this can beconstrued as “willful neglect.” This meansthat you knew (or should have known) thatyou had a problem and failed to take stepsto correct it. The more neglect, the big-ger the fine, so making a significanteffort is incredibly important.

Regular risk assessments and regular,well-documented training demonstrateseffort on your part and shows that you areserious about complying with the rules.These actions would hopefully minimizeany potential HIPAA fines.

HIPAA Breaches andMalpractice Coverage Most dental malpractice insurancecarriers will pay for certain HIPAAviolations, but there are exceptions.Check with your carrier to see howmuch coverage you have and what theterms are in the event of an issue. AdditionalHIPAA coverage can be acquired; however,be aware that if a violation is considered tobe a result of willful neglect, oftentimes,your malpractice carrier will refuse to paybecause it is considered to be an inten-tional act on your part, and therefore, isnot covered by insurance.

Set Up and Maintain a HIPAA ProgramIf you are not already doing so, now is thetime to set up a HIPAA program inyour practice and maintain the programregularly. Get a manual, choose a securityofficer in your office to oversee the HIPAAprogram, and then fill out the manual soyou have written policies and procedures.The American Dental Association sells“The Practical Guide to HIPAA Training”for $202.50 as one possible option. You canalso find information about policies andprocedures at www.hhs.gov/ocr/privacy.

Perform regular employee training onHIPAA issues, as needed, and documentthe training. Most importantly, you need toperform regular risk analyses and assess-ments to evaluate potential issues in youroffice regarding patient information, takeaction to fix any problems you find, andthen document your actions. You can’t dothis once and then say you’re done. Therisk assessments must be done whenevernecessary, and at least on a regularlyscheduled basis. The schedule needs to bedocumented in your materials.

Posting of Policies andPatient AcknowledgementsThe new rules require us to makechanges to our existing privacy policies.You do NOT have to distribute the

new policies to current patients orhave them sign a new acknowledge-ment of receipt. However, you wouldhave to post the new policies, havecopies available for those patients whorequest them, and distribute thesenew policies to new patients and havethem sign an acknowledgement.

If a practice has a web site or socialmedia presence, such as a Facebook page,and posts privacy notices there, commonsense would dictate replacing all currentnotices with the new information.Including a statement that the practice haschanged its privacy practices, and thatpatients should read the new informationcould show a good faith effort to ensurepatients are aware of the updated practices.

The new policies must state that apatient’s information cannot be sold orused for marketing or fundraising purposeswithout previous signed authorization bythe patient, and that a patient will beinformed if there are any financialconflicts of interest with the dentist andany products or services utilized within thepractice or as part of treatment. Thepatient must also acknowledge thisconflict of interest statement in writing.The policies must state that a patient willbe notified of any breaches of informationin a timely manner.

The new rules also state that if apatient personally pays for a procedureand asks that information about thatprocedure NOT be disclosed to theirinsurance company, so long as the patientpays in full for the procedure in a timelymanner, the practice cannot make thedisclosure.

If you use electronic health records,and patients want an electronic copy oftheir records, they should be able to get anelectronic copy, if possible. If patientinformation is not maintained in an elec-tronic format, then the information mustbe provided in a mutually agreed uponformat. The rule specifically states that ahealth care provider doesn’t have to buynew software or change a current computersystem in order to comply with this

New HIPAA Rules: Dentists to Face More StringentNotification and Reporting Requirements Laney Kay, JD



requirement. If a patient requests, in writing,that a copy of his record be sent to a specificthird party, the record must be sent, asdirected.

Big Changes Coming in Business AssociateDisclosuresSome of the biggest changes we willsee involve business associates.According to a presentation made in June2012 by an attorney with the Departmentof Health and Human Services, more than20% of all large breaches of private healthinformation are caused by business associ-ates.(1) With that sort of track record,business associates came under fiercescrutiny by federal regulators. The resultis that under the new regulations busi-ness associates are now regulated bythe HIPAA rules. They are subject to thesame liability and the same fines andpenalties, and they must adhere to thesame policies and procedures and complywith all of the HIPAA requirements.

Many of your business associates maynot be aware of these new rules, so beforeyou renew any contracts with them, letthem know that they will be subject to allHIPAA requirements and what thatmeans. This is especially important if youdeal with someone who, for example,shreds secure patient information as a sidebusiness, or performs work for your prac-tice as a favor. If there is a breach and theHIPAA agencies start investigating allinvolved parties, the ramifications to bothof you may be huge.

I imagine that there are some compa-nies that are going to stop working withhealth care providers altogether becausethey don’t consider it worth the hassle ofdealing with HIPAA.

In case you do not recall or know, abusiness associate is a business entity thatrequires access to your patients’ privatehealth information on a routine basis aspart of performing tasks. If the businesscreates, receives, maintains, or transmitsdata on your behalf, that entity is a busi-ness associate. Here are some examples ofbusiness associates in dentistry:

• Anyone who stores your patients’information or converts, or transmits it,or transcribes it;

• Anyone who works on your computersystem and has access to your patients’information;

• A consultant, lawyer, or accountantwith access to patients’ personal healthinformation;

• A clearing house that prepares electron-ic claims for filing with insurance compa-nies;

• A shredding company that takes patientcharts offsite for disposal;

• Your dental software company if theyhave remote access to your system;

HIPAAContinued on page 14



• Billing services, collection agencies, andany other entity that accesses yourpatients’ financial information.

Please note that dental labs, insurancecompanies, other doctors, and phar-macies are not business associates anddo not require an agreement.

Does the liability of our businessassociates relieve us of our liability ifthey screw up? Of course not. Thegovernment is now allowed to fine every-one, but ultimately, we are still responsiblefor the acts of our business associates andanyone working for them on our behalf,and are responsible for ensuring thatpatients are properly notified and protect-ed in the event of a breach.

