HIPAA Business Associate Agreement for Dental Labs

By BAA Generator Editorial  ·  Updated Apr 19, 2026  ·  5 min read

Key Takeaways

Direct answer: Dental labs are HIPAA business associates, not covered entities. The dental practice must execute a BAA with your lab before sharing patient-identified case information. As a business associate, your lab is directly subject to HIPAA and must also sign BAAs with your own sub-vendors (digital impression platforms, cloud storage) that access patient case data under 45 CFR § 164.504(e).

Dental labs occupy a distinctive position in the HIPAA framework. Unlike dental practices — which are covered entities that directly provide care to patients — dental labs are business associates: they receive PHI from dental practices and use it to manufacture dental restorations, but they never directly provide healthcare services to patients. This means dental labs are on the receiving end of BAA obligations (dental practices must give them a BAA), but they also have outgoing BAA obligations to their own sub-vendors.

The Dental Lab's Position in the HIPAA Structure

Here is how the BAA chain works in dental:

The dental practice has the obligation to provide a BAA to the dental lab under 45 CFR § 164.504(e) before sharing any patient-identifiable case information. The dental lab, as a business associate, is directly subject to HIPAA's Security Rule and Breach Notification Rule, and must execute BAAs with its own sub-vendors.

What Information Shared with a Dental Lab Is PHI?

A lab case that contains any of the following constitutes PHI under HIPAA:

A prescription with no patient name or unique identifier is technically not PHI — but in practice, almost all dental lab cases include some patient-identifying element, making the BAA requirement the norm rather than the exception.

Incoming BAA Obligations: What Dental Practices Owe the Lab

If you operate a dental lab, your dental practice clients (covered entities) are required to execute BAAs with your lab before sending patient case data. If a dental practice sends you cases without having executed a BAA, that practice is potentially in HIPAA violation, and your lab is also operating outside the proper compliance framework.

Proactively providing a standard BAA to new dental practice clients — as part of your lab's onboarding process — reduces friction and ensures compliance. Your BAA template should define the permitted uses of PHI (manufacturing the restoration) and require the lab to safeguard the PHI appropriately. See our guide on when a HIPAA BAA is required for the full framework.

Outgoing BAA Obligations: Your Lab's Sub-Vendors

Digital Impression Platforms

3Shape Communicate, Exocad, and similar digital case delivery platforms transmit scan files with patient identifiers between dental practices and labs. As a dental lab using these platforms, you must confirm that a BAA is in place with the platform vendor, as the platform processes PHI on your behalf as a sub-business associate. Check with your platform vendor's compliance team for their BAA status and documentation. See our checklist on whether your vendor signs BAAs.

Lab Management Software

Dental lab management software (work order tracking, case management, production workflow) that links patient names to cases is handling PHI. The lab management software vendor is a sub-business associate requiring a BAA.

Cloud Storage and Backup

Cloud services used to store case files, scan data, or digital models linked to patient identities require BAAs. Business-tier accounts for Google Workspace, Microsoft 365, and similar platforms offer BAAs; personal or consumer accounts do not.

Shipping and Logistics

Physical case shipping (FedEx, UPS) typically does not require a BAA because the carrier does not access the PHI inside the package — the patient information is on the enclosed prescription, not on the shipping label. However, if a logistics vendor's system stores order records that link patient names to shipments, that relationship may require a BAA. Review with your shipping vendor.

Relationship | BAA Direction | Notes
Dental practice → Dental lab | Practice provides BAA to lab (incoming) | Dental practice is covered entity; lab is BA
Dental lab → Digital impression platform | Lab gets BAA from platform (outgoing) | Platform is sub-BA of lab
Dental lab → Lab management software | Lab gets BAA from software vendor (outgoing) | Software vendor is sub