Learn what you need to have and do to protect your patients and your practice
HIPAA compliance is a legal requirement for most dental offices, and it’s directly tied to how you protect patient privacy and secure health information. If your practice transmits health information electronically in connection with standard transactions like claims, you’re treated as a HIPAA covered entity, which means you’re expected to follow HIPAA’s rules, not just “best practices.”
In 2026, the basics remain the same, but expectations around security continue to rise as cyber risk does. HHS has also proposed updates to the HIPAA Security Rule (not final at the time of writing), so it’s smart to treat your compliance program as something you continuously maintain, not a one-time project.
- Dental offices that submit HIPAA-standard electronic transactions (such as claims) are covered entities and must comply with HIPAA’s rules to protect patient health information.
- HIPAA is usually framed around 3 core rule sets you’ll deal with day to day: the Privacy Rule, the Security Rule, and the Breach Notification requirements.
- PHI includes identifiable patient information in any form, including dental charts, imaging, billing, and even verbal discussions, so your safeguards need to cover more than just your software.
- If a vendor creates, receives, maintains, or transmits PHI for you (common examples include IT, billing, cloud services, and certain dental software), you generally need a written business associate agreement.
- HIPAA penalties are tiered and can be substantial, and HHS adjusts civil monetary penalties for inflation, so it’s worth relying on current HHS publications when you cite numbers.
What is HIPAA for dental practices?
HIPAA sets national standards for protecting patient health information. For dental offices, HIPAA typically applies when you conduct standard financial or administrative transactions electronically, such as submitting claims, checking eligibility, or handling electronic payment and remittance activities through covered transactions. In practical terms, if you’re running a modern dental office with electronic claims and digital records, you should assume HIPAA applies and build your policies and safeguards accordingly.
HIPAA is not optional, and it’s not only about technology. It also covers how your team uses and discloses patient information, how you manage access, and how you respond if something goes wrong.
The three core HIPAA rules
Privacy rule
The Privacy Rule focuses on when and how you can use or disclose protected health information (PHI). It allows use and disclosure for treatment, payment, and health care operations, but it also expects you to limit access to the “minimum necessary” information for many other uses. It’s also where your Notice of Privacy Practices and many patient rights originate.
Security rule
The Security Rule is specifically intended to safeguard electronic PHI (ePHI). It organizes safeguards into 3 buckets: administrative, physical, and technical, and it’s designed to be flexible so a small practice can scale controls appropriately. The key is to implement reasonable and appropriate safeguards based on your risks and environment, and to document what you’ve done.
Breach notification requirements
HIPAA breach notification rules require action if unsecured PHI is breached. If a breach affects 500 or more individuals, you must notify HHS without unreasonable delay and no later than 60 days from discovery. Other notification requirements may apply depending on the situation. From a workflow standpoint, this is why you want a written incident response plan and clear internal roles before you ever need them.
What is protected health information (PHI)?
Protected health information, or PHI, is any information that relates to a patient’s health, dental care, or payment for care and can be used to identify that individual. Under HIPAA, dental practices are required to safeguard PHI in all forms, not just electronic records.
If you can connect a piece of information to a specific patient and it relates to their care or billing, it is almost always considered PHI.
Individually identifiable health information
PHI includes health or payment information that directly or indirectly identifies a patient. This can include obvious identifiers, such as a patient’s name, address, date of birth, Social Security number, phone number, or email address. It also includes medical record numbers, account numbers, insurance subscriber information, photographs, and any other data that could reasonably be used to identify a patient.
Even partial information can qualify as PHI if it can be linked back to an individual.
Clinical information protected in dental offices
In a dental setting, PHI commonly includes clinical and administrative records such as treatment notes, dental charts, periodontal measurements, radiographs, intraoral photos, prescriptions, diagnoses, treatment plans, lab orders and results, billing records, insurance details, and appointment schedules when they are tied to a patient’s identity.
This applies whether the information is stored digitally, printed on paper, or shared verbally.
Electronic, paper, and verbal PHI
HIPAA protects PHI in all formats. Electronic PHI includes data in practice management systems, imaging software, emails, cloud storage, and backups. Paper PHI includes printed charts, schedules, referral forms, and insurance documents. Verbal PHI includes conversations with patients, phone calls, discussions at the front desk, and any spoken information that could be overheard.
Because HIPAA applies across formats, compliance requires safeguards for technology, physical spaces, and daily workflows.
De-identified information
Information that has been properly de-identified is not considered PHI under HIPAA. To qualify, specific identifiers must be removed in accordance with strict standards set by HHS, and the remaining data must not reasonably identify a patient.
De-identified data may be used for purposes such as internal analysis, training, or research, but practices should be careful. If de-identification is incomplete or identifiers can be reconstructed, the information may still be treated as PHI and subject to HIPAA requirements.
Administrative safeguards
Administrative safeguards are the policies, processes, and accountability structure that make the rest of HIPAA work. This is the part most practices underestimate, because it’s less visible than software security, but it’s what OCR (HHS’s Office for Civil Rights) expects you to have documented.
A practical starting point is a repeatable security management process: conduct a risk analysis, identify vulnerabilities, implement controls, and document both the decisions and the follow-through. Then assign security responsibility, even if the “officer” role is held by a single person at a smaller practice.
You’ll also want information access management that matches how your practice actually runs. That usually means role-based access, a process for granting access, a process for quickly terminating access when someone leaves, and periodic access reviews to prevent permissions from quietly expanding over time.
Physical safeguards
Physical safeguards protect your office, devices, and paper workflows so PHI is not exposed through the “real world” day-to-day.
This usually includes facility access controls (locking areas where records or systems are accessible), practical workstation security (screen positioning, automatic locking, not leaving charts or schedules where patients can see them), and a clean process for paper record handling and disposal. Even if most of your workflows are digital, paper still tends to show up during check-in, scheduling, referrals, and scanning.
Technical safeguards
Technical safeguards are your technology controls for ePHI. At a minimum, you want unique user accounts, strong authentication practices, and access controls that align with job roles. You also want audit capabilities to see who accessed what and when, especially when troubleshooting an incident.
Encryption is a common focus area because it reduces the risk of breaches when laptops, portable devices, or backups are lost or stolen. In 2026 planning, it’s also worth paying attention to proposed Security Rule changes that would increase specificity around controls such as encryption and multi-factor authentication, even though the proposed rules are not yet final requirements.
Patient rights under HIPAA
HIPAA is not only about what your practice must do; it is also about the rights your patients have over their health information. Understanding these rights helps you respond correctly to requests and avoid common compliance missteps.
Right to access records
Patients have the right to request copies of their dental records, including X-rays and clinical notes. In most cases, you must provide access within 30 days, with one additional 30-day extension allowed if you document the reason for the delay. You may charge a reasonable, cost-based fee for copies, but you cannot deny access simply because a patient owes money.
Right to request amendments
Patients can ask you to correct or amend their records if they believe information is inaccurate or incomplete. You must respond within 60 days. You can deny the request in certain situations, such as when the record was not created by your practice, but you must document the denial and explain the reason.
Right to an accounting of disclosures
Patients may request a list of disclosures of their PHI that were made outside of treatment, payment, or health care operations. This accounting can cover up to 6 years and must be provided within 60 days of the request.
Right to restrict uses and disclosures
Patients can request restrictions on how their PHI is used or shared. While you are not required to agree to most requests, you must honor a restriction if a patient pays for a service in full and asks that information not be shared with their health plan. Once accepted, these restrictions must be followed.
Right to confidential communications
Patients can request that communications be sent in a specific way or to a specific location, such as phone calls instead of mail. If the request is reasonable, you must accommodate it and have a process for documenting and honoring these preferences.
HIPAA compliance for dental technologies
Modern dental practices rely heavily on technology, which means HIPAA compliance must extend to your digital tools and vendors. The key principle is simple: if technology touches PHI, it must be properly secured and governed.
Practice management software
Your practice management system should support role-based access, audit logs, and secure data storage. If the vendor can access PHI, you generally need a business associate agreement (BAA) in place. Cloud-based systems should also provide encryption and documented security controls.
Digital radiography and imaging
Digital X-ray systems store and transmit PHI, so they require access controls, secure image storage, and protected transmission when sharing with specialists or labs. Backup procedures should also be in place to protect against data loss.
Patient communication platforms
Email, text messaging, and patient portals must be handled carefully. Standard, unencrypted email is generally not appropriate for PHI unless specific conditions are met. Secure messaging platforms, patient consent, and clear communication policies help reduce risk.
Telehealth and virtual consultations
If you offer virtual visits, the platforms you use must be HIPAA-compliant. This includes encryption, access controls, and vendor-provided BAAs. You’re also responsible for maintaining patient privacy during the visit and documenting care in secure systems.
Cloud storage and backup
Any cloud provider that stores or backs up PHI must meet HIPAA requirements and provide a BAA. Encryption, access controls, physical data center security, and regular backup testing are all important elements of compliance.
Common HIPAA violations in dental offices
Many HIPAA violations stem from everyday operational gaps rather than malicious intent. Knowing where practices commonly fail helps you prevent issues before they happen.
Lack of business associate agreements
A frequent mistake is using vendors that access PHI without a signed BAA. This can include IT support, billing services, cloud storage, or dental software providers. The fix is to review every vendor relationship and ensure BAAs are in place where required.
Insufficient access controls
Shared logins, excessive permissions, and delayed access termination for former staff create a serious risk. Unique user IDs, role-based access, and prompt access removal are foundational safeguards.
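The access gaps described here (shared logins and delayed termination), together with the periodic access reviews and audit capabilities mentioned under the administrative and technical safeguards, can be checked mechanically. The following is an added example, not code from the original page or from any dental software vendor: it runs a small access review over constructed audit log lines and a constructed staff roster, and the log format, roster fields and workstation names are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample audit log: "timestamp event user=<id> ws=<workstation>".
AUDIT_LOG = """\
2026-03-02T08:05:00 login user=jdoe ws=OP1
2026-03-02T08:06:00 login user=jdoe ws=FRONT
2026-03-02T08:10:00 login user=asmith ws=FRONT
2026-03-02T09:00:00 login user=temp ws=OP2
2026-03-02T17:30:00 login user=drlee ws=OP3
"""

# Constructed staff roster; "terminated" is the last day of employment or None.
ROSTER = {
    "jdoe": {"role": "hygienist", "terminated": None},
    "asmith": {"role": "front_desk", "terminated": "2026-02-28"},
    "drlee": {"role": "dentist", "terminated": None},
}


def parse_log(text):
    """Parse the assumed log format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        ts, event, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"ts": datetime.fromisoformat(ts), "event": event, **kv})
    return events


def review_access(log_text, roster, share_window=timedelta(minutes=10)):
    """Return (finding, account, detail) tuples for an access review."""
    findings = []
    logins = [e for e in parse_log(log_text) if e["event"] == "login"]
    for e in logins:
        entry = roster.get(e["user"])
        if entry is None:  # account with no matching staff member
            findings.append(("unknown_account", e["user"], e["ts"].isoformat()))
        elif entry["terminated"] and e["ts"].date() > datetime.fromisoformat(entry["terminated"]).date():
            findings.append(("terminated_user_login", e["user"], e["ts"].isoformat()))
    # One account logging in from two workstations within a short window
    # suggests the credentials are being shared rather than used by one person.
    by_user = {}
    for e in logins:
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        for a, b in zip(evs, evs[1:]):
            if a["ws"] != b["ws"] and b["ts"] - a["ts"] <= share_window:
                findings.append(("possible_shared_login", user, f'{a["ws"]}/{b["ws"]}'))
    return findings
```

Each finding is something the access review should resolve and document: disable the account, confirm the termination date, or retrain the staff member sharing credentials.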
Inadequate staff training
HIPAA training that happens once and is never refreshed is a common problem. HIPAA requires ongoing training and documentation demonstrating that staff understand their responsibilities. Annual refreshers are a practical baseline.
Unencrypted portable devices
Lost or stolen laptops, tablets, or portable drives remain a leading cause of reportable breaches. Encrypting portable devices significantly reduces exposure and may prevent a loss from being classified as a breach.
Building a HIPAA compliance program
HIPAA compliance works best when it’s treated as a program, not a checklist. Start by assigning a Privacy Officer and Security Officer, even if those roles are combined in a smaller practice. Leadership support matters because compliance requires time, authority, and follow-through.
An annual risk assessment is a strong foundation. This involves identifying where PHI lives, evaluating threats and vulnerabilities, and documenting remediation steps. From there, you can update policies, train staff, review vendor agreements, and test your incident response process. Documentation is critical because HIPAA enforcement often focuses on what you can prove you did, not just what you intended to do.
Conclusion
HIPAA compliance for dental offices in 2026 requires a comprehensive, ongoing approach. You’re expected to comply with the Privacy Rule governing how PHI is used and disclosed, the Security Rule requiring administrative, physical, and technical safeguards for electronic PHI, and breach notification requirements that mandate prompt action when incidents occur.
In practice, compliance means regular risk assessments, documented policies and procedures, continuous staff training, strong access controls, encryption where appropriate, and business associate agreements with vendors, including technology providers. With penalties that can reach thousands of dollars per violation and potential criminal consequences for serious breaches, maintaining HIPAA compliance is both a legal obligation and a key part of protecting patient trust.