So how can we protect ourselves?The most important thing is to make

sure that we have written agreementswith our business associates thatclearly designate each party’s respon-sibilities. The agreements need to haveindemnification agreements that acknowl-edge that, in the event of a breach causedby the business associate, it will be respon-sible for all announcements and notifica-tions, and will pay for any actions neededto mitigate damages, such as credit protec-tion services.

If your business associate has subcon-tractors, you do not have to have personalagreements with the subcontractors; thatis your business associate’s responsibility.However, make sure that your contractincludes a section that says that the busi-ness associate is also responsible forindemnification of any damages caused bysubcontractors. Since you are still ulti-mately liable for the acts of your businessassociates and any subcontractors theyhire, these agreements are very importantto protect your interests in the event of abreach.

Big Changes on Way in Breach Definition and Reporting The new rules will also bring us significantchanges in the definition and report-ing of breaches. Basically, a breach is ause or disclosure of protected healthinformation which compromises thesecurity or privacy of a patient’s protectedhealth information. What are examples ofa breach? The most common example iswhen a computer gets hacked or gets avirus, but can also include situations inwhich a computer, smart phone, or backupdevice such as a thumb drive or externalhard drive containing patient informationis lost or stolen.

It is also a breach if you mail oremail one patient’s bill to anotherpatient or you fax a patient’s informa-tion to the wrong fax number.

Under the old rules, if a breachoccurred, the business would need toevaluate the situation to see if the breachcould result in a risk of significant risk of

HIPAAContinued from page 13



harm to the person; if so, notificationwould have to be performed. Under thenew law, if any situation occurs thatcould compromise patient information,it is presumed that a breach hasoccurred and notification is necessaryunless a risk assessment shows that itis not likely that the information hasbeen compromised.

You can’t just say ‘it’s not a breach’ ifan incident occurs. You must perform arisk assessment to determine if a breachoccurred. Since the presumption is that abreach has occurred, unless you candemonstrate a low probability that theinformation was compromised, an assess-ment must be performed to see whetheryou need to go any further. Every riskassessment must be done thoroughly,completely, and in good faith and theconclusions have to be reasonable.

A proper risk assessment considersfour factors, and all four of these factorsmust be considered together in orderto make a reasonable assessment of thesituation.

1) First, evaluate what type of informationwas potentially compromised and howmuch was actually disclosed. If you have asituation where only patients’ names weredisclosed, but no other information, that ismuch less of a problem than if thepatients’ Social Security numbers anddates of birth were disclosed.

2) Second, consider who received theinformation. For example, consider a situ-ation where you accidently faxed thewrong patient’s information to a specialist.They called and told your office that yousent the information to the wrong doctorbut that they destroyed it as soon as theyrealized the mistake. Because they are adoctor you are familiar with and they arealso a health care provider who is underHIPAA constraints, it is unlikely the infor-mation would be used improperly. In thiscase, it is likely that a completed riskassessment would show little likelihoodthat the information was compromised, sono breach notification would be necessary.In that case, you would finish the risk

assessment, document your findings, andplace a document in your HIPAA manualto show you properly evaluated the situation.

On the other hand, if you accidentlyfax a patient’s medical record to hisemployer, that’s an entirely different situa-tion and it is likely that notification wouldbe necessary.

3) Next, determine whether the informationwas actually acquired or viewed or if therewas only the potential for those scenarios.For example, if you had a laptop stolen andthe cops caught the guy coming out theback door before he had a chance to doanything with the machine, it is unlikelythat a risk assessment would show that tobe a reportable breach. If an EOB was mailedto the wrong patient, and it was returnedto you unopened, a risk assessment would

HIPAAContinued on page 16



show that the information had not beencompromised. If the patient received adocument mailed to them in error, openedit, and called you to tell you they got thewrong bill, patient information has beencompromised.

4) Finally, consider the extent to whichthe risk to the information has been miti-gated. In some situations, it is possible todetermine that there is little risk that thecompromised information will be usedimproperly. For example, if the wrong typeof patient information is sent to a businessassociate or practice employee and theyassure you the information was immedi-ately destroyed and will not be used, thelikelihood that the information will be dis-closed is minimal. Or, if information is sentto an unauthorized person, and they sign aconfidentiality agreement assuring that theinformation will not be used or disclosed,depending on the situation that may besufficient activity to prevent improperusage of the information.

Once you determine a breach hasoccurred, the method of notificationrequired by the HITECH rules are still ineffect. (The Health Information Technologyfor Economic and Clinical Health Act wascreated in 2009 to promote widespreadadoption of health information technologyand forced the modification of HIPAA pri-vacy, security, and enforcement rules.)

First, whenever a patient’s informationis breached, the patient has to be notified.If the breach involves fewer than 500 peo-ple in a single geographic area, thenthe breach has to be logged and reportedto the U.S. Department of Health &Human Services (HHS) at “the end of theyear in which the breach was discovered,”and patients have to be notified as soonas possible.

If the breach involves more than 500people in a single geographic area, youmust notify HHS and your patients imme-diately, and absolutely within 60 days ofthe breach. You must then notify the localmedia. This could involve calling the localtelevision station, or sending a press

release for publication to a newspaper thatserves the affected area. The media notifi-cation has to contain the same informationas the information given to the patients,which is generally:

• A brief description of what happened;

• Description of the type of informationinvolved;

• The steps involved individuals shouldtake to prevent further harm;

• Information on what your office is doingto investigate, mitigate harm, and pre-vent future breaches; and

• Phone numbers and addresses (includinga toll free number) that patients can useto contact the office with any questions.

You also have to try to mitigatethe situation as much as possible. WhenBlueCross BlueShield suffered a breach,they offered credit monitoring to 2.5million patients for a year. Credit mon-itoring costs at least $10 a month perpatient. Do the math. Add in notificationcosts, negative publicity costs, the hassleand stress of HIPAA coming in your officeto investigate the breach, AND possiblefines, and you are looking at an unbeliev-ably expensive problem.

