Quick answer
Houston pediatric dental practices face HIPAA compliance requirements that go beyond what most general practices encounter. A parent requesting a child’s records has the same 30-day right-of-access protection as any adult patient, and federal enforcement has specifically targeted dental practices that delayed or blocked those requests. Two Texas-area dental practices have appeared in public OCR enforcement actions tied to online review responses. Texas adds a 90-day employee training deadline under HB 300 that is stricter than federal law. A documented risk analysis remains the single most commonly missing safeguard in OCR Security Rule investigations, and ransomware incidents now routinely trigger federal enforcement regardless of practice size.
If you run a pediatric dental practice in Houston, you are almost certainly a HIPAA covered entity. Under 45 CFR § 160.103, a dental practice qualifies as a covered entity if it transmits any health information electronically in connection with a covered transaction. A single electronic insurance claim, or even an electronic eligibility verification with Delta Dental or MetLife, satisfies that threshold. Cash-only practices that never submit any electronic transaction are rare exceptions.
Being a covered entity means the full HIPAA triad applies: the Privacy Rule, the Security Rule, and the Breach Notification Rule. For a practice treating children, a distinct layer of complexity involves parental rights, custody arrangements, and a state-level compliance framework under Texas HB 300 that adds obligations beyond what federal law requires.
What Are the Records-Access Rules for Parents and Children?
Under 45 CFR § 164.524(b)(2), a covered entity must act on an access request no later than 30 calendar days after receiving it. One 30-day extension is permitted, but only if written notice of the delay is sent within the original 30-day window. Missing that deadline by even one day is a cognizable HIPAA violation, and OCR has never accepted “we were busy” as a defense.
In pediatric dentistry, the requesting party is usually a parent. Under 45 CFR § 164.502(g), a parent is generally the minor child’s personal representative and holds the same right to access the child’s protected health information as an adult patient holds to their own records. The Gums Dental Care enforcement action illustrates this directly: the original complaint filed in May 2019 alleged that the practice failed to provide complete records for both the patient and her minor children, and OCR found violations in both categories.
On October 17, 2024, HHS OCR imposed a $70,000 civil money penalty against Gums Dental Care, a solo dental practice in Maryland. This was the first dental-specific civil money penalty (not a negotiated settlement) under the HIPAA right-of-access provision. OCR found that the violation ran from August 2019 through March 2022 at the willful-neglect level, Tier 4 under 45 CFR § 160.404. The practice had tried to charge a $25 flat mail fee even though the patient had requested electronic delivery by email, and OCR found that fee impermissible for electronic access. The four penalty tiers run from $100 per violation for unknowing failures up to a $50,000 minimum per violation for willful neglect that is never corrected, with an annual cap of $1,500,000 for identical violations. For a solo Houston pediatric dental practice, a single course of willful non-compliance could exceed $70,000.
There are three situations where a parent is not automatically the personal representative: the minor independently consented to care under a state law that does not require parental consent; the minor obtained care through a court order; or the parent previously agreed to a confidential treatment relationship. For Houston pediatric dentists, this matters most in custody situations. When a non-custodial parent requests a child’s records, the practice should verify conservatorship status under the Texas Family Code before releasing anything. A non-managing conservator may not have records-access rights under state law, and releasing records to the wrong person is itself a HIPAA violation.
Texas Administrative Code 22 TAC § 108.8 adds a retention obligation that surprises many pediatric practices: dental records for a patient treated as a minor must be kept until the patient reaches age 21, or for five years from the last treatment date, whichever is longer. A patient last treated at age four requires records maintained for 17 years. Those records must remain securely stored and accessible for valid right-of-access requests throughout that entire period.
As of December 2025, OCR’s Right of Access Enforcement Initiative had reached its 54th enforcement action, with at least six actions specifically involving dental practices. Settlements have ranged from $3,500 to $200,000, and OCR has repeatedly held that practices cannot charge per-page copy fees when a patient requests electronic delivery of electronic records. Family Dental Care in Chicago paid $30,000 after a patient waited over five months for complete records following a May 2020 request.
Can a Social-Media Response Violate HIPAA?
Yes, and it has already happened to dental practices in Texas. Responding to a Google or Yelp review by confirming that someone is a patient, referencing their visit date, or mentioning any treatment details is an impermissible disclosure of PHI under the HIPAA Privacy Rule.
On October 2, 2019, Elite Dental Associates of Dallas, Texas agreed to pay $10,000 and implement a corrective action plan to settle HIPAA violations arising from social-media responses to patient reviews. The practice disclosed patient PHI in public online responses, making it one of the very few Texas dental practices named in a public OCR settlement. The facts are directly relevant to every Houston pediatric practice managing its online presence.
On March 28, 2022, OCR imposed a $50,000 civil money penalty against a dental practice in North Carolina for disclosing PHI on its public website in response to a negative review. That penalty was assessed rather than negotiated, in part because the practice failed to respond to OCR data requests and an administrative subpoena. On December 14, 2022, OCR announced a resolution agreement with New Vision Dental in California after it repeatedly disclosed patient full names and visit details on its Yelp page when responding to reviewers who had used only their Yelp monikers.
