I walked into a dental practice in Austin, Texas, on a sunny Tuesday morning in 2017, expecting a routine compliance consultation. What I found instead was a disaster waiting to happen.
Patient charts were stacked on the front desk, visible to anyone walking by. The office manager was discussing Mrs. Johnson's root canal—loudly—while three other patients sat in the waiting room. X-rays from the previous patient were still displayed on the monitor as the next patient entered the exam room. And when I asked about their data backup strategy, the dentist pointed to an external hard drive sitting next to the coffee maker.
"We're just a small dental office," the dentist told me. "HIPAA is for big hospitals, right?"
Wrong. Dead wrong.
Six months later, that same practice faced a $50,000 OCR settlement after a disgruntled employee reported their violations. The practice survived, but barely. Three staff members were let go. The dentist's reputation in the community took years to recover.
After fifteen years working with healthcare providers—including over 40 dental practices—I can tell you with absolute certainty: dental practices are absolutely covered under HIPAA, and the consequences of non-compliance can destroy your practice.
Why Dental Practices Can't Ignore HIPAA (Even If You Think You're Too Small)
Let me settle this debate once and for all with a story that perfectly illustrates the stakes.
In 2019, I was called in by a three-dentist practice in suburban Chicago. They'd received their first OCR audit notification—a compliance review triggered by a patient complaint. The complaint? A former patient had requested her records, and the practice took 87 days to respond.
"We were busy," the office manager explained. "We got to it when we could."
HIPAA requires responses within 30 days. The violation was clear-cut.
But here's where it got worse. Once OCR started digging, they found:
No written HIPAA policies or procedures
No designated Privacy Officer or Security Officer
No employee training documentation
Unencrypted patient emails sent routinely
No Business Associate Agreements with their IT vendor, billing company, or cloud backup provider
Patient sign-in sheets that displayed full names and reasons for visits
The final settlement? $125,000, plus mandatory corrective action and two years of monitoring.
For a practice grossing $1.2 million annually, this was catastrophic. One of the dentists left to join another practice. They had to take out a loan to pay the fine. Staff morale plummeted.
All because they thought HIPAA "didn't really apply" to them.
"In dental compliance, there are two types of practices: those who take HIPAA seriously, and those who haven't been audited yet."
Understanding Protected Health Information (PHI) in Dental Context
Here's what most dental practices miss: almost everything you handle is Protected Health Information.
Let me break down what counts as PHI in your practice:
| Information Type | Examples in Dental Practice | HIPAA Protected? |
|---|---|---|
| Demographics | Patient name, address, phone, email, birthdate, SSN | ✅ Yes |
| Clinical Records | Treatment notes, diagnoses, x-rays, photos, prescriptions | ✅ Yes |
| Financial Information | Insurance details, payment history, treatment plans | ✅ Yes |
| Appointment Data | Scheduling information, reminders, no-show history | ✅ Yes |
| Correspondence | Emails, texts, voicemails with patient names | ✅ Yes |
| Referral Information | Letters to specialists, consultation notes | ✅ Yes |
| Employee Records | Staff health information (if treated at practice) | ✅ Yes |
| Marketing Lists | Patient names without health info used for general promotions | ⚠️ Restricted |
| De-identified Data | Aggregated statistics with no identifying information | ❌ No |
I remember working with a periodontist who was shocked to learn that the "before and after" photos she posted on Instagram—even with faces blurred—could be violations if patients were identifiable through other means (distinctive teeth, visible tattoos, unique jewelry).
We had to take down 47 posts and implement a robust patient consent process for any future marketing materials.
The Three HIPAA Rules Every Dental Practice Must Master
1. The Privacy Rule: Controlling Who Sees What
I'll never forget consulting with a dental practice where the receptionist was the dentist's mother-in-law. Lovely woman, but she had a habit of mentioning patients she'd seen to her friends at church.
"Oh, I saw your daughter Sarah came in for a cleaning! Her teeth look wonderful!"
Innocent? Sure. HIPAA violation? Absolutely.
The Privacy Rule governs how you use and disclose PHI. Here's what it means in practical terms:
Minimum Necessary Standard: Your front desk staff doesn't need access to detailed clinical notes. Your dental hygienist doesn't need to see financial information. Your billing specialist doesn't need full treatment histories.
I helped one practice implement role-based access that reduced PHI exposure by 73%. The dental assistants could see clinical information for their scheduled patients only. The billing team saw financial data but not detailed clinical notes. The result? Better security and improved efficiency.
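One way to express the role-based, minimum-necessary access described above, as an added example (not code from the article or from any practice management system). The role names, PHI categories, the role-to-category matrix and the schedule lookup are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed role-to-category matrix; each practice defines its own.
ROLE_CATEGORIES = {
    "front_desk": {"demographics", "appointments"},
    "billing": {"demographics", "financial"},
    "hygienist": {"demographics", "appointments", "clinical"},
    "dental_assistant": {"demographics", "appointments", "clinical"},
    "dentist": {"demographics", "appointments", "clinical", "financial"},
}
# Roles that may open clinical data only for patients on their own schedule.
SCHEDULE_BOUND_ROLES = {"dental_assistant"}


@dataclass(frozen=True)
class User:
    user_id: str  # unique per person, so every decision is attributable
    role: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check_access(user, patient_id, category, schedule, today):
    """Deny by default. `schedule` maps (user_id, date) -> set of patient ids."""
    permitted = ROLE_CATEGORIES.get(user.role)
    if permitted is None:
        return Decision(False, "unknown role")
    if category not in permitted:
        return Decision(False, f"role {user.role} has no need for {category}")
    if category == "clinical" and user.role in SCHEDULE_BOUND_ROLES:
        if patient_id not in schedule.get((user.user_id, today), set()):
            return Decision(False, "patient is not on this user's schedule today")
    return Decision(True, "within minimum necessary for role")


def access_with_audit(user, patient_id, category, schedule, today, audit_log):
    """Record every decision, denials included, so access can be reviewed later."""
    decision = check_access(user, patient_id, category, schedule, today)
    audit_log.append({
        "date": today.isoformat(), "user_id": user.user_id, "role": user.role,
        "patient_id": patient_id, "category": category,
        "allowed": decision.allowed, "reason": decision.reason,
    })
    return decision


def demo():
    # Constructed sample data, not from any real practice.
    today = date(2024, 3, 15)
    schedule = {("a.rivera", today): {"P-1001", "P-1002"}}
    assistant = User("a.rivera", "dental_assistant")
    biller = User("b.kim", "billing")
    log = []
    results = [
        access_with_audit(assistant, "P-1001", "clinical", schedule, today, log),
        access_with_audit(assistant, "P-2002", "clinical", schedule, today, log),
        access_with_audit(biller, "P-1001", "financial", schedule, today, log),
        access_with_audit(biller, "P-1001", "clinical", schedule, today, log),
    ]
    return [d.allowed for d in results], log


if __name__ == "__main__":
    allowed, log = demo()
    for entry in log:
        print(entry)
```

The denied entries in the audit log are as useful as the allowed ones: repeated denials for one user point to either a role that is scoped too tightly or someone browsing records they have no need for.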
Required Safeguards for Dental Practices:
| Area | Common Violations I've Seen | Proper Solution |
|---|---|---|
| Front Desk | Patient charts visible to other patients | Privacy screens, electronic check-in systems |
| Reception Area | Calling out full names and procedures | Use first name only or pager systems |
| Treatment Rooms | Discussing other patients within earshot | Close doors, lower voices, check for privacy |
| Phone Conversations | Loud discussions about treatment in open areas | Private phone area, HIPAA-compliant scripts |
| Computer Screens | Monitors visible to patients/public | Privacy screens, automatic screen locks |
| Printed Materials | Unattended printouts, faxes, appointment schedules | Immediate retrieval protocols, secure printer areas |
| Disposal | Regular trash for patient records | Cross-cut shredding, certified disposal |
2. The Security Rule: Protecting Electronic PHI
This is where most dental practices get into serious trouble. Why? Because digital systems have multiplied faster than security practices have evolved.
A prosthodontist I worked with in 2021 had a wake-up call when his practice management system was hit by ransomware. At 6:30 AM on a Monday, he arrived to find all patient records encrypted with a ransom demand for $45,000 in Bitcoin.
"But we had antivirus software!" he protested.
Antivirus isn't enough. Not even close.
The Security Rule requires three types of safeguards:
Administrative Safeguards
| Requirement | What It Means | Real-World Implementation |
|---|---|---|
| Security Officer | Designated person responsible for security | Can be the dentist, office manager, or IT professional (documented in writing) |
| Risk Assessment | Annual evaluation of security vulnerabilities | Document review of systems, identify threats, prioritize fixes |
| Training Program | Security awareness for all staff | Annual HIPAA training, documented with signed acknowledgments |
| Access Management | Control who can access what information | Unique user IDs, role-based permissions, terminated employee access removal |
| Incident Response | Plan for handling security breaches | Written procedures, tested annually, staff trained on protocols |
Physical Safeguards
A pediatric dental practice I consulted with learned this lesson the hard way. They'd been broken into after hours—not uncommon for dental practices with their medications and equipment.
What made it a HIPAA violation? The thieves also stole three computers containing unencrypted patient records for 4,200 children.
The breach notification alone cost $78,000. The OCR investigation resulted in a $35,000 settlement. The reputational damage was incalculable—parents pulled their children from the practice in droves.
Essential Physical Security Measures:
| Asset | Security Requirement | Cost-Effective Solution |
|---|---|---|
| Server Room | Locked, access controlled | Dedicated locked closet, access log |
| Workstations | Secured when unattended | Automatic lock after 5 minutes idle |
| Laptops/Tablets | Encrypted, physically secured | Full disk encryption, cable locks |
| Backup Media | Encrypted, stored securely offsite | Encrypted cloud backup, physical media in safe |
| Mobile Devices | Encrypted, password protected, remote wipe capable | MDM software, strong passwords, encryption enabled |
| Paper Records | Locked storage, controlled access | Locking file cabinets, sign-out procedures |
Technical Safeguards
This is where I see the most variation in dental practices—from cutting-edge security to practices that make me wince.
Critical Technical Controls:
| Control | Why It Matters | Implementation Example |
|---|---|---|
| Encryption | Protects data if devices stolen or lost | Full disk encryption (BitLocker, FileVault), encrypted email |
| Access Controls | Prevents unauthorized PHI access | Unique user IDs, automatic logoff, role-based permissions |
| Audit Logs | Tracks who accessed what and when | Enable logging in practice management system, monthly reviews |
| Transmission Security | Protects data moving between systems | VPN for remote access, encrypted email, secure file transfer |
| Authentication | Verifies user identity | Strong passwords (12+ characters), two-factor authentication for remote access |
| Automatic Logoff | Prevents unauthorized access | 5-15 minute timeout on all systems |
"The best security system is the one your team actually uses. Complicated solutions breed workarounds, and workarounds create vulnerabilities."
3. The Breach Notification Rule: When Things Go Wrong
Let me share a breach scenario I dealt with in 2020 that perfectly illustrates why you need a solid breach response plan.
A dental practice's laptop was stolen from a hygienist's car. The laptop contained 1,847 patient records and wasn't encrypted.
The practice called me in a panic. "What do we do?"
Here's what we had to do:
Immediate Actions (Within 24-48 Hours):
Secure the breach area (file police report)
Assess the scope (identify all potentially affected patients)
Contain the breach (disable remote access, change passwords)
Document everything (critical for OCR reporting)
Notification Requirements:
| Breach Size | Notification Timeline | Required Actions |
|---|---|---|
| Under 500 patients | Within 60 days of discovery | Notify affected individuals by mail, document notifications, report to HHS annually |
| 500+ patients | Within 60 days of discovery | Notify affected individuals, notify media, report to HHS immediately |
| Any size | Immediately if high risk | Consider offering credit monitoring, identity theft protection |
The laptop breach cost that practice:
$34,000 in breach notification costs
$28,000 for credit monitoring services (1 year for all affected patients)
$15,000 in legal fees
$12,000 for forensic analysis
Immeasurable reputational damage
Total: $89,000 for a stolen $800 laptop that wasn't encrypted.
Business Associate Agreements: The Hidden Compliance Landmine
Here's a question I ask every dental practice: "Do you have Business Associate Agreements with all your vendors who handle PHI?"
The usual response? Blank stares.
Let me tell you about a dental group that learned this lesson expensively. They used a cloud-based scheduling system, an outsourced billing company, an IT support firm, and an online backup service. None had signed Business Associate Agreements.
When OCR audited them, this single issue resulted in a $40,000 fine.
Who Needs a Business Associate Agreement?
| Vendor/Service | Handles PHI? | BAA Required? |
|---|---|---|
| Practice Management Software | Yes - patient records, billing | ✅ Required |
| Billing Company | Yes - patient names, insurance, services | ✅ Required |
| IT Support/Managed Services | Yes - access to systems with PHI | ✅ Required |
| Cloud Backup Service | Yes - backing up patient data | ✅ Required |
| Email Provider | Yes - if patient communications occur | ✅ Required |
| Appointment Reminder Service | Yes - patient names, phone numbers, appointments | ✅ Required |
| Credit Card Processor | Yes - links payments to patients | ✅ Required |
| Dental Lab | Yes - patient names, case details | ✅ Required |
| Collection Agency | Yes - patient names, balances | ✅ Required |
| Shredding Company | Yes - destroying PHI documents | ✅ Required |
| Accountant/CPA | Maybe - depends on data provided | ⚠️ Evaluate |
| Attorney | Maybe - depends on case details | ⚠️ Evaluate |
| Equipment Repair | Maybe - if they access systems with PHI | ⚠️ Evaluate |
I worked with a 6-dentist practice that needed BAAs with 23 different vendors. It took us three months to track them all down and get signed agreements. But it was absolutely necessary.
Patient Rights: What You Must Provide (And How)
I've seen dental practices get into trouble not because they refused patient rights, but because they didn't know what those rights were.
The Six Critical Patient Rights:
| Right | What It Means | Your Timeline | Common Mistakes I've Seen |
|---|---|---|---|
| Access to Records | Patients can request copies of their records | 30 days (can extend once by 30 days with written notice) | Taking 60+ days, charging excessive fees, requiring reasons |
| Amendment | Patients can request corrections to records | 60 days to approve or deny | Automatically approving all requests, not documenting denials |
| Accounting of Disclosures | Patients can request list of who you've shared PHI with | 60 days | Not maintaining disclosure logs, incomplete records |
| Confidential Communications | Patients can request alternative contact methods | Immediately accommodate reasonable requests | Requiring detailed explanations, refusing reasonable requests |
| Restriction Requests | Patients can request limits on use/disclosure | Must consider, can deny (except for specific cases) | Not documenting requests and responses |
| Privacy Practices Notice | Patients must receive your privacy practices | At first service date, posted prominently | Outdated notices, no signed acknowledgments |
The $25,000 Records Request That Taught Me Everything
A dental practice once called me about a patient who'd requested her complete records dating back 15 years. The practice wanted to charge her $2,400 ($160 per year of records).
"That's what our attorney told us we could charge," they said.
Wrong. So very wrong.
HIPAA limits fees to the cost of copying and postage (or preparing an electronic summary). You can charge for labor, but it must be reasonable.
We recalculated:
Actual staff time: 2 hours at $25/hour = $50
Copying costs: 347 pages at $0.15/page = $52.05
Postage: $8.75
Total reasonable fee: $110.80
The practice had already sent the patient a bill for $2,400. The patient filed a complaint with OCR.
The investigation revealed this wasn't an isolated incident—the practice had been overcharging for records requests for years. The settlement? $25,000, plus refunds to 43 patients.
Technology Solutions for Dental HIPAA Compliance
After working with dozens of dental practices, I've identified the technology stack that provides the best security-to-cost ratio.
Essential Security Technology:
| Technology | Purpose | Approximate Cost | ROI/Benefit |
|---|---|---|---|
| Practice Management System (HIPAA-compliant) | Core patient records, scheduling, billing | $300-800/month | Central compliance foundation, BAA from vendor |
| Full Disk Encryption | Protects all devices if stolen | Free (built into Windows/Mac) | Eliminates breach notification for lost/stolen devices |
| Password Manager | Secure, unique passwords for all systems | $40-80/year per practice | Prevents password reuse, improves security |
| Two-Factor Authentication | Extra security for remote access | Free-$10/user/month | Prevents 99.9% of account compromises |
| Cloud Backup (Encrypted, BAA) | Disaster recovery, ransomware protection | $50-200/month | Practice survival insurance, mandatory BAA |
| Email Encryption | Secure patient communications | $3-8/user/month | HIPAA-compliant patient communication |
| VPN for Remote Access | Secure work from home | $5-15/user/month | Safe remote access to practice systems |
| Security Awareness Training | Employee education | $25-50/employee/year | Reduces human error (biggest vulnerability) |
| Anti-Malware/EDR | Endpoint protection | $5-15/device/month | Ransomware protection, threat detection |
The $180,000 Ransomware Attack That Could Have Been Prevented
An oral surgery practice I consulted with in 2022 got hit with ransomware. Every patient record, every x-ray, every piece of financial data—encrypted.
The ransomware gang demanded $75,000 in Bitcoin. The practice was desperate. They had surgeries scheduled. Patients needed their records. They had no backups.
"We thought our IT guy was handling backups," the surgeon told me.
Their IT provider had configured backups, but they were stored on the same network as the practice systems. When ransomware struck, it encrypted the backups too.
They paid the ransom (against my advice). It didn't work—the decryption key was corrupted. They had to rebuild from scratch:
$75,000 ransom (wasted)
$42,000 for forensic investigation
$38,000 to rebuild systems and data
$25,000 in lost revenue (3 weeks of disruption)
Total cost: $180,000
The solution that would have prevented this? Cloud backup with immutable storage, costing $120/month.
They would have saved $178,560.
"Backup isn't backup unless it's tested. Tested backup isn't backup unless it's offsite. Offsite backup isn't backup unless it's encrypted. You need all three, not just one."
Building Your HIPAA Compliance Program: A Practical Roadmap
After implementing HIPAA programs for over 40 dental practices, here's the step-by-step approach that actually works:
Phase 1: Foundation (Months 1-2)
Week 1-2: Assessment and Gap Analysis
| Task | Deliverable | Owner |
|---|---|---|
| Inventory all systems with PHI | Complete asset list | Office Manager |
| Review current policies and procedures | Gap analysis document | Privacy Officer |
| Identify all Business Associates | Vendor list with BAA status | Billing Manager |
| Conduct preliminary risk assessment | Risk assessment report | Security Officer |
Week 3-4: Designate Officers and Structure
Appoint Privacy Officer (can be the dentist, office manager, or dedicated role)
Appoint Security Officer (can be same person as Privacy Officer in small practices)
Establish compliance committee (even if it's just 2-3 people meeting monthly)
Set up documentation system (physical binder or electronic folder structure)
Month 2: Quick Wins
Implement immediate improvements that show progress:
Enable encryption on all devices (often free, built-in feature)
Implement automatic screen locks (5 minutes idle time)
Start using unique user IDs (stop sharing passwords)
Begin audit logging in practice management system
Post updated Notice of Privacy Practices
Create visitor sign-in log
Phase 2: Implementation (Months 3-6)
Month 3: Policies and Procedures
Create or update your HIPAA documentation:
| Policy Category | Key Documents | Priority |
|---|---|---|
| Privacy | Notice of Privacy Practices, Patient Rights procedures, Minimum Necessary policies | High |
| Security | Access Control policy, Password policy, Encryption requirements, Incident Response plan | High |
| Breach Response | Breach notification procedures, Investigation protocols, Documentation requirements | High |
| Training | Annual training program, New hire orientation, Acknowledgment forms | High |
| Business Associates | BAA requirements, Vendor assessment process, Contract review checklist | Medium |
| Physical Security | Facility access, Workstation security, Device disposal | Medium |
| Sanctions | Violation response, Disciplinary procedures, Termination protocols | Medium |
Month 4: Business Associate Agreements
I created a simple tracking system for one practice that worked beautifully:
| Vendor Name | Service Provided | PHI Access? | BAA Status | BAA Date | Annual Review Date |
|---|---|---|---|---|---|
| DentalSoft Pro | Practice Management | Yes | ✅ Signed | 03/15/2024 | 03/15/2025 |
| QuickBill Services | Billing/Collections | Yes | ⏳ Pending | - | - |
| TechSupport LLC | IT Services | Yes | ✅ Signed | 02/01/2024 | 02/01/2025 |
| BackupCloud Co | Data Backup | Yes | ✅ Signed | 01/10/2024 | 01/10/2025 |
Month 5-6: Training and Testing
Conduct initial HIPAA training for all staff (document with sign-in sheets)
Test incident response procedures (tabletop exercise)
Perform first risk assessment
Review and update as needed
Practice breach notification procedures
Phase 3: Maintenance (Ongoing)
Monthly Tasks:
Review access logs for unusual activity
Check for software updates and patches
Test backup restoration (sample restore)
Review new patient privacy acknowledgments
Quarterly Tasks:
Security awareness reminder training
Review and update risk assessment
Audit user access permissions
Test disaster recovery procedures
Annual Tasks:
Comprehensive HIPAA training (all staff, documented)
Full risk assessment review
Policy and procedure review/update
BAA renewal and review
Privacy Officer report to leadership
Mock OCR audit (self-assessment)
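A sketch of what the monthly "review access logs for unusual activity" task can look like when run over an exported access log, as an added example (not code from the article or from any vendor). The CSV layout, the sample rows, the opening hours and the thresholds are constructed assumptions; a real practice management system has its own log format.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export; column names are assumed for illustration.
SAMPLE_LOG = """\
timestamp,user_id,workstation,action,patient_id
2024-03-04T08:05:00,frontdesk1,FD-01,view,P-1001
2024-03-04T08:07:00,frontdesk1,OP-03,view,P-1002
2024-03-04T09:15:00,hyg_lee,OP-02,view,P-1003
2024-03-04T22:41:00,bill_kim,BILL-01,export,P-1004
2024-03-05T10:00:00,hyg_lee,OP-02,view,P-1005
"""

BUSINESS_HOURS = (7, 19)                      # assumed: open 07:00 to 18:59
SHARED_LOGIN_WINDOW = timedelta(minutes=10)   # assumed review threshold
DAILY_PATIENT_LIMIT = 40                      # assumed per-user daily ceiling


def parse_log(text):
    """Parse the CSV export into rows sorted by time."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["timestamp"])


def review(rows, daily_limit=DAILY_PATIENT_LIMIT):
    """Return (finding, user_id, when) tuples for a human to follow up on."""
    findings = []
    last_seen = {}               # user_id -> (timestamp, workstation)
    per_day = defaultdict(set)   # (user_id, date) -> distinct patient ids
    for r in rows:
        ts, user, ws = r["timestamp"], r["user_id"], r["workstation"]
        # Access outside opening hours.
        if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            findings.append(("after_hours", user, ts.isoformat()))
        # One user ID on two workstations within minutes suggests a shared login.
        prev = last_seen.get(user)
        if prev and prev[1] != ws and ts - prev[0] <= SHARED_LOGIN_WINDOW:
            findings.append(("possible_shared_login", user, ts.isoformat()))
        last_seen[user] = (ts, ws)
        per_day[(user, ts.date())].add(r["patient_id"])
    # Unusually many distinct patient records opened by one user in a day.
    for (user, day), patients in sorted(per_day.items()):
        if len(patients) > daily_limit:
            findings.append(("high_volume", user, day.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(finding)
```

None of these findings is proof of a violation; each is a prompt for the Security Officer to ask the named user what happened and to document the answer.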
Common Dental Practice HIPAA Mistakes (And How to Avoid Them)
After 15 years, I've seen the same mistakes repeatedly. Here are the top violations I encounter:
Mistake #1: The "Shared Password" Practice
The Violation: Everyone in the practice uses "Dental123" to log into the practice management system.
Why It's a Problem: You can't audit who accessed what. You can't remove access when someone leaves. You violate the unique user identification requirement.
The Fix:
Create unique usernames for each staff member
Implement role-based access (front desk sees scheduling, not clinical notes)
Change passwords when anyone leaves
Use password manager to generate and store complex passwords
Cost: $0-40/year for password manager
Time: 2-4 hours to set up
Risk Reduction: Eliminates one of the most common OCR citations
Mistake #2: The Unencrypted Email Practice
The Violation: Sending patient information via regular email to patients, specialists, or insurance companies.
Example I Witnessed: A dental practice emailed a treatment plan with full clinical notes to a patient's personal Gmail account. The patient's account was compromised. The hacker accessed health records for 40+ patients who'd been emailed over 6 months.
The Fix:
Implement encrypted email (ZixCorp, Paubox, others)
Use patient portal for clinical communication
Never send PHI via regular email, even if patient requests it
Train staff on secure communication methods
Cost: $3-8/user/month for encrypted email
Alternative: Free patient portal in most practice management systems
Mistake #3: The "We'll Get to It Eventually" Records Request
The Violation: Taking 60, 90, or 120+ days to fulfill patient records requests.
Real Case: A patient requested her records to take to a new dentist. The practice was busy, so it got pushed to the bottom of the priority list. 93 days later, when they finally sent the records, the patient had already filed an OCR complaint.
The Fix:
Create a records request log (track receipt date and 30-day deadline)
Designate a specific person responsible for requests
Set up a process: receive request → log it → fulfill within 15 days → document completion
Use calendar reminders for deadlines
Cost: $0 (just process and accountability)
Time Saved: Avoiding $10,000-50,000 fine and OCR investigation
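The records request log from the fix above, sketched as an added example (not the article's or any vendor's code). It uses the 30-day deadline, the single 30-day extension with written notice and the 15-day internal target stated in this article; the request IDs and dates are constructed, and the rule that the notice must go out before the original deadline is made explicit in the code.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RESPONSE_DAYS = 30         # deadline stated in the article
EXTENSION_DAYS = 30        # one extension, only with written notice
INTERNAL_TARGET_DAYS = 15  # the article's internal fulfilment target


@dataclass
class RecordsRequest:
    request_id: str
    received: date
    fulfilled: Optional[date] = None
    extension_notice: Optional[date] = None  # date written notice was sent

    def deadline(self) -> date:
        due = self.received + timedelta(days=RESPONSE_DAYS)
        # A notice sent after the original deadline does not buy more time.
        if self.extension_notice is not None and self.extension_notice <= due:
            due += timedelta(days=EXTENSION_DAYS)
        return due

    def days_late(self, today: date) -> int:
        end = self.fulfilled or today
        return max(0, (end - self.deadline()).days)

    def status(self, today: date) -> str:
        if self.days_late(today) > 0:
            return "FULFILLED_LATE" if self.fulfilled else "OVERDUE"
        if self.fulfilled:
            return "FULFILLED"
        if today > self.received + timedelta(days=INTERNAL_TARGET_DAYS):
            return "PAST_INTERNAL_TARGET"
        return "OPEN"


def worklist(requests, today):
    """Unfulfilled requests, closest deadline first, with days remaining."""
    open_reqs = [r for r in requests if r.fulfilled is None]
    open_reqs.sort(key=lambda r: r.deadline())
    return [(r.request_id, r.status(today), (r.deadline() - today).days)
            for r in open_reqs]


def sample_log():
    # Constructed dates; the 87-day response mirrors the case in the article.
    start = date(2019, 1, 2)
    return [
        RecordsRequest("R-001", start, fulfilled=start + timedelta(days=87)),
        RecordsRequest("R-002", date(2019, 3, 18)),
        RecordsRequest("R-003", date(2019, 2, 20), extension_notice=date(2019, 3, 15)),
        RecordsRequest("R-004", date(2019, 2, 1), extension_notice=date(2019, 3, 20)),
    ]


if __name__ == "__main__":
    today = date(2019, 4, 5)
    for r in sample_log():
        print(r.request_id, r.status(today), r.deadline(), r.days_late(today))
    print(worklist(sample_log(), today))
```

R-004 shows the failure mode worth checking for: the extension notice was sent 17 days after the original deadline, so the request is overdue from day 31 regardless of the notice.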
Mistake #4: The "No BAA" Vendor Relationship
The Violation: Using cloud services, IT support, or billing companies without signed Business Associate Agreements.
Shocking Statistic: In my assessments, I find that 68% of dental practices are missing BAAs with at least one critical vendor.
The Fix:
Inventory every vendor who could access PHI
Request BAAs from all identified vendors
If vendor refuses to sign BAA, find alternative vendor
Track BAA renewal dates
Review annually
Cost: $0 (vendors must provide BAAs if they handle PHI)
Time: 20-40 hours initially to track down and execute all BAAs
Mistake #5: The Unattended Computer Screen
The Violation: Computers left unlocked with patient information visible while staff step away.
What I See: Staff member checking a patient in, gets called to answer the phone, leaves computer showing full patient record—visible to the next patient in line.
The Fix:
Enable automatic screen lock after 5 minutes (15 minutes maximum per HIPAA)
Train staff to manually lock (Windows: Win+L, Mac: Cmd+Ctrl+Q) every time they leave workstation
Position monitors so screens aren't visible to patients
Use privacy screen filters
Cost: $15-30/monitor for privacy screens
Policy Cost: $0, just training and enforcement
The ROI of HIPAA Compliance for Dental Practices
Let's talk money. Because ultimately, that's what practice owners care about.
Investment Required for Small Practice (1-3 dentists):
| Category | Annual Cost |
|---|---|
| Privacy Officer time (internal, 5 hours/month) | $3,000 |
| HIPAA training program | $800 |
| Technology improvements (encryption, backup, security) | $2,400 |
| Encrypted email | $720 |
| Policy templates and updates | $500 |
| Annual risk assessment (can be internal) | $1,200 |
| Total Annual Investment | $8,620 |
Potential Costs of Non-Compliance:
| Violation Type | Minimum Penalty | Maximum Penalty | Typical Settlement |
|---|---|---|---|
| Lack of BAAs | $10,000 | $50,000 | $25,000 |
| No risk assessment | $10,000 | $50,000 | $20,000 |
| Delayed records access | $5,000 | $25,000 | $12,000 |
| Unencrypted device breach (500+ patients) | $50,000 | $250,000 | $85,000 |
| No training documentation | $5,000 | $50,000 | $15,000 |
| Potential Total | $80,000 | $425,000 | $157,000 |
Break-Even Analysis: You'd need to avoid just one minor violation every 18 years for HIPAA compliance to pay for itself.
But the real ROI isn't avoiding fines. It's:
Patient Trust: 73% of patients say data security influences their choice of healthcare provider
Competitive Advantage: HIPAA compliance becomes a marketing differentiator
Insurance Benefits: Many professional liability carriers offer discounts for documented compliance programs
Operational Efficiency: Security systems often improve workflow and reduce inefficiencies
Peace of Mind: Sleep better knowing you're protected and doing right by your patients
Your Next Steps: Getting Started Today
If you're reading this and feeling overwhelmed, take a deep breath. I've helped practices go from zero compliance to fully compliant in less than six months. You can do this.
This Week:
Designate your Privacy and Security Officers (can be the same person)
Do a walk-through of your practice looking for obvious PHI exposure
Make a list of all your vendors who handle patient information
Enable encryption on all laptops and mobile devices
This Month:
Create a simple risk assessment (even a basic spreadsheet is a start)
Implement automatic screen locks on all computers
Request BAAs from your top 5 vendors
Schedule HIPAA training for all staff
Next 90 Days:
Develop or update your HIPAA policies
Complete vendor BAA collection
Conduct comprehensive risk assessment
Implement priority security improvements
Document everything
A Final Story: Why This Matters
I want to leave you with a story that reminds me why HIPAA compliance isn't just about avoiding fines—it's about protecting real people.
In 2018, I worked with a pediatric dentist whose practice was breached. Among the stolen records was information about a 12-year-old girl in foster care. Her records contained notes about abuse, social services involvement, and her biological parents' location.
The records ended up on the dark web. Within weeks, her biological father—who'd lost parental rights due to abuse—used the information to track her down. The girl had to be relocated. Her foster family lived in fear.
The dentist was devastated. "I became a dentist to help children," she told me, tears in her eyes. "And my carelessness put a child in danger."
That practice now has the most rigorous HIPAA program I've ever seen. Every staff member understands that PHI isn't just data—it's real people's lives, their safety, their privacy, their dignity.
That's why HIPAA matters.
It's not about checking boxes or avoiding fines. It's about honoring the trust your patients place in you every time they sit in your chair and share their health information.
Your patients trust you with their oral health. They trust you with their personal information. They trust you to protect their privacy.
Don't let them down.
"HIPAA compliance isn't a burden—it's a privilege. It's the price we pay for the honor of being trusted with our patients' most private information."