HIPAA Rules for Dentists
The HIPAA Rules for dentists are the same as for any other healthcare provider that qualifies as a HIPAA covered entity inasmuch as, if a dentist qualifies as a HIPAA covered entity, they must comply with the applicable standards of the HIPAA Privacy, Security, and Breach Notification Rules. However, not all dentists qualify as a covered entity, and certain HIPAA regulations for dental offices may not apply in every state if the state has passed a privacy law with more stringent data protection or increased patient rights.
The issue of HIPAA in dentistry is a complex one. This can be because some dentists do not fulfil the criteria to be covered entities and others may have hybrid roles, provide services to a covered entity as a business associate, or operate in a state with more stringent privacy laws than HIPAA.
It is not only dentists that find the HIPAA Rules for dentists challenging. 65% of complaints from members of the public relating to HIPAA violations are dismissed after review due to not having an eligible case for action. While not all the complaints are attributable to dentist HIPAA violations, the high percentage of dismissed cases implies the public also finds HIPAA in dentistry complex.
Does HIPAA Apply to Dentists?
In most cases, yes. However, there are some dentists who do not qualify as HIPAA-covered healthcare providers because they do not “transmit information in an electronic form in connection with a transaction for which the Department of Health and Human Services has adopted a standard”. The adopted standards include eligibility checks, authorizations, and claims information.
To further confuse the question of whether HIPAA applies to dentists, certain voice communications by telephone and paper communications by non-digital fax are not considered “electronic” transactions. A dentist communicating exclusively by phone and fax may not qualify as a HIPAA-covered healthcare provider and may not have to follow the HIPAA Rules for dentists.
An exception to the criteria exists if a dentist engages a third-party administrator or Dental Support Organization on their behalf to perform eligibility checks, obtain authorizations, and transmit claims information. In such cases, even though the dentist or dental office is not fulfilling the requirements to qualify as a HIPAA-covered healthcare provider, they are still considered a HIPAA dentist.
Further exceptions exist if a dentist who does not qualify as a covered entity provides a service for, or on behalf of, a dentist who does qualify as a covered entity, or if a solo practitioner divides their time between working in a public school (which is exempt from HIPAA) and working in a qualifying practice. In the first exception, the dentist is a business associate. In the second, they are a hybrid entity.
Additionally, dentists that work for dental firms as employees are not usually HIPAA covered entities. Although a qualifying solo practitioner is most likely to be a covered entity under HIPAA, dentists that work for dental firms as an employee, contractor, or volunteer are governed by the policies and procedures put in place by the dental firms to comply with the HIPAA laws that apply to dentists.
Which HIPAA Laws Apply to Dentists?
In circumstances in which HIPAA does apply to dentists, qualifying dentists and dental practices have to comply with the HIPAA Privacy Rule, the HIPAA Security Rule, and – if a data breach exposes unsecured Protected Health Information – the HIPAA Breach Notification Rule. A brief summary of each of these HIPAA Rules follows, with links to further information.
The HIPAA Privacy Rule for Dentists
The HIPAA Privacy Rule requires dentists to implement appropriate safeguards to protect the privacy of individually identifiable health information and places conditions on the uses and disclosures of Protected Health Information (PHI). The permissible “minimum necessary” uses and disclosures of PHI not only apply to electronic communications, but also to oral and written communications.
The HIPAA Privacy Rule also requires dentists to provide each new patient with a Notice of Privacy Practices. The Notice must explain how the dentist can use or disclose PHI within the HIPAA laws for dentists, explain when the patient’s authorization is required before a disclosure, and explain their rights in respect of patient access to medical information.
To ensure the HIPAA laws for dentists are applied, dentists are required to appoint a HIPAA Privacy Officer or designate the role to an existing member of the workforce. In larger organizations – for example, Dental Service Organizations or Organized Health Care Arrangements – it may be necessary to establish a HIPAA compliance team to implement the HIPAA Privacy and Security Rule standards.
The HIPAA Security Rule for Dentists
The HIPAA Security Rule primarily consists of three sets of “requirements” – technical requirements, physical requirements, and administrative requirements. The technical requirements cover how patient information should be communicated electronically (for example, unencrypted email is not allowed, nor is SMS). The technical requirements also detail the processes and controls that have to be implemented in order to protect electronic PHI when it is at rest or in transit.
