7 HIPAA Myths Dental Practices Actually Believe (And the Ones That Could Cost You $50,000)

DTC Inc.

There’s a lot of HIPAA misinformation floating around dental offices, and much of it gets dental practice HIPAA compliance flat wrong. Some of it is harmless misunderstanding, and some of it is the kind of thing that lands you a six-figure fine plus a corrective action plan that follows your practice for years.

We’ve worked with dental practices for 25+ years, so we’ve heard every one of these. Let’s sort out which is which.

Myth #1: “We’re too small to get audited.”

This is the most common one, and it’s the most dangerous.

HHS’s Office for Civil Rights conducts audits of covered entities of all sizes. Small practices aren’t exempt. In fact, they get investigated all the time, because a patient complaint can trigger an investigation no matter how big or small the practice is. One complaint from one patient about how their information was handled is enough to kick off an OCR inquiry.

The other way audits happen? Breaches. If patient data is compromised and you report it (which you’re required to do), that report kicks off an investigation into whether you had adequate safeguards in place.

Being small doesn’t protect you. If anything, it leaves you with fewer resources to deal with the aftermath.

Myth #2: “Our software is HIPAA-compliant, so we’re covered.”

This one is technically almost true, which makes it more dangerous than being completely wrong.

Your practice management software vendor may well be HIPAA-compliant. They’ve signed a Business Associate Agreement with you. Their systems are built to handle ePHI securely.

But for your practice, HIPAA compliance comes down to how you actually use that software: how you manage it and who you let access it. Compliant software won’t save you if your staff shares login credentials, if you have no automatic logoff policies, if you skip regular risk assessments, or if you’ve never documented an incident response procedure.

HIPAA compliance is a program, not a product.

Myth #3: “We did HIPAA training when we opened. We’re good.”

HIPAA’s Security Rule requires periodic security awareness training, not a one-time onboarding session your staff sat through seven years ago and have long since forgotten.

The threats themselves also look nothing like they did when most practices did their initial training. Ransomware targeting dental offices barely existed in 2015. The phishing techniques attackers use today are significantly more sophisticated than they were even two years ago.

“We did training once” won’t hold up. What protects you is being able to say, “We run regular, documented security training,” and prove it.

Myth #4: “HIPAA is just about keeping paper records private.”

HIPAA’s Privacy Rule covers paper records. HIPAA’s Security Rule, which is where most violations and fines come from, covers electronic protected health information (ePHI). That means every patient record in your practice management software, every X-ray in your imaging system, every appointment in your scheduling software, and every email that contains patient information.

For a modern dental practice, that’s just about everything. The Security Rule’s requirements are technical, administrative, and physical, and they’re specific about what “adequate safeguards” actually look like.

Myth #5: “If we haven’t had a breach, we’re compliant.”

HIPAA compliance comes down to whether you have the right safeguards in place, and that has very little to do with whether you’ve had an incident yet. A practice can be wildly non-compliant and never have a breach. A well-run practice can do everything right and still get hit.

OCR doesn’t only investigate breaches; it also investigates whether practices have put the required safeguards in place. A practice that has never had a breach but has no risk assessment, no documented policies, no access controls, and no training program is non-compliant, and could face significant fines if it ever gets investigated.

What counts is the program you’ve built, not your luck in dodging incidents so far.

Myth #6: “Our IT company handles all of that.”

Partly true, maybe. Your IT company should be handling the technical safeguards side of HIPAA: encryption, access controls, audit logging, patch management, and backup procedures. If they’re good, they are.

But HIPAA also requires administrative safeguards: documented policies, risk assessments, workforce training, a designated security officer, and Business Associate Agreement management. Your IT company isn’t responsible for any of that unless you’ve specifically contracted for it.

The question to ask your IT provider: “Can you show me the documentation of our HIPAA compliance program?” If the answer is vague, you have a gap.

Myth #7: “HIPAA fines only happen to hospitals and big health systems.”

Fines against small dental practices are well-documented in public HHS enforcement records. A few real examples from HHS’s public database:

One small dental practice paid $10,000 after a patient complained that their PHI showed up on the practice’s social media page. Another paid $25,000 following an investigation triggered by a breach affecting fewer than 500 patients. And the investigation itself, before any fine is even assessed, eats up legal counsel, document production, and staff time that often costs a practice far more than the fine does.

Size is not protection. Patient complaints and small breaches trigger the same investigation process as large ones.

What Actual Dental Practice HIPAA Compliance Looks Like

A real HIPAA compliance program has six components that are documented and maintained:

1. A current risk assessment that identifies where ePHI is stored and transmitted and what the risks to that information are.
2. Documented policies and procedures covering how your practice handles PHI.
3. Workforce training records showing that all staff have received security awareness training.
4. Technical safeguards including access controls, encryption, and audit logging.
5. A designated security officer responsible for compliance.
6. Business Associate Agreements with every vendor that touches PHI.

None of this is insurmountably complex. All of it requires intentional implementation and ongoing maintenance.

And all of it is far cheaper than the alternative.

Want to know where your practice actually stands on HIPAA compliance? We’ll assess your current posture across all three safeguard categories and give you a straight answer.