HIPAA Compliance · Dental Specialty

HIPAA Compliance for
Dental Practices.

Written, OCR-defensible Risk Analysis built for the way dental practices actually run. CIPP/US certified. Free 30-min discovery call to scope the right engagement. No retainer. No software subscription. Houston-based, serving solo and group dental practices nationwide.

First Step: Free Consultation
Timeline: 3 weeks
Format: Flat fee, written

Why Dental Practices Need a Dental-Specific Approach

Generic HIPAA Documentation
Misses Where Dental Practices Actually Get Hit.

Most off-the-shelf HIPAA compliance platforms were built for general medical practices. Dental practices have four distinct compliance pressure points that those platforms do not address with the depth OCR has been applying in recent enforcement actions.

01

Patient Records Include Imaging and Photography

Dental patient record sets include radiographic images, intraoral photographs, and 3D scans. All of these are PHI under HIPAA. Where this PHI lives, who can see it, how it is shared with referring specialists, and whether the practice management software vendor has a current BAA covering image data are all questions a generic Risk Analysis does not answer.

02

Parental Access Is a 2026 Enforcement Priority

Dental practices serve large pediatric populations. On December 3, 2025, OCR Director Paula M. Stannard issued a Dear Colleague letter formally declaring parental access to minor children's medical records an enforcement priority. EHR "flip the switch" age cutoffs that automatically restrict parental access at age 13 may themselves violate HIPAA. Dental practices using these platforms need to review their portal configurations now.

03

The Vendor Stack Is Wider Than People Think

A typical small dental practice has 8 to 14 vendors that touch PHI: practice management software, imaging systems, secure email, cloud backup, IT support, billing service, insurance verification, appointment reminder service, and increasingly an AI scribe or AI caries-detection tool. Each requires a BAA that meets the specific provisions of 45 CFR 164.504(e). Many existing BAAs do not.

04

Front-Desk Workflow Creates Administrative-Safeguard Risk

Hospitals have separated administrative and clinical areas. Dental practices typically do not. Patient names visible on the schedule, treatment discussions audible across the operatory, sign-in sheets at the front desk, and shared workstations all create administrative-safeguard exposure that requires specific mitigations in the Risk Analysis under 45 CFR 164.308(a)(3).

Recent OCR Enforcement Against Dental Practices

The Settlements Are Not Hypothetical.
They Are Recent.

OCR has settled multiple right-of-access cases with dental practices in the last three years. Every settlement cited specific failures that a properly constructed Risk Analysis and Risk Management Plan would have caught.

October 2024

Gums Dental Care — $70,000. OCR fined Gums Dental Care for willfully failing to provide a mother timely access to her and her minor children's dental records. The violation was classified as willful neglect, uncorrected, the highest HIPAA penalty tier.

December 2025

Concentra, Inc. — $112,500. Texas-based occupational health and dental services provider. The 54th Right of Access enforcement action since the initiative launched in September 2019.

September 2022

Three dental practices settled simultaneously. Paradise Family Dental paid $25,000 after a mother was denied access to her and her child's records for over eight months. Family Dental Care paid $30,000. Great Expressions Dental Center of Georgia paid $80,000. All three settlements cited the same Right of Access failure pattern.

2024–2025 trend

OCR's Risk Analysis Initiative. Launched in fall 2024. The first seven settlements ranged from $10,000 (Northeast Surgical Group, a small Michigan practice) to $350,000 (NERAD). Every single settlement cited the same root failure: a missing or inadequate Risk Analysis under 45 CFR 164.308(a)(1)(ii)(A). By April 2026, OCR had completed 13 Risk Analysis Initiative investigations and 19 ransomware-related breach investigations. Small practices have not been protected by size.

What You Get

Six Deliverables.
One Engagement.

North Privacy Advisors produces a complete, dental-specific HIPAA compliance package in three weeks. Every deliverable is a written document that an OCR investigator can read in the first hour of a complaint review.

01

Practice Walkthrough

Remote or on-site review of your clinical, administrative, and technical workflows. We talk to the front desk, the hygienists, the assistants, and the IT vendor, not just the practice owner. This is where most software-generated Risk Analyses fail because they cannot see how your front desk handles insurance cards, where the printed schedule sits during the day, or which staff have administrative rights to the practice management system.

02

Written, Dated, Signed Risk Analysis

A document that meets 45 CFR 164.308(a)(1)(ii)(A) and maps to all nine elements of HHS Final Guidance: scope, data collection, threats and vulnerabilities, current security measures, likelihood and impact analysis, risk rating, documentation, periodic review, and risk management. Built specifically for dental practice workflows.

03

Risk Management Plan

For each identified risk rated above Low, the plan records a documented owner, action, deadline, and current status. This is what closes the loop OCR wants to see between identifying a risk and actually addressing it. Required under 45 CFR 164.308(a)(1)(ii)(B), which OCR has named as an enforcement priority in 2025–2026.

04

Vendor and BAA Inventory

A complete list of every vendor that touches PHI in your dental practice (PMS, imaging system, IT, cloud backup, secure email, billing service, insurance verification, appointment reminders, AI tools), each with current BAA status. Identifies missing BAAs in priority order with a ready-to-send BAA request template.

05

Workforce Training Documentation Review

A review of your existing training records against the HIPAA workforce training requirement at 45 CFR 164.530(b) and, for Texas practices, the stricter HB 300 standard requiring training within 90 days of hire and signed records retained for six years. Identifies gaps in content, attendance, and retraining cadence. OCR enforcement actions consistently cite missing or undocumented training.

06

60-Minute Readout Session

A live walkthrough with you and any staff you want present. We review the Risk Analysis, the Risk Management Plan, the vendor inventory, and what to do in the next 30, 60, and 90 days. Recorded if you want it for staff training later.

Your Dental Practice
Deserves Real Documentation.

Book a free 30-minute consultation. No pitch, no pressure. We will tell you whether a Risk Analysis is the right next step or whether the $750 Privacy Exposure Review is a better starting point.