Some Exceptionsto the Breach RuleThere are specific exceptions to the breachrule that do not necessitate notification orevaluation. If a person who is supposed tohave access to patient information acci-dently accesses information that sheshould not have access to, but no furtherdisclosure happens, that’s not a breach.This isn’t usually relevant in dental facili-ties, but an example would be if an insur-ance processor in a large dental practiceaccidently goes into the clinical record andthat is not the information she’s normallysupposed to access. Another exceptionwould be a situation in which a disclosureis made to an unauthorized person, but theunauthorized person couldn’t access orretain the information. Examples of thissituation would be if you mailed a bill tothe wrong patient, but the mail wasreturned unopened meaning the informa-

tion wasn’t viewed, or your front desk per-son hands the wrong EOB to a patient butimmediately realizes it and retrieves itbefore the person has a chance to look atthe information.

How Dental OfficesCan Avoid a BreachThe HHS HIPAA web sitewww.hhs.gov/ocr/privacy lists of all theentities that have suffered breaches involv-ing 500 or more patients. If you look at allof the small health care providers on thelist, almost every single breach was relatedto a stolen device, either a computer or anunencrypted smart phone with full accessto patient information. Occasionally, thelist notes that a computer was hacked or abackup was lost, but most of the incidentswere related to stolen or compromisedtechnological devices.

The best way to deal with a breach isto avoid a breach. What is the singlemost important thing we can do toprotect our patients’ information andavoid potential breaches? Encryptyour hard drive.

There are only two methods ofmaking patients’ information unusable:shredding it, or encrypting it. If theinformation on your hard drive isencrypted and the hard drive isstolen, or lost, or someone hacks intoit, the information is not usable. If theinformation isn’t usable, a risk assessmentwill show that a breach has notoccurred and the breach notificationprocess is avoided. As we’ve discussed,that’s a huge deal.

Talk to your computer support personabout encryption. There can be problems,especially if you have an older system.Encryption can slow down a computer tothe point that it’s almost unusable. In thatcase, you may have to weigh the costs andbenefits of upgrading your system versusrisking a breach. My personal opinion isthat it’s cheaper to upgrade your systemthan deal with a breach, so consider yourdecision carefully.

Some computer experts have arguedthat using encrypted passwords is suffi-cient and will comply with all ofHIPAA’s requirements of how to protectinformation from unauthorized access.That is absolutely true. Encryptedpasswords are perfectly adequate

HIPAAContinued from page 15



protection from someone being ableto easily access your equipmentand will absolutely satisfy what isrequired by HIPAA . However, ifsomeone breaks into your office andsteals your computers, or takes yoursnazzy smart phone that has access toyour system, or hacks into your system,that is a breach. If they can get past thepasswords, the information is fullyaccessible to them because it’s notencrypted and is therefore usable.That’s a breach, and notification is neces-sary. If it’s encrypted, a risk assessmentwill show there’s no breach. That’s anenormous difference.

What Do We Need To Do Now?Bottom line, here are four of themost important things you can do toprotect yourself and your patients’information under this new rule:

(1) Set up a HIPAA program and maintainit regularly;

(2) Encrypt your hard drive to protect yourpatients’ information;

(3) Understand the concept of businessassociates and the related liability issuesand make sure you have business associateagreements that protect you and yourpatients’ information;

(4) Always disclose the minimum amountof information necessary when dealingwith patients’ information.

There is plenty of information outthere to help you get your office into com-pliance. Good luck!

References1- Slide 9, “Breach Notification for HIPAACovered Entities and BusinessAssociates,” June 7, 2012.http://csrc.nist.gov/news_events/hiipaa_june2012/day2/day2-4_dholtzman_ocr-hitech-breach-notifcation-rule.pdf.

Laney Kay, JD, of Entertaining Training,LLC, has been writing and speaking ontechnical and regulatory topics andwomen’s issues since 1989. Her expertise isin taking very complex and / or incrediblyboring topics and making them fun andinformative. She has written many articlesfor state and national journals and hastaught courses at multiple Hinman DentalSociety and American Dental Associationmeetings as well as at many other national,state, and district meetings, study clubs,and individual offices all over the country.



I am not an alarmist, so please understandthat this article is not intended to createfear or anxiety. After practicing law forover 29 years, I consider myself a realist.That is why I find it markedly troubling toregularly meet with clients who find them-selves in financial or legal trouble aftersigning binding contracts or agreementswithout having had an attorney reviewthem beforehand. This category of docu-ments typically relates to CommercialLeases, Asset Purchase Agreements,Employment / Independent ContractorAgreements, and construction contracts.The importance of having these bindingagreements reviewed by counsel cannot beoverstated. Signing them without anattorney’s advice is exposing yourselfto hidden perils and obligations forsignificant events in your professionallife.

Most clients who present with thisissue voice the same reasoning: “I used anagent for my lease (or a broker for buying/ selling my practice), and I thought theywere looking out for me.” Now, let me beabsolutely clear: It is never my intent todisrespect or criticize these professionals.I work with dozens of them, and havefound most to be very qualified and hon-orable people, and am not suggesting thatyou eliminate them from being involved.They provide a very valuable service, andknow the opportunities and pricing for themarketplace. However, they are not attor-neys and often times do not recognize thelegal issues involved with these docu-ments, especially some specific concernsfor health care professionals.

Commercial Leases Aren’t Simplyall Location, Location, LocationThe attorneys for a landlord customarilydraft lease documents. Typically they arewordy and lengthy, sometimes up to 75

pages, and are intentionally worded toprotect the landlord’s interests.Tenant brokers are utilized to negotiatethe business terms, and some are morefamiliar than others with the legal issuesrelated to the health care professions.Good brokers suggest having the client’sattorney review the letter of intentand lease before they are executed.Unfortunately, some others do notrecognize the specific areas of criticalimportance to dentists and physicians.

