HIPAA Business Associate Agreement for Dental Labs

By BAA Generator Editorial  ·  Updated Apr 19, 2026

Key Takeaways

Direct answer: Dental labs are HIPAA business associates, not covered entities. The dental practice must execute a BAA with your lab before sharing patient-identified case information. As a business associate, your lab is directly subject to HIPAA and must also sign BAAs with your own sub-vendors (digital impression platforms, cloud storage) that access patient case data under 45 CFR § 164.504(e).

Dental labs occupy a distinctive position in the HIPAA framework. Unlike dental practices — which are covered entities that directly provide care to patients — dental labs are business associates: they receive PHI from dental practices and use it to manufacture dental restorations, but they never directly provide healthcare services to patients. This means dental labs are on the receiving end of BAA obligations (dental practices must give them a BAA), but they also have outgoing BAA obligations to their own sub-vendors.

The Dental Lab's Position in the HIPAA Structure

Here is how the BAA chain works in dental:

The dental practice has the obligation to provide a BAA to the dental lab under 45 CFR § 164.504(e) before sharing any patient-identifiable case information. The dental lab, as a business associate, is directly subject to HIPAA's Security Rule and Breach Notification Rule, and must execute BAAs with its own sub-vendors.

What Information Shared with a Dental Lab Is PHI?

A lab case that contains any of the following constitutes PHI under HIPAA:

A prescription with no patient name or unique identifier is technically not PHI — but in practice, almost all dental lab cases include some patient-identifying element, making the BAA requirement the norm rather than the exception.

Incoming BAA Obligations: What Dental Practices Owe the Lab

If you operate a dental lab, your dental practice clients (covered entities) are required to execute BAAs with your lab before sending patient case data. If a dental practice sends you cases without having executed a BAA, that practice is potentially in violation of HIPAA, and your lab is also operating outside the proper compliance framework.

Proactively providing a standard BAA to new dental practice clients — as part of your lab's onboarding process — reduces friction and ensures compliance. Your BAA template should define the permitted uses of PHI (manufacturing the restoration) and require the lab to safeguard the PHI appropriately. See our guide on when a HIPAA BAA is required for the full framework.

Outgoing BAA Obligations: Your Lab's Sub-Vendors

Digital Impression Platforms

3Shape Communicate, Exocad, and similar digital case delivery platforms transmit scan files with patient identifiers between dental practices and labs. As a dental lab using these platforms, you must confirm that a BAA is in place with the platform vendor, as the platform processes PHI on your behalf as a sub-business associate. Check with your platform vendor's compliance team for their BAA status and documentation. See our checklist on whether your vendor signs BAAs.

Lab Management Software

Dental lab management software (work order tracking, case management, production workflow) that links patient names to cases is handling PHI. The lab management software vendor is a sub-business associate requiring a BAA.

Cloud Storage and Backup

Cloud services used to store case files, scan data, or digital models linked to patient identities require BAAs. Business-tier accounts for Google Workspace, Microsoft 365, and similar platforms offer BAAs; personal or consumer accounts do not.

Shipping and Logistics

Physical case shipping (FedEx, UPS) typically does not require a BAA because the carrier does not access the PHI inside the package — the patient information is on the enclosed prescription, not on the shipping label. However, if a logistics vendor's system stores order records that link patient names to shipments, that relationship may require a BAA. Review with your shipping vendor.

Relationship | BAA Direction | Notes
Dental practice → Dental lab | Practice provides BAA to lab (incoming) | Dental practice is covered entity; lab is BA
Dental lab → Digital impression platform | Lab gets BAA from platform (outgoing) | Platform is sub-BA of lab
Dental lab → Lab management software | Lab gets BAA from software vendor (outgoing) | Software vendor is sub-BA
Dental lab → Cloud storage | Lab gets BAA from cloud provider (outgoing) | Business-tier only

Frequently Asked Questions

Is a dental lab a HIPAA covered entity or business associate?

A dental lab is a business associate. Dental labs receive PHI from dental practices (covered entities) in order to manufacture restorations, but they don't directly provide healthcare to patients. This makes them business associates under HIPAA — they must sign BAAs provided by dental practices, and must also sign BAAs with their own sub-vendors (digital platforms, cloud storage) that access patient case data.

Does a dental lab need to sign a BAA?

Yes. Dental labs must sign BAAs provided by the dental practices that send them cases. The dental practice (covered entity) has the obligation to provide the BAA to the lab. Dental labs should also proactively provide their own BAA template to dental practice clients as part of their onboarding process to ensure compliance on both sides of the relationship.

What information shared with a dental lab constitutes PHI?

Any case information that links a restoration specification to an identifiable patient — name, date of birth, or any unique identifier — is PHI. This includes digital impressions with patient identifiers, prescriptions with patient names, and clinical photos linked to patient records. Effectively all standard dental lab cases include PHI.

Do digital impression platforms (3Shape Communicate, Exocad) require BAAs for dental labs?

Yes. Digital impression platforms that receive and transmit patient-identified scan data between dental practices and labs are handling PHI and are sub-business associates of the dental lab. Labs using these platforms must confirm that BAAs are in place with the platform vendors.