What Happens If a Dental Practice Fails a HIPAA Audit? (2026)
By Dolev Arama · Updated June 2026
A surprise HIPAA audit almost never ends in a fine. What actually costs a dental practice five or six figures is the OCR investigation that follows a breach or a complaint, and it usually comes down to one document most practices never finished: the risk analysis. Here is what that process really looks like, what it costs, and how to get ahead of it.
In late 2021, an Oklahoma emergency medical provider was hit by ransomware that locked records for roughly 14,000 patients. The provider, Bryan County Ambulance Authority, reported the breach to OCR, as the law required. OCR opened an investigation and found one decisive thing: it had never conducted a risk analysis, the basic security review HIPAA requires of every covered practice. The matter settled for $90,000 and three years of federal oversight (HHS, October 2024). It is an ambulance service, not a dental office. But the failure OCR cited has nothing to do with ambulances, and everything to do with the most common gap it finds in small practices of every kind.

First, what a “HIPAA audit” really is (and isn’t)
Most dentists picture an audit as an official appearing unannounced to fine you for a missing box. That is not how the money usually changes hands. OCR runs a formal HIPAA Audit Program under the HITECH Act, but it is small and periodic: the 2016-2017 round reviewed about 200 organizations, and the current round, restarted in late 2024, covers just 50, focused on the risk analysis and risk management requirements of the Security Rule (HHS). Across hundreds of thousands of practices, the odds yours is randomly selected in a given year are low.
Here is the part that surprises people. OCR frames the audit program as a way to improve compliance, not to punish. When the HHS Office of Inspector General reviewed the 2016-2017 round in 2024, it found OCR had identified violations but imposed no penalties, and the audits did not even trigger follow-up investigations. The thing most owners fear, failing a surprise audit, has historically carried no fine at all.
What actually puts a practice at financial risk is an OCR investigation, a different process with a different trigger. It starts when:
- A patient or staff member files a complaint with OCR, or
- You report a breach of unsecured patient information, which the Breach Notification Rule requires (45 CFR §§164.400-414). Breaches affecting 500 or more people are also posted on OCR’s public portal, the “Wall of Shame.”
The resumed audit program adds one wrinkle: if an audit surfaces a serious problem, OCR can convert it into an investigation. But the dominant path to a penalty still runs through the breach you report or the complaint a patient files, not a random knock on the door.
What an OCR investigation actually looks like
The Bryan County case is a clean map of the process, and of the timeline.
Ransomware encrypted the provider's files in November 2021. It reported the breach to OCR in May 2022.
In June 2022, weeks after the breach report, OCR opened its review.
After a breach, one of the first things OCR asks for is your risk analysis and when you last completed it. It is the required written exercise of finding where patient data lives and what could go wrong with it (45 CFR §164.308(a)(1)(ii)(A)).
Here the finding was blunt: there was no evidence the provider had ever done one.
Most matters end in a Resolution Agreement, a settlement plus a Corrective Action Plan, with no admission of wrongdoing. Bryan County paid $90,000 and accepted a plan OCR monitors for three years. A formal Civil Money Penalty is reserved for the worst cases.
Two things catch practices off guard. It is slow: Bryan County's 2021 breach did not settle until late 2024, and another 2024 case ran roughly six years from breach to resolution. And the corrective action plan, not the check, is what people underestimate. It is a multi-year commitment, supervised by the government, to fix what OCR found.
What “failing” actually costs
The honest numbers are smaller than the headlines and larger than most owners assume. In October 2024, OCR launched a Risk Analysis Initiative to focus investigations on this one requirement, and in its first year it announced more than a dozen settlements, from small physician groups to hospital systems. Nearly all shared Bryan County's gap: no accurate, thorough risk analysis. A few published outcomes for that single failure:
- A behavioral health provider: $225,000, plus a two-year corrective action plan, after ransomware.
- Another small provider: $10,000.
- Bryan County's emergency service: $90,000.
- A wellness-plan vendor: about $228,000.