The pattern is consistent: any practice response that goes beyond “thank you for your feedback, please call our office” risks a federal investigation. For a pediatric dental practice, a response that references a child patient’s treatment discloses a minor’s PHI, which compounds the severity of the violation. The 2022 OCR guidance on online tracking technologies also confirmed that patient portals and appointment schedulers where users log in remain subject to full HIPAA scrutiny when third-party analytics tools like Google Analytics or Meta Pixel are present.
How Does Texas Law Change the Compliance Picture?
Texas Health and Safety Code § 181.101(b), enacted as part of HB 300 effective September 1, 2012, requires covered entities to train employees on state and federal PHI law within 90 days of hire and to obtain a signed verification of completed training, retained for six years from the signature date. The 90-day window is stricter than HIPAA’s undefined “reasonable period” standard. A front-desk employee hired on January 1 must have documented, signed training completed by April 1 of the same year.
Texas also maintains a separate civil penalty structure under Health and Safety Code § 181.201. Penalties range from $5,000 per violation per year for negligent violations up to $25,000 per violation per year for knowing or intentional violations. Knowing or intentional use of PHI for financial gain can reach $250,000 per violation. Where violations form a pattern or practice, a court may assess up to $1,500,000 annually. These Texas penalties are separate from and cumulative with federal HIPAA civil money penalties enforced by OCR. A Houston pediatric dentist facing both OCR and the Texas Attorney General for the same underlying conduct is exposed to two independent enforcement frameworks at the same time.
Texas Administrative Code 22 TAC § 108.72 requires every entity providing dental services in Texas to formally designate a licensed Texas dentist as custodian of records in writing. Group practices with multiple dentists must complete this designation. The custodian must provide records to treating dentists within 15 days of a written request and must furnish records to the Texas State Board of Dental Examiners on demand. Texas Administrative Code 22 TAC § 108.13 also gives the parent or guardian of a child under 18 the right to be present during treatment; a dentist may exclude a parent only when presence would negatively impact care quality, and that determination must be documented in the patient record.
On the Notice of Privacy Practices front, a federal court in the Northern District of Texas vacated most of the 2024 Reproductive Health Care Privacy Rule on June 18, 2025. Certain NPP modifications survived the ruling. Houston pediatric dental practices must update their Notice of Privacy Practices by February 16, 2026 to reflect the surviving requirements under 45 CFR § 164.520(b)(1)(ii)(E).
Are Ransomware and Vendor Breaches on Your Radar?
Ransomware is now a primary driver of HIPAA enforcement against healthcare practices of every size. In April 2026, OCR settled four separate HIPAA Security Rule ransomware investigations totaling $1,165,000 in payments, ranging from $30,000 to $500,000 per settlement. Those were OCR’s 19th through 22nd completed ransomware investigations. OCR treats ransomware as a presumed HIPAA breach unless the covered entity can demonstrate through forensic evidence that PHI was not compromised, and small practices rarely have that documentation. OCR settled one ransomware case with a small specialty neurology practice for $25,000 in April 2025, suggesting that it scales penalties to practice size, but a two-year corrective action monitoring period came with that settlement regardless.
Vendor breaches create direct exposure as well. On March 5, 2026, OCR settled a HIPAA investigation with MMG Fusion, a dental practice management software company whose breach affected approximately 15 million individuals. MMG agreed to pay $10,000 and implement a corrective action plan monitored for three years. OCR found violations including failure to conduct an adequate risk analysis and failure to timely notify covered-entity dental clients of the breach. Every Houston pediatric dental practice should verify that its practice management software vendor, billing service, IT support firm, and any cloud-based system handling patient data each have a signed Business Associate Agreement in place. A practice whose vendor suffers a breach without a valid BAA may face joint HIPAA liability.
Under 45 CFR § 164.308(a)(1)(ii)(A), every covered entity must complete an accurate, thorough, and documented risk analysis covering all electronic PHI regardless of practice size. Risk analysis deficiency is the most frequently cited Security Rule violation in OCR enforcement actions year after year. In 2023, risk analysis was the top deficiency identified across seven breach investigations that resulted in settlements totaling over $6 million. HHS provides a free Security Risk Assessment tool, but completing the tool (not just opening it) must be documented.
A January 6, 2025 Notice of Proposed Rulemaking in the Federal Register (docket 2024-30983) proposes the most significant update to the HIPAA Security Rule since 2003. Key proposals include mandatory encryption of ePHI at rest and in transit, 72-hour contingency plan activation capability, and elimination of the current “addressable” specification category that has historically given small practices flexibility. As of June 2026, the rule has not been finalized, but the proposed direction signals where OCR enforcement expectations are heading.
For breach notification, covered entities must notify affected individuals no later than 60 calendar days after discovery under 45 CFR § 164.404. Breaches affecting fewer than 500 individuals (the most common scenario for a pediatric dental practice) must be logged and reported to HHS by March 1 of the year following discovery under 45 CFR § 164.408. Failure to maintain that log is itself a citable violation.
What to do next
A completed, documented HIPAA risk analysis is the foundation for addressing every compliance gap covered in this article. If your Houston pediatric dental practice has not completed one recently, a structured HIPAA risk analysis will identify weaknesses in your records-access workflow, vendor BAA coverage, employee training documentation, breach notification procedures, and online-review response policies. North Privacy Advisors works with Texas dental practices to conduct, document, and remediate risk analyses under the standard required by 45 CFR § 164.308(a)(1)(ii)(A). Contact us to schedule an assessment before the next OCR enforcement sweep finds you instead.
Last Updated: June 8, 2026