Most HIPAA violations in dental practices do not start with a major cyberattack. They start with a missing document, an outdated agreement, or a staff member who responded to a patient review online. The Office for Civil Rights has been documenting these patterns for years. The violations are predictable. And the fines are real.
In 2022 alone, eight dental practices settled with HHS for a combined $305,500 in HIPAA fines. Here are the violations that show up most often, and what the IT mistakes behind them actually look like.

What it is
The Security Risk Analysis (SRA) is the foundation of HIPAA compliance. It requires every covered entity to conduct an accurate, thorough assessment of risks to patient data across all systems. That includes your practice management software, imaging software, email, backups, and any other system that touches protected health information.
Why dental practices get caught
Many practices complete one SRA and never update it. OCR treats an outdated SRA as an ongoing violation. If your practice added digital imaging, switched software vendors, or started using a new patient communication platform without updating the SRA, your risk analysis does not reflect your current environment. OCR has made this the centerpiece of its Risk Analysis Initiative, which produced 12 enforcement actions through early 2026.
What a fine looks like
In February 2026, a dental marketing software company agreed to a $10,000 settlement after a 2020 breach exposed 15 million patient records. OCR cited a failure to complete a proper Security Risk Analysis as a primary finding. The size of the breach did not determine the fine. The missing paperwork did.

What it is
HIPAA gives patients the right to request copies of their own medical records. Covered entities must respond within 30 days. Since OCR launched its Right of Access Initiative in 2019, it has settled more than 45 enforcement actions specifically targeting this violation.
Why dental practices get caught
Front desk staff often do not know how to process a formal records request. In many cases, the request sits unanswered, the patient files a complaint with OCR, and an investigation follows. The investigation frequently uncovers additional violations beyond the access issue itself.
What a fine looks like
OCR settled three separate cases with dental practices for right of access violations. One dental practice paid $30,000. Another paid $80,000. Neither was a large organization. Both paid because a patient’s records request went unanswered.
What it is
A Business Associate Agreement (BAA) is a required contract between a dental practice and any vendor that handles patient data on its behalf. This includes IT providers, cloud backup services, billing companies, imaging vendors, and patient communication platforms. Without a signed BAA, sharing patient data with that vendor is a HIPAA violation.
Why dental practices get caught
BAAs expire, get overlooked when vendors change, or never get signed in the first place. Many practices assume their software vendor handles compliance automatically. That assumption is wrong. The practice, as the covered entity, remains responsible for confirming every vendor relationship includes a current, signed BAA.
The IT angle
Your managed IT provider accesses systems that contain patient data. That means Ekim IT Solutions, like any dental IT provider, must have a signed BAA with every practice we support. If your current IT provider has never mentioned a BAA, that gap needs attention immediately.

What it is
Sending patient information over standard email, text message, or unencrypted fax creates a HIPAA risk. Standard Gmail, Outlook without additional security configuration, and personal cell phones do not meet HIPAA technical safeguard requirements for transmitting protected health information.
Why dental practices get caught
Staff convenience drives this violation. Texting a patient their appointment details or emailing X-rays for a referral feels harmless. In practice, however, those transmissions can expose patient data and trigger a complaint. Unsecured fax machines and exposed website contact forms create the same risk.
What the fix looks like
HIPAA does not ban email. It requires that email containing patient data use encryption and that a BAA exists with the email provider. Google Workspace with a signed BAA and proper configuration is compliant. Standard Gmail is not. A dental IT provider can configure compliant communication tools without disrupting your workflow.
What it is
This is the violation that surprises most dental practice owners. Responding to a negative online review in a way that confirms, denies, or references a patient’s care is a HIPAA violation. Even a well-intentioned reply like ‘Sorry you had a bad experience, we hope to see you again’ can be a violation if it confirms the reviewer is a patient.
What a fine looks like
In 2019, a single-practitioner dental office paid a $10,000 fine for responding to a patient’s Yelp review. A similar enforcement action occurred in 2023. OCR treats this as a Privacy Rule violation because it discloses the existence of a patient relationship without authorization.
The safe response
The safest response to any patient review is a generic thank you with no clinical reference, or no response at all. If your team manages online reviews, they need specific training on what can and cannot appear in a public reply.
How does OCR find out about HIPAA violations at a dental practice?
Most enforcement actions start with a patient complaint. A single complaint triggers an investigation. During that investigation, OCR frequently uncovers additional violations beyond the original complaint. That is how a missing records request becomes a $30,000 fine with a corrective action plan attached.
Can a dental practice get fined even if no patient data was actually stolen?
Yes. OCR does not require a breach to impose a penalty. Missing a BAA, failing to complete an SRA, or not responding to a records request are all violations regardless of whether any data was exposed. The violation is the missing compliance step, not the outcome.
Does having an IT provider make our practice HIPAA compliant?
No. IT support addresses the technical safeguards HIPAA requires, but compliance also requires administrative safeguards like policies, training, and documented procedures, as well as physical safeguards for your office space. A dental IT provider can handle the technical layer. The administrative layer requires additional steps your practice must take.
How often should we update our Security Risk Analysis?
OCR expects the SRA to reflect your current environment at all times. In practice, that means reviewing and updating it whenever you add new technology, change vendors, hire or lose staff with system access, or experience any security incident. An annual review at minimum keeps you from falling into the pattern OCR targets most.
Ekim IT Solutions provides HIPAA compliance support for dental practices across New England and New York. We handle the technical safeguards: encrypted communications, secure backups, access controls, and BAA documentation for all IT vendor relationships, so your practice meets OCR requirements without the guesswork.
Download our free guide: Hidden HIPAA Risks Inside Your Dental Software