HIPAA for dental practices

Your X-rays are patient records. So is everything around them.

A dental practice runs on patient data in more places than most owners realize. Images, charts, insurance details, text reminders, the outside billing service. Each one is protected health information (PHI), and each vendor that touches it is supposed to be covered by a signed agreement. I help dental practices in the Springfield area see where they actually stand before a regulator or a breach asks the question for them.

30 minutes·No sales pitch·Red, yellow, green summary you keep

Six places a dental practice keeps protected health information.

Most owners picture one system. In practice the data is spread across all of these, and every one is a vendor relationship that HIPAA expects you to manage.

Imaging

Intraoral cameras, panoramic images, and cone beam computed tomography (CBCT) scans. The image files are patient records, and the imaging software often syncs them to the cloud.

Practice management software

Dentrix, Eaglesoft, or Open Dental hold charts, treatment plans, Social Security numbers, and insurance details. Whoever hosts it touches your PHI.

Patient communication

Appointment reminders and two-way texting move names and visit details through a third-party service every single day.

Billing and claims

An outside billing service and a claims clearinghouse see patient and payer data on your behalf. Both are vendors under HIPAA.

Referrals

Images and records sent to oral surgeons, periodontists, and orthodontists. How that data leaves your office is part of your risk picture.

IT and backups

The contractor who manages your network and the service that backs all of it up have standing access to everything above.

Three answers a regulator expects you to have.

None of these require a big budget. They require knowing the answer before someone else asks.

01
Can you produce every Business Associate Agreement?

A Business Associate Agreement (BAA) is the signed contract that holds a vendor to HIPAA. With six or more vendors touching patient data, most practices cannot say how many they should have, let alone find them all in a folder today.

02
When was your last risk assessment?

A Security Risk Assessment (SRA) is supposed to reflect how the practice handles PHI right now. One done five years ago, or never done at all, reads the same way in an investigation.

03
What would you hand the Office for Civil Rights?

If the Office for Civil Rights (OCR) opens a review, the first request is almost always your risk analysis. What you can put on the table that day shapes everything that follows.

The newest OCR case is a dental case.

OCR's Risk Analysis Initiative reached its 12th enforcement action in February 2026. The 12th was a software company that served dental practices. This one is worth two minutes of your time.

OCR enforcement, announced February 2026
MMG Fusion, LLC

MMG Fusion made practice management and marketing software for dental practices. An unauthorized actor got into its network in December 2020. The breach went unreported, patient information later surfaced on the dark web, and OCR found the company had never conducted a risk analysis.

15 million
People whose information was exposed. Names, contact details, birth dates, appointment records.
$10,000
The penalty. Scaled to what was left of the company by the time OCR closed the case.
5 years
From the 2020 breach to the 2026 settlement. The company no longer exists in its original form. A successor firm signed.

The dental practices that used MMG Fusion did nothing wrong in their own operations. Their patients' data still ended up on the dark web because a vendor failed. That is exactly what a signed Business Associate Agreement, a vendor inventory, and a current risk analysis are for. Your software vendors are part of your risk picture whether you look at them or not.

Source: U.S. Department of Health and Human Services, Office for Civil Rights press release and resolution agreement, February 2026. Figures verified against the primary source.

Start with a snapshot. Decide from there.

01
Free risk snapshot

A 30-minute call across the six areas OCR cares about most. You leave with a red, yellow, green summary you can keep. No pitch.

02
Full Security Risk Assessment

An OCR-defensible SRA. A PHI flow inventory, a BAA inventory, the full risk register, a policy gap analysis, and a 30, 60, 90 day remediation roadmap. Signed and dated.

03
Ongoing support, if you want it

Some practices want a fractional security lead on call for vendor reviews, staff questions, and the next year's assessment. Optional, never required.

A clear read on your practice, in 30 minutes.

If any of the three questions above gave you pause, that is reason enough for a conversation. No cost, no pressure, and you keep the summary either way.

Book your risk snapshot

Or email tony@seqorasecurity.com