The physical HIPAA regulations for dental offices concern the security of computer systems and the environment in which computer systems are situated. Responsibilities included in the physical HIPAA regulations for dental offices include establishing a facility plan and a contingency plan in the event of an emergency and implementing validation procedures to restrict physical access to electronic PHI stored on computer systems.
The administrative HIPAA rules for dentists require that a HIPAA Security Officer is appointed to select and implement compliant software systems. Security Officers are also responsible for developing “best practice” policies, training dental office employees on security awareness, and monitoring activity on systems containing electronic PHI. HIPAA Privacy and Security Officers are also responsible for ensuring HIPAA compliance by employees and business associates.
The Breach Notification Rule for Dentists
If an impermissible disclosure of unsecured PHI results in a data breach, the Breach Notification Rule requires dentists to notify the affected individuals within 60 days of the breach being discovered. The dentist must also notify HHS’ Office for Civil Rights and, if more than 500 individuals are impacted by the data breach, the local media.
In addition to implementing measures to reduce the risk of a data breach to a “reasonable and acceptable level”, the HIPAA Privacy and Security Officers must also develop procedures for employees or patients to report a data breach and measures to mitigate the impact of the data breach. These may include credit monitoring services and identity theft protection.
It is important to be aware that, as well as having privacy laws that pre-empt HIPAA, some states also have Breach Notification Rules with shorter notification periods. In theory, a dentist could be in compliance with the HIPAA breach notification rules for dentists, but still be in violation of local laws, or of laws such as the Texas Medical Records Privacy Act that apply nationwide to the records of the state’s residents.
The Penalties for Violating the HIPAA Rules for Dentists
Although 65% of complaints relating to HIPAA violations are dismissed after review, there have been more than 100,000 complaints about HIPAA Privacy Rule and Security Rule violations upheld by HHS’ Office for Civil Rights. In most cases, complaints are resolved by the provision of technical assistance to prevent a repeat of the violation, or by the imposition of a Corrective Action Plan if the violation is attributable to an underlying problem.
However, the Office for Civil Rights and State Attorneys General can impose financial civil penalties for violating the HIPAA Rules for dentists, and there have been several large fines issued in the past ten years:
- In 2015, Joseph Beck of Comfort Dentists, Kokomo, Ind., was fined $12,000 for the unauthorized disclosure of thousands of patient records in boxes found abandoned by a dumpster.
- In 2019, Elite Dental Associates in Dallas, Texas, agreed to a $10,000 settlement and a Corrective Action Plan for impermissibly disclosing patients’ ePHI on a review website.
- In 2022, three dental practices reached settlements totaling $142,500 for noncompliance with patients’ access rights, disclosing PHI on social media, and impermissibly using PHI for marketing purposes.
- In 2024, Gums Dental Care of Silver Spring, MD, became the 50th HIPAA covered entity to be found guilty of a patients’ rights violation when it was fined $70,000 for a right of access violation.
Individual members of the workforce can also be held accountable for violating the HIPAA Rules for dentists. While in most cases, employees who violate HIPAA can be suspended, terminated, or lose their license to practice, in 2018 a dental surgery receptionist was sentenced to 2 to 6 years for abusing her system access rights and stealing the individually identifiable health information of 653 patients.
HIPAA Training for Dentists to Avoid HIPAA Violations
All staff working in a qualifying dental practice must receive HIPAA training because HIPAA explicitly requires covered entities, including dentists, to train their workforces on privacy and security requirements. The HIPAA Privacy Rule states that covered entities must train all members of their workforce on policies and procedures related to protected health information (PHI) under 45 C.F.R. §164.530(b)(1), and the HIPAA Security Rule requires security awareness and training for all workforce members under 45 C.F.R. §164.308(a)(5).
This applies to everyone in the dental office, including dentists, hygienists, assistants, front desk staff, billing personnel, and any other team members who may handle or be exposed to PHI. Providing regular, role-appropriate HIPAA training helps staff recognize risky behaviors, understand how to use technology securely, avoid improper disclosures, and respond correctly to privacy and security incidents. As a result, effective training reduces the likelihood of HIPAA violations, lowers the risk of costly breaches and penalties, and helps protect both the practice and its patients.
HIPAA Rules for Dentists FAQs
What is individually identifiable health information?
