GDPR and US Dental Practices: Do You Need to Care?

The European Union's General Data Protection Regulation (GDPR) went into effect on May 25, 2018. You've probably seen headlines about massive fines, strict requirements, and companies scrambling to comply.

If you run a dental practice in Arizona, you might be wondering: does this affect me? The short answer for most practices is no. The slightly longer answer is: probably not, but maybe.

Let's figure out if GDPR matters for your practice and what to do if it does.

What GDPR Actually Is

GDPR is the European Union's privacy law, and it gives EU residents strong rights over their personal data. It applies to any organization that processes the personal data of people in the EU, regardless of where the organization is located.

Key GDPR requirements include:

Fines for non-compliance can be up to 4% of global annual revenue or €20 million (about $23 million), whichever is higher.

Does GDPR Apply to Your Dental Practice?

GDPR applies if you:

  1. Have patients who are EU residents, OR
  2. Offer services to people in the EU (even if you don't currently have EU patients), OR
  3. Monitor behavior of people in the EU

For most US dental practices, this means GDPR only applies if you have EU residents as patients.

Scenarios Where GDPR Applies

Military Base or Border Town Practices

If you're near a military base with European personnel or in a border area with Canadian or Mexican patients who are EU citizens, you might have EU residents as patients.

Tourist or Expat Heavy Areas

Practices in areas with significant international tourism or expatriate communities might treat EU residents occasionally.

Second Home Markets

Arizona has snowbirds who spend part of the year here. Some are EU residents maintaining primary residency in Europe.

International Patient Programs

If you advertise dental tourism or actively recruit international patients, GDPR likely applies even if you don't currently have EU patients.

Scenarios Where GDPR Doesn't Apply

If you're a typical dental practice in Arizona serving local patients with no EU residents, GDPR doesn't apply to you. You're governed by US laws (HIPAA, state privacy laws) but not GDPR.

If GDPR Does Apply to You

Patient Rights

EU residents have rights under GDPR that go beyond HIPAA requirements:

Right to Access

Patients can request a copy of all personal data you hold about them, in a commonly used electronic format. You have one month to provide it.

This is similar to HIPAA's right of access but potentially broader.

Right to Rectification

Patients can request correction of inaccurate data. You must correct it or explain why you're not correcting it.

Right to Erasure ("Right to be Forgotten")

In some circumstances, patients can request deletion of their data. This conflicts with healthcare record retention requirements, so there are exceptions for health data.

Right to Data Portability

Patients can request their data in a format that allows them to transfer it to another provider.

Consent Requirements

GDPR requires clear, specific consent for data collection and processing. Your patient intake forms might need updating to meet GDPR standards if they're used for EU residents.

Under GDPR, consent must be freely given, specific, informed, and unambiguous.

Data Breach Notification

GDPR requires breach notification to authorities within 72 hours, which is faster than HIPAA's 60-day requirement.

If you have EU resident patients, you need processes to detect breaches quickly and notify appropriately.

Vendor Agreements

Any vendors who process EU patient data on your behalf (practice management software, billing services, IT support, etc.) need GDPR-compliant agreements.

Most major dental software vendors have updated their agreements to address GDPR, but verify this if you have EU patients.

Practical Steps If GDPR Applies

Identify EU Patients

Add a field to your patient intake process asking about residency, for example "Are you a resident of the European Union?" Citizenship alone isn't what matters; residency is.

Update Privacy Notices

Your HIPAA privacy notice might not fully meet GDPR requirements. Consider a GDPR-specific privacy notice for EU resident patients.

Review Consent Forms

Make sure consent forms meet GDPR standards for clarity and specificity.

Establish Data Subject Rights Procedures

Have a process for handling patient requests to access, correct, or delete their data. Document these procedures.

Update Vendor Contracts

Get GDPR-compliant data processing agreements from vendors who handle EU patient data.

Document Everything

GDPR requires documentation of your data processing activities. Create records of what data you collect, why, how you protect it, and how long you keep it.

If GDPR Doesn't Apply to You

Even if GDPR doesn't legally apply, some of its principles are good practice:

HIPAA already requires much of this, but GDPR's approach is sometimes clearer and more patient-friendly.

Don't Panic

GDPR headlines have been alarmist. For most US dental practices, GDPR either doesn't apply or affects a small number of patients.

If you do have EU resident patients, focus on the fundamentals: know whether you have EU patients, understand their rights, and update your processes accordingly.

Our Take

GDPR is probably not a major issue for most Arizona dental practices. But if you do have EU resident patients, you need to be aware of the requirements and take reasonable steps to comply.

The good news is that if you're already doing HIPAA compliance well, you're most of the way there. GDPR adds some specific requirements, but the core principles (protect data, respect patient rights, be transparent) are the same.

If you're not sure whether GDPR applies to your practice or need help implementing GDPR-compliant processes, we can help. We've been working with Arizona dental practices since 1991, and we're keeping up with international privacy requirements as they evolve.

Don't let GDPR headlines stress you out. For most practices, it's either not applicable or requires modest updates to existing privacy practices. Focus on what matters for your specific situation.