For instance, one of the biggestpitfalls that often times is unaddressedby brokers and tenants in the negotia-tion of commercial leases involves thetenant’s right to “assign” the leaseupon the sale of their practice. I havebeen retained on numerous occasions toassist when the tenant wishes to sell his orher practice, and the landlord either refus-es to consent to the assignment ordemands that the existing tenant remainresponsible until the end of the lease. Thisridiculous scenario is the same as sellingyour house and having the new mortgagecompany demand that you guarantee thefuture mortgage payments by the buyer.How unfair is that?

Similarly, the typical commerciallease requires that the tenant beresponsible for the replacement of themajor components related to theHVAC system, as opposed to the main-tenance, even though the units areowned by the landlord and may benear the end of their life before youtake possession of the premises.Having an operational HVAC system inplace is a necessity for the property, so thelandlord would have it whether or not youwere there. You are renting the space for afixed period of time and have no owner-ship interest in the property. This obliga-tion could cost you thousands of dollarsand could essentially allow the landlord to

have a new system installed, at your cost,long after you move out of the premises.

The final point on this topic for thisarticle, though definitely not the last con-cern, relates to the tenant’s obligation foradditional expenses known as “CommonArea Maintenance (CAM)” charges orlandlord’s “Operating Expenses.” Whennot reviewed to assure otherwise,commercial leases make this categoryincredibly broad and at times oppres-sive for the tenant, basically ensuringthat the landlord is reimbursed forevery single operating expense itincurs. Clearly defined parameters mustbe incorporated into the lease to identifyexactly which expenses qualify for reim-bursement and which are excluded fromthe tenant’s responsibility.

What You Are Actually Buying inthe Asset Purchase AgreementBuying a practice is usually either the mostexpensive or second most expensive ven-ture undertaken by a dentist or physician.I work with the majority of the brokersactive in the Georgia market and findamong them a wide array of philosophieson the issue of retaining legal counsel.Some are receptive and encouraging, rec-ognizing that having the purchaser do soalso protects the broker from liability.Unfortunately, others aggressively discour-age the purchaser from having counselinvolved to review the documents, despitethe fact that virtually every agreement ofthis type includes a front page disclaimerstating that it is a legal document whichshould be reviewed by each party’s finan-cial and legal professional. There isabsolutely never a sound reason forentering into a practice transactionwithout having your accountant andattorney involved in the process.Attorneys exist to assist with the comple-

The Unrecognized Pitfalls ofSigning Legal Documents Without Counsel

Legally Naked in a Well-Dressed World:

Andrew Shaul, Esq.



tion of the deal while protecting clientinterests, not to sabotage the process orundermine the broker, and certainly neverto have a client incur unnecessary costs.

All “Asset Purchase Agreements” or“Purchase Sale Agreements” shouldinclude the proper warranties and repre-sentations from both the purchaser andseller, which should not be ambiguous orconflict with other provisions. The purchasershould be protected from false or misleadingclaims about the practice, and both partiesshould have recourse if things go wrong.You should involve an attorney to protectyour interests. I have personally han-dled several dozen breach-of-contractclaims over the years related to AssetPurchase Agreements which involvedblatant lies and omissions about thetrue condition of the practice beingpurchased. I have found that the inclusionof the proper language in these documentsprovides for accountability and allows anaggrieved party the contractual support topursue the appropriate legal recourse.

Employment and IndependentContractor Agreements: A Job for Your AttorneyIn Employment / Independent Contractoragreements the focus is frequently on howmuch you will be paid. Fair enough, asthat is naturally of major importance to usall. However, it pays to give appropriateattention to the other provisions of theagreement. For example:

• Are you really being offered a set term ofone or two years, or does the terminationsection allow either side to end the rela-tionship with 30 or 60 days notice? If so,are you recognizing that you only haveemployment for this period of time?

• If the contract is terminated within theinitial 30, 60, or 90 days, are you con-tractually bound by the restrictivecovenants? If you are changing jobs ormoving to a particular city, please recog-nize that you may be barred from work-ing at another desired location if thecovenants are excessive.

• Does the agreement truly say that you’llbe able to buy-in at a designated time, ordoes it say that discussions about thebuy-in will begin?

• How are patients being assigned to you?If you are being compensated through apercentage of collections, you are notgoing to be very happy if most of yourday involves checking hygiene!

• Are you entitled to your percentage ofcollections for any period of time afteryou leave or are terminated withoutcause? If not, you may be leaving thou-sands of dollars on the table.

• As an employer, are you protecting yourpatient records and other proprietaryinformation from being copied by adeparting associate?

LEGAL DOCUMENTSContinued on page 29



Advances in technology have broughtabout valuable ways that dentists can keeptrack of patient information electronically.Unfortunately, along with the technologi-cal advances have come waves of new reg-ulations to control how electronic informa-tion is stored and transmitted. This is inaddition to regulations already on thebooks regarding control of paper records.

As you will read elsewhere in thisissue, a new Health Insurance Portabilityand Accountability Act (HIPAA) rule ismaking significant changes to existingrules regarding patient information in adental office and what dentists must do inthe event of a breach of that information.Dentists will likely be required to makesignificant changes to their office proceduresin order to keep patient information safe.

As the September 23, 2013, date forcomplying with the new HIPAA lawapproaches, the GDA expects dentists tobe bombarded with offers for compliancematerials. One phrase dentists are likely tohear is “cyber liability.” GDA subsidiaryGeorgia Dental Insurance Services(GDIS), along with GDIS insuranceprovider The Hartford, offers thisguide to data breaches, patient informationsecurity, and how cyber liability insurancemay provide an option to dental officeswho want assistance with protecting theirpractices. After reading the guide, GDAmembers are welcome to call a GDISrepresentative at (800) 432-4357 or(404) 636-7553 to find out more on thecoverage, its costs, and its value.

Q: What is considered a data breach?

A: A data breach is considered as the loss,theft, accidental release, or accidentalpublication of Personally IdentifiableInformation (PII) and Protected HealthInformation (PHI). This informationcan include Social Security numbers,bank account numbers, credit or debitcard numbers, driver’s license numbers,email address, and a patient’s history andmedications.

Q: What are the most commoncauses of breaches?

A: Mostly, it is us—humans who commithuman errors. Consider these reports:

According to The Hartford publica-tion “Data Breach: Just the Facts,” com-mon causes of breaches are theft or releasedue to unauthorized access (such as by for-mer employees or vendors); stolen or lostpaper and electronic files; stolen or lostlaptop, smart phone, tablet, or computerdisks; stolen credit card information; hack-ing; and employee error or oversight.

A study entitled “The Post BreachBoom” published by the PonemonInstitute© in February 2013 identifiedemployee or contractor negligence andsystem error or malfunctions as the twoprimary types of data and security breachincidents. Malicious insiders and externalattacks were less prevalent. The studyfound that an organization’s failure tothoroughly wipe or erase a device containingsensitive or confidential data and anemployee or contractor losing a devicecontaining sensitive or confidential datawere prominent reasons that a breachoccurred.

The Ponemon study went on to notethat 34 percent of their study respondentsdiscovered a non-malicious breach only byaccident after an average of 49 days.

Human errors are the most commonthreats to exposing a person’s personalinformation to data breaches accord-ing to an analysis of reported databreaches by Rapid7, a security intelligencecompany. Rapid7 compiled the databreach information for the analysisbased on the number of reported publicinformation data breaches from January2009 to May 2012 in the Chronology ofData Breaches maintained by the PrivacyRights Clearinghouse, a nonprofitprivacy advocacy group.

A 2012 news story from the creditreporting agency Experian noted that thebiggest factor responsible for the largestnumber of breaches of data was unintended

disclosure due to negligence and clericalerrors. The second most responsible factorwas the loss of a portable data storagedevice. Hacking was relatively low onthe list.

Q: I already have a Business OwnersProperty coverage plan. Aren’t Iset in the case of a breach?

A: Cyber liability or security coverage istypically not offered as part of standardBusiness Owners’ coverage. These planswere created to cover standard risks, likefire or theft, and honestly, advances intechnology and their attendant risks havesomewhat outpaced what insurers consideras risks. Businesses must consider everyday whether to purchase special coveragedepending on their degree of risk. Forexample, a business owner with a facilitynear a river may decide to purchase floodcoverage. A large retailer with numerousemployees might carry coverage foremployee dishonesty, which covers loss ofbusiness property due to embezzlement,fraud, or another criminal act. Any business,small or large, that handles or stores anyprivate business, customer, patient, oremployee data is at risk from a databreach. This includes dental practices. So,the purchase of cyber liability coveragecould mitigate that concern for a dentalpractice and provide peace of mind.

Q: If I decide to purchase an insuranceendorsement for data breaches,what is my cost?

A: The cost of coverage varies accordingto practice size and other factors, such asthe sensitivity of your data, the controlsyou already have in place to protect yourinformation, the limits of coverage thatyou select, and policy features you choose,such as third party legal defense. Policiesmay range from $300 to $2,000 per year.A GDIS representative can help youdetermine your true cost.

How to Decide Whether Cyber Liability Coverage is the Answer to the Threat of Data Breach in the Dental Office



Q: What sorts of breaches candental offices experience?

A: A review of recent data breachesexperienced by dental offices brings upseveral scenarios. A 2012 incident inCalifornia resulted when a vendor visitinga dental office to help upgrade the prac-tice’s imaging and management softwaredownloaded patient files, including SocialSecurity numbers, onto an unencryptedUSB device. The vendor then placed theUBS device in an envelope and sent it in

the regular mail to the vendor headquarters.The envelope arrived torn and without thedevice. What likely happened is that the devicewas ripped from the envelope by post officeprocessing equipment. Nevertheless, theincident was considered a breach, and thepractice had to notify patients and the state.Other recent incidents include thefts ofoffice laptop and desktop computers, andseveral instances where dental officesimproperly discarded patient records dueto be shredded in public trash receptacles.

Q: I am never going to throw anyrecords in the trash. I have a firewallon my practice computer system.Why might I need cyber liabilitycoverage?

A: The cost of the coverage is relativelylow in comparison to what could be instore for a dental practice should a breach

1. Lock and Secure Sensitive Information Stored in PaperFiles and on Removable Storage Devices. Theft or loss, andthe subsequent unauthorized release, of sensitive data, orPersonally Identifiable Information (for example, SocialSecurity number, credit / debit card information, medicalrecords / charts), stored in paper files and / or a removablestorage device may constitute a data breach. Never leavesensitive information unattended. Store it in a lockeddrawer, cabinet, safe, or other secure container when notin use. Also consider installing an alarm system that alertslaw enforcement if you have a break-in on your premises.

2. Restrict Access to Data. Restrict access to sensitive data,whether physical or electronic, to those who have a “needto know.” Most employees do not need unrestricted accessto your company’s entire network. Remember to limit net-work access on computer stations located in public spaces,such as the reception area.

3. Properly Dispose of Sensitive Data When No LongerNeeded or Required. Shred documents containing sensitivedata prior to recycling. Remove all data from computersand electronic storage devices—including those on copymachines—prior to disposing of them.

4. Record and Regularly Review Data Practices. Distributeand explain data protection practices to all employees.Review and revise these practices on a regular basis—atleast annually. Make sure to retrain staff as changes to yourdata practices are made.

5. Password Protect Systems. Password protection helps toprevent unauthorized access to sensitive information, pro-tect security of personal information, and prevent unau-thorized access to user and email accounts. All users shouldbe assigned unique user names and strong passwords foraccess to systems—changed at least quarterly. Conduct apassword audit on a regular basis.

