Why dental offices are specifically targeted
Dental practices are high-value targets for two reasons: they store complete patient records, including payment card and banking details, insurance data, and health history; and they typically have smaller security budgets and less IT oversight than hospitals or larger medical groups. OCR enforcement data shows dental practices among the most frequently investigated small healthcare providers.
The HIPAA compliance checklist for dental offices
Documentation (Administrative Safeguards)
- Completed and documented Security Risk Assessment, reviewed at least annually and after any significant change (new practice management software, new location, new cloud vendor)
- Written HIPAA Security Policies and Procedures
- Designated HIPAA Privacy Officer and Security Officer
- Signed Business Associate Agreements (BAAs) with every vendor who touches patient data, including your practice management software, dental imaging system, billing service, cloud backup or storage provider, and IT provider
- Documented workforce security training with completion records
- Written sanctions policy for staff who violate HIPAA
- Documented incident response plan
Technical Controls (Technical Safeguards)
- Unique login credentials for every staff member; no shared front-desk or operatory logins, because a shared account makes the audit log useless for attributing who viewed or changed a record
- Automatic workstation lockout after inactivity
- Full-disk encryption (for example BitLocker or FileVault) on all computers and laptops; a lost or stolen device that was encrypted is generally not a reportable breach under HIPAA, while an unencrypted one is
- Encrypted email for any communications containing patient data
- Secure, encrypted backup of all patient records, with restores tested regularly (a backup job that reports success is not the same as a backup you have actually restored from)
- Audit logs enabled on your practice management system and reviewed periodically; HIPAA requires the review, not just the logging
- Secure Wi-Fi: the practice network that carries patient data is separated from the guest network patients use in the waiting room, with its own password and no access to practice systems
Physical Controls (Physical Safeguards)
- Computer screens not visible to waiting room or public areas
- Locked server room or secure storage for hardware
- Visitor log for non-staff access to areas with patient data
- Documented device disposal procedure: hard drives, and any other media that held patient data (imaging workstations, copier hard drives, USB drives), are wiped or physically destroyed before disposal
- Workstation use policy covering who can access which computers
Digital X-rays and imaging
Digital dental imaging systems are a specific HIPAA consideration most practices overlook. Your imaging software, X-ray files, and the servers or cloud services that store them are all subject to HIPAA. Confirm your imaging vendor has signed a BAA with you and that image files are encrypted both at rest and in transit, including when images are sent to specialists, labs, or insurers.
Maryland-specific note: Maryland's Personal Information Protection Act (PIPA) adds state-level data breach notification requirements on top of the federal HIPAA requirements. Practices operating in Maryland must notify affected individuals within 45 days of discovering a breach, which is stricter than HIPAA's outer limit of 60 days. Both clocks start at discovery, so a breach discovered late still has to be notified on time.
The most common gaps we find in Maryland dental offices
In our assessments of Maryland dental practices, the gaps we find most consistently are: missing or outdated Security Risk Assessment documentation, absent or incomplete BAAs with vendors, shared staff login credentials, and no formal staff security training program. All four are straightforward to remediate once identified.
Not sure if your dental office is covered?
Book a free consult. We'll walk through your current setup and identify any gaps — in plain English, in 20 minutes.
Book free dental HIPAA consult →