
HIPAA Compliance for Dental Practices: What's Actually Required

By Dolev Arama · Updated June 2026

HIPAA compliance for a dental practice means meeting four federal rules that protect patient information: the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule. Almost every dental office is bound by them. The information they protect is called PHI, or protected health information: a patient's name tied to their treatment, an X-ray, an insurance ID, or anything that links a person to their care. In electronic form it is ePHI. This page is the map. It covers what each rule asks of you in plain language, helps you find the answer to your specific situation, and points to the deep-dive guide for it.

[Diagram: the four HIPAA rules a dental practice must meet (the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule) arranged around the patient information (PHI and ePHI) they protect. Prepared by Hipsana.]

What does HIPAA actually require of a dental practice?

HIPAA requires a covered dental practice to protect patient information across four rules that interlock rather than stand alone. The Privacy Rule governs how that information is used and disclosed. The Security Rule governs how its electronic form is safeguarded. The Breach Notification Rule sets what happens after an exposure. The Enforcement Rule defines how the HHS Office for Civil Rights, known as OCR, investigates and sets penalties.

You are almost certainly covered. A dental practice becomes a HIPAA "covered entity" the moment it sends a standard electronic transaction: an insurance claim, an eligibility check, a claim-status inquiry. Nearly every practice that bills insurance electronically meets that test. The trigger is the electronic transaction, not the dentistry and not the number of chairs. When HHS proposed the 2026 Security Rule overhaul, it weighed the burden on small and rural providers and declined to carve them out.

Here is what each rule does.

The Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E) sets the floor for how you may use and share PHI. It carries the minimum-necessary principle, the Notice of Privacy Practices, and patient rights such as access to records. It applies to PHI in any form: paper, spoken, or electronic.

The Security Rule (45 CFR Part 160 and Part 164, Subparts A and C) covers ePHI specifically. It asks for three kinds of safeguards (administrative, physical, and technical), all anchored by a written risk analysis. It is built to be flexible: you choose reasonable, appropriate measures for your size and setup, then document them.

The Breach Notification Rule (Subpart D, sections 164.400 to 164.414) sets what you must do after an impermissible exposure of unsecured PHI. You notify affected patients, notify HHS, and in larger breaches notify the media, each on a defined clock.

The Enforcement Rule (Part 160, Subparts C, D, and E) is how OCR runs investigations and sets civil penalties. A breach is the point where these rules meet. It is an impermissible Privacy-Rule disclosure of unsecured PHI, which starts the Breach Notification clock and can draw an Enforcement-Rule penalty when the underlying Security-Rule safeguards were missing.

One more piece sits on the horizon. HHS has proposed a major Security Rule overhaul that would tighten almost every technical safeguard. It is a proposed rule, not law. We cover where it stands and what it would change in the 2026 Security Rule guide.

Find your situation

Most HIPAA questions are really one question: which rule covers this, and what do I do about it? Find the situation closest to yours below, then open the guide that goes deep on it. Each guide is anchored to a real OCR case, so you can see how the rule plays out, not only what it says.

The guides are grouped into five areas: your security setup and risk; vendors, AI, and the tools you use; patient requests and their records; when something goes wrong; and staff access and cost.

What are your patients' rights under the Privacy Rule?

The Privacy Rule governs how a dental practice may use and disclose PHI, and what patients can demand. Two ideas run through it. Share only the minimum necessary for the task at hand, and give patients defined rights over their own records. It applies to PHI in every form, not only the electronic kind.

Every covered dental practice must have a Notice of Privacy Practices (45 CFR 164.520). This is the plain-language document that tells patients how you use their information and what rights they have. You give it to each patient at the first visit, make a good-faith effort to get a written acknowledgment, and post it where patients can see it, including on your website if you have one. It is a baseline obligation, not a formality you can skip.

The minimum-necessary standard (45 CFR 164.502(b)) means you limit PHI to what the specific job requires. The front desk does not need a patient's full clinical history to confirm an appointment. Note the word "necessary." Treatment is a recognized exception, so a dentist pulling a chart to treat the patient is not barred. The principle is about restraint, not about locking clinicians out of records they need.