6. Encrypt Data. Encryption helps protect the security andprivacy of files as they are transmitted or while on your

computer. Install encryption onto all laptops, mobiledevices, flash drives, and back-up tapes, and encrypt emailsthat contain sensitive information.

7. Ensure That Remote Access to Your Network is Secure.Remote access to your network should be made throughappropriately enabled Virtual Private Network (VPN) con-nections and multi-factor authentication (e.g. soft tokensor fingerprints in addition to passwords). Passwords shouldbe changed on a regular schedule and meet minimumcomplexity and length requirements.

8. Keep Software and Operating Systems Current. Keepingyour software and operating systems current by installingsoftware and security updates is your first line of defenseagainst hackers, who often take advantage of unprotectedsystems to gain access to sensitive data stored on a com-puter. You should also have a firewall and up-to-date anti-virus programs. A firewall helps to prevent your systemfrom being attacked, while anti-virus software inspects thefiles and programs on your system to ensure they are notinfected. Both are critical in helping to protect sensitiveinformation stored electronically. To maintain the most up-to-date protection, download recently issued system andsecurity updates and antivirus and anti-malware updates tohelp protect you against the newest forms of viruses,Trojan horses and other malicious software.

NOTE: If your network security functions are outsourced toa Third Party, obtain documentation to understand howyour company’s data is protected, and, when appropriate,perform on-site due diligence. It’s also important to havecontract language that specifies privacy and data securityexpectations and grants you the right to audit theThird Party.

While these data protection policies, procedures, andtraining can help reduce the likelihood of a data breach,no company can be completely certain that its customer,patient, or employee data could never be at risk. To learnmore, visit www.hartforddatabreach.com.

The Hartford Provides Tips to Help Reduce Your Risk of a Data Breach

CYBER LIABILITY COVERAGEContinued on page 30









Dental Equipment for Sale

For Sale: Panoramic machine, PC-1000Panoramic Corporation and developer. SchickIntra Oral sensors with USB connectors(2/4) 3. Ader 3045 Perception Units (2).Apollo Suction 1.5 HP. Call (404) 229-2998 or email: [email protected].

Dental Related Services

Hands On Extraction Class. SaturdayAugust 31, 2013. Myrtle Beach, SouthCarolina. Eight hour AGD approved CEclass. Taught by Drs.’ Fletcher and Murph.Participants will learn about crane picks,301 elevators, extraction techniques,elevating flaps, and suturing. For moreinformation call Dr. Murph at (843) 488-4357or email [email protected] offering 40-hour Hands on Classesin Guatemala.

Dentists Availablefor Locum Tenens

Dentist available daily for illness, CE,etc. to check hygiene and emergencies.Buckhead, Sandy Springs, Dunwoody, allof North Fulton, Cobb County. Reasonabledaily rate. Call PETE TRAGER (404) 303-1204 or (404) 226-6457.

Dentist will fill in for illness, vacation, orcontinuing education. Licensed, insured,DEA #. Call (404) 786-0229 or [email protected].

DENTIST: Need Part Time Fill In?Vacation, Illness, Maternity? GENERALDENTIST SOLD LONG ESTABLISHEDPRACTICE. GA & DEA LICENSED.(Available Expanded Atlanta Area.) Cell:(404) 219-4097. Home: (404) 842-1196.Jesse Hader, DDS.

Dentist available during emergencies,vacation, CDE courses. I have a currentlicense, DEA certificate, and insurance.Contact me at (706) 291-2254 or cell (706)802-7760. I hope I can be of service to you.Patrick A. Parrino, DDS, MAGD.

Positions Available

Full & Part time positions available forGeneral Dentist, Endodontist, andPediatric Dentist for Fulton, Henry,Clayton, Cobb, & Gwinnett counties.Medicaid Provider number is a plus.Please call Angie at (770) 968-4602 or faxresume to (770) 692-0452. Or please [email protected].

Dental Consultant Position: Responsiblefor the review and determination of claims andpreauthorization sent in by dental specialistsand other providers. Works closely withDeltaCare Operations Department inAlpharetta and is expected to abide byDeltaCare USA processing policies. A DDS orDMD degree from an accredited dental school.A minimum of 5 years of private practicedentistry and 2 plus years of training. Emailinquiries to [email protected].

Associate—Atlanta: Lucrative opportu-nity for an experienced general dentist.Large patient base, well-established prac-tice, high income area. Extensive crownand bridge, CAD / CAM, implant restora-tive, composite operative, esthetic den-tistry including DaVinci Veneers. Ability toperform rotary endo a plus. Excellentcompensation package. Please emailresumes to [email protected] or faxto (770) 926-8483.

SAVANNAH: General dentist with a caring,patient focused approach wanted to joinbusy practice. Associate and / or buy-inopportunities are available. Please contactNick Cease, (502) 254-8514, [email protected].

CLASSIFIEDSContinued on page 26

classified ads

How GDA members canplace classified ads

AD FORM: Submit all ads on a GDA ClassifiedAdvertisement Form. To obtain a form,call Skip Jones at (800) 432-4357 or(404) 636-7553, or email [email protected].(Note: The GDA may accept or reject anyad for any reason and in its sole discretion.)

AD DEADLINE: Ads and ad check payments are due by thefirst of the month before the publicationmonth (i.e., Dec. 1 for January).

AD RATES: ADA member dentists pay $75.00 per60-word ad per month. There is a 25 centsper-word charge for each word over 60.Non-dentist-owned companies (real estatefirms, etc.) pay $195 per 60-word ad permonth (additional word charges as above).Non-member dentists may notplace ads.

LATE FEE:Ads for which full prepayment is notreceived by the first day of the ad’spublication month (i.e.; Nov. 1 for aNovember ad) will incur a $25 late fee inaddition to the ad rate.

