HIPAA Compliance for Dentists
HIPAA compliance for dentists consists of complying with the applicable standards of the HIPAA Administrative Simplifications Regulations, state regulations with stronger protections than HIPAA, and any compliance requirements attributable to the operational setup. It is important for dentists to be aware of their HIPAA “status”, understand who within the organization is responsible for HIPAA compliance, and ensure all dental practice workers comply with HIPAA privacy and security policies and procedures.
HIPAA compliance for dentists and dental practices can be particularly complicated. This may be because some dentists do not qualify as covered entities and are not required to comply with the HIPAA Privacy and Security Rules, it may be because state privacy laws pre-empt HIPAA, or because a dental practice is part of a Dental Service Organization which itself may be part of an Affiliated Covered Entity or Organized Health Care Arrangement.
The Administrative Simplification Regulations of HIPAA can be difficult to understand for any type of covered entity or business associate. Not only can the complex nature of the regulations confuse organizations required to comply with them, but it can also confuse the public – evidenced by the fact that two-thirds of complaints to the Department of Health and Human Services’ Office for Civil Rights, the enforcer of HIPAA, are dismissed after review.
Does HIPAA Apply to Dentists?
HIPAA applies to most dentists, but not all dentists. According to the Department of Health and Human Services (HHS), HIPAA applies to dentists, “but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard”. The transactions for which HHS has adopted standards include (but are not limited to):
- Payment and remittance advice
- Claims status
- Eligibility
- Coordination of benefits
- Claims and encounter information
- Enrollment and disenrollment
- Referrals and authorizations
- Premium payment
Voice communications by PSTN phone and paper communications by non-digital fax are not considered “electronic”, and it is possible for a dentist to operate a business using only these channels of information – in which case they would not be required to comply with the HIPAA regulations for dental offices. Dentists might also not be covered by HIPAA if they work at a public school because students’ medical records in public schools are covered by the Family Educational Rights and Privacy Act.
However, if a dentist or dental practice uses (for example) email to make a claim for payment, but non-digital fax for every other operation for which HHS has adopted standards, the dentist is covered by HIPAA for all transactions and must comply with the rules of HIPAA for dental offices. Also, dentists are covered by HIPAA if they do not transmit electronic transactions themselves but use a third party to (for example) make a claim for payment on their behalf.
Confusingly, it is possible for a dentist who does not qualify as a covered entity to be subject to the HIPAA Privacy and Security Rules if they provide a service for, or on behalf of, a dentist who does qualify as a covered entity. As dentists that fail to comply with HIPAA can be subject to substantial penalties, it is important for all dentists to understand if their dental practice is covered by HIPAA; and, if so, what the HIPAA regulations for dental offices are.

Who is Responsible for Dental HIPAA Compliance?
When a dentist qualifies as a covered entity or as a business associate by providing a service for, or on behalf of a covered entity, the responsibility for dental HIPAA compliance depends on the structure of the dental practice. A solo practitioner is naturally responsible for his or her own compliance with HIPAA and must designate themselves as the dental office HIPAA Compliance Officer (or HIPAA Privacy Officer) on their Notices of Privacy Practices.
When a dentist is employed by, or contracted to, an organization, the organization becomes the covered entity. The organization is responsible for appointing (or designating) a HIPAA Privacy Officer and a HIPAA Security Officer – these roles being responsible for developing and implementing policies and procedures that comply with the HIPAA Privacy and Security Rules. The Officers must also develop policies and procedures to comply with the HIPAA Breach Notification Rule.
When a dental practice is part of a Dental Service Organization, Affiliated Covered Entity, or Organized Health Care Arrangement, it is usual for all the entities to share HIPAA Privacy and Security Officers. What this usually means is that all the dental practices in the group have the same Notice of Privacy Practices and apply the same policies and procedures. It also allows them to share PHI for treatment, payment, and health care operations without a Business Associate Agreement.
It is important to note that members of an organization’s workforce (employees, contractors, volunteers, students, etc.) are not business associates for the purpose of HIPAA compliance for dentists. However, they are considered responsible for complying with the policies and procedures implemented by the HIPAA Privacy and Security Officers and can be held personally liable for the wrongful disclosure of individually identifiable health information.
What is HIPAA Compliance for Dentists?
HIPAA compliance for dentists involves complying with the HIPAA Privacy, Security and Breach Notification Rules. The HIPAA Rules for dentists cover how patient healthcare and payment data is created, used, stored, and shared, and the circumstances in which health and payment information can be disclosed without patient authorization. The HIPAA Privacy Rule also gives patients rights over access to their health information.
As mentioned above, dentists and dental practices should appoint a Dental Office HIPAA Compliance Officer (or Officers). This is the first stage of HIPAA compliance for dentists, as the Compliance Officer is responsible for:
- Conducting risk assessments to identify potential vulnerabilities in existing policies and procedures that could result in the unauthorized disclosure of patient data.
- Conducting risk analyses to identify the most appropriate way (as governed by HIPAA) to address the identified vulnerabilities and protect patient data.
- Implementing measures – which may include changes to working practices as well as technological measures – to protect the confidentiality, integrity, and availability of data.
- Developing policies and procedures to support the implementation of the HIPAA-compliant measures, plus a sanctions policy for failure to comply with the policies and procedures.
- Providing HIPAA training for all employees in the dental office about the purpose of HIPAA compliance for dentists, why compliance is important, and how any new procedures will work.
- Conducting due diligence on any third-party service providers with whom patient data is shared (business associates) and reviewing Business Associate Agreements.
- Developing contingency plans should a disaster occur, in order to minimize business disruption and potential penalties for non-compliance with HIPAA.
It is important to note that HIPAA compliance for dentists is not a one-off project. Compliance must be maintained, and training regularly provided when changes to work practices occur and new technology is implemented – even if security changes have nothing to do with HIPAA compliance. It is also important that any risk assessments and analyses conducted when changes are implemented are documented and retained for a minimum of six years.
HIPAA Compliance for Dental Practices
HIPAA compliance for dental practices is not dissimilar to HIPAA compliance for dentists, although the larger the dental firm, the more vulnerable it is to breaches of patient data and the more likely it is to be targeted by cybercriminals. With this in mind, special attention must be paid to cybersecurity defenses and service agreements with business associates.
Risk assessments and risk analyses will undoubtedly be more involved in larger dental firms, and it may be necessary to tailor training to the specific roles of employees. For larger multi-establishment dental enterprises (the highest growth area in dentistry according to the American Dental Association) it may be necessary to appoint a Dental Office HIPAA Compliance team.
Unlike in Dental Service Organizations, Affiliated Covered Entities, or Organized Health Care Arrangements, it may also be necessary to develop and implement different policies for different dental practices. This will most likely occur in larger, multi-state dental firms where a state privacy law in one state overlays HIPAA, but the same law does not apply in another state.
The Penalties for HIPAA Dental Violations
Penalties for HIPAA violations by dentists are not that common. The earliest recorded fine for dentists covered under HIPAA occurred in 2015, when Joseph Beck of Comfort Dentists, Kokomo, Ind., was fined $12,000 for the unauthorized disclosure of thousands of patient records. Beck had engaged the services of a data company to destroy 63 boxes of patient records but had failed to conduct due diligence on the company, and the boxes were found abandoned by a dumpster.
The imposition of penalties for HIPAA violations by dentists prompted the Chairman of the American Dental Association’s Council on Dental Practice – Dr. Andrew Brown – to issue a statement urging healthcare providers in the dental industry to take HIPAA compliance for dentists seriously. He said: “There are steep consequences for healthcare providers that don’t comply with the law, and we don’t want to see any dentists having to pay tens of thousands of dollars in penalties.”