Patients also have rights you must honor on a clock. The biggest is the right of access: a patient can ask for a copy of their records, and you generally have 30 days to provide it, with one 30-day extension allowed if you notify the patient in writing. It is also the focus of OCR's Right of Access Initiative, the highest-volume category of HIPAA enforcement, so it is worth getting right. The steps are in the records-request guide. Patients can also ask you to amend a record they believe is wrong and request an accounting of certain disclosures. Specific situations carry their own rules: a parent asking for a child's file, a review reply that names a patient, a subpoena, a deceased patient's records. The map above points you to the right guide for each one.

How do you keep patient data secure under the Security Rule?

The Security Rule protects ePHI through three kinds of safeguards: administrative, physical, and technical. Underneath all of them sits one requirement that everything else depends on, an accurate and thorough written risk analysis. The rule is deliberately flexible, but flexible does not mean optional. You assess your risks, then put reasonable, appropriate controls in place and document them.

The three safeguard types. Administrative safeguards (45 CFR 164.308) are the policies, the risk analysis, the training, and the assignment of responsibility. Physical safeguards (164.310) cover the building and the hardware: who can walk up to a workstation, how devices and media are handled, how old equipment is destroyed. Technical safeguards (164.312) are the controls inside the software: access limits, audit logs, and authentication.

The risk analysis is the foundation, and by a wide margin the most-cited failure in enforcement. It is a Required specification (164.308(a)(1)(ii)(A)), which means you must do it. There is no "document why not" escape for this one. It is an honest inventory of where ePHI lives and what could go wrong, refreshed as your practice changes. If you do one thing this quarter, do this. The risk-assessment guide walks through what it involves.

Train your team. Both the Privacy Rule (164.530(b)) and the Security Rule (164.308(a)(5)) require workforce training, and OCR expects it to be real and periodic, not a binder nobody opens.

Name your officers. You must designate a Privacy Official (164.530(a)) and assign responsibility for security (164.308(a)(2)). In a solo practice this is often one person, sometimes the owner. The point is accountability: a named person owns each side.

Lock down the physical layer. Turn screens away from the waiting room, log off shared workstations, control who holds keys and badges, and dispose of old records and devices so PHI cannot be recovered. Improper disposal is its own violation. How long to keep records and how to destroy them is its own topic, mapped above.

Here is the part practices get confused by, and the part AI assistants get wrong. The Security Rule labels each implementation specification Required or Addressable (164.306(d)). Required means do it. Addressable does not mean optional. It means assess it, implement it if it is reasonable and appropriate, or document why not and put an equivalent measure in place. Two specifics matter because they are so often misstated. Encryption of ePHI is Addressable today (164.312(a)(2)(iv) and (e)(2)(ii)). Multi-factor authentication is not named at all. The rule sets an authentication goal (164.312(d): verify that a person seeking access is who they claim) and your risk analysis picks the method. The MFA guide explains why "not required by name" is not the same as "safe to skip."

Control                                   | Status under today's Security Rule          | Where it lives
Risk analysis                             | Required                                    | 164.308(a)(1)(ii)(A)
Unique user ID per person                 | Required                                    | 164.312(a)(2)(i)
Encryption of ePHI (at rest and in transit) | Addressable                               | 164.312(a)(2)(iv), (e)(2)(ii)
Multi-factor authentication               | Not named (an authentication goal is set)   | 164.312(d)
Automatic logoff                          | Addressable                                 | 164.312(a)(2)(iii)

How today's Security Rule treats five controls dentists ask about most. "Addressable" means assess-and-justify, not optional.

The proposed 2026 rule would change much of this. It would make encryption a standalone requirement, mandate MFA, and remove the Required-versus-Addressable distinction. It is proposed, not law. The detail is in the 2026 Security Rule guide.

If you want a fast read on where your own practice stands, our free Scorecard checks the ten core Security Rule controls OCR cites most and shows whether the broader HIPAA foundation is in order.

What happens when something goes wrong?