FORMS OF PAYMENT: Submit a check or money order with the adform. (Make checks payable to GDA.)Credit cards are not accepted as payment.

WEB SITE PLACEMENT: Prepaid ads will appear on the GDA Website www.gadental.org for the month thead appears in print. Non-prepaid ads willNOT be placed online.



Coast Dental is one of the largestproviders of general and specialty dentalcare in the United States with practices inCalifornia, Florida, Georgia, Nevada, and Texas.Coast Dental is currently looking for GeneralDentists and Specialists to practice in thegreater Atlanta area. We have full and part-timeopportunities available for experienceddentists to practice where contributions arevalued and the sky is the limit on opportunitiesto grow. Coast Dental offers competitive wageswith sign-on bonuses available for selectlocations, a great benefits package, and a chanceto work with advanced technology anddevoted people who take a visionary approachto making every patients smile a work of art.If you are interested in an opportunityin one of our practices, please [email protected] or apply online athttp://www.coastdental.com/careers/dentists.

Savannah, Georgia: Take advantage ofthis awesome opportunity! Cutting edgedental practice in Coastal Georgia seekinghighly motivated dentist. Our dentists haveoutstanding clinical skills and a chair sidemanner that makes every patient feelcomfortable. Our dentists are leaders inthe office working to develop and foster ateam environment so their practice cangrow and mature, achieving financial suc-cess. Our operating model provides youwith great earning potential. In addition,our office offers an outstanding opportunityfor growth and the support to make it allhappen. Minimum Education andExperience: * Must hold degree fromaccredited dental school. * Generalpractice residency experience preferredbut not required. * Experience withimplant placement, surgical procedures,and / or endodontic procedures stronglydesired. * IV sedation certification stronglydesired. Contact: [email protected] email your resume to the aboveaddress in .doc or .pdf format.

NORTH ATLANTA #8902—Associateneeded for Norcross general practice.Prefer experienced dentist capable of mostskills. Practice is fee for service. For moreinformation, call Dr. Earl Douglas (770)664-1982 or email [email protected].

Pediatric Dentist Needed: We have anoutstanding full time opportunity for aPediatric Dentist / General Dentist (wouldrequire a minimum of at least 2 years’experience in pediatric dentistry) in oursuccessful, well-respected, quality-orient-ed private pediatric dental practice for theright candidate. We are seeking a special,motivated, personable individual to joinour success. We are a booming practice withtremendous growth and earning potential.We offer in office sedation. We offerexcellent compensation and benefits. Formore information, please contact AmandaRentschler at [email protected] (678) 352-1090 / (678) 429-9931

CLASSIFIEDSContinued from page 25



SAVANNAH: ASSOCIATE NEEDED—AWESOME OPPORTUNITY #8903.STOCKBRIDGE: ASSOCIATE NEED-ED #8894. Call Dr. Earl Douglas (770)664-1982 or email [email protected].

ATLANTA / DUNWOODY AREAASSOCIATE: #8887—Board certified /eligible OMS NEEDED IMMEDIATE-LY. For more information, call Dr. EarlDouglas (770) 664-1982 or [email protected].

Charleston, South Carolina—Join apediatric practice with multiple offices.Join a fun, well-respected, paperless pedi-atric practice and live in a great city on thebeach. The position is for someone lookingfor a great place to work in a friendly andcomfortable working environment, competitivesalary & benefits. Email CV [email protected] or call (843) 816-KIDS (5437). Visit coastalkidsdental.com.

Practices / Office Space Available

Dental Space Available! Duluth, GA.Already built-out and plumbed with dentalequipment! Convenient location offSugarloaf Parkway near I-85. Built in 2007,3-6 operatories, sterilization, consultationroom, kitchen. Front office and privatedoctor office. Split design dental space,perfect for new dentist or specialist satelliteoffice. Upscale building in a high growtharea with excellent demographics. Move inready! Contact Suellyn at (770) 623-4840.

South Georgia: Excellent Net Income$850,000 gross. 4 ops, turnkey influencedpractice, 40% FFS 60% Insurance, Highquality life, 2 1/2 hours to Atlanta and GACoast. Call Dr. John Wagner (636) 517-1136.

Practices for Sale: AUGUSTA #8747—Gross collections $1.26M; COLUMBUSAREA #8824—Gross Collections $389K.For more information, call Dr. EarlDouglas (770) 664-1982 or [email protected].

CLASSIFIEDSContinued on page 28



*NEW* DALTON. If you would like tomake some money this is the practice foryou. Average annual collections are morethan $2 million. 5 total operatoriesequipped with Adec and all of the besttechnology. Excellent location! The sellingdoctor would like to stay for 3 years.Asking price $1.6 million, must be pre-approved with a bank. The real estate isalso for sale. Please call or email for detailsusing reference #GA1025. For more infor-mation call (678) 482-7305, email [email protected].

*NEW* GWINNETT COUNTY. This isthe type of practice every dentist dreamsof! Excellent location, all FFS practicewith very high quality dentistry, 7 operato-ries, collected $1.3M+ in 2012 with astrong hygiene department. Please call oremail for details using reference #GA1028.For more information call (678) 482-7305,email [email protected].

*NEW* PAULDING COUNTY. Wellestablished practice with room to grow! AllFFS patients. The practice collected$300K in 2011 with 50% overhead. Thereare 3 ops with an additional roomplumbed. Seller is ready to retire. Pleasecall or email for details using reference #GA1008. For more information call (678)482-7305, email [email protected].

Available: CANTON: Beautiful officegrossing $393,000, 4 operatories. LAKEOCONEE AREA: Exceptional opportunity,grossing $823K. NORTH ATLANTA:Gorgeous new facility with 6 operatories,grossing $1.4M with high volume of cosmeticsand implants. WOODSTOCK: Beautiful5 operatory office grossing $400K.Richane Swedenburg, New South DentalTransitions: (770) 630-0436, [email protected]. Check new listings atwww.newsouthdental.com.