As dental practices grow in size and gather larger databases of patient healthcare and payment data, they become more attractive targets for cybercriminals. Dentists covered under HIPAA need to ensure they comply with the HIPAA Privacy and Security Rules and – if an unauthorized disclosure of unsecured PHI occurs – the HIPAA Breach Notification Rule as the penalties for HIPAA dental violations can be significant.
HIPAA Training for Dentists
Every person who works in a dental practice must receive HIPAA training for dentists because federal law requires it for all workforce members of a covered entity. Under the HIPAA Privacy Rule, 45 C.F.R. §164.530(b)(1) requires covered entities to train all members of their workforce on policies and procedures related to protected health information (PHI). The HIPAA Security Rule, at 45 C.F.R. §164.308(a)(5), further mandates security awareness and training for all workforce members.
This requirement applies to everyone in the dental office, including dentists, hygienists, assistants, reception and front desk staff, billing and administrative personnel, and any others who may see or handle PHI. Consistent, well designed HIPAA training helps staff understand how to recognize and avoid risky behavior, prevent unauthorized disclosures, handle technology and records securely, and respond appropriately to potential incidents. By improving awareness and reinforcing correct day to day practices, HIPAA training significantly reduces the likelihood of violations, data breaches, and resulting consequences for the practice and its employees.
HIPAA Compliance for Dentists: FAQs
Have there been further penalties for HIPAA violations by dentists?
Yes. In 2019, Elite Dental Associates in Dallas, Texas, agreed to a $10,000 settlement and a Corrective Action Plan for impermissibly disclosing patients’ ePHI on Yelp, failing to implement appropriate privacy policies, and failing to provide patients with a HIPAA Notice of Privacy Practices. A dental practice can demonstrate to its patients a commitment to HIPAA by using a HIPAA compliance logo on its website.
Why is a HIPAA Notice of Privacy Practices important?
The HIPAA Notice of Privacy Practices explains to patients how dentists are allowed to use individually identifiable health information and when they are allowed to disclose it without first obtaining the patient’s authorization. The Notice should also explain the circumstances in which authorization is required and provide contact details for the practice’s HIPAA Privacy Officer in case the patient has a question or reason to make a complaint.
Has a dental office employee ever been held liable for a HIPAA violation?
Yes. A former receptionist at a New York dental surgery was sentenced to 2 to 6 years for abusing her access rights and stealing the individually identifiable health information of 653 patients. The information was passed onto a co-defendant in the case, who used the data to steal identities and make fraudulent purchases of high value items.
What HIPAA training do employees of dental practices require?
All members of a dental practice’s workforce (whether employed, students, volunteers, etc.) have to undergo security and awareness training regardless of whether or not they have access to Protected Health Information. Individual workforce members need to be trained on the dental practice’s privacy, security, and breach notification policies and procedures that apply to their functions.
Are there some privacy practices that apply to all workforce members?
It is a good idea to train all workforce members on subjects such as permissible uses and disclosures of Protected Health Information, the minimum necessary standard, and the difference between patient consent and patient authorization. It may also be helpful to explain the background to the HIPAA Privacy and Security Rules and what their objectives are.
What type of business associates might a dental practice share PHI with?
There is a wide range of third-party service providers with whom dental practices might share PHI – for example, a software developer, a cloud-based data storage service (e.g., AWS, Azure, Google Cloud, etc.), an accreditation service, an accountant, or a lawyer.
Before PHI is shared with any third-party service provider, the dental practice must conduct due diligence to ensure any PHI shared with the service provider will be used, disclosed, and secured in compliance with HIPAA, and have a Business Associate Agreement in place detailing how PHI shared with the service provider can be used.
Why “might” dentists be covered by HIPAA if they work at a school?
Although students’ medical records are covered by the Family Educational Rights and Privacy Act (FERPA), some educational institutions – e.g., teaching colleges – provide medical services to members of the public as well as to students. In such cases, although students’ medical records are covered by FERPA, the medical records belonging to members of the public are covered by HIPAA.