For a solo or small dental practice, realistic exposure for a serious failure sits in the five-to-six-figure range, not the seven-figure range you may have seen quoted. The multimillion-dollar numbers attach to large organizations or the worst tier of violation. The statutory ceiling is real: the maximum annual penalty for willful neglect left uncorrected is $2,190,294 for 2026 (Federal Register, January 2026). But under OCR's longstanding approach that cap applies in practice only to that worst category. A small practice that reports a breach and shows good-faith effort is not the profile that draws it.
The costs that are not a dollar figure matter too. The corrective action plan means years of work under OCR supervision. If a breach crossed the 500-person line, your practice name sits on a public federal list. For a solo dentist whose reputation is the practice, that can outlast the check.
One dental-specific point is worth knowing, because it is the other common way a dentist ends up in front of OCR. In 2022, dental practices were a focus of OCR's Right of Access enforcement, the rule that requires giving patients a copy of their records, usually within 30 days. That September, OCR settled three dental cases at once, for $30,000, $80,000, and $25,000, each over a patient who waited months for records they were owed. So the two paths that most often end in a penalty for a dentist are a reported breach, where the risk analysis is the issue, and a records request the patient had to chase.
The one document OCR checks first
Step back, and the pattern is hard to miss: the expensive failure is almost never exotic. After a breach, the risk analysis is the first thing OCR asks to see, because it shows whether you were watching your own vulnerabilities before something went wrong. A current, honest one does not make you breach-proof, but it changes the conversation, and the factors OCR weighs when setting a penalty include your compliance history and your good-faith effort to fix problems (45 CFR §160.408).
This is also where most practices quietly fall short. The risk analysis is required of every covered practice, but it is not a twenty-minute form. HHS offers a free Security Risk Assessment Tool, a reasonable place to start, but not a finished assessment that would satisfy an investigator: it gives you the questions, not which answers are wrong in your office. If you have never run one, our guide to the dental HIPAA risk assessment covers what it has to include.
That is the gap the HIPAA Risk Scorecard is built to surface. It checks the controls OCR looks at first, scores your practice, and follows with a short review and an intro to a vetted specialist if you want help. A few minutes, and you see where you stand before a breach or a complaint forces the question. Check your practice now.
How to get ahead of an investigation
The work is not mysterious. It mirrors what OCR puts in nearly every corrective action plan, which is a fair description of what “good” looks like to them.
- Do a real risk analysis. Map where patient data lives and what could expose it. Write it down and date it. This is the highest-value step, and the one OCR checks first.
- Build a risk management plan. An analysis that finds problems and fixes nothing is worse than none. List each gap and how you will close it.
- Sign real business associate agreements. Every vendor that touches patient data (your practice-management software, IT company, billing service) needs one (45 CFR §164.504(e)). Missing BAAs are a recurring finding, and AI tools are the newest place they go missing; here is which AI tools will sign a BAA for a dental practice, and the five-question test to run on any AI scribe vendor.
- Write your policies, and follow them. “We know what to do” is not a policy. OCR expects documents you can produce.
- Train your team, and keep the records. A front-desk mistake is the practice's liability. Documented annual training is both a requirement and a defense.
- Have a breach response plan. Knowing how to report on time keeps a manageable incident from becoming a Breach Notification Rule violation on top of the breach, and we walk through the first 60 days after a dental data breach step by step.
None of these is expensive alone, and what a dental HIPAA risk assessment actually costs ranges from free with the federal tool to a specialist's fee. What makes them feel impossible is not knowing which you are missing, which is the whole reason the risk analysis comes first.
The catch: a few things that are easy to get wrong
“We’re too small to be on OCR’s radar.” The Risk Analysis Initiative reached small physician groups, and one settlement for this failure was $10,000, a number that only makes sense for a very small organization. OCR’s position is that no entity is too small for the requirement.
“Reporting my own breach just invites a fine.” Not reporting is far worse. A failure to notify is its own violation, and hiding a breach is the kind of conduct that pushes a case toward willful neglect. The practices that fare best report promptly and show they had done the groundwork.
“A clean audit means I’m fine.” The audit and an investigation test different things. The audit is a documentation review of a handful of practices. The investigation is what happens after a real breach or complaint, and that is where the money is.
