
I usually write about cybersecurity, phishing attacks, ransomware, and network vulnerabilities—but January is Privacy Awareness Month, so it’s a great time to review the challenges of privacy in the dental office. As a Certified Information Privacy & Security Professional working in dentistry for over 20 years, I know you’re often overwhelmed by different types of compliance, and I’m here to help.
Privacy has always been a foundational element of cybersecurity, but it’s also a distinct discipline that deserves its own spotlight. In most provinces, dental practices must navigate a combination of federal, provincial, and college-specific laws and guidelines to ensure compliance with privacy requirements. These frameworks work together to regulate how patient information is collected, used, and protected. While this might seem daunting, understanding the layers of regulation is crucial to safeguarding patient trust and avoiding potential breaches.
Let me start with a couple of stories that underscore how easy it is to slip up when it comes to privacy.
A simple email misstep
Recently, I worked with a dental practice that found itself in a difficult situation after a seemingly minor privacy mistake. Sarah (not her real name), the receptionist, received a call from a specialist’s office requesting records for a patient. Trying to be efficient, she quickly attached the file to an email and sent it to what she thought was the correct address.
Unfortunately, the email went to the wrong recipient: a simple typo in the address caused it to land in a stranger’s inbox. When the patient was informed of the error, they were upset. The patient, who was well-versed in their privacy rights, immediately questioned why their sensitive medical information had been sent without encryption.
This led to a difficult but important conversation for the practice. While the breach didn’t result in financial penalties, it prompted the practice to review its processes and realize the need for clear policies around email encryption and handling sensitive data. This story shows how privacy mistakes aren’t always about malicious intent. They often come down to small oversights that can be easily addressed with the right guidance, policies, and procedures.
Misconfigured permissions: A hidden breach
Another case involved a dental practice upgrading its file-sharing system. Their IT provider configured the system to allow “team-wide” access, assuming this would improve efficiency. However, the new setup unintentionally granted access to employee records and practice financial details to all staff, even those who didn’t require it to perform their duties.
The breach came to light when a receptionist, Lisa, accidentally opened a file she shouldn’t have had access to and reported the issue to the practice manager. This misconfiguration not only violated privacy law (PIPEDA) but also put the dentist at risk, since his employee data and his own private financial and personal data were exposed. This highlights the importance of having privacy policies, procedures, and oversight when implementing new technology. A strong privacy framework with written procedures could have avoided this mistake.
The role of a privacy officer in dental practices
One common issue I see in dental practices is the lack of a designated privacy officer. In many cases, the responsibility for privacy compliance falls by default to the dentist, who rarely has the time or the training to fully understand the role.
A privacy officer is essential to ensuring that a dental practice stays compliant with privacy regulations, preventing breaches, and safeguarding patient trust. Here’s what the role typically entails:
- Policy development and implementation: Creating and enforcing privacy policies that align with federal and provincial laws.
- Staff training: Educating team members on privacy best practices and legal responsibilities.
- Risk assessment: Identifying potential vulnerabilities in how patient data is handled and stored.
- Incident response planning: Establishing clear protocols for managing breaches, including patient notification and regulatory reporting.
- Regulatory compliance: Keeping the practice up to date with evolving privacy laws and guidelines from provincial dental colleges.
When there isn’t a designated privacy officer, breaches and other issues often take longer to resolve. Without clear protocols, practices can struggle to respond effectively, leaving patients feeling uncertain and putting the practice at risk of non-compliance. The good news is that appointing a privacy officer—whether internally or through a consultant—is a straightforward and highly effective step toward ensuring privacy compliance.
Privacy is critical, even if it’s not exciting
Privacy in dental practices is governed by a combination of federal and provincial laws, and college guidelines. Federally, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs how personal information is collected, used, and disclosed. Many provinces like Ontario, Alberta, and British Columbia have additional health-specific privacy laws, such as PHIPA, HIA, and PIPA, respectively. On top of this, provincial dental colleges provide their own guidelines for protecting patient confidentiality.
Unfortunately, privacy is often an afterthought in dental practices, with many assuming their IT provider will handle everything. This misunderstanding creates a gap that can lead to unintentional breaches.
Why IT providers alone aren’t enough
While IT providers play a crucial role in securing systems and preventing cyber threats, many lack the specialized training or certifications necessary to navigate the complex world of privacy compliance. Privacy involves much more than just protecting data from breaches—it’s about understanding and implementing the legal and regulatory frameworks that govern patient information.
IT professionals are often highly skilled in technology, but privacy compliance requires expertise in areas like data governance, policy development, and breach reporting—areas that fall outside the typical IT skill set. This gap is where a certified privacy professional can make all the difference, ensuring that privacy practices align with legal obligations and patient expectations.
How to fix the privacy gap
The good news is that addressing privacy issues doesn’t have to be overwhelming. With a few key steps, dental practices can ensure they’re compliant and create a culture of privacy awareness.
Here are some actionable steps to get started:
- Appoint a privacy officer: Designate someone within the practice—or hire a consultant—to oversee privacy compliance. This person should understand privacy laws and be responsible for policies, training, and breach response.
