
HIPAA risk analysis for dental practices: a specialty guide

Dental-specific considerations for HIPAA risk analysis: imaging systems, practice software, patient communication tools, and the unique threats dental practices face.

By CoreFolio

8-minute read

Dental practices often assume their HIPAA obligations are lighter than those of medical practices. The assumption is understandable (smaller patient volume, a different clinical workflow, specialized software), but it is incorrect. A dental practice that transmits health information electronically for claims or eligibility checks, which is nearly every practice, is a covered entity. The Office for Civil Rights (OCR) has investigated and settled with dental practices for risk analysis failures. The requirement at 45 CFR § 164.308(a)(1)(ii)(A) applies to every covered entity, regardless of specialty or size.

What is different is the environment. Dental practices have distinct systems, vendor relationships, and threat profiles. A risk analysis that works for a family medicine clinic will miss critical elements in a dental practice. This article describes the dental-specific considerations for a defensible risk analysis.

The dental technology stack

Dental practices run a specialized software and hardware ecosystem. An accurate risk analysis must inventory it specifically.

Practice management and EHR systems

Dental practices typically use specialty-specific software rather than general medical electronic health records (EHRs):

Dentrix (Henry Schein)

  • Cloud and on-premise versions
  • Integrated imaging, billing, patient communication
  • Mobile app for provider access
  • Risk considerations: The cloud version shifts hosting security to the vendor, but not the practice's accountability; user accounts, access rights, workstation security, and the vendor BAA remain the practice's responsibility. The on-premise version requires a local server security assessment (patching, backup, remote access).

Eaglesoft (Patterson Dental)

  • On-premise focus with cloud backup options
  • Strong integration with Patterson imaging hardware
  • Risk considerations: Server location, backup configuration, remote access setup

Open Dental

  • Open-source model with self-hosting
  • Highly customizable
  • Risk considerations: When self-hosted, security updates, server hardening, and the risks introduced by custom configuration are the practice's responsibility rather than the vendor's

Curve Dental

  • Cloud-native, browser-based
  • No on-premise server required
  • Risk considerations: Internet dependency, browser security, cloud vendor business associate agreement (BAA) critical

Risk analysis requirement: Name the specific software, version, and hosting model, and who administers it. "Our dental software" is insufficient. The analysis must reflect whether the data is on a local server, in the vendor's cloud, or a hybrid, and by what path it is reached remotely.

Digital imaging systems

Dental imaging creates unique ePHI volumes and storage requirements:

Digital radiography (digital sensors)

  • Direct digital capture replaces film
  • Immediate storage in practice software
  • High-resolution files that accumulate quickly across the patient panel
  • Risk considerations: Sensor connection (USB/wireless), storage encryption, backup verification

CBCT (Cone Beam CT)

  • 3D imaging with large file sizes (100MB+ per scan)
  • Used for implant planning, orthodontics, endodontics
  • Often stored separately from practice management software
  • Risk considerations: Separate storage location, retention policies, sharing with specialists (orthodontists, oral surgeons)

Intraoral scanners

  • Digital impressions replacing physical molds
  • Integration with CAD/CAM systems
  • Cloud transmission to labs
  • Risk considerations: Lab data transmission security, cloud storage location, retention

Panoramic and cephalometric units

  • Integrated with practice software or standalone
  • Digital export capabilities
  • Risk considerations: Export logging, unauthorized access prevention

Risk analysis requirement: Imaging represents a significant portion of dental ePHI. The analysis must cover capture, storage, backup, transmission to labs/specialists, and retention/destruction.

Patient communication systems

Dental practices rely heavily on automated communication:

Recall and reminder systems

  • Text message appointment reminders
  • Email recall notices
  • Automated phone calls
  • Risk considerations: Content of messages (ePHI exposure), vendor BAA, opt-out management

Two-way patient texting

  • Front desk communication with patients
  • Photo sharing ("Is this normal?" patient inquiries)
  • Risk considerations: Personal device security, message retention, ePHI in non-HIPAA-compliant platforms

Review and survey platforms

  • Post-appointment surveys
  • Review generation requests
  • Risk considerations: Integration with practice software, data shared with vendor

Risk analysis requirement: Patient communication often involves ePHI (appointment times, provider names, treatment confirmation). The analysis must assess whether communication vendors have BAAs and whether message content could expose PHI.

Integration and interoperability

Dental practices exchange data with multiple external entities:

Dental labs

  • Digital impressions sent for crown/bridge fabrication
  • CBCT scans for surgical guides
  • Risk considerations: Transmission method (email, portal, physical media), lab security practices, retention on lab systems

Specialists (orthodontists, oral surgeons, endodontists)

  • Referral records and images
  • Consultation reports
  • Risk considerations: Referral platform security, image sharing methods

Insurance and clearinghouses

  • Real-time eligibility verification
  • Electronic claims submission
  • ERA/EFT processing
  • Risk considerations: Transmission encryption, vendor security

Dental-specific threats and vulnerabilities

High-resolution imaging storage

Dental CBCT files are large and numerous. Practices may generate gigabytes of imaging data monthly. Storage constraints can push practices toward:

  • External hard drives (often unencrypted)
  • Consumer cloud storage (Dropbox, Google Drive) without BAAs
  • Long retention on local servers without backup verification

Vulnerability: Imaging data often exists in multiple locations (sensor, software database, backup, possible lab/cloud copy) with inconsistent security.

USB and portable media

Dental imaging has a legacy of physical media transfer:

  • USB drives for lab transmission
  • Patient-requested image exports
  • Specialist consultation sharing

Vulnerability: USB drives are easily lost, rarely encrypted, and difficult to track. The risk analysis must address both authorized use (policies, encrypted drives, a record of what was exported and to whom) and unauthorized use (personal USB drives plugged into clinical computers, which endpoint device-control settings can block).

Personal device photography

Clinical staff commonly use personal phones to:

  • Photograph CBCT screens for specialist consultation
  • Capture intraoral images for lab communication
  • Document cases for continuing education

Vulnerability: These images may auto-backup to personal iCloud, Google Photos, or similar consumer services without BAAs. The practice may not even know they exist.

Vendor diversity

Dental practices often work with more vendors than similarly-sized medical practices:

  • Practice software vendor
  • Imaging hardware vendor
  • IT support (often non-healthcare-specialized)
  • Managed services for backup/security
  • Patient communication platform
  • Lab services
  • Specialty referral platforms

Vulnerability: Each vendor with ePHI access requires a BAA. Dental practices often have BAAs with the practice software vendor but not with the IT consultant, the backup service, or the imaging lab.

Dental-specific BAA gaps

OCR settlements involving dental practices frequently cite missing business associate agreements. Common gaps:

IT service providers

Many dental practices use local IT shops without healthcare expertise. These vendors often have administrative access to servers containing ePHI without a BAA in place.

Imaging equipment vendors

Vendors who service digital sensors or CBCT units may access stored images during maintenance. If they have ePHI access, they need a BAA.

Dental labs

Digital labs receive identifiable patient data (digital impressions with patient names, CBCT scans). Treat lab services as business associates and execute BAAs; a practice that relies on a different classification for a particular lab should document the legal basis in the analysis. In either case, record the transmission method and how long the lab retains the data.

Practice management software consultants

Consultants who access the software for training, configuration, or troubleshooting may see patient data. If they do, they are business associates.

Patient communication vendors

Text reminder services, email platforms, and recall systems process patient data. BAAs are required even if the vendor claims they "just send the messages." The conduit exception covers only carriers that transmit data without storing or reading it, which does not describe a service that pulls appointment data from the practice software and composes the messages.

The dental risk analysis: additional sections

A dental practice risk analysis should include all standard HIPAA sections plus these specialty-specific elements:

Imaging system inventory

  • List every imaging device (sensors, CBCT, pano, intraoral scanner)
  • Note connection type (USB, network, wireless)
  • Document storage location and encryption status
  • Identify all transmission paths (to labs, specialists, patients)

Lab and specialist data flow

  • Map every external entity receiving patient data
  • Document transmission methods for each
  • Verify BAAs for all
  • Assess lab/specialist security practices where known

Patient communication assessment

  • Inventory all communication platforms (text, email, portal)
  • Review message content for ePHI exposure
  • Verify BAAs for vendors
  • Assess opt-out and retention policies

Personal device policy

  • Document policy on personal devices for clinical photography
  • Assess actual practice (policy vs. behavior)
  • Address cloud backup of clinical images

Vendor BAA audit

  • Complete list of all vendors with ePHI access
  • BAA status for each
  • Gap list for BAAs needing execution
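The five sections above are three inventories (where ePHI rests, who receives it, and which vendors touch it) plus the gap list derived from them. The script below is an added example, not CoreFolio's assessment tool or any vendor's code, showing how a practice can keep those inventories as structured records and derive the BAA gap list, the unencrypted storage and transmission findings, and a prioritized risk register from them in one pass. Every store, vendor, and flow in it is constructed sample data with hypothetical names; the sets of "encrypted" transports and "portable" media are assumptions the practice would adjust to what it has actually verified. It follows this article in treating labs and communication vendors as business associates, and it does not assess referral recipients that are themselves covered entities (a specialist practice), which appear only as flow destinations.

```python
"""Inventory-driven gap list for a dental practice risk analysis.
Added example, not CoreFolio's or any vendor's code. Every store, vendor
and flow below is constructed sample data with hypothetical names."""
from collections import Counter
from dataclasses import dataclass

# Transports this example treats as protecting ePHI in transit (assumption:
# the practice has verified TLS or SFTP on each of them).
ENCRYPTED_TRANSPORT = {"sftp", "https_portal", "https_api", "vpn", "tls_email"}
# Media this example treats as portable, i.e. exposed to loss or theft.
PORTABLE_MEDIA = {"usb", "external_hdd", "personal_phone"}

@dataclass
class Store:
    name: str
    medium: str      # "server", "workstation", "external_hdd", "vendor_cloud"
    encrypted: bool  # encryption at rest, as verified, not as assumed

@dataclass
class Vendor:
    name: str
    role: str
    ephi_access: bool
    baa_signed: bool

@dataclass
class Flow:
    source: str
    destination: str  # a vendor name, or an outside covered entity
    method: str       # "usb", "email", "https_portal", ...

@dataclass(frozen=True)
class Finding:
    severity: str
    category: str
    subject: str
    detail: str

def audit(stores, vendors, flows):
    """Derive a prioritized gap list from the three inventories."""
    findings = []
    vendor_by_name = {v.name: v for v in vendors}
    for s in stores:
        if not s.encrypted:
            # A lost unencrypted drive is a reportable breach; an office
            # workstation is a lower-likelihood exposure.
            sev = "high" if s.medium in PORTABLE_MEDIA else "medium"
            findings.append(Finding(sev, "unencrypted_storage", s.name,
                                    f"ePHI at rest on unencrypted {s.medium}"))
    for v in vendors:
        if v.ephi_access and not v.baa_signed:
            findings.append(Finding("high", "missing_baa", v.name,
                                    f"{v.role} vendor has ePHI access but no BAA"))
    for f in flows:
        subject = f"{f.source} -> {f.destination}"
        if f.method not in ENCRYPTED_TRANSPORT:
            findings.append(Finding("high", "unencrypted_transport", subject,
                                    f"ePHI sent by {f.method}"))
        dest = vendor_by_name.get(f.destination)
        if dest is not None and not dest.ephi_access:
            # Flow map contradicts vendor list: a "no ePHI" vendor receives it.
            findings.append(Finding("medium", "inventory_mismatch", f.destination,
                                    "receives ePHI but is listed as a no-ePHI vendor"))
    # High severity first, then grouped by category and subject for the register.
    return sorted(findings, key=lambda x: (x.severity != "high", x.category, x.subject))

def baa_gap_list(vendors):
    """Vendors that still need a BAA executed."""
    return sorted(v.name for v in vendors if v.ephi_access and not v.baa_signed)

def summarize(findings):
    """Findings per category, for the risk register summary."""
    return dict(Counter(f.category for f in findings))

# Constructed sample inventory for a hypothetical practice.
SAMPLE_STORES = [
    Store("Practice management SQL server", "server", encrypted=True),
    Store("CBCT acquisition workstation", "workstation", encrypted=False),
    Store("Imaging backup drive", "external_hdd", encrypted=False),
]
SAMPLE_VENDORS = [
    Vendor("Practice software vendor", "practice management", True, True),
    Vendor("Local IT shop", "server administration", True, False),
    Vendor("Digital crown lab", "dental lab", True, False),
    Vendor("Text reminder service", "patient communication", True, False),
    Vendor("Review platform", "marketing", False, False),
]
SAMPLE_FLOWS = [
    Flow("Intraoral scanner", "Digital crown lab", "https_portal"),
    Flow("CBCT acquisition workstation", "Oral surgery referral practice", "usb"),
    Flow("Practice management SQL server", "Text reminder service", "https_api"),
    Flow("Practice management SQL server", "Review platform", "https_api"),
    Flow("Front desk mailbox", "Digital crown lab", "email"),
]

if __name__ == "__main__":
    for x in audit(SAMPLE_STORES, SAMPLE_VENDORS, SAMPLE_FLOWS):
        print(f"[{x.severity}] {x.category}: {x.subject} ({x.detail})")
    print("BAA gap list:", baa_gap_list(SAMPLE_VENDORS))
```

On the sample data the audit returns eight findings: three missing BAAs (IT shop, lab, reminder service), the unencrypted backup drive and CBCT workstation, two unencrypted transmissions (CBCT on USB to the surgeon, impressions by plain email to the lab), and one inventory mismatch, because the review platform is recorded as having no ePHI access while a flow sends it patient data. That last category is the one a paper checklist misses: it only appears when the vendor list and the data-flow map are kept as records that can be cross-checked against each other.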

Special considerations by practice type

General dentistry

Broader scope of services means diverse ePHI types and more extensive imaging. Focus on:

  • Multiple imaging modalities (intraoral, pano, possible CBCT)
  • Referral relationships with multiple specialists
  • Diverse patient communication needs

Orthodontic practice

High imaging volume (cephalometric, CBCT, digital photos) and long treatment relationships:

  • Long-term retention of imaging (often 7+ years post-treatment, with the period set by state record-retention law and running longer for minors)
  • High volume of patient communication (appointments over 1–3 years)
  • Integration with orthodontic-specific systems (Invisalign, etc.)

Oral surgery

Complex referrals, hospital affiliations, high-stakes imaging:

  • Hospital integration (EHR interfaces, shared imaging)
  • Complex referral flows (multiple referring dentists)
  • Implant planning software and surgical guide vendors

Pediatric dentistry

Parent/guardian communication adds complexity:

  • Communication with parents (custody issues, split families)
  • Child assent/parent consent documentation
  • School or third-party communication (emergency contacts)

Documenting the dental risk analysis

The output should follow the standard HIPAA structure with dental-specific content:

  1. Scope: Name the practice, locations, and specifically identify the dental software and imaging systems in use.

  2. Inventory: Include devices, imaging systems, lab relationships, and patient communication platforms.

  3. Threats: Address dental-specific threats (USB loss, personal device photography, lab transmission interception).

  4. Controls: Assess encryption on imaging storage, BAA coverage for all vendors, personal device policies.

  5. Risk register: Prioritize risks specific to your imaging volume, vendor complexity, and practice type.

  6. Risk management plan: Include specific actions for dental BAA gaps, imaging encryption, and lab security assessment.

The CoreFolio HIPAA assessment includes dental-specific prompts for imaging systems, practice software, lab relationships, and patient communication platforms. The guided assessment ensures dental-specific elements are not missed while producing the structured documentation OCR expects.
