HIPAA Business Associate Agreement for Dental Practices
By BAA Generator Editorial · Updated Apr 19, 2026 · 5 min read
Key Takeaways
- ✓ All dental practices — solo or group — are HIPAA covered entities and must execute BAAs
- ✓ Practice management software, billing companies, and imaging systems all require BAAs
- ✓ Missing a BAA is a direct HIPAA violation — OCR has specifically cited dental practices
- ✓ Most dental software vendors (Dentrix, Eaglesoft) provide BAAs — but you must sign them
- ✓ IT support providers with remote access to your systems are business associates
Dental practices are one of the most commonly cited healthcare settings in HHS enforcement actions related to missing Business Associate Agreements. The reason is straightforward: dental offices use many vendors — billing companies, imaging systems, practice management platforms, IT support — and each one of them touches patient records. Without a BAA in place with every vendor, each missing agreement is a separate HIPAA violation.
Why Dental Practices Are Covered Entities
HIPAA's covered entity definition includes healthcare providers who transmit health information electronically in connection with standard HIPAA transactions. Dental practices that submit claims electronically — directly or through a clearinghouse — are covered entities, regardless of size.
This includes:
- General dentists and family dental practices
- Orthodontists
- Oral and maxillofacial surgeons
- Periodontists, endodontists, and prosthodontists
- Pediatric dentists
- Multi-location dental service organizations (DSOs)
If your office uses a billing service that submits claims electronically, you are a covered entity even if you never handle the electronic submission yourself.
What PHI Does a Dental Practice Handle?
PHI in a dental context includes more than just clinical records. The following all qualify as protected health information if they can be linked to an identifiable patient:
- Patient names, addresses, dates of birth, and contact information
- Dental records, X-rays, CBCT scans, and intraoral images
- Treatment plans, procedure codes (CDT codes), and clinical notes
- Insurance information and insurance claim records
- Appointment scheduling data that links a person to your practice
- Payment records associated with dental procedures
Any vendor whose system stores, processes, or transmits any of the above data requires a BAA.
Vendors Dental Practices Typically Need BAAs With
Practice Management Software
Dentrix, Eaglesoft, Open Dental, Curve Dental, and similar platforms store your patient records, clinical notes, X-rays, and billing data. All major platforms offer BAAs. You should have received or been prompted to sign a BAA when you set up the software — if you haven't, contact your vendor's compliance or legal team and request one immediately.
Dental Billing Companies and Clearinghouses
If you outsource billing or use a clearinghouse (DentalXChange, Availity, etc.) to submit claims, that company handles patient names, CDT codes, insurance IDs, and dates of service. A BAA is required before any patient data is shared. Many billing companies will proactively provide their standard BAA; if yours doesn't, send them a BAA using BAA Generator before transmitting any claims.
Digital Imaging and Radiography Systems
Cloud-connected digital X-ray systems, CBCT scanners, and intraoral cameras that store images remotely are business associates if the stored images contain PHI. Vendors like Planmeca, Carestream, and Dexis all offer BAAs for their cloud or remote-access components. On-premises-only systems that never transmit data outside your network may not require a BAA with the software vendor, but verify this before assuming it.
IT Support and Managed Service Providers
If an IT company can remotely access your systems — even just for routine maintenance — and those systems contain patient records, the IT company is a business associate. This is one of the most frequently missed BAA requirements in dental practices. Even if the IT vendor claims they "don't look at patient data," their access to systems containing PHI makes them a business associate under HIPAA.
Cloud Backup and Storage
Google Workspace, Microsoft 365, Dropbox Business, and similar cloud platforms offer BAAs on paid plans. Personal cloud accounts (personal Gmail, personal Dropbox, iCloud) do not qualify. If your dental records backup goes to any cloud service, that service must have a signed BAA with your practice.
Patient Communication Platforms
Recall reminder services, appointment confirmation systems, and patient portal platforms that link a person's identity to your practice's name are handling PHI. Lighthouse 360, Solutionreach, and similar recall platforms offer BAAs. Confirm BAA availability before deploying any patient communication system.
How to Get a BAA for Your Dental Practice
You have two options for each vendor:
- Request the vendor's BAA — most compliant dental software and billing vendors have a standard BAA they'll provide on request. Sign it and retain a copy in your compliance records.
- Provide your own BAA — generate a HIPAA-compliant BAA and send it to the vendor for countersignature. This is often faster with smaller vendors who don't have their own BAA template ready.
Document all executed BAAs in a vendor compliance log. Maintain copies for at least six years, as HIPAA requires covered entities to retain documentation of policies and procedures for that period.
Frequently Asked Questions
Does a solo dentist really need a BAA?
Yes. HIPAA applies to all covered entities regardless of practice size. A solo dentist using a cloud-based practice management system or an outside billing company has the same BAA obligations as a large DSO. The OCR has pursued enforcement actions against solo dental practices for missing BAAs.
My practice management software says it's HIPAA compliant — do I still need a BAA?
Yes. "HIPAA compliant" infrastructure describes the vendor's security posture, not the existence of a contract between you and the vendor. The BAA is the legal agreement that governs how the vendor handles your patient data. Without a signed BAA, there is no enforceable obligation — even if the platform is technically secure.
What if a vendor refuses to sign a BAA?
You cannot use that vendor for any PHI-handling function. Under HIPAA, there is no workaround for a vendor who refuses to execute a BAA. You must either find an alternative vendor who will sign one, or restructure the engagement so the vendor never accesses any PHI.