When unsecured PHI is exposed in a way the rules do not permit, it is presumed to be a breach. You can rebut that presumption only with a documented four-factor assessment (164.402) showing a low probability that the information was compromised. Ransomware that encrypts ePHI is treated as a presumed breach. Encryption acts as a safe harbor only if the data was already unreadable when the incident happened.

The four factors are the nature and extent of the PHI involved, who the unauthorized person was, whether the information was actually acquired or viewed, and how far the risk has been mitigated. The instinct after an incident is to restore from backup and move on, but restoring data does not end the duty to assess and, where required, to notify. Breach response, ransomware specifics, and whether cyber insurance fits your practice each have a dedicated guide in the map above.

Step back from any single rule and a pattern shows up in the enforcement record. Across OCR's enforcement actions, one failure is cited more than any other: the missing or inadequate risk analysis. That is also OCR's own emphasis. It runs a Risk Analysis Initiative built around exactly this gap, and independent reviews of OCR's recent Security Rule settlements reach the same conclusion. (An analysis by the law firm Shook, Hardy & Bacon of OCR's enforcement set found inadequate risk analysis in 13 of the 20 matters it examined.) A second pattern is about volume rather than theme. OCR's Right of Access Initiative, which targets practices that do not give patients their own records on time, is the highest-volume enforcement initiative, with more than 45 enforcement actions to date. We document these cases in depth, each anchored to its own OCR settlement, and the records-request guide covers the access rules. Both patterns are real, and neither means OCR cares about only one thing. They point to the same lesson: the unglamorous groundwork, done and documented, is what enforcement rewards.

For the underlying numbers, which dental and healthcare breaches happened, what they cost, and what the settlements actually said, see our Dental HIPAA Breach and Enforcement Report, built from HHS and OCR public data.

What does HIPAA compliance cost?

There are two costs, and mixing them up leads to bad budgeting. The first is the risk analysis, a one-time or periodic assessment of where you stand. The second is the ongoing program: the training, the tools, the policies, and the periodic re-assessment that keep you compliant year to year. They are priced differently and bought at different times.

We keep the actual dollar ranges in the guides that focus on them, because the numbers move with your size and setup. For what a risk assessment runs, see the risk-assessment cost guide. For what a full compliance program costs across a year, see the full cost breakdown.

Frequently asked questions

Is a dental practice a covered entity under HIPAA?

Almost always, yes. A dental practice becomes a covered entity once it transmits health information electronically for a standard transaction, such as filing an insurance claim or checking a patient's eligibility. Nearly every practice that bills insurance electronically meets that test.

Do small or solo dental practices have to comply with HIPAA?

Yes. There is no size exemption. A one-dentist office and a large group practice answer to the same rules. When HHS proposed the 2026 Security Rule overhaul, it considered the burden on small and rural providers and declined to exempt them.

What is the most common HIPAA violation in a dental office?

By theme, the most-cited failure in OCR enforcement is the missing or inadequate risk analysis, which is also the gap OCR's Risk Analysis Initiative targets. By volume, the most frequent enforcement category is the Right of Access: OCR's Right of Access Initiative has brought more than 45 enforcement actions, almost all over a practice not giving patients their own records on time.

Is the 2026 HIPAA Security Rule in effect?

No. As of mid-2026, the 2026 Security Rule overhaul is a proposed rule, not final law. HHS published the proposal in the Federal Register in January 2025 (90 FR 898), the comment period closed in March 2025, and a spring-2026 target passed with no final rule issued. Today's Security Rule still governs. We track it in the 2026 Security Rule guide.

Does my dental practice need a Notice of Privacy Practices?

Yes. Every covered dental practice must maintain a Notice of Privacy Practices (45 CFR 164.520), give it to patients at the first visit, and post it. It explains how you use patient information and what rights patients have.

How do I find out where my own practice stands?

The fastest read is our free HIPAA Scorecard. It checks the ten core Security Rule controls OCR cites most and shows whether the broader HIPAA foundation is in order. It does not replace a full risk analysis, but it surfaces the obvious gaps in a few minutes.