Individually identifiable health information is health information collected from a patient that identifies the patient or could be used with other information to identify the patient. To be covered by HIPAA, individually identifiable health information has to relate to the past, present, or future physical or mental health or condition of the patient, the provision of health care to the patient, or the past, present, or future payment for the provision of health care to the patient.
What is the difference between individually identifiable health information and Protected Health Information (PHI)?
The difference between individually identifiable health information and Protected Health Information is that individually identifiable health information is information that identifies an individual and relates to their physical or mental health condition, treatment for the condition, and/or payment for the treatment.
Protected Health Information is individually identifiable health information plus any other information that could be used to identify the individual that is maintained in the same designated record set. For example, a patient’s telephone number is Protected Health Information when maintained in the same designated record set as their individually identifiable health information, but not when it is maintained in a database absent any health or payment information.
What are the permissible uses and disclosures of PHI for dentists?
Permissible uses and disclosures of PHI for dentists include uses for treatment, payment, and health care operations such as quality assessment, provider performance evaluations, and compliance reviews. Dentists are also permitted, but not required, to disclose PHI for public health and benefit activities such as reporting abuse to public health agencies or disclosing PHI to law enforcement.
What is the Minimum Information Necessary Rule?
The Minimum Information Necessary Rule stipulates that covered entities should only use, disclose, or request the minimum amount of PHI necessary to achieve the objective of the use, disclosure, or request. For example, if a dentist wanted to check the eligibility of a patient to receive a certain level of treatment, they would not be permitted to send the payer the patient’s entire medical history.
What does patient access to medical information mean?
Patient access to medical information means that, except in certain circumstances, patients have the right under the HIPAA Privacy Rule to obtain and review a copy of the PHI maintained about them by a covered entity or business associate. Patients also have a right to request corrections when information is inaccurate or incomplete, and request an accounting of disclosures to find out who their PHI has been shared with in the previous six years.
Why is dental treatment provided at a public school exempt from HIPAA?
Dental treatment provided at a public school is exempt from HIPAA because students’ medical records are considered to be part of their educational records under the Family Educational Rights and Privacy Act (FERPA). As FERPA has more stringent data protection requirements than HIPAA in terms of permissible uses and disclosures, FERPA preempts HIPAA.
What validation procedures are necessary in a dental office?
The validation procedures necessary in a dental office relate to authenticating the identity of anybody with access to onsite servers that store PHI. However, other forms of identity and access management should be implemented to prevent unauthorized access to cloud-based databases, EHRs, and other systems on which PHI is stored – along with event logs to record system access.
Do all dentists qualify as covered entities under HIPAA?
Not all dentists qualify as covered entities under HIPAA. This is because, to qualify as a covered entity, healthcare providers must transmit information in an electronic form in connection with a transaction for which the Department of Health and Human Services has adopted standards. The transactions for which the Department has adopted standards can be found in 45 CFR Part 162 of the HIPAA Administrative Simplification Regulations.
Are there circumstances in which dentists do not qualify as covered entities but still have to comply with the HIPAA Rules?
There are circumstances in which dentists do not qualify as covered entities but still have to comply with the HIPAA Rules. The most common example is when a non-qualifying dentist treats a patient on behalf of a covered entity. In this example, the dentist is providing a service as a business associate and has to comply with the HIPAA Security and Breach Notification Rules as well as any standards of the HIPAA Privacy and General Rules applicable to the service being provided.
Why are certain voice communications by telephone not considered electronic transactions?
Certain voice communications by telephone are not considered electronic transactions when they are conducted via a traditional landline telephone that uses a circuit-switched voice communication service through the Public Switched Telephone Network. If a dentist uses a VoIP or UCaaS voice communication service (i.e., Skype, Teams, RingCentral, etc.), the communication is considered electronic and HIPAA applies to both the content of the call and the technology it is made on.
What HIPAA Rules apply to dentists?
All “applicable” HIPAA Rules apply to dentists that qualify as covered entities or business associates. Like most healthcare providers, dentists are not required to comply with every standard, regulation, or implementation specification of the HIPAA Administrative Simplification Regulations because many of them will not apply to dentists’ activities.
What happens if there is a data breach in a dental practice?
If there is a data breach in a dental practice, the practice has to notify affected individuals of the breach within sixty days. HHS’ Office for Civil Rights also has to be notified (within sixty days if the breach affects more than 500 patients); and, if more than 500 patients are affected, the practice has to notify local media outlets within sixty days.