If you run a dental practice in Colorado — or anywhere in the United States — you are a HIPAA covered entity. That designation isn't about the size of your office or how many patients you see each week. It applies the moment you transmit patient health information electronically in connection with a covered transaction. For virtually every dental office, that moment comes dozens of times every business day.

What surprises many dental practice managers and owners is the scope of what HIPAA actually demands on the technical side. The HIPAA Security Rule, which governs electronic Protected Health Information (ePHI), contains a set of standards called Technical Safeguards. These aren't vague guidelines — they describe specific categories of controls your organization must implement or have a documented reason for not implementing.

This article walks through what the Technical Safeguards actually require, explains common gaps in dental office environments, and clarifies what it means to be "HIPAA-aligned" rather than "HIPAA certified."

First: What Does "Electronic PHI" Include in a Dental Office?

Before getting into the requirements, it's worth understanding what counts as ePHI in a dental context. Most dental office managers think immediately of their practice management software — Dentrix, Eaglesoft, Curve, or similar. But ePHI extends well beyond that:

  • Digital radiographs and intraoral images stored on imaging workstations or cloud platforms
  • Patient records in your practice management system, including appointment history, treatment plans, and financial data linked to identifiable patients
  • Email and text messages that contain patient names alongside health or scheduling information
  • Cloud backups of any system that holds the above data
  • Laptops and workstations that access or cache patient records
  • Shared network drives containing scanned EOBs, referral letters, or patient forms

If it identifies a patient and touches their health or payment information, and it lives on a device or travels over a network, it's ePHI. The Security Rule governs all of it.

The Four Technical Safeguard Standards

The HIPAA Security Rule organizes Technical Safeguards into four standards. Each standard contains both required and addressable implementation specifications. "Required" means you must implement it. "Addressable" means you must either implement it or document why an equivalent alternative is appropriate for your organization — it does not mean optional.

1. Access Control

You must implement technical policies and procedures that allow only authorized persons to access ePHI. The required specifications under this standard are:

  • Unique user identification — every person who accesses your systems must have their own login credentials, not a shared username
  • Emergency access procedures — a documented plan for obtaining ePHI in an emergency when normal access methods are unavailable

The addressable specifications include automatic logoff (locking workstations after a period of inactivity) and encryption and decryption of ePHI.

In practice, this means shared passwords are a direct HIPAA violation. If your front desk staff all log into Dentrix with the same username and password, that is a problem — both from a compliance standpoint and because you lose all ability to audit who accessed what.

2. Audit Controls

You must implement hardware, software, and procedural mechanisms that record and examine activity in systems that contain ePHI. This standard has no addressable specifications — it is entirely required.

What this means practically: your practice management software and network infrastructure should be generating logs that show who accessed patient records, when, and from which device. If a breach occurs, OCR (the HHS Office for Civil Rights) will ask to see these logs as part of any investigation. If you can't produce them, the absence of audit controls becomes its own compliance finding.
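A concrete way to see whether a workstation can actually answer "who logged in, when, and from where" is to pull the logon events Windows already records. The script below is an added example, not code from Front Range Health IT or from the original article. It reads the Security event log in an elevated PowerShell session (the Security log needs administrator rights), keeps interactive, network and remote desktop logons, and writes a CSV you can hand to a reviewer. The report path and the seven-day window are assumptions; it also assumes the default logon auditing policy has not been turned off.

```powershell
# Added example (not part of the original article): summarise Windows logon
# activity from the Security event log. Run in an elevated PowerShell session
# on the workstation or server being reviewed. Event ID 4624 = successful
# logon, 4625 = failed logon (standard Windows IDs).

param(
    [int]$Days = 7,                                                      # assumed review window
    [string]$ReportPath = "$env:USERPROFILE\Desktop\logon-audit.csv"     # assumed output location
)

$since = (Get-Date).AddDays(-$Days)

# One query for both successful and failed logons.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No logon events since $since. Check that logon auditing is on: auditpol /get /category:Logon/Logoff"
    return
}

# Read a named field out of the event's EventData section by parsing its XML,
# which is more robust than relying on property positions.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = foreach ($e in $events) {
    $logonType = Get-EventField $e 'LogonType'
    # Keep the logon types a reviewer cares about: 2 = interactive (console),
    # 3 = network (file shares), 10 = remote desktop. Services and scheduled
    # tasks use other types and are noise for this report.
    if ($logonType -notin '2', '3', '10') { continue }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Result      = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
        User        = Get-EventField $e 'TargetUserName'
        Workstation = Get-EventField $e 'WorkstationName'
        SourceIP    = Get-EventField $e 'IpAddress'
        LogonType   = $logonType
    }
}

# Drop computer accounts (names ending in $) and built-in system identities.
$rows = $rows | Where-Object { $_.User -notmatch '\$$' -and $_.User -notin 'SYSTEM', 'ANONYMOUS LOGON' }

$rows | Sort-Object Time | Export-Csv -Path $ReportPath -NoTypeInformation

# Console summary: logons per account, then failed attempts per account.
"Logon activity since $since (full detail saved to $ReportPath)"
$rows | Group-Object User | Sort-Object Count -Descending |
    Select-Object @{ n = 'User'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

$failures = $rows | Where-Object { $_.Result -eq 'Failure' } | Group-Object User
if ($failures) {
    "Failed logons by account:"
    $failures | Select-Object @{ n = 'User'; e = { $_.Name } }, Count | Format-Table -AutoSize
}
```

If every row in the output shows the same account name, that is the shared-credential problem from the Access Control section made visible: the log exists, but it cannot tell you which person was at the keyboard. Practice management software keeps its own access logs for patient-record views; this script only covers the Windows layer underneath it.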

3. Integrity Controls

You must implement policies and procedures to protect ePHI from improper alteration or destruction. The addressable specification here is an electronic mechanism to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.

Practically speaking, this connects directly to your backup strategy. Encrypted, verified backups that you can actually restore from are a core part of demonstrating integrity controls. It also applies to your imaging systems — if a patient's radiograph can be altered without any record of the change, that is an integrity gap.

4. Transmission Security

You must implement technical security measures to guard against unauthorized access to ePHI being transmitted over an electronic communications network. Encryption is listed as an addressable specification here — but given that unencrypted transmission of ePHI over the internet is an obvious risk, most practices should treat it as effectively required.

This means sending patient records, treatment plans, or radiographs via standard unencrypted email is a risk. It means your practice management software's connection to any cloud service should be over TLS. It means your staff's remote access to practice systems should use a VPN or equivalent secure channel.
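One check a practice can run itself is whether the cloud endpoints its software talks to actually negotiate modern TLS and present a certificate Windows trusts. The script below is an added example, not code from the original article or from any vendor. It opens a TLS connection to each host with Windows' own certificate validation left in place, so an untrusted or mismatched certificate is reported as a failure rather than silently accepted. The hostnames are placeholders; replace them with your practice management and backup providers' hosts. The fourteen-day certificate expiry margin is an assumption.

```powershell
# Added example (not part of the original article): confirm that a cloud
# endpoint negotiates TLS 1.2 or newer and presents a certificate that
# Windows trusts. Hostnames are placeholders.

param(
    [string[]]$Hosts = @('pms.example-vendor.invalid', 'backup.example-vendor.invalid')   # placeholders
)

function Test-TlsEndpoint {
    param([string]$HostName, [int]$Port = 443)
    $result = [ordered]@{ Host = $HostName; Ok = $false; Protocol = $null; CertExpires = $null; Error = $null }
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect($HostName, $Port)
        # No custom validation callback is supplied, so the operating system's
        # chain and hostname validation applies; a bad certificate throws.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $result.Protocol    = $ssl.SslProtocol.ToString()
        $result.CertExpires = $cert.NotAfter
        # Pass only on TLS 1.2/1.3 with a certificate that is not about to expire
        # (14-day margin is an assumption).
        $result.Ok = ($result.Protocol -in 'Tls12', 'Tls13') -and ($cert.NotAfter -gt (Get-Date).AddDays(14))
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
    [pscustomobject]$result
}

$Hosts | ForEach-Object { Test-TlsEndpoint -HostName $_ } | Format-Table -AutoSize
```

A host that reports Tls10 or Tls11, or that fails with a certificate error, is one to raise with the vendor. The check says nothing about email: ordinary email to a patient still travels as the receiving server allows, which is why the article treats it as a risk regardless of what your own mail server supports.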

A note on "addressable" specifications: The word "addressable" is widely misread as "optional." It is not. For every addressable specification you choose not to implement, the Security Rule requires you to document why the specification is not reasonable and appropriate, and to implement an equivalent alternative if one exists. For a dental office, the risk of non-implementation almost always outweighs the compliance documentation burden.

Where Dental Offices Most Commonly Fall Short

Based on what the HHS OCR has cited in breach investigations and resolution agreements, the most common Technical Safeguard gaps in smaller healthcare organizations — including dental practices — cluster around a few areas:

Shared credentials

It's common for small offices to have a single login for the front desk computer. Everyone knows the password. This violates the unique user identification requirement and eliminates any possibility of meaningful audit logs. It also means a terminated employee can still access records using credentials they memorized.

Unencrypted laptops

A laptop that stores or caches ePHI — even temporarily — and is not encrypted is a breach waiting to happen. Under HIPAA's Breach Notification Rule, a lost or stolen encrypted device is not a reportable breach. An unencrypted one is. BitLocker (built into Windows) is free and available on essentially every device a dental office would use. There is no justification for running an unencrypted laptop that touches patient data.

No workstation lock policy

Workstations that don't lock after a period of inactivity leave patient records visible to anyone who walks into the operatory or front desk area. Automatic screen lock after 10–15 minutes is a simple control with no meaningful cost. Its absence in a physical environment where patients and visitors move through the space is a significant risk.

Imaging systems on the same network as everything else

Dental imaging systems — sensors, cone beam CT, intraoral cameras — often run older software on Windows systems that haven't been updated since they were installed. Placing these on the same network segment as your front desk workstations and internet connection creates lateral movement risk: if one system is compromised, the attacker has a path to everything else. Network segmentation (putting imaging devices on their own VLAN) addresses this.

Backup without verification

Many practices have backup systems that are technically running but have never been tested. A backup that hasn't been verified by actually restoring data from it is not a backup for practical purposes — it's a belief. Tested, verified, encrypted backups stored off-site or in the cloud are what the integrity standard actually requires.
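The integrity standard's "mechanism to corroborate that ePHI has not been altered" and the backup point above come together in one habit: hash the backup set when it is taken, then hash the restored copy and compare. The script below is an added example, not code from the original article or from any backup product. It has two modes: Create writes a SHA-256 manifest for a backup folder; Verify compares a test-restore folder against that manifest and exits non-zero if anything is missing or changed, so a scheduled task can alert on it. All paths shown are placeholders.

```powershell
# Added example (not part of the original article): build a SHA-256 manifest
# for a backup set and verify a test restore against it.
#   .\Verify-Backup.ps1 -Mode Create -BackupRoot D:\Backups\PMS -Manifest D:\Backups\PMS.sha256.csv
#   .\Verify-Backup.ps1 -Mode Verify -BackupRoot E:\RestoreTest  -Manifest D:\Backups\PMS.sha256.csv
# (paths above are placeholders)

param(
    [Parameter(Mandatory)][ValidateSet('Create', 'Verify')][string]$Mode,
    [Parameter(Mandatory)][string]$BackupRoot,
    [Parameter(Mandatory)][string]$Manifest
)

function Get-HashManifest {
    # One record per file: path relative to the root, size in bytes, SHA-256.
    param([string]$Root)
    $rootFull = (Resolve-Path $Root).Path.TrimEnd('\')
    Get-ChildItem -Path $rootFull -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($rootFull.Length + 1)
            Length       = $_.Length
            SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

if ($Mode -eq 'Create') {
    $records = @(Get-HashManifest -Root $BackupRoot)
    $records | Export-Csv -Path $Manifest -NoTypeInformation
    "Manifest written: $($records.Count) files hashed from $BackupRoot -> $Manifest"
    return
}

# Verify mode: index both sides by relative path, then diff.
$expected = @{}
Import-Csv -Path $Manifest | ForEach-Object { $expected[$_.RelativePath] = $_ }
$actual = @{}
Get-HashManifest -Root $BackupRoot | ForEach-Object { $actual[$_.RelativePath] = $_ }

$missing  = @($expected.Keys | Where-Object { -not $actual.ContainsKey($_) })
$extra    = @($actual.Keys   | Where-Object { -not $expected.ContainsKey($_) })
$modified = @($expected.Keys | Where-Object {
    $actual.ContainsKey($_) -and $actual[$_].SHA256 -ne $expected[$_].SHA256
})

"Checked $($expected.Count) manifest entries against $BackupRoot"
"  missing : $($missing.Count)"
"  modified: $($modified.Count)"
"  extra   : $($extra.Count)"
$missing  | ForEach-Object { "  MISSING  $_" }
$modified | ForEach-Object { "  MODIFIED $_" }

# Non-zero exit so a scheduled task or monitoring tool can alert on failure.
if ($missing.Count -or $modified.Count) {
    exit 1
} else {
    "Restore verified: every file present with a matching hash."
    exit 0
}
```

Keep the manifest somewhere the backup job cannot overwrite, otherwise a corrupted backup could be "verified" against a manifest built from the same corrupted data. The CSV of hashes is also the evidence a reviewer will want when you say the backup was tested on a given date.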

What "HIPAA-Aligned" Means — and Why No One Can Call Themselves "HIPAA Certified"

You may notice that Front Range Health IT — and most responsible IT providers in the healthcare space — use the phrase "HIPAA-aligned" rather than "HIPAA compliant" or "HIPAA certified." This isn't hedging. It reflects how the regulation actually works.

There is no government certification for HIPAA compliance. HHS does not issue certificates to covered entities or their IT vendors confirming they have passed an audit. HIPAA compliance is an ongoing operational state, not a one-time achievement. An organization is compliant when it has implemented the required safeguards, documented its risk analysis and treatment decisions, and maintained evidence of that work over time.

An IT vendor who says they will make your practice "HIPAA certified" is either misinformed or deliberately misleading you. What a good healthcare IT partner can do is implement the technical controls that address the Security Rule's Technical Safeguards, help you document your risk analysis, and maintain the systems in a state that reflects the standard.

"HIPAA-aligned" means the technical architecture has been built around what the Security Rule requires — encryption, access controls, audit logging, verified backup, transmission security. Whether your practice is compliant ultimately also depends on your administrative and physical safeguards, your staff training, and your documentation — areas that go beyond IT infrastructure.

The Business Associate Relationship

One more area that dental offices sometimes misunderstand: when you hire an IT provider who will have access to systems containing ePHI, they become a Business Associate under HIPAA. A Business Associate Agreement (BAA) is required before they can touch those systems.

This applies to your IT provider, your cloud backup vendor, your practice management software company, and potentially others. If you're using Microsoft 365 for email and any of those emails might contain patient information, Microsoft is a Business Associate and a BAA is required — Microsoft does offer a signed BAA for qualifying plans.

A BAA doesn't transfer your compliance obligations to the vendor. It establishes that both parties understand their roles regarding ePHI and that the vendor is also subject to HIPAA requirements. It's a contractual safeguard, not an absolution.

Practical Next Steps for Dental Practices

If you're not sure where your practice stands, the most useful first step is a basic risk assessment. You don't need a consultant or a lengthy engagement to start — HHS publishes a Security Risk Assessment tool that walks through the relevant domains. The exercise of going through it will surface your most obvious gaps.

The controls with the highest return on investment for most dental offices are:

  • Enabling BitLocker on every laptop and workstation that touches patient data
  • Eliminating shared credentials and moving to per-user logins with strong passwords or MFA
  • Configuring automatic screen lock on all workstations
  • Verifying your backup is actually working by doing a test restore
  • Signing BAAs with your IT provider, your cloud backup vendor, and Microsoft if you use M365
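Three of the items in that list can be checked on a workstation in a minute. The script below is an added example, not code from the original article or from Front Range Health IT. It reports whether BitLocker fully protects the system drive, whether the current user's screen lock is enabled with a password and a timeout of 15 minutes or less, and whether any enabled local account has a role-style name that suggests it is shared. Two caveats: Get-BitLockerVolume ships with the BitLocker feature on Windows Pro and Enterprise editions and is absent on Windows Home, and the list of "generic" account names is an assumption you should extend for your own office. Domain-joined practices should check accounts in Active Directory instead of locally.

```powershell
# Added example (not part of the original article): posture check for three
# controls on one Windows workstation: BitLocker on the OS drive, automatic
# screen lock, and shared-looking local accounts. Run elevated.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Full-disk encryption on the OS volume.
$osDrive = $env:SystemDrive
try {
    $bl = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction Stop
    if ($bl.ProtectionStatus -ne 'On' -or $bl.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("BitLocker on $osDrive is not fully enabled (Protection=$($bl.ProtectionStatus), Volume=$($bl.VolumeStatus)).")
    }
} catch {
    # Cmdlet missing (e.g. Windows Home) or not elevated: flag it rather than assume it is fine.
    $findings.Add("BitLocker status could not be read on this machine; confirm encryption another way.")
}

# 2. Automatic screen lock. A Group Policy setting lives under the Policies
#    key and overrides the user's own setting, so check that first.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$userKey   = 'HKCU:\Control Panel\Desktop'
$desk = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if (-not $desk -or $null -eq $desk.ScreenSaveActive) {
    $desk = Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue
}
$maxTimeoutSeconds = 15 * 60   # 15 minutes, the upper end of the article's suggested range
if ($desk.ScreenSaveActive -ne '1') {
    $findings.Add("Screen saver is not enabled for $env:USERNAME; no automatic lock will occur.")
} elseif ($desk.ScreenSaverIsSecure -ne '1') {
    $findings.Add("Screen saver runs but does not require a password on resume.")
} elseif ([int]$desk.ScreenSaveTimeOut -gt $maxTimeoutSeconds) {
    $findings.Add("Screen lock timeout is $([int]$desk.ScreenSaveTimeOut / 60) minutes; target is 15 or less.")
}

# 3. Enabled local accounts with role-style names (assumed list; extend for your office),
#    plus the built-in Guest account, which should stay disabled.
$genericNames = 'frontdesk', 'reception', 'hygiene', 'operatory', 'dentist', 'office', 'user', 'admin'
Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
    if ($_.Name -eq 'Guest') {
        $findings.Add("Built-in Guest account is enabled.")
    } elseif ($_.Name -in $genericNames) {
        $findings.Add("Local account '$($_.Name)' is enabled and has a role-style name; confirm it is not shared by several staff.")
    }
}

if ($findings.Count -eq 0) {
    "No findings on $($env:COMPUTERNAME): BitLocker on, screen lock configured, no generic local accounts."
} else {
    "Findings for $($env:COMPUTERNAME):"
    $findings | ForEach-Object { " - $_" }
}
```

Run it on each workstation and keep the output with the date; a folder of these reports is the kind of documented evidence the Security Rule expects, and it is far easier to produce during an investigation than to reconstruct afterwards.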

These aren't expensive. Most can be implemented without purchasing new software. What they require is someone who knows what to configure and takes the time to do it properly.

Disclaimer: This article is for general informational purposes only and does not constitute legal or compliance advice. HIPAA requirements are complex and fact-specific. Consult a qualified healthcare attorney or compliance professional for guidance specific to your practice.