A dental practice runs on patient data in more places than most owners realize. Images, charts, insurance details, text reminders, the outside billing service. Each one is protected health information (PHI), and each vendor that touches it is supposed to be covered by a signed agreement. I help dental practices in the Springfield area see where they actually stand before a regulator or a breach asks the question for them.
30 minutes·No sales pitch·Red, yellow, green summary you keep
Most owners picture one system. In practice the data is spread across all of these, and every one is a vendor relationship that HIPAA expects you to manage.
Intraoral cameras, panoramic images, and cone beam computed tomography (CBCT) scans. The image files are patient records, and the imaging software often syncs them to the cloud.
Dentrix, Eaglesoft, or Open Dental hold charts, treatment plans, Social Security numbers, and insurance details. Whoever hosts it touches your PHI.
Appointment reminders and two-way texting move names and visit details through a third-party service every single day.
An outside billing service and a claims clearinghouse see patient and payer data on your behalf. Both are vendors under HIPAA.
Images and records sent to oral surgeons, periodontists, and orthodontists. How that data leaves your office is part of your risk picture.
The contractor who manages your network and the service that backs all of it up have standing access to everything above.
None of these require a big budget. They require knowing the answer before someone else asks.
A Business Associate Agreement (BAA) is the signed contract that holds a vendor to HIPAA. With six or more vendors touching patient data, most practices cannot say how many they should have, let alone find them all in a folder today.
A Security Risk Assessment (SRA) is supposed to reflect how the practice handles PHI right now. One done five years ago, or never done at all, reads the same way in an investigation.
If the Office for Civil Rights (OCR) opens a review, the first request is almost always your risk analysis. What you can put on the table that day shapes everything that follows.
OCR's Risk Analysis Initiative reached its 12th enforcement action in February 2026. The 12th was a software company that served dental practices. This one is worth two minutes of your time.
MMG Fusion made practice management and marketing software for dental practices. An unauthorized actor got into its network in December 2020. The breach went unreported, patient information later surfaced on the dark web, and OCR found the company had never conducted a risk analysis.
The dental practices that used MMG Fusion did nothing wrong in their own operations. Their patients' data still ended up on the dark web because a vendor failed. That is exactly what a signed Business Associate Agreement, a vendor inventory, and a current risk analysis are for. Your software vendors are part of your risk picture whether you look at them or not.
Source: U.S. Department of Health and Human Services, Office for Civil Rights press release and resolution agreement, February 2026. Figures verified against the primary source.
A 30-minute call across the six areas OCR cares about most. You leave with a red, yellow, green summary you can keep. No pitch.
An OCR-defensible SRA. A PHI flow inventory, a BAA inventory, the full risk register, a policy gap analysis, and a 30, 60, 90 day remediation roadmap. Signed and dated.
Some practices want a fractional security lead on call for vendor reviews, staff questions, and the next year's assessment. Optional, never required.
If any of the three questions above gave you pause, that is reason enough for a conversation. No cost, no pressure, and you keep the summary either way.
Book your risk snapshotOr email tony@seqorasecurity.com