Top 5 HIPAA Violations in Dental Practices (and How to Avoid Them)
Dental offices are among the most frequently cited covered entities in OCR enforcement actions. From unencrypted patient emails to missing Business Associate Agreements with billing vendors, these five violations account for over 60% of dental-related HIPAA fines.
1. Unencrypted Email Containing PHI
Sending patient appointment reminders, lab results, or billing statements over standard email without encryption is one of the most common violations. HIPAA requires that ePHI transmitted over open networks be encrypted. Use a HIPAA-compliant email service (e.g., Paubox, Virtru) or a patient portal.
**Citation:** 45 CFR 164.312(e)(2)(ii) — Encryption and Decryption
2. Missing or Unsigned Business Associate Agreements
Every vendor who touches PHI — your billing company, your IT support firm, your cloud storage provider — must sign a BAA before accessing any patient data. OCR has levied six-figure fines for missing BAAs alone.
**Citation:** 45 CFR 164.308(b)(1) — Business Associate Contracts
3. No Formal Risk Assessment
HIPAA requires covered entities to conduct a thorough, documented risk assessment of all systems that store, transmit, or process PHI. Many dental practices have never done one. This is the single most cited violation in OCR investigations.
**Citation:** 45 CFR 164.308(a)(1)(ii)(A) — Risk Analysis
4. Improper Disposal of PHI
Paper records, X-rays, and hard drives must be disposed of in a HIPAA-compliant manner. Throwing patient files in a regular trash bin — even in a back office — is a violation. Use a certified shredding service and document the destruction.
**Citation:** 45 CFR 164.310(d)(2)(i) — Disposal
5. Workforce Training Gaps
HIPAA requires all workforce members who handle PHI to receive regular training. A front-desk employee who shares a login, posts about a patient on social media, or leaves a screen unlocked is a liability. Annual training with documented completion records is required.
**Citation:** 45 CFR 164.308(a)(5)(i) — Security Awareness and Training