Patient Protect

HIPAA Compliance

The 5 HIPAA Violations Dental Practices Get Fined For Most (2026)

OCR enforcement data reveals which HIPAA violations hit dental practices hardest. Five recurring patterns — with real cases, dollar amounts, and what to do if your practice has any of them right now.

Patient Protect Editorial Team·April 12, 2026

Most HIPAA violations at dental practices do not start with a dramatic cyberattack. They start with a missing document, an expired agreement, a staff member who texted a patient from their iPhone, a risk assessment that got filed and never revisited.

The Office for Civil Rights has been telling this story through its public enforcement record for more than a decade. The patterns are consistent. The violations are predictable. And the practices that face enforcement are not outliers — they are practices that believed their compliance situation was "probably fine" right up until OCR sent a data request.

This post covers the five HIPAA violations that OCR enforcement data shows are most common and most costly for dental practices — with real cases, real dollar amounts, and what to do if your practice has any of them right now.


The Enforcement Landscape for Dental Practices

Before the specific violations: a note on who OCR actually goes after.

The assumption many dental practice owners carry is that HIPAA enforcement is primarily focused on hospitals and large health systems — the kinds of organizations that make national news when breached. This assumption is wrong, and the enforcement record proves it.

In 2022, small medical and dental practices accounted for 55% of OCR financial penalties. The Risk Analysis Initiative — a dedicated OCR enforcement program targeting organizations that fail to conduct adequate Security Risk Analyses — has produced enforcement actions across practice sizes from solo providers to large group practices. In every case, the penalty structure is the same. The fine schedule does not adjust for practice revenue or patient volume.

The four enforcement tiers:

Tier  Knowledge level                  Per violation           Annual cap
1     Did not know                     $137–$68,928            $2.1M
2     Reasonable cause                 $1,379–$68,928          $2.1M
3     Willful neglect, corrected       $13,785–$68,928         $2.1M
4     Willful neglect, not corrected   $68,928–$2,067,813      $2.1M

"Willful neglect" does not require intentional malice. It means the organization knew or should have known about the obligation and failed to act. A dental practice that uses the free HHS risk assessment tool and files it without addressing findings is demonstrating awareness of the obligation — which elevates any subsequent violation from Tier 1 toward Tier 3.


Violation 1: Missing or Inadequate Security Risk Analysis

Citation: §164.308(a)(1)(ii)(A)

The Security Risk Analysis is the most commonly cited deficiency in OCR enforcement actions — across all practice types, all sizes, all years. For dental practices specifically, it is the foundational gap that makes every other violation possible: without a current SRA, the practice has no documented understanding of its own risk surface.

The SRA requirement is specific. It requires an "accurate and thorough assessment" of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI the practice holds. "All ePHI" includes imaging files, PMS data, insurance records, email communications containing patient information, and backup copies of any of the above.

What dental practices get wrong:

The most common mistake is treating the SRA as a one-time completion event. A risk analysis conducted in 2021 that has never been updated does not reflect a practice that added digital CBCT imaging in 2023, switched PMS vendors in 2024, or started using a new patient communication platform last year. HIPAA requires the SRA to be updated when "significant changes" occur — and most dental practices experience multiple significant changes annually without triggering a review.

The second most common mistake is conflating the SRA with the HHS free Security Risk Assessment tool. The tool is a questionnaire. Completing the questionnaire and filing the output satisfies nothing unless the identified risks are addressed and documented.

Real enforcement action:

In its Risk Analysis Initiative enforcement actions, OCR has consistently pursued practices that conducted an initial SRA but never implemented a Risk Management Plan addressing the identified findings. In several cases, OCR specifically noted that the covered entity's own documentation showed awareness of gaps — which elevated the violation from a lower tier to willful neglect.

What to do if your practice has this gap:

Conduct a current, documented Security Risk Analysis that covers your actual systems — PMS, imaging, email, cloud backup, mobile devices used for patient communication. Document the identified risks. Create a Risk Management Plan with specific remediation steps, owners, and timelines. Implement the controls. Update the SRA when changes occur.

Patient Protect includes a guided SRA wizard mapped to NIST CSF that covers dental-specific workflows — not a generic healthcare questionnaire. The output is documented, timestamped, and auditor-ready.


Violation 2: Missing Business Associate Agreements

Citation: §164.308(b)(1)

Every vendor that creates, receives, maintains, or transmits ePHI on a dental practice's behalf is a Business Associate. Every Business Associate requires a signed BAA before any ePHI is shared. There are no exceptions for small vendors, long-standing relationships, or situations where "everyone knows" the vendor handles patient data.

For dental practices, the BAA gap is particularly common because the vendor ecosystem is larger than most practice owners realize. The PMS vendor is obvious. Less obvious: the digital imaging software vendor, the dental lab receiving digital impressions and CBCT files, the clearinghouse processing insurance claims, the IT company with remote access to the server, the cloud backup service, and the appointment reminder platform.

What dental practices get wrong:

The most dangerous assumption is that a BAA from the PMS vendor covers the practice's entire vendor relationship. It does not. The BAA between Dentrix and a practice covers Henry Schein One's handling of ePHI — not the handling of ePHI by Dentrix's sub-processors, the clearinghouse the practice uses separately, or the IT company that has remote access to the server where Dentrix is installed.

The second common mistake is maintaining unsigned BAA templates on file. A template is not a BAA. An unsigned document protects no one. OCR requires an executed agreement — signed by both parties — before ePHI is transmitted.

Real enforcement action:

The Raleigh Orthopaedic Clinic case established a clear enforcement precedent: OCR levied a $750,000 settlement against a practice that provided PHI to a vendor without a signed BAA. The violation did not require a breach. The missing BAA itself was the basis for the enforcement action. OCR has repeated this enforcement posture in multiple subsequent cases.

What to do if your practice has this gap:

Conduct a vendor inventory. List every vendor that handles patient data in any form. Verify BAA status for each. Execute agreements before any further ePHI is shared with vendors that lack them. Establish a process for evaluating new vendors for BAA requirements before they are onboarded.

The full dental vendor BAA checklist is in our companion guide: HIPAA Compliance for Dental Practices: The Complete 2026 Guide.


Violation 3: Unsecured Patient Communication

Citation: §164.312(e)(2)(ii) and §164.530(c)

This is the most pervasive daily HIPAA violation in dental practices — and the one most often dismissed as "not really a compliance issue" until OCR says otherwise.

The violation occurs every time a staff member sends patient information through an insecure channel: a personal iPhone text message, a standard Gmail or Outlook email without encryption, a WhatsApp message, a Facebook message. Each transmission of ePHI through an unencrypted channel is a separate violation.

The Security Rule requires that ePHI transmitted over open networks be encrypted (§164.312(e)(2)(ii)). Standard SMS carries no end-to-end encryption and does not meet that standard. Consumer email services do not encrypt message content in a HIPAA-compliant manner without additional configuration and a BAA from the email provider. WhatsApp, Facebook Messenger, and similar platforms have no HIPAA relationship with healthcare practices at all.

What dental practices get wrong:

The most common justification is that texting patients is convenient and patients prefer it. This is true — and irrelevant to the HIPAA analysis. Patient preference does not authorize a covered entity to transmit ePHI through an insecure channel. HIPAA does not have a "patients like it" exception.

The second justification is that the texts "don't really contain PHI" — just appointment reminders. This is sometimes true for generic reminders ("Your appointment is tomorrow at 2pm") but fails the moment any clinical information enters the message: a procedure name, an insurance update, a clinical question from the patient. Any combination of information that identifies a patient and relates to their care is PHI.

What happens when a staff member's personal phone is lost or stolen:

A personal phone used for patient communication contains a record of every patient the practice has communicated with. If that phone is not encrypted, not remotely wipeable, and not covered by a mobile device policy — the loss of that phone is a reportable breach for every patient whose information appears in the messaging history.

Real enforcement actions:

OCR has cited unsecured patient communication in multiple enforcement actions, including actions against small practices. The consistent finding: the practice had no policy governing staff use of personal devices for patient communication, no secure messaging alternative, and no documentation that staff had been trained on communication security.

What to do if your practice has this gap:

Implement a secure, HIPAA-compliant patient messaging platform with a signed BAA. Train staff that personal device texting for clinical communication is prohibited. Document the policy and obtain staff acknowledgment. Patient Protect Pro includes BAA-gated secure messaging that replaces personal device communication with a compliant alternative.


Violation 4: No Documented Risk Assessment Update After System Changes

Citation: §164.308(a)(1)(ii)(A) and §164.308(a)(1)(ii)(B)

This is the subtler version of Violation 1 — and the one that catches practices that believe they are compliant because they completed a risk analysis years ago.

HIPAA requires the Security Risk Analysis to be reviewed and updated "periodically and when environmental or operational changes occur." For most dental practices, the following events each constitute a "significant change" that triggers a required SRA review:

  • Adding new digital imaging equipment
  • Switching or upgrading the practice management system
  • Adding a new patient communication or scheduling platform
  • Onboarding a new IT provider or managed services company
  • Adding telehealth or remote consultation capabilities
  • Opening an additional location
  • Significant staff turnover affecting ePHI access roles

A dental practice that installed CBCT imaging in 2023, switched from Eaglesoft to Open Dental in 2024, and started using a new patient communication platform in 2025 — without updating its SRA after each change — is operating with a risk analysis that does not reflect its current environment. Under OCR's enforcement framework, this constitutes an ongoing failure, not a one-time oversight.

Real enforcement pattern:

The Risk Analysis Initiative enforcement actions repeatedly cite the same pattern: a practice conducted an initial SRA in a prior year and filed it. Subsequent investigations revealed that the practice had undergone multiple operational changes without updating the analysis. OCR treats the filed SRA as evidence that the practice knew about the obligation — elevating the violation from "did not know" to "reasonable cause" or higher.

What to do:

Establish a policy for SRA review triggers. Any significant system change, vendor change, or operational change should generate a documented SRA review. Even if the conclusion is that the change does not materially alter your risk profile, that conclusion should be documented with a date and rationale.


Violation 5: Terminated Employee Access Not Revoked

Citation: §164.308(a)(3)(ii)(C)

This is operationally the most common violation in dental practices — and the most preventable. HIPAA requires that access to ePHI be revoked when an employee's relationship with the practice ends. The revocation must be immediate: on the day of termination, not the following week, not when the IT company gets around to it.

The specific vulnerabilities for dental practices:

PMS access: Former front desk staff, hygienists, and treatment coordinators retain login credentials to Dentrix, Eaglesoft, or Open Dental until someone explicitly removes their account. In practices that manage this manually, it frequently falls through the cracks — especially in the chaos of an unexpected departure.

Email access: Former staff with access to the practice's email system can access patient communications, appointment histories, and any ePHI that passed through email until the account is deactivated.

Imaging software: Practices where imaging software uses shared credentials — or where former staff credentials were never individually created — have no reliable way to audit post-termination access.

Cloud backup and file storage: If the practice uses cloud storage accessible via staff credentials, former employees may retain access to archived patient files until that access is explicitly revoked.

Real enforcement action:

A covered entity paid $4.3 million to resolve OCR findings that included lack of unique user identification and failure to terminate a former workforce member's access. While that case involved a larger organization, OCR has applied the same standard to small practices — and the enforcement posture has become more aggressive with each passing year of the Risk Analysis Initiative.

What to do:

Implement a formal termination checklist that includes immediate revocation of all system access as a required step. Use role-based access controls that tie individual credentials to access permissions — so removing a user's account removes all their access simultaneously. Document each revocation with a date and the name of the person who completed it.

Patient Protect enforces this architecturally: access controls are managed at the platform level, role-based access is assigned individually, and account termination automatically removes associated permissions. No manual checklist required.
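One way to make the "who still has access?" question answerable on a schedule, as an added example that is not Patient Protect's code: it cross-references constructed account exports from the PMS, email, imaging, and cloud backup systems against an HR roster, flags accounts that outlived a termination (and whether they were used afterwards), and emits the dated, attributed revocation record the text asks for. System names, usernames, and dates are constructed; the export format is an assumption.

```python
"""Offboarding audit: find accounts that survived a termination.
Added example, not Patient Protect or any PMS vendor's code. Assumes each
system exports active usernames with a last-login date and that HR supplies
a roster with termination dates; all data here is constructed."""
from collections import namedtuple
from datetime import date

# Constructed HR roster: username -> termination date (None = still employed).
ROSTER = {"jsmith": None, "mlopez": date(2026, 3, 14), "tkim": date(2026, 4, 1)}
AUDIT_DATE = date(2026, 4, 12)  # constructed "today" for the audit run

# Constructed per-system exports: system -> {username: last login date}.
ACTIVE_ACCOUNTS = {
    "pms": {"jsmith": date(2026, 4, 10), "mlopez": date(2026, 3, 20)},
    "email": {"jsmith": date(2026, 4, 11), "mlopez": date(2026, 3, 13),
              "tkim": date(2026, 4, 2)},
    "imaging": {"shared-imaging": date(2026, 4, 9), "jsmith": date(2026, 4, 8)},
    "cloud_backup": {"tkim": date(2026, 3, 30)},
}

# days_open: days the account outlived the termination; used_after: a login
# happened after the termination date (possible access event, not just a stale account).
Finding = namedtuple("Finding", "system user days_open used_after")


def find_unrevoked(roster, accounts, today):
    """Cross-reference every system's active accounts against the HR roster."""
    findings = []
    for system, users in accounts.items():
        for user, last_login in users.items():
            if user not in roster:
                # Shared or unattributed credential: cannot be tied to a person,
                # so post-termination use cannot be audited at all.
                findings.append(Finding(system, user, None, None))
            elif roster[user] is not None:  # None means current staff
                terminated = roster[user]
                findings.append(Finding(system, user, (today - terminated).days,
                                        last_login > terminated))
    return findings


def revocation_record(finding, completed_by, today):
    """The dated, attributed entry the text asks for once access is removed."""
    return {"system": finding.system, "user": finding.user,
            "revoked_on": today.isoformat(), "completed_by": completed_by}

if __name__ == "__main__":
    for f in find_unrevoked(ROSTER, ACTIVE_ACCOUNTS, AUDIT_DATE):
        print(f)
```

Run it against real exports on a fixed cadence and after every departure; a shared credential in the output is its own finding, because it can never be revoked for one person.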


The Common Thread Across All Five Violations

Every violation on this list has the same underlying cause: the practice treated compliance as something that was completed rather than something that is maintained.

OCR's enforcement posture is built on this observation. The practices that face the most severe penalties are not those that never tried to comply. They are practices that completed the initial work — a risk analysis, a training session, a BAA template — and stopped. Six months later, a staff member texts a patient from her iPhone. A year later, the dental lab has been receiving digital files without a signed BAA. Two years later, a former employee still has PMS credentials and OCR wants to know why.

The compliance binder sits on the shelf. The violations accumulate daily.


What to Do Right Now

If your dental practice has any of the gaps described in this post, the most important step is also the fastest one: run a free compliance assessment to see exactly where you stand before OCR does.

For practices ready to close the gaps: Patient Protect for dental practices starts at $39/month, with no contracts and setup in under two hours.

See how Patient Protect addresses each of these violations →

Track breach intelligence in your area →

See real enforcement cases and fine amounts →

Related: HIPAA Compliance for Dental Practices: The Complete 2026 Guide →


This post is based on publicly available data from the HHS Office for Civil Rights enforcement database, OCR breach portal, and HHS guidance documents, as of April 2026. Penalty figures reflect current OCR schedules. This document is provided for informational purposes and does not constitute legal advice.