CLASSIFIEDSContinued from page 27



Poorly-Constructed Construction Contracts are aFuture Built on QuicksandThere are several well-respected compa-nies in Georgia that focus on building-outand renovating dental and medical prac-tices. Please understand that I am not tak-ing shots at builders. I simply want toemphasize that all items and aspectsof the project need to be addressedand included in the contract with thenecessary amount of specificity for thehealth care industry. Many builders usetemplates for their contracts, which at firstglance appear to be short and concise. Inthis case, brevity is not a positive, as thereare many moving parts to a project, all ofwhich need to be addressed. Builders havea huge advantage in that they can file liensagainst the property, which can preventfinal funding for the project.

So, make sure the document is com-prehensive. The first and most obviousfactor is the cost. Are you getting a firmbid? Does the quote include accurate andrealistic allowances, which could otherwisesignificantly increase the final amount asyou select the finishes?

The contract must also clearly spellout what this project will cost you beyondthe actual dollar figure. This is called thescope of the project.

• Does it include a detailed recitation ofwhat will be done and the materialsbeing used?

• Does it contain a firm timeframe so youcan logistically coordinate the start andfinish dates for your practice? For a newpractice this last variable is incrediblyimportant, as you need to be able toschedule new patients for the openingand not being able to rely on the date orhave any recourse can result in a tremen-dous loss of goodwill when you have tocancel the patients since the space is notready!

• How are disputes resolved? Is therebinding arbitration, mediation, or doesthe contract state that a representative ofthe builder has the final say?

ConclusionI acknowledge that the legal profession hasmany flaws and that attorneys have anapproval rating that is barely above thepathetic ratings of Congress. Among othercolorful and shocking monikers, attorneysare called obstructionists and obsessivefear-mongers, and are labeled paranoidand overly-contentious.

Notwithstanding these unflatteringgeneralizations, developing a relationshipwith trusted legal and financial advisors isan absolute necessity in the businessworld, especially when you are committingand guaranteeing your personal assets fortens or hundreds of thousands of dollars.There is never a legitimate justification forcommitting yourself to a legal obligationwithout having the benefit of counsel.Attorneys exist to assist and protect, not toduplicate or replace the work of the otherprofessionals involved in a transaction. Yes,working with an attorney is an investment,but otherwise you are going naked in awell-dressed world.

Andrew Shaul is the founder and Presidentof The Shaul Law Firm, PC, and hasbeen practicing since graduating fromEmory University School of Law in 1983.His firm provides dentists and physicianswith legal representation for the negotiat-ing and drafting of Asset PurchaseAgreements (practice transitions), con-tracts, commercial leases, shareholderbuy-ins, and employment agreements, aswell as litigation for any health care relat-ed disputes. Mr. Shaul has also served asGeneral Counsel and Chief OperatingOfficer for a multi-location medicalfacility in Metro Atlanta. As well as beinga featured presenter for several dentalstudy clubs, Mr. Shaul speaks before thegraduating classes of dentists at GeorgiaRegents University on matters relatedto employment contracts, restrictivecovenants, and partnership opportunities.

LEGAL DOCUMENTSContinued from page 19



occur. The Hartford encourages dentiststo visit https://databreachcalculator.com/GetStarted.aspx to get a taste of the cost toa dental practice in the case of an informationbreach. The calculator asks questionssuch as:

• What are the most common causes ofdata breaches,

• If a business has a privacy and dataprotection security policy in place,

• What sorts of data do business employ-ees handle,

• If the business stores sensitive data on alaptop or removable storage,

• If a business allows access to sensitivedata remotely (for example, with a smartphone), and

• Does the business encrypt sensitiveinformation.

A GDA staff run-through on the quizanswering the questions as a solo dentistproduced an estimation that the average

cost per record may be $200 and anaverage cost per breach could be$600,667. Of course, your personalanswers may vary.

Consider the case of a Missouri dentalpractice that suffered the theft of adesktop computer containing sensitiveinformation in 2010. The estimatednumber of individuals affected was 9,309.The Ponemon Institute estimated that itwould cost the practice $50 per patient toperform the required notifications, so innotification costs alone the practice wasfacing a charge of nearly $500,000. Thepractice closed not long after the theftand subsequent activity.

Q: What does the GDIS databreach insurance provide?

A: The coverage has several parts, including:

• Services that can assess whether a breachoccurred and assist with regulatory com-pliance if it is determined that a breachoccurred.

• The ability to notify impacted patientsand employees and associated expensessuch as letter preparation and mailingcosts.

• Assistance in informing your patientsthat a breach has occurred

• Advertising services to organize andcreate a media response if required.

• Monitoring services to pay for credit,fraud, public records or other monitor-ing alerts, if warranted.

Available limits are $10,000; $25,000;$50,000; and $100,000 with per claimdeductibles of $1,000 for $10,000 and$25,000 limits, and $2,500 for $50,000 and$100,000 limits.

The coverage also includes access to adata breach web site that provides tips andresources to help you minimize the chancefor a breach and safeguard PII and PHI,information on how to create a data breachincident response plan, legal requirementsby state, guidance on what needs to bedone if a breach occurs, and access to ateam to assist you with questions. A GDISrepresentative is happy to discuss thecoverage with you and see if such coveragecan help you in your practice.

CYBER LIABILITY COVERAGEContinued from page 21



Suite 200, Building 17, 7000 Peachtree Dunwoody RoadAtlanta, Georgia 30328-1655

www.gadental.org

ACTIONInside This Issue

• New HIPAA Rules Place StringentRequirements on Dentists

• New Credit Card SurchargeOption: What Dentists Need to Know

DATED MATERIALPLEASE DELIVER AS SOON AS POSSIBLE
