
Ekim IT Solutions


What Is Encryption and Why Dental Practices Need It


Encryption is one of the most important technical safeguards required under HIPAA. It is also one of the most misunderstood. Many dental practices assume their software vendor handles it. Some do. Many do not.

Here is what encryption actually means for your practice and what you are required to protect.


A laptop containing unencrypted patient records was stolen from a dental office in 2022, resulting in a $75,000 HIPAA settlement.

Encryption would have made that data unreadable to anyone without the decryption key. The settlement was not for the theft itself. It was for the missing encryption.

What Encryption Means in Plain Language

Encryption converts readable data into a scrambled format that can only be decoded with the correct key. If someone steals an encrypted hard drive or intercepts an encrypted email, they see meaningless characters. Without the key, the data is useless. The key, not the scrambling method, is the secret, so deciding who holds the key and keeping a recovery copy somewhere other than the device itself is part of the job.

For dental practices, this matters because patient records including X-rays, treatment notes, and insurance information are protected health information. Exposing that data, even accidentally, is a HIPAA violation.

Without encryption

A stolen laptop contains readable patient records. The thief or anyone who buys the device can open and read every patient file. The practice faces a HIPAA breach notification requirement and potential fine regardless of whether data was misused.

With encryption

A stolen laptop contains scrambled data that is unreadable without the decryption key. The theft is still reported to police and recorded in your incident log, but HHS treats PHI that is encrypted in line with its guidance (NIST-consistent full-disk encryption, with the key not stored on or with the device) as secured, so the breach notification requirement does not apply and there is no breach to report or be penalized for. Two caveats apply. The laptop must have been powered off or locked when it was taken; a logged-in machine whose drive is already unlocked is readable no matter what encryption is configured, which is why screen locks and a pre-boot PIN matter. And the recovery key must not have gone with the device, for example on a sticky note in the bag.


What Your Practice Is Required to Encrypt

Proposed 2026 HIPAA Security Rule update: in the changes HHS has proposed, encryption moves from an addressable specification to a required one. If the rule is finalized as proposed, all electronic protected health information must be encrypted both at rest and in transit, with only limited exceptions.

Ask your IT provider to confirm, in writing, that each required category of encryption is in place at your practice, and keep that confirmation in your HIPAA compliance file. Documentation of the configuration is a separate requirement from the encryption itself: "it is turned on" is not evidence, a dated record of where and how it is configured is.

Any category that cannot be confirmed is active exposure. Under the proposed rule, missing encryption in any required area is a violation in its own right, whether or not a breach has occurred. Portable device encryption is the fastest gap to close and covers the most common breach scenario, a lost or stolen laptop.

If little or none of the required encryption can be confirmed, any device theft or intercepted email is a reportable breach, and an OCR audit would find the gap. A dental-specific IT provider can audit your environment, configure encryption where it is missing, and document the configuration for compliance purposes.


What Is Not Automatically Encrypted

Many dental practices assume that because they use a major software platform like Dentrix, Eaglesoft, or Open Dental, their data is encrypted. That assumption is not safe to make.

Your software vendor may encrypt data within their platform. But the server or workstation that data lives on must also be encrypted separately, with full-disk encryption such as BitLocker on Windows or FileVault on a Mac. If a workstation is stolen and its hard drive is not encrypted, the database files, exported reports, cached X-ray images, and anything else on that disk are exposed regardless of what the software does. Disk encryption only protects a device that is powered off or locked; a machine left logged in with its drive unlocked is readable by whoever picks it up.

Common encryption assumptions that create compliance gaps:

"Our practice management software is HIPAA-compliant so our data is encrypted." The software may be compliant. The machine it runs on may not have drive encryption enabled.

"Our cloud backup service handles encryption." Cloud backup may encrypt during transfer but not at rest on local backup drives, and the copy in the cloud may be encrypted with a key the vendor holds rather than one you control. Both the local drives and the cloud copy must be confirmed, along with who holds the key.

"We use Gmail for patient communication so it is encrypted." Standard (consumer) Gmail is not HIPAA-compliant for PHI: Google does not sign a business associate agreement for it, and mail is only encrypted on the way to the next mail server, not end to end. A Google Workspace account with a signed BAA and appropriate settings is required, and messages to patients or outside practices that contain PHI should go through a secure messaging option rather than plain email.

How Encryption Is Set Up in a Dental Practice

Encryption has to be configured, and documented, at each layer: the server, each workstation, email, and backups. Ask your IT provider to confirm every layer in writing and keep that documentation in your HIPAA compliance file; documenting the setup is a separate requirement from the encryption itself.

Each unencrypted layer is an independent exposure. If a breach occurs at that layer the safe harbor described above does not apply, and under the proposed rule the missing encryption is a violation regardless of whether a breach has occurred. Without confirmed encryption at all four layers, any device loss or data interception is a reportable HIPAA breach. A dental-specific IT provider can audit your environment, configure encryption where it is missing, and document the full configuration.
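To make "confirmed and documented" concrete for the workstation and server layers, here is an added example, written for this page and not Ekim's tooling or anything from a practice-management vendor, that inventories BitLocker status across a list of Windows machines and writes a dated CSV you can file as evidence. The computer names and the evidence folder are placeholders. It assumes Windows 10/11 or Windows Server 2016 and later, an elevated PowerShell session, and WinRM enabled on the remote hosts.

```powershell
# Added example (not Ekim's tooling): inventory BitLocker coverage on Windows
# endpoints and write a timestamped CSV to keep as encryption evidence.
# Assumes Windows 10/11 or Server 2016+, the BitLocker and TrustedPlatformModule
# PowerShell modules, an elevated session, and WinRM for remote hosts.
# The host names and evidence path below are placeholders.

$Computers = @('DENTAL-SRV01', 'OPS-WS01', 'OPS-WS02', 'FRONT-DESK')   # placeholder names
$Report    = "C:\HIPAA\Evidence\bitlocker-status-$(Get-Date -Format 'yyyyMMdd-HHmm').csv"

# Runs on each machine (locally or via Invoke-Command) and returns one row per volume.
$Check = {
    $tpm = try { Get-Tpm } catch { $null }
    foreach ($v in Get-BitLockerVolume) {
        # ProtectionStatus is the property that matters: a volume can be 100 %
        # encrypted yet report 'Off' (protectors suspended), which leaves the key
        # readable on disk and gives no safe harbor.
        $tpmPin = [bool]($v.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')
        $recov  = [bool]($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        [pscustomobject]@{
            Computer           = $env:COMPUTERNAME
            Volume             = $v.MountPoint
            VolumeStatus       = $v.VolumeStatus         # FullyEncrypted / EncryptionInProgress / FullyDecrypted
            ProtectionStatus   = $v.ProtectionStatus     # On / Off
            EncryptionMethod   = $v.EncryptionMethod     # e.g. XtsAes256
            EncryptionPercent  = $v.EncryptionPercentage
            TpmReady           = if ($tpm) { $tpm.TpmReady } else { $false }
            PreBootPin         = $tpmPin                 # TPM+PIN; TPM-only unlocks silently at boot
            RecoveryKeyPresent = $recov
            Compliant          = ($v.ProtectionStatus -eq 'On') -and
                                 ($v.VolumeStatus -eq 'FullyEncrypted') -and $recov
            CheckedAt          = (Get-Date).ToString('s')
        }
    }
}

$rows = foreach ($c in $Computers) {
    try {
        if ($c -eq $env:COMPUTERNAME) { & $Check }
        else { Invoke-Command -ComputerName $c -ScriptBlock $Check -ErrorAction Stop }
    } catch {
        # An unreachable machine is an unknown, not a pass: record it so the gap stays visible.
        [pscustomobject]@{
            Computer = $c; Volume = '?'; VolumeStatus = 'Unreachable'; ProtectionStatus = 'Unknown'
            EncryptionMethod = ''; EncryptionPercent = 0; TpmReady = $false; PreBootPin = $false
            RecoveryKeyPresent = $false; Compliant = $false; CheckedAt = (Get-Date).ToString('s')
        }
    }
}

New-Item -ItemType Directory -Force -Path (Split-Path $Report) | Out-Null
$rows | Export-Csv -Path $Report -NoTypeInformation
$rows | Format-Table Computer, Volume, VolumeStatus, ProtectionStatus, EncryptionMethod,
                     PreBootPin, RecoveryKeyPresent, Compliant -AutoSize

$gaps = @($rows | Where-Object { -not $_.Compliant })
if ($gaps.Count -gt 0) { Write-Warning "$($gaps.Count) volume(s) are not fully protected. See $Report" }
```

Two things the check deliberately separates: a volume that is FullyEncrypted but has ProtectionStatus Off is not protected (typically someone ran Suspend-BitLocker before a firmware update and never resumed it), and a TPM-only protector unlocks the drive without a PIN at boot, so PreBootPin is reported to help you decide whether front-desk laptops need one. The script cannot tell you whether the recovery key is escrowed somewhere other than the laptop itself (Active Directory, Entra ID, or your vendor's key vault); confirm that separately and note it in the same evidence file. Mac and Linux endpoints, backup drives, and the email and cloud layers need their own checks.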


Frequently Asked Questions

Under the proposed 2026 HIPAA Security Rule updates, encryption becomes a mandatory requirement for all electronic protected health information at rest and in transit. Previously it was addressable, meaning a practice could decide it was not reasonable and appropriate in its situation, document why, and implement an equivalent alternative. That flexibility is being removed.

Partially. Software like Dentrix and Eaglesoft may encrypt data within the application. But your server hardware, individual workstations, and backup drives require separate encryption configuration that is the responsibility of your IT provider, not your software vendor.

An unencrypted device containing patient records triggers a HIPAA breach notification requirement. Your practice must notify affected patients and report the incident to OCR. Penalties scale with the number of individuals affected and with the practice's level of culpability; whether encryption and a documented risk analysis were in place weighs heavily in that assessment.

Your IT provider should be able to confirm encryption status on every server, workstation, and backup system in your office. If they cannot, that is a gap worth addressing before your next risk assessment.

Ekim IT Solutions works exclusively with dental practices. We serve New England and New York with on-site support and dental practices nationwide with remote support. We configure and verify encryption across your workstations, servers, and data transmissions so your practice is not relying on a vendor assumption to stay HIPAA compliant.
