Most HIPAA violations in dental practices do not start with a major cyberattack. They start with a missing document, an outdated agreement, or a staff member who responded to a patient review online. The Office for Civil Rights has been documenting these patterns for years. The violations are predictable. And the fines are real.
In 2022 alone, eight dental practices settled with HHS for a combined $305,500 in HIPAA fines. Here are the violations that show up most often, and what the IT mistakes behind them actually look like.
55% of OCR penalties: in 2022, small dental and medical practices accounted for 55% of all OCR financial penalties.
OCR does not scale fines based on practice size or revenue. A solo dental practice faces the same penalty structure as a hospital. Fines range from $100 to $50,000 per violation, with annual maximums reaching $1.5 million.
Violation 1: No Security Risk Analysis
What it is
The Security Risk Analysis (SRA) is the foundation of HIPAA compliance. It requires every covered entity to conduct an accurate, thorough assessment of risks to patient data across all systems. That includes your practice management software, imaging software, email, backups, and any other system that touches protected health information.
Why dental practices get caught
Many practices complete one SRA and never update it. However, OCR treats an outdated SRA as an ongoing violation. If your practice added digital imaging, switched software vendors, or started using a new patient communication platform without updating the SRA, your risk analysis does not reflect your current environment. OCR has made this the centerpiece of its Risk Analysis Initiative, which produced 12 enforcement actions through early 2026.
What a fine looks like
In February 2026, a dental marketing software company agreed to a $10,000 settlement after a 2020 breach exposed 15 million patient records. OCR cited a failure to complete a proper Security Risk Analysis as a primary finding. The size of the breach did not determine the fine. The missing paperwork did.
SRA maintenance
What triggers an SRA update:
1. Adding new software or hardware to your network, including imaging equipment or patient communication tools.
2. Switching practice management systems or cloud storage providers. Any change to how ePHI is stored or transmitted is a triggering event.
3. Any staff change that affects who can access patient records, including new hires, departures, and role changes.
Ekim IT Solutions handles the technical safeguard layer for dental practices and provides a signed BAA as part of every engagement. Find out in 15 minutes if we are the right fit.
Violation 2: Right of Access Violations
What it is
HIPAA gives patients the right to request copies of their own medical records. Covered entities must respond within 30 days. Since OCR launched its Right of Access Initiative in 2019, it has settled more than 45 enforcement actions specifically targeting this violation.
Why dental practices get caught
Front desk staff often do not know how to process a formal records request. In many cases, the request sits unanswered, the patient files a complaint with OCR, and an investigation follows. The investigation frequently uncovers additional violations beyond the access issue itself.
What a fine looks like
OCR settled three separate cases with dental practices for right of access violations. One dental practice paid $30,000. Another paid $80,000. Neither was a large organization. Both paid because a patient’s records request went unanswered.
Violation 3: Missing or Expired Business Associate Agreements
What it is
A Business Associate Agreement (BAA) is a required contract between a dental practice and any vendor that handles patient data on its behalf. This includes IT providers, cloud backup services, billing companies, imaging vendors, and patient communication platforms. Without a signed BAA, sharing patient data with that vendor is a HIPAA violation.
Why dental practices get caught
BAAs expire, get overlooked when vendors change, or never get signed in the first place. Many practices assume their software vendor handles compliance automatically. That assumption is wrong. The practice, as the covered entity, remains responsible for confirming every vendor relationship includes a current, signed BAA.
The IT angle
Your managed IT provider accesses systems that contain patient data. That means Ekim IT Solutions, like any dental IT provider, must have a signed BAA with every practice we support. If your current IT provider has never mentioned a BAA, that gap needs attention immediately.
⚠️ A missing BAA with your IT provider is a HIPAA violation, even if no breach ever occurs.
OCR does not require a breach to impose penalties. The absence of a required agreement is itself a violation. Review your vendor agreements annually and confirm every vendor who accesses patient data has signed a current BAA. The HHS sample BAA provisions are a useful reference for what a compliant agreement must include.
Violation 4: Unencrypted Email and Unsecured Communications
What it is
Sending patient information over standard email, text message, or unencrypted fax creates a HIPAA risk. Standard Gmail, Outlook without configuration, and personal cell phones do not meet HIPAA technical safeguard requirements for transmitting protected health information.
Why dental practices get caught
Staff convenience drives this violation. Texting a patient their appointment details or emailing X-rays for a referral feels harmless. In practice, however, those transmissions can expose patient data and trigger a complaint. Unsecured fax machines and exposed website contact forms create the same risk.
What the fix looks like
HIPAA does not ban email. It requires that email containing patient data use encryption and that a BAA exists with the email provider. Google Workspace with a signed BAA and proper configuration is compliant. Standard Gmail is not. A dental IT provider can configure compliant communication tools without disrupting your workflow.
Violation 5: Responding to Patient Reviews Online
What it is
This is the violation that surprises most dental practice owners. Responding to a negative online review in a way that confirms, denies, or references a patient’s care is a HIPAA violation. Even a well-intentioned reply like “Sorry you had a bad experience, we hope to see you again” can be a violation if it confirms the reviewer is a patient.
What a fine looks like
In 2019, a single-practitioner dental office paid a $10,000 fine for responding to a patient’s Yelp review. A similar enforcement action occurred in 2023. OCR treats this as a Privacy Rule violation because it discloses the existence of a patient relationship without authorization.
The safe response
The safest response to any patient review is a generic thank you with no clinical reference, or no response at all. If your team manages online reviews, they need specific training on what can and cannot appear in a public reply. This is a staff policy issue, not a technology issue.
Frequently Asked Questions
How do most HIPAA enforcement actions start?
Most enforcement actions start with a patient complaint. A single complaint triggers an investigation. During that investigation, OCR frequently uncovers additional violations beyond the original complaint. That is how a missing records request becomes a $30,000 fine with a corrective action plan attached.
Can a practice be fined if no data breach occurred?
Yes. OCR does not require a breach to impose a penalty. Missing a BAA, failing to complete an SRA, or not responding to a records request are all violations regardless of whether any data was exposed. The violation is the missing compliance step, not the outcome.
Does having an IT provider make a practice HIPAA compliant?
No. IT support addresses the technical safeguards HIPAA requires, but compliance also requires administrative safeguards like policies, training, and documented procedures, as well as physical safeguards for your office space. A dental IT provider can handle the technical layer. The administrative layer requires additional steps your practice must take.
How often does the SRA need to be updated?
OCR expects the SRA to reflect your current environment at all times. In practice, that means reviewing and updating it whenever you add new technology, change vendors, hire or lose staff with system access, or experience any security incident. An annual review at minimum keeps you from falling into the pattern OCR targets most.
Recognized any of those violations in your own practice?
Ekim IT Solutions works exclusively with dental practices. We serve New England and New York with on-site support and dental practices nationwide with remote support. We handle the technical safeguards your practice needs: encrypted communications, secure backups, access controls, and signed BAAs. That way you meet OCR requirements without the guesswork.
Most violations are not intentional. They are just unaddressed. Find out which ones your practice is still carrying.