From Dr. Bicuspid:
"The investigation found that neither NYP nor CU made efforts prior to the breach to ensure that the server was secure and that it contained appropriate software protections. Moreover, the OCR determined that neither entity had conducted an accurate and thorough risk analysis."
The $4.8 million settlement was the result of a data breach at a hospital, not a dental office, but there are some lessons to be learned. Reading the article, it is hard to determine exactly how the breach happened. It seems to be related to a personal computer connected to the hospital network.
The fine and settlement are not related to any actual loss suffered by patient victims; they are based on the failure to do the required reviews (such as the risk analysis mentioned above) and paperwork.
As professionals we do have an obligation to keep patient data confidential. In the digital age it is a lot easier for data thieves to steal patient information than it used to be. HIPAA actually has some good procedures we can use for what I call PMT (Protect My Patient) security.
However, in the dental industry the majority of so-called data breaches are the result of lost or stolen computers, and there is no evidence that any patients have been harmed. Nevertheless, the dentist is liable and may face fines if he or she has not practiced CYA (Comply Yet Again).
That means running the reports and filling out the forms. It is not clear to me how filling out a form keeps the data secure, but those are the rules.
For lots more on HIPAA, see here: