ComplianceArmor · HIPAA for dental practices

HIPAA documentation for dental practices. Built in 30 days.

A complete HIPAA-aligned documentation package for general dentists, specialists, and multi-location dental groups, scoped to your practice management software, imaging systems, and dental lab relationships. ComplianceArmor delivers 33 policy templates, the Security Risk Analysis at 45 CFR § 164.308(a)(1)(ii)(A), BAA register, breach plan, and OCR-ready evidence library.

Who this is for

A practice with 5 to 30 people, not a hospital. The package matches.

Most dental offices are small businesses with operational realities a hospital-grade HIPAA program ignores. ComplianceArmor for dental practices is sized to that reality without cutting corners on the safeguards OCR actually checks.

This page is for general dental practices, pediatric dentists, orthodontists, oral surgeons, periodontists, prosthodontists, endodontists, and the multi-location dental groups (DSOs and small chains) that have grown beyond a single front desk. If your practice management software is Dentrix, Eaglesoft, Open Dental, Curve Dental, or Carestream, your imaging stack runs on Dexis, Romexis, Sirona, or Carestream CS Imaging, and you send cases to outside labs and milling centers, this is the right scope.

Dental practices have a different HIPAA story than physician offices. The patient roster is smaller per provider, the encounter is more procedural, the imaging volume per visit is higher, and a meaningful share of clinical communication happens with vendors that are technically business associates: dental labs, milling centers, sleep apnea labs, oral pathology services, and increasingly AI-assisted radiograph reviewers. Every one of those needs a Business Associate Agreement.

The smaller operational profile (often 5 to 30 employees) means HIPAA needs to be done well without being done by a 40-hour-a-week compliance officer the practice cannot afford. The ComplianceArmor package is built for the office manager who already wears five hats, with a binder a hygienist or front desk lead can actually use during a state board inspection or an OCR complaint response.

Dental risk profile

Where OCR finds dental practices coming up short.

OCR opens HIPAA investigations against dental practices regularly. The pattern is consistent and avoidable.

Imaging systems with no Risk Analysis

Cone beam CT, panoramic, and intraoral camera systems store identifiable images. Many practices have no Risk Analysis covering the imaging server, no backup encryption, and no documented retention rule for the image library separate from the practice management system.

Dental lab BAAs missing or stale

Labs that fabricate crowns, dentures, aligners, and retainers receive PHI with the prescription. They are business associates by definition. OCR resolution agreements have specifically cited dental practices for missing lab BAAs.

Patient access requests handled informally

A patient asking for radiographs to take to a specialist is exercising the HIPAA right of access under 45 CFR § 164.524. OCR's Right of Access Initiative has taken enforcement actions against multiple dental practices for delays, denials, and excessive fees on records requests.

Workforce training that did not happen

HIPAA training is required for every workforce member, with documentation. The smaller the practice, the more often training is informal: a five-minute team huddle that never gets written down. OCR's first ask is the training register.

Disgruntled-employee data exfiltration

The biggest practical breach risk in dentistry is a departing employee taking the patient list to a competing practice. Without an access-revocation procedure, an offboarding checklist, and a workforce confidentiality agreement, the practice is exposed to both HIPAA and state trade-secret claims.

Multi-location data flow with no boundary

DSOs and small chains share servers, schedules, and clinicians across locations. If your ePHI flows between offices over a VPN you set up once and never reviewed, you have a transmission security gap that needs documentation, not just plumbing.

Recent OCR enforcement against dental practices has averaged $30,000 to $80,000 in resolution fees plus a multi-year corrective action plan. Several have come from former-employee complaints rather than breaches. The package includes the workforce policies, BAA templates, and right-of-access procedure that close the failure paths OCR actually pursues. See our dental HIPAA compliance overview for additional context.

What you receive

Dental-scoped HIPAA documentation. In one package.

The full ComplianceArmor HIPAA library, with dental-specific scoping written into every artifact. Branded, editable, yours forever, no subscription.

33 HIPAA Policy Templates

Administrative, Physical, Technical, and Organizational safeguards, scoped to a dental practice.

Security Risk Analysis

Required at 45 CFR § 164.308(a)(1)(ii)(A), scored for practice management and imaging.

Imaging System Inventory

Cone beam, panoramic, intraoral, and 3D scanner systems with retention and encryption rules.

Dental Lab BAA Register

BAA tracker for crown, denture, aligner, sleep apnea, and oral pathology lab relationships.

Breach Notification Plan

Four-factor risk assessment, individual and HHS notification, plus state attorney general clocks.

Patient Right of Access Procedure

30-day clock, fee-cap rules, and the workflow OCR's Right of Access Initiative is enforcing.

Workforce Training Program

Annual training, sign-in roster, refresher schedule, and onboarding training for new hires.

Offboarding & Access Revocation

Departing-employee checklist, account deactivation rule, and confidentiality agreement template.

Multi-Location Boundary

Inter-office data flow, VPN security, shared schedules, and cross-location access controls.

Notice of Privacy Practices

The Privacy Rule notice patients sign, branded for the practice and ready for the operatory.

Risk Management Plan

Remediation roadmap, owners, target dates, and the cadence to retire each finding.

OCR Interview Prep Guide

The questions investigators ask dental practices, with confident, plain-English answers.

Transparent pricing

Dental HIPAA done-for-you. Fixed price.

No hourly billing. No surprise invoices. No external auditor required to attest to HIPAA. You own every document forever.

Dental HIPAA implementation package
From $7,997

Delivered in 30 days, scoped to your practice management software, imaging systems, dental lab relationships, and locations. Self-attested under HHS rules: there is no HHS-recognized HIPAA certification.


Where the price moves: A single-location general practice with one imaging system and one practice management platform sits at the $7,997 base. Multi-location DSOs, practices with 4+ specialty modalities, organizations with active OCR matters, and groups with 50+ employees add scoping time. We tell you the number before you sign, in writing. Bundles available with SOC 2 ($18,997) for groups going through M&A or third-party risk reviews.

The Audit-Ready Promise

If we missed something, we fix it free.

Every ComplianceArmor HIPAA engagement carries the Petronella Technology Group Audit-Ready Promise. If any artifact has a gap, we fix it at no charge within 30 days. If your package fails an OCR review or audit because of our work, we refund 50% of our fee. The package is yours forever, in editable native formats, with no subscription and no DRM.

Frequently asked

Dental HIPAA questions buyers ask.

Are dental practices subject to HIPAA the same way medical practices are?

Yes, with one nuance. A dental practice is a covered entity under HIPAA if it transmits any health information electronically in connection with a HIPAA-covered transaction (electronic claims, eligibility checks, electronic remittance advice). Almost every modern dental practice does at least one of these, which puts the practice in scope. The Privacy Rule, the Security Rule, and the Breach Notification Rule all apply, and OCR investigates dental practices on the same complaint and audit pathways as physician offices.

Do we need a Business Associate Agreement with our dental lab?

Yes. A dental lab that receives a prescription with patient identifiers (name, date of birth, case number tied to a chart) is creating, receiving, or transmitting PHI on your behalf, which makes the lab a business associate under 45 CFR § 160.103. The same is true for milling centers, oral pathology labs, sleep apnea labs, and AI-assisted radiograph review services. The package includes a BAA register, a model BAA, and a workflow for executing and renewing each agreement.

How does HIPAA interact with our state dental board's record-keeping rules?

HIPAA preempts less protective state law and is preempted by more protective state law. State dental boards typically set retention periods (often 6 to 10 years past the patient's last visit, longer for minors), and those periods govern because HIPAA itself is silent on how long dental records must be kept. The package includes a Records Retention Policy that reflects your state's specific dental board rule, and a hand-off to your malpractice insurer's record-keeping requirements where they exceed state law.

State dental boards also impose record-release rules that overlap with HIPAA's right of access. The package documents the practice's procedure so OCR's Right of Access Initiative and the state board's parallel rule are both satisfied with the same workflow.

What about cone beam CT and 3D scanner systems?

Cone beam CT (CBCT) systems and 3D intraoral scanners produce identifiable patient images that are PHI. They typically run on a dedicated workstation with their own database, separate from the practice management system. The Imaging System Inventory in the package documents the scanner, the workstation, the storage location, the encryption posture, the access list, and the retention rule. An imaging server left out of the Risk Analysis is the most common dental finding in OCR investigations.

We are a 6-location DSO. Does the package handle that?

Yes. Multi-location practice groups have additional scope: shared servers, inter-office VPN, cross-location clinician schedules, and patient charts visible from any office. The Multi-Location Boundary documentation maps the data flow between offices, defines the network controls, and writes a workforce access policy that tracks who can see which patients across the group. Pricing is scoped to total employees and locations rather than charging per-location, so a 6-office group is materially less expensive than buying six single-location programs.

How does this handle the front-desk reality of a dental office?

HIPAA-aligned does not mean unrealistic. Sign-in sheets at the front desk, casual confirmation of next visit by name, and an open operatory are all things OCR has accepted with the right minimum-necessary controls and patient acknowledgment. The package writes down the practice's actual workflow, the controls that make it HIPAA-aligned, and the documentation a state inspector or OCR investigator can read in five minutes without you needing to re-engineer your office.

What happens with departing employees?

The Offboarding and Access Revocation procedure is one of the most-used pieces of the package because dental staff turnover is real. It walks through account deactivation in the practice management system, imaging system, email, cloud backup, building access, and any cloud apps the employee touched, with a sign-off form that protects the practice if the former employee later claims they could not retrieve their pay records, or later attempts to access data after termination. The accompanying confidentiality agreement is a one-page document new hires sign on day one.

Can we keep our paper sign-in sheet at the front desk?

Yes, with a documented minimum-necessary control. OCR has not banned sign-in sheets, but information beyond name and arrival time raises a privacy issue. The package's Front Desk Privacy Standard documents what the sign-in sheet may include, the chart-pickup procedure, the operatory privacy practice, and how the practice handles the patient who calls a partner or family member to discuss treatment in the lobby. The intention is to make routine practice operations defensibly compliant without rewriting the office.

Stop authoring HIPAA policies. Start the program.

Schedule a 30-minute demo. We will walk through your practice management software, imaging systems, dental lab relationships, and location footprint, scope your HIPAA package live, and show the deliverables an OCR investigator would expect to see for a dental practice.
