Beyond HIPAA Compliance: What Real Dental IT Security Looks Like

TL;DR

Real HIPAA compliance requires AES 256-bit encryption (not just “encrypted”), Business Associate Agreements with 15+ vendors (not just 3), systematic risk assessments (not online checklists), ongoing security training (not annual videos), and understanding that small practices do get audited.


Download our free 25+-point checklist to identify gaps in your current protection.


The Hidden Complexities of HIPAA

Your dental practice files electronic insurance claims. Congratulations—you’re a HIPAA covered entity. But what most dental practices don’t realize is that basic HIPAA compliance goes far deeper than “we keep patient files secure.”

Walk into most dental practices and you’ll hear some version of these statements: “We use practice management software, so we’re compliant.” “HIPAA is just about patient privacy.” “Small practices don’t get audited.” Each one represents a dangerous misconception that could leave your practice vulnerable to data breaches, regulatory fines, and reputation damage.

The truth is that HIPAA compliance involves extensive technical requirements that go well beyond having the right software or signing a few forms. Real security means understanding advanced encryption standards, managing complex Business Associate Agreements (BAAs), conducting systematic risk assessments, and building a culture of ongoing vigilance.

Arakyta brings over 20 years of dental-specific HIPAA expertise to all our clients. We’ve seen what works, what fails, and where practices consistently fall short. This article explores what “beyond basics” really means for dental practice IT security.

Advanced Encryption: More Than Just “Encrypted”

What Encryption Standards Does HIPAA Actually Require?

HIPAA requires FIPS 140-2 validated encryption modules using AES 256-bit for data at rest and TLS 1.2 or higher for data in transit. Simply claiming your data is “encrypted” isn’t enough—the encryption must meet specific government standards that ensure your patient data is actually protected.

Encryption at Rest (Storage)

For data stored on your systems, you need AES 256-bit encryption with FIPS 140-2 validated cryptographic modules. This isn’t the same as password protection or basic BitLocker—those solutions may not meet the required standard.

This level of encryption applies to:

  • Your practice management software database
  • File servers storing patient records
  • Workstation hard drives (requiring full disk encryption)
  • Backup drives and tapes
  • USB drives or external media containing PHI
  • Mobile devices like tablets and laptops

To verify you have proper encryption, ask your IT provider: “Are we using FIPS 140-2 validated AES 256-bit encryption for all systems storing ePHI?” If they can’t answer that, give us a call – immediately.

Encryption in Transit (Transmission)

When data moves between locations, you need TLS 1.2 or higher. This protects information as it travels across the internet.

This applies to:

  • Insurance claim submissions to clearinghouses
  • Lab orders and results
  • Patient portal access
  • Email containing PHI
  • Cloud backups uploading from your office
  • Remote access to your practice systems

Many practices fail here by using outdated protocols or unencrypted email. Standard email is not secure enough for detailed patient information—you need encrypted email solutions or secure patient portals.
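A practical way to check the "TLS 1.2 or higher" requirement above is to ask the endpoint directly: attempt a handshake pinned to each protocol version and see which ones it accepts. The script below is an added example, not code from the article or from Arakyta. It assumes the target host and port are given on the command line, that TLS 1.0 and 1.1 are graded as failing, and that a legacy version the local OpenSSL build cannot even offer is reported as "not observed" rather than "refused".

```python
"""Added example (not from the article): probe which TLS protocol versions an
endpoint negotiates and grade it against the "TLS 1.2 or higher" floor for
ePHI in transit.

Assumptions not on the page: host/port come from the command line; TLS 1.0
and 1.1 fail the grade; a legacy version the local OpenSSL cannot offer is
"not observed", not "refused".
"""
import socket
import ssl
import sys

# Floor for ePHI in transit: only these negotiated protocol names pass.
COMPLIANT_VERSIONS = frozenset({"TLSv1.2", "TLSv1.3"})

# Each probe pins both ends of the allowed range to one protocol version, so a
# successful handshake proves the server accepts exactly that version.
PROBE_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def is_compliant_version(version_name):
    """True if a negotiated protocol name meets the TLS 1.2+ floor."""
    return version_name in COMPLIANT_VERSIONS


def summarize(accepted):
    """Grade a set of negotiated protocol names: pass only if at least one
    compliant version is accepted and no legacy version is."""
    modern = sorted(v for v in accepted if is_compliant_version(v))
    legacy = sorted(v for v in accepted if not is_compliant_version(v))
    return {
        "compliant": bool(modern) and not legacy,
        "modern_accepted": modern,
        "legacy_accepted": legacy,
    }


def probe_version(host, port, version, timeout=5.0):
    """Handshake once with the context pinned to `version`. Returns the
    negotiated protocol name, or None if the server or local library refused."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None  # local OpenSSL cannot offer this version at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except OSError:  # ssl.SSLError and socket timeouts are both OSError
        return None


def audit(host, port=443):
    """Probe every version and return the pass/fail summary for host:port."""
    accepted = set()
    for version in PROBE_VERSIONS.values():
        negotiated = probe_version(host, port, version)
        if negotiated:
            accepted.add(negotiated)
    return summarize(accepted)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: tls_audit.py HOST [PORT]")
    target_host = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    result = audit(target_host, target_port)
    print(f"{target_host}:{target_port} -> {'PASS' if result['compliant'] else 'FAIL'}")
    print("  accepted (compliant):", ", ".join(result["modern_accepted"]) or "none")
    print("  accepted (legacy):   ", ", ".join(result["legacy_accepted"]) or "none")
```

Run it against your patient portal, clearinghouse upload host, or remote-access gateway. A "FAIL" with a legacy version listed means the server still negotiates TLS 1.0 or 1.1 and its configuration needs tightening; a "FAIL" with nothing accepted usually means the host was unreachable or the certificate did not validate, which is worth investigating on its own.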

Common Encryption Failures We See

Unencrypted Laptops: Staff members take laptops home with patient data on unencrypted hard drives. If the laptop is stolen, you have a reportable breach affecting potentially hundreds of patients.

Cloud Storage Without Verification: Practices assume Dropbox or Google Drive are “HIPAA compliant” by default. They’re not unless you have a Business Associate Agreement and configure encryption settings properly.

Email Attachments: Sending patient records via standard Gmail or Outlook email is a violation. The data must be encrypted both in transit and at rest on email servers.

The solution is straightforward but requires active implementation: work with an IT provider who understands HIPAA encryption requirements and can verify compliance across all your systems.

Is Your Practice Using the Right Encryption?

Not sure if your current systems meet HIPAA’s encryption standards? Our free Dental IT Security Checklist walks you through 25 essential security points to help you identify potential gaps in your protection.

Download Free Checklist: 25+-Point Dental IT Security Assessment

This guide helps you get started with a preliminary evaluation. For a comprehensive professional assessment, contact our team.

Business Associate Agreements: The Details Most Practices Miss

Who Actually Needs a BAA?

A Business Associate Agreement is required for any vendor who creates, receives, maintains, or transmits protected health information on your behalf. The challenge is that “any vendor” covers far more services than most dental practices realize.

Obvious Vendors (Most Practices Get These Right):

  • Practice management software providers
  • Dental insurance clearinghouses
  • Billing companies
  • IT support providers with system access
  • Email hosting services handling PHI

Frequently Missed Vendors:

  • Cloud backup providers (even automated backups)
  • Appointment reminder services (if they include patient names)
  • Website hosting companies (contact forms capture PHI)
  • Video conferencing platforms for telehealth
  • Shredding companies handling paper records
  • Email marketing platforms if segmenting by patient data

We’ve audited practices that had 15+ vendors requiring BAAs but had only collected three. Each missing BAA represents a compliance violation that could be identified during an Office for Civil Rights investigation.

For a complete list of business associate requirements, see the HHS guidance on business associates.

What Makes a BAA Valid?

Not all Business Associate Agreements are created equal. A valid BAA must contain specific provisions outlined in the HIPAA Omnibus Rule, including how the vendor will safeguard PHI, report breaches, and return or destroy data upon contract termination.

Key red flags that indicate a problematic BAA situation:

  • A vendor says “we’re HIPAA compliant” but refuses to sign a BAA
  • The vendor doesn’t understand what a BAA is
  • You’re using free consumer services that cannot be HIPAA compliant
  • The BAA is overly vague about security measures

If a vendor refuses to sign a BAA and they have access to PHI, you need to find a different vendor. There’s no workaround—HIPAA requires the agreement.

The Documentation Challenge

Beyond collecting BAAs, you must maintain them as part of your HIPAA documentation. This means keeping current signed copies, tracking renewal dates, and updating agreements when vendor services change.

Many practices collect BAAs initially but fail to maintain them. When a vendor updates their terms of service or you add new features, you may need a new or amended BAA. This ongoing management is where practices often fall short.

Risk Assessment: A Systematic Process That Requires Professional Guidance

Why Most Risk Assessments Fall Short

HIPAA requires covered entities to conduct regular risk assessments, but many dental practices treat this as a checkbox exercise rather than a genuine security evaluation. We’ve seen practices use 10-question online forms and consider themselves compliant. Real risk assessment is far more comprehensive.

A proper HIPAA risk assessment must be systematic and thorough, covering administrative safeguards, physical safeguards, technical safeguards, and organizational requirements. It should identify where PHI exists in your practice, what threats could compromise it, current security measures, and vulnerabilities that need addressing.

The Real Risk Assessment Process

An effective risk assessment for a dental practice should take several hours and involve multiple staff members. While a preliminary self-assessment can help you identify obvious gaps, a complete professional audit provides the depth required for true HIPAA compliance.

The process includes:

  • Identifying all locations where PHI exists (servers, workstations, paper files, mobile devices, cloud services, vendor systems)
  • Cataloging all ePHI workflows (how data moves through your practice)
  • Evaluating current security measures for each location and workflow
  • Identifying potential threats (ransomware, employee error, physical theft, unauthorized access)
  • Calculating risk levels based on likelihood and potential impact
  • Prioritizing remediation based on risk levels and available resources
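To make the scoring and prioritization steps concrete, here is a small risk register that carries the process above from inventory through ranked remediation. It is an added example, not code from the article or from Arakyta. It assumes a 1 to 5 scale for likelihood and impact, risk score = likelihood x impact, tier cutoffs of 15 and above for High and 8 and above for Medium, an estimated remediation effort per item, and a constructed sample register for a small practice; none of those values are on the page.

```python
"""Added example (not from the article): a minimal risk register for a dental
practice that inventories PHI locations and threats, scores likelihood and
impact, ranks by risk, and fits remediation into available staff hours.

Assumptions not on the page: 1-5 scales, score = likelihood x impact, tier
cutoffs (>=15 High, >=8 Medium, else Low), per-item effort estimates, and the
constructed sample register below.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class RiskItem:
    location: str      # where PHI exists: server, laptop, cloud service, vendor
    threat: str        # what could compromise it
    control: str       # current safeguard, or "none"
    likelihood: int    # 1 (rare) .. 5 (almost certain)
    impact: int        # 1 (negligible) .. 5 (large reportable breach)
    effort_hours: int  # estimated effort to remediate (assumed)

    def score(self):
        return self.likelihood * self.impact


def validate(item):
    """Reject out-of-scale ratings so a typo cannot silently hide a risk."""
    for name in ("likelihood", "impact"):
        value = getattr(item, name)
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(
                f"{name} for {item.location!r} must be {SCALE_MIN}-{SCALE_MAX}, got {value}")
    if item.effort_hours < 0:
        raise ValueError(f"effort_hours for {item.location!r} cannot be negative")


def tier(score):
    """Map a numeric score onto the assumed High/Medium/Low tiers."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def prioritize(register):
    """Rank items by score (highest first); among equal scores, items with no
    current control come first. Returns plain dicts for reporting."""
    for item in register:
        validate(item)
    ranked = sorted(register, key=lambda i: (-i.score(), i.control != "none", i.location))
    return [
        {"rank": n, "location": i.location, "threat": i.threat, "control": i.control,
         "score": i.score(), "tier": tier(i.score()), "effort_hours": i.effort_hours}
        for n, i in enumerate(ranked, start=1)
    ]


def plan_within_capacity(ranked, hours_available):
    """Walk the ranked list and accept each item that still fits the remaining
    hours; higher-risk items are considered first, cheap items can fill gaps."""
    selected, deferred, remaining = [], [], hours_available
    for entry in ranked:
        if entry["effort_hours"] <= remaining:
            selected.append(entry)
            remaining -= entry["effort_hours"]
        else:
            deferred.append(entry)
    return {"selected": selected, "deferred": deferred, "hours_unused": remaining}


# Constructed sample register (illustrative values, not real findings).
SAMPLE_REGISTER = [
    RiskItem("Front desk workstation", "Ransomware via phishing email", "AV only, no MFA", 4, 5, 8),
    RiskItem("Hygienist laptop taken home", "Theft of unencrypted device", "none", 3, 5, 4),
    RiskItem("Cloud backup provider", "Vendor mishandles ePHI", "BAA missing", 2, 4, 2),
    RiskItem("Paper charts in file room", "Unauthorized physical access", "Locked room", 2, 3, 1),
    RiskItem("Practice management server", "Backup restore fails after incident",
             "Nightly backup, never tested", 3, 4, 6),
    RiskItem("Former employee account", "Access not deactivated", "none", 3, 3, 1),
]

if __name__ == "__main__":
    ranked_items = prioritize(SAMPLE_REGISTER)
    for e in ranked_items:
        print(f"{e['rank']}. [{e['tier']:6}] {e['score']:2}  {e['location']} -- {e['threat']}")
    plan = plan_within_capacity(ranked_items, hours_available=15)
    print("\nThis month:", [e["location"] for e in plan["selected"]])
    print("Deferred:  ", [e["location"] for e in plan["deferred"]])
```

The output is the artifact an auditor expects to see: every PHI location paired with a threat, a rating, and a decision. Re-run it whenever the inventory changes (a new vendor, a new device, a new workflow), which is exactly the trigger HIPAA uses for repeating the assessment.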

This isn’t a one-time activity. HIPAA requires risk assessments whenever there are changes to your practice operations, technology infrastructure, or regulatory requirements. At minimum, conducting an annual comprehensive assessment is standard practice.

Common Gaps Risk Assessments Reveal

When we conduct risk assessments for dental practices, certain vulnerabilities appear repeatedly:

  • Shared passwords across staff members
  • No multi-factor authentication on critical systems
  • Unencrypted portable devices leaving the office
  • Missing Business Associate Agreements
  • Inadequate staff training on security protocols
  • No process for deactivating access when employees leave
  • Backup systems that haven’t been tested for recovery

The value of a proper risk assessment isn’t just regulatory compliance—it’s identifying these vulnerabilities before they lead to a costly breach.

Security Training: Beyond the Annual Video

Why Once-a-Year Training Doesn’t Work

Most dental practices satisfy the HIPAA training requirement by having staff watch a 30-minute video annually and sign an acknowledgment form. This approach checks the compliance box but does little to change actual behavior or reduce security risks.

The problem is that security threats evolve constantly. Phishing attacks become more sophisticated. New ransomware variants emerge. Staff members develop workarounds that create vulnerabilities. Once-a-year training can’t keep pace with these changes.

What Effective Security Training Looks Like

Real security training is ongoing, relevant to daily workflows, and reinforced through practice. It should help your team recognize actual threats they’ll encounter and know exactly how to respond.

Scenario-Based Training: Rather than abstract principles, effective training uses real scenarios: “You receive an email that appears to be from your dental supply company asking you to verify your account by clicking a link. What do you do?”

Staff members learn to recognize phishing attempts, suspicious attachments, and social engineering tactics through examples that mirror what they’ll actually see.

Role-Specific Training: Front desk staff face different security challenges than clinical staff. Your training should address the specific PHI access and security responsibilities of each role.

Phishing Simulations: Periodic simulated phishing emails help staff practice recognizing threats in a safe environment. When someone clicks a simulated phishing link, it becomes a teaching moment with immediate feedback.

Ongoing Reinforcement: Brief monthly security reminders are more effective than annual marathons. A five-minute discussion at a staff meeting about a recent threat keeps security top of mind.

For comprehensive training guidance, review the ADA’s HIPAA training resources.

Measuring Training Effectiveness

You can’t improve what you don’t measure. Effective training programs track pre-test and post-test scores, monitor phishing simulation click rates, and track whether security incidents decrease following training sessions.

The goal isn’t perfect test scores—it’s changing behavior. If staff members start reporting suspicious emails instead of clicking them, your training is working.

Common HIPAA Compliance Myths Debunked

Myth #1: “Small Practices Don’t Get Audited”

The Office for Civil Rights doesn’t exempt practices based on size. While large healthcare systems attract more attention due to the scale of potential breaches, small dental practices are still subject to random audits and complaint-based investigations.

In fact, some compliance experts argue that small practices face higher relative risk because they often have fewer resources dedicated to compliance and may make more assumptions about being “too small to notice.”

Myth #2: “HIPAA-Compliant Software Makes Us Compliant”

Your practice management software might be HIPAA compliant, but that doesn’t make your practice compliant. Software is just one component of a comprehensive compliance program.

You still need proper policies and procedures, staff training, Business Associate Agreements, risk assessments, physical security measures, and incident response plans. The software provides capabilities—you must configure and use them correctly.

Myth #3: “We Can Share PHI If It’s for Treatment”

HIPAA does include a treatment exception that allows disclosure of PHI for treatment purposes, but this doesn’t eliminate security requirements. You must still follow the minimum necessary standard and use appropriate security protocols.

You cannot email unencrypted patient records to a specialist “because it’s for treatment.” The treatment exception addresses when you can share information, not how you must protect it during transmission.

Myth #4: “HIPAA Requires 90-Day Password Changes”

This is one of the most persistent myths in healthcare IT. HIPAA does not specify password rotation frequency. If your practice uses multi-factor authentication, longer password validity periods are perfectly acceptable.

The security rule requires passwords but focuses on password strength, uniqueness, and proper management—not arbitrary rotation schedules that often lead to weaker passwords.

Myth #5: “Texting Patients Is Always a HIPAA Violation”

Text messaging can be HIPAA compliant with proper patient consent and a secure messaging platform designed for healthcare communications. What’s not compliant is using standard SMS text messages for detailed PHI.

Your appointment reminders can include basic information like “You have an appointment tomorrow at 2 PM” with proper consent. Detailed treatment information requires secure messaging platforms with encryption and access controls.

Myth #6: “We Don’t Need to Report a Breach If No Harm Occurred”

If an unauthorized disclosure of PHI occurred, you must evaluate it under HIPAA’s breach notification rule regardless of whether harm resulted. “No harm, no foul” is not a HIPAA principle.

Even if you determine through proper risk assessment that notification isn’t required, you must document that assessment process. You can’t simply decide not to report because nothing bad happened.

Real Dental IT Security: Putting It All Together

HIPAA compliance isn’t about perfection—it’s about demonstrating good faith efforts to protect patient information through reasonable safeguards. Real security comes from understanding that compliance is ongoing work, not a destination you reach once and forget about.

The dental practices we work with successfully understand several key principles:

Encryption must meet specific technical standards, not just marketing claims. AES 256-bit for storage, TLS 1.2 or higher for transmission, with FIPS 140-2 validation where required.

Business Associate Agreements are required for far more vendors than most practices realize, and collecting them is an active process requiring ongoing management.

Risk assessment requires professional guidance to be truly comprehensive. While self-assessment tools can help identify obvious gaps, a complete audit ensures nothing is overlooked.

Security training must be ongoing, relevant, and measurable to actually change staff behavior and reduce risk.

Common compliance myths create dangerous gaps in security that could be exploited by attackers or identified during investigations.

Through our RenTech acquisition, Arakyta brings over 20 years of dental-specific HIPAA expertise to all our clients. We understand dental workflows, common compliance challenges, and cost-effective solutions that work for practices of all sizes.

Start Your Security Assessment Today

Use our comprehensive Dental IT Security Checklist as a starting point to evaluate your current compliance posture. This 25-point guide covers encryption, Business Associate Agreements, access controls, training requirements, and more.

Download Your Free Dental IT Security Checklist

While this checklist helps you identify immediate concerns, a full professional audit ensures nothing is overlooked.

Get Help With Your HIPAA Compliance

If you’re unsure whether your practice has adequate security measures in place, we offer complimentary HIPAA gap assessments that evaluate your current posture and identify areas for improvement. This includes reviewing your encryption implementation, auditing your Business Associate Agreement collection, evaluating your risk assessment process, and providing budget-appropriate recommendations.

Real security means going beyond the basics to implement protections that actually work. Your patients trust you with their health information—make sure your IT security reflects that responsibility.

Contact Arakyta:

Phone: 419-740-7150
Schedule a free HIPAA assessment

Frequently Asked Questions About Dental HIPAA Compliance

Q: What encryption standard does HIPAA require?

A: HIPAA requires FIPS 140-2 validated AES 256-bit encryption for data at rest and TLS 1.2 or higher for data in transit.

Q: Do small dental practices really get audited?

A: Yes. The Office for Civil Rights doesn’t exempt practices based on size. Small practices face random audits and complaint-based investigations just like larger organizations.

Q: Which vendors need Business Associate Agreements?

A: Any vendor who creates, receives, maintains, or transmits PHI on your behalf needs a BAA. This includes obvious vendors like practice management software, plus frequently missed vendors like cloud backup providers, appointment reminder services, website hosts, shredding companies, and email marketing platforms.

Q: How often should we conduct HIPAA risk assessments?

A: HIPAA requires risk assessments whenever there are changes to practice operations, technology infrastructure, or regulatory requirements. Best practice is an annual comprehensive assessment at minimum.

Q: Is texting patients a HIPAA violation?

A: Text messaging can be HIPAA compliant with proper patient consent and a secure messaging platform. Standard SMS is not secure enough for detailed PHI, but basic appointment reminders can be compliant with proper consent.

Q: What makes a Business Associate Agreement valid?

A: A valid BAA must contain specific provisions outlined in the HIPAA Omnibus Rule, including how the vendor will safeguard PHI, report breaches, and return or destroy data upon contract termination.

Q: Does HIPAA require password changes every 90 days?

A: No. HIPAA does not specify password rotation frequency. If using multi-factor authentication, longer password validity periods are acceptable. The focus should be on password strength and uniqueness.

Q: What happens if we can’t get a BAA from a vendor?

A: If a vendor refuses to sign a BAA and they have access to PHI, you must find a different vendor. There’s no workaround—HIPAA requires the agreement.


About Arakyta

Through our October 2025 acquisition of RenTech, Arakyta now serves 120+ dental practices across Northwest Ohio and Southeast Michigan with specialized IT security and compliance services. We combine 20+ years of dental IT expertise with enterprise-grade security solutions tailored for practices of all sizes.

References & Resources

U.S. Department of Health & Human Services – HIPAA Security Rule

American Dental Association – HIPAA Compliance Resources

NIST – FIPS 140-2 Standards

HIPAA Journal – Healthcare Compliance News
