April 12, 2026
BY PHILIP ROBB
9 MIN READ

HIPAA Security Rule for Dental Practices: A Plain-English Guide

What HIPAA actually requires from a small dental or medical practice, mapped to the technical safeguards your IT setup needs to deliver.

There is a recurring conversation that happens in our office. A new dentist or an office manager calls about IT, we ask about HIPAA, and they tell us their old IT vendor said “we’re HIPAA compliant.” When we ask what specifically that means, the answer is some version of “they had us sign a Business Associate Agreement.”

A BAA is necessary. It is not even close to sufficient. This post walks through what the HIPAA Security Rule actually requires, in language that doesn’t assume a compliance background.

Three rules, not one

When people say “HIPAA,” they usually mean one of three rules under the larger HIPAA umbrella:

  • The Privacy Rule. Governs what you can do with protected health information (PHI). Mostly about disclosure, authorizations, patient rights.
  • The Security Rule. Governs how you protect electronic PHI (ePHI). This is the one IT actually implements.
  • The Breach Notification Rule. Governs what you do when ePHI is exposed.

This post is about the Security Rule, specifically the technical safeguards under 45 CFR § 164.312, because that’s the part where IT can pass or fail you.

The five technical safeguards

The Security Rule names five technical safeguards. The language in the regulation is dense; here it is in working English.

1. Access controls (164.312(a))

Every person who can see ePHI has their own login. No shared accounts. The system tracks who logs in and what they touch. When a hygienist leaves the practice on Friday, their access is gone by Monday.

The required pieces:

  • Unique user IDs. No shared logins.
  • Emergency access procedure. Documented way for the right people to get to ePHI in a real emergency.
  • Automatic logoff. Idle workstations lock themselves.
  • Encryption / decryption. An addressable specification rather than a required one.

If your practice management software has one shared “Front Desk” login, you fail this control.

2. Audit controls (164.312(b))

The system records who looked at what and when. The phrase the regulation uses is “implement hardware, software, and/or procedural mechanisms that record and examine activity.” In practice, this means your PMS, your file server, and your endpoint protection are all generating logs, and someone is responsible for reviewing them.

If a staff member opens a chart on a celebrity patient just because they’re curious, audit controls are how you catch it.
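Here is what “someone reviews the logs” can look like once it is automated, as an added example that is not from the original post or any PMS vendor. The log format, the field names, the schedule table and the account names are constructed assumptions; a real practice management system exports something different, so the parser is the part you adapt. The script flags two things the audit-control text describes: a chart opened by a user who had no scheduled relationship with that patient that day (the curiosity case), and an account that looks shared, either because it is named after a role or because it is active on two workstations at nearly the same time.

```python
"""
Added example (not from the original post): a minimal audit-log review for a
practice management system (PMS). The log format, field names, account names
and the 'care team' schedule below are constructed for the example, not any
real vendor's format.
"""
from datetime import datetime, timedelta

# Constructed sample PMS access log. Real systems differ; adapt parse_log().
SAMPLE_LOG = """\
2026-04-10T09:14:02 user=jsmith action=view_chart patient=P1001 workstation=OP2
2026-04-10T09:20:45 user=jsmith action=view_chart patient=P1002 workstation=OP2
2026-04-10T09:21:10 user=frontdesk action=view_chart patient=P1003 workstation=FD1
2026-04-10T09:21:30 user=frontdesk action=view_chart patient=P1004 workstation=FD2
2026-04-10T11:02:11 user=mgarcia action=view_chart patient=P9999 workstation=OP4
2026-04-10T11:05:00 user=mgarcia action=view_chart patient=P1002 workstation=OP4
"""

# Constructed schedule: which staff have a treatment relationship with each
# patient on a given day. In practice this comes from the PMS appointment book.
CARE_TEAM = {
    ("2026-04-10", "P1001"): {"jsmith", "drlee"},
    ("2026-04-10", "P1002"): {"jsmith", "mgarcia", "drlee"},
    ("2026-04-10", "P1003"): {"frontdesk", "drlee"},
    ("2026-04-10", "P1004"): {"frontdesk", "drlee"},
    # P9999 has no appointment today, so a view is unexplained by the schedule.
}

# Account names that describe a role rather than a person (shared-login smell).
ROLE_NAMES = {"frontdesk", "admin", "hygiene", "office"}


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def unexplained_chart_views(events, care_team):
    """Return (user, patient) pairs where the user viewed a chart of a patient
    they had no scheduled relationship with that day."""
    findings = []
    for e in events:
        if e.get("action") != "view_chart":
            continue
        day = e["ts"].date().isoformat()
        allowed = care_team.get((day, e["patient"]), set())
        if e["user"] not in allowed:
            findings.append((e["user"], e["patient"]))
    return findings


def shared_login_indicators(events, window=timedelta(minutes=5), role_names=ROLE_NAMES):
    """Return user IDs that look shared: a role-style name, or the same account
    active on two different workstations within `window`."""
    suspects = set()
    last_seen = {}  # user -> (timestamp, workstation)
    for e in sorted(events, key=lambda x: x["ts"]):
        user, ws = e["user"], e.get("workstation")
        if user in role_names:
            suspects.add(user)
        prev = last_seen.get(user)
        if prev and prev[1] != ws and e["ts"] - prev[0] <= window:
            suspects.add(user)
        last_seen[user] = (e["ts"], ws)
    return sorted(suspects)


def review(text=SAMPLE_LOG, care_team=CARE_TEAM):
    """Run both checks over a log and return the findings for a reviewer."""
    events = parse_log(text)
    return {
        "unexplained_views": unexplained_chart_views(events, care_team),
        "shared_logins": shared_login_indicators(events),
    }


if __name__ == "__main__":
    for kind, items in review().items():
        print(kind, items)
```

On the constructed log this reports `mgarcia` viewing `P9999` as unexplained and `frontdesk` as a shared account. The schedule lookup is the important design choice: an audit control is only useful if the review has something to compare each access against, and the appointment book is the cheapest source of “should this person have been in this chart” that a small practice already owns.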

3. Integrity controls (164.312(c))

ePHI cannot be improperly altered or destroyed. The plumbing here includes endpoint protection that detects ransomware, file integrity monitoring on shared resources, and backups you have actually tested restoring from.

We see practices that have nightly backups that have never been tested. The first time you find out the backup is corrupt is the first time you actually need it.
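The two integrity mechanisms named above, file integrity monitoring on a share and a backup you have actually tested restoring from, rest on the same primitive: a hash baseline you can compare against later. The following is an added example, not code from the original post or from any backup or EDR product; the directory layout, file names and the tampering scenario are constructed for the demo. It baselines a share, detects modified, missing and newly dropped files after a ransomware-style change, then restores from a copy and proves the restore matches the baseline, which is what a documented restore test needs to show.

```python
"""
Added example (not from the original post): a small file-integrity baseline
and a backup restore check built on SHA-256 digests. The directory layout and
file contents are constructed for the example.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large images or scans are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (as a relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(root, baseline):
    """Classify drift since the baseline: modified, missing and new files."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def verify_restore(restored_root, baseline):
    """A restore test passes only if every baselined file came back unchanged."""
    drift = compare_to_baseline(restored_root, baseline)
    return not drift["modified"] and not drift["missing"]


def demo():
    """Constructed scenario: baseline a share, take a backup copy, simulate
    ransomware-style tampering, then restore and verify against the baseline."""
    work = Path(tempfile.mkdtemp())
    share = work / "share"
    (share / "charts").mkdir(parents=True)
    (share / "charts" / "P1001.txt").write_text("constructed chart data")
    (share / "policies.txt").write_text("security plan v3")

    baseline = build_baseline(share)
    backup = work / "backup"
    shutil.copytree(share, backup)

    # Tamper: overwrite a chart in place and drop a ransom-note style file.
    (share / "charts" / "P1001.txt").write_bytes(b"\x00garbage")
    (share / "README_DECRYPT.txt").write_text("constructed note")
    drift = compare_to_baseline(share, baseline)

    # Restore from the backup copy and prove it matches the baseline.
    shutil.rmtree(share)
    shutil.copytree(backup, share)
    restored_ok = verify_restore(share, baseline)

    shutil.rmtree(work)
    return drift, restored_ok


if __name__ == "__main__":
    drift, ok = demo()
    print("drift after tampering:", drift)
    print("restore verified:", ok)
```

Storing the baseline somewhere the file server cannot write to (a read-only location or a separate system) matters, because a baseline that lives next to the data it protects gets encrypted along with it. The same `verify_restore` call, run against a restore into a scratch folder, is the evidence you file for the quarterly restore test the checklist below asks for.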

4. Person or entity authentication (164.312(d))

You have to verify that the person logging in is who they say they are. In 2026, that means multi-factor authentication on everything that touches ePHI. Username and password alone is not enough. The IRS, OCR, and the FTC all consider single-factor authentication to be a finding.

5. Transmission security (164.312(e))

ePHI in motion has to be protected. Email containing PHI gets encrypted. Remote access goes over a VPN or a Zero Trust gateway. Faxing happens over secure fax services, not consumer fax machines.

If your practice still emails attachments to referring providers in the clear, fix that this week.

The real-world map for a small practice

Here is what the technical safeguards actually look like as a checklist for a 5-to-25-person dental or medical practice:

  • A real identity provider (Microsoft 365, Google Workspace) with MFA enforced for every user.
  • Endpoint detection and response on every workstation and server, not consumer antivirus.
  • Full-disk encryption on every laptop. Most practices think they have it. Most actually don’t on every device.
  • A managed firewall with logging, configured by someone who knows the practice management vendor’s port requirements.
  • Backups, with a documented restore test in the last 90 days.
  • An email backup separate from the live mailbox (Microsoft does not back up your email; their service guarantees uptime, not recoverability of deleted items past 30 days).
  • Phishing simulations on a regular cadence. The 2024 Verizon DBIR has stalkerware-style and credential-phishing as the leading initial-access vectors, and small healthcare practices are over-represented.
  • Documented policies and procedures, including a written security plan, an incident response plan, and a sanction policy for staff violations.
  • Annual risk assessment, signed and filed.

That last point is the one most practices skip. The Security Rule’s first administrative safeguard (164.308(a)(1)) is “conduct an accurate and thorough risk assessment.” Without one on file, every other control you have is hard to defend.

What auditors actually ask for

When a HIPAA audit happens — whether it’s OCR after a breach, a payer requesting documentation, or a malpractice carrier — the asks are predictable:

  • Your Security Risk Assessment, dated within the last year.
  • Your Policies and Procedures document.
  • Your training records (which staff completed what training, when).
  • Your incident log.
  • Your Business Associate Agreements.
  • Evidence that the controls in your policies are actually in place (screenshots, configuration exports).

A surprising number of practices have all the controls in place but have not documented them. That is technically a finding. Documentation is the cheap part. Get it done.

The stakes

OCR penalties for HIPAA violations scale. The 2024 caps run from about $137 per violation up to roughly $2.1M per violation per year for willful neglect. In practice, settlements for small healthcare practices land between $50,000 and $500,000, plus a corrective action plan that costs more in time and consulting.

The bigger cost is reputational. If your practice is named in an OCR breach notification, your patient acquisition takes a measurable hit for years.

A free starting point

If you want to see exactly where your practice stands without paying for a formal assessment, run our free HIPAA Gap Check. It maps your current state against the nine technical-safeguard areas above and emails you a written report. We don’t share it with anyone, and you don’t end up on a list.

The list of practices that should have done it earlier is long. The list that wishes they hadn’t is empty.

#HIPAA #dental #medical #security rule #ePHI