This is general information, not legal advice. Hipsana is not a law firm, a compliance officer, or a healthcare provider. Verify current requirements with HHS or qualified counsel before acting.
About the author
Dolev Arama is the founder of Hipsana, where he runs the HIPAA Risk Scorecard and the short practice risk reviews behind it. He is not an attorney, and Hipsana is a publisher and referral service, not a law firm or a healthcare provider. Its compliance writing starts from primary regulators (HHS, OCR, NIST) and is checked against their current text before anything goes live. More about Hipsana →
Sources
- HHS Office for Civil Rights, settlement with Bryan County Ambulance Authority (October 2024).
- HHS Office for Civil Rights, HIPAA Audit Program.
- HHS Office of Inspector General, review of OCR's HIPAA Audit Program (2024).
- 45 CFR §§ 164.308, 164.400-414, 164.504(e), and 160.404-160.408.
- Federal Register, HHS civil monetary penalty inflation adjustment, effective January 28, 2026.
- Federal Register, HIPAA Security Rule NPRM, January 6, 2025.
- HHS Office for Civil Rights, Right of Access enforcement actions (2022).
Frequently asked questions
Does OCR randomly audit small dental practices?
Rarely. The current audit round, restarted in late 2024, covers about 50 organizations nationwide and is focused on risk analysis and risk management. The far more common way a small practice ends up in front of OCR is through a patient complaint or a breach the practice itself had to report.
What is the difference between a HIPAA audit and a HIPAA investigation?
An audit is a periodic, documentation-based review OCR initiates to encourage compliance, and historically it has produced no fines on its own. An investigation is OCR's response to a specific event, usually a complaint or a reported breach, and it is the process that leads to settlements and penalties.
How much is a HIPAA fine for a small dental practice?
There is no single number, but recent settlements for the most common failure, a missing risk analysis, have ranged from about $10,000 to over $225,000, plus a corrective action plan lasting two to three years. The seven-figure amounts you may have read about generally apply to large organizations or the most serious, uncorrected violations.
Is the free HHS risk assessment tool enough?
It is a fair starting point for understanding what a risk analysis involves, but it is not a finished assessment on its own. It gives you the questions, not the answer to which gaps exist in your specific practice. The HIPAA Risk Scorecard checks the controls OCR looks at first and follows with a short review.
What happens if a breach affects more than 500 patients?
On top of notifying the affected individuals and OCR, you must notify prominent media in the area, and your practice is listed on OCR's public breach portal. For a solo practice, the reputational exposure of that listing can matter as much as any settlement.
Can a dentist lose their license over a HIPAA violation?
Not from OCR directly. OCR enforces HIPAA with civil settlements and corrective action plans, and it has no power over your dental license. Licensure is handled by your state dental board, under state law. A serious privacy violation can draw a state board's attention, and state Attorneys General also have authority to bring their own HIPAA cases. The situations where a dentist has actually lost a license generally came from state action over the underlying conduct, not from a HIPAA fine itself.
Can a HIPAA violation be a crime?
Rarely, and not for ordinary compliance gaps. Criminal HIPAA cases are prosecuted by the Department of Justice and are reserved for knowingly obtaining or disclosing patient information wrongfully, such as selling records or snooping with intent to harm. At the most serious level, involving intent to sell or profit from the data, the law allows fines up to $250,000 and up to ten years in prison. A practice that simply skipped its risk analysis is in civil territory, not criminal.
Are the 2026 HIPAA Security Rule changes already in effect?
No. In late 2024, OCR proposed a major Security Rule update that would, among other things, make encryption and multi-factor authentication mandatory and remove today's addressable flexibility. As of mid-2026 it is still a proposed rule. OCR has not issued a final version and has not confirmed when, or whether, it will. The current Security Rule still governs, and the risk analysis it already requires is what OCR is enforcing right now. If the rule is finalized, practices would get roughly eight months to comply.
Will having a risk analysis stop a fine?
It is not a guarantee, and no document makes a real breach disappear. But OCR weighs your compliance history and good-faith efforts when deciding on a penalty, so a current, honest risk analysis materially changes how an investigation is likely to go.