- Develop clear policies and procedures: Create or update your policies to reflect how patient data is collected, used, stored, and shared. Ensure all staff are familiar with these policies.
- Train your team: Provide regular training on privacy best practices, including how to handle sensitive information and what to do in case of a breach.
- Use encryption and access controls: Ensure all patient data sent electronically is encrypted and that access to files is restricted to those who need it.
- Conduct privacy impact assessments: Regularly evaluate your processes and systems to identify potential risks and address them proactively.
- Have a breach response plan: Create a clear plan for how your practice will handle breaches, including notifying affected patients and meeting regulatory reporting requirements.
Privacy as a professional commitment
Protecting patient privacy is about more than avoiding fines—it’s about maintaining the trust your patients place in you. Privacy compliance doesn’t have to be intimidating or burdensome. With the right processes, training, and support, it can be a seamless part of your practice’s operations.
As Privacy Awareness Month reminds us, privacy isn’t just a legal obligation—it’s a professional commitment to care. By taking small, actionable steps, dental practices can close the privacy gap, ensuring compliance while fostering patient confidence.
Let’s use this month as an opportunity to make privacy a priority. It’s a manageable challenge, and with the right approach, it’s one that benefits everyone.
Need Help? Feel free to contact me: anne@myla.training.
Resources: What laws and guidelines apply to you in your province?
Here is a list of federal laws, provincial regulations, and dental college guidelines to help guide practices in each province. Use this as a starting point to ensure your privacy practices align with the legal and ethical standards required in your region.
Federal Legislation
Personal Information Protection and Electronic Documents Act (PIPEDA): Governs how private sector organizations collect, use, and disclose personal information in the course of commercial activities.
Provincial Legislation and Dental College Guidelines
Alberta
- Health Information Act (HIA): Regulates the collection, use, and disclosure of health information.
- College of Dental Surgeons of Alberta (CDSA): Provides standards of practice, including privacy and management of patient health information.
British Columbia
- Personal Information Protection Act (PIPA): Oversees the handling of personal information by private organizations.
- College of Dental Surgeons of British Columbia (CDSBC): Offers guidelines on patient records and privacy.
Manitoba
- Personal Health Information Act (PHIA): Manages the collection, use, and disclosure of personal health information.
- Manitoba Dental Association (MDA): Provides resources on privacy obligations for dental professionals.
New Brunswick
- Personal Health Information Privacy and Access Act (PHIPAA): Controls the handling of personal health information.
- New Brunswick Dental Society (NBDS): Offers guidelines on maintaining patient confidentiality.
Newfoundland and Labrador
- Personal Health Information Act (PHIA): Regulates the management of personal health information.
- Newfoundland and Labrador Dental Association (NLDA): Provides privacy resources for dental practitioners.
Nova Scotia
- Personal Health Information Act (PHIA): Governs the use and disclosure of personal health information.
- Nova Scotia Dental Association (NSDA): Offers guidelines on patient privacy and record-keeping.
Ontario
- Personal Health Information Protection Act (PHIPA): Establishes rules for handling personal health information.
- Royal College of Dental Surgeons of Ontario (RCDSO): Provides standards and guidelines, including those related to privacy.
Prince Edward Island
- Health Information Act (HIA): Manages the collection and use of health information.
- Dental Association of Prince Edward Island (DAPEI): Offers resources on privacy practices for dentists.
Quebec
- Act Respecting the Protection of Personal Information in the Private Sector: Regulates personal information handling by private entities.
- Ordre des dentistes du Québec (ODQ): Provides guidelines on patient confidentiality and privacy.
Saskatchewan
- Health Information Protection Act (HIPA): Oversees the management of personal health information.
- College of Dental Surgeons of Saskatchewan (CDSS): Offers standards and guidelines, including those related to privacy.
Northwest Territories
- Health Information Act (HIA): Regulates the handling of health information.
- Northwest Territories Dental Association (NWTDA): Provides privacy guidelines for dental professionals.
Nunavut
- Health Information Act (HIA): Manages the collection and use of health information.
- Nunavut Dental Association (NDA): Offers resources on privacy practices for dentists.
Yukon
- Health Information Privacy and Management Act (HIPMA): Governs the handling of personal health information.
- Yukon Dental Association (YDA): Provides guidelines on patient privacy and confidentiality.
It’s essential for dental practices to be aware of and comply with both federal and provincial privacy laws, as well as adhere to the guidelines set forth by their respective dental colleges. Regularly reviewing and updating privacy policies and procedures will help ensure compliance and maintain patient trust.
About the Author

Anne Genge, Certified Information Privacy Professional, Certified Healthcare Cybersecurity Professional, Certified Healthcare Security Risk Assessment Specialist. Anne is the founder of Myla Training Co., Canada’s first-ever online privacy and cybersecurity training platform for dental professionals. With over two decades of experience, Anne has become a leading expert and trainer in this field. Anne collaborates closely with practice owners, managers, dental teams, and IT providers to ensure the safety of patients and practice data while enabling compliance with privacy regulations. Anne can be reached at anne@myla.training or call 877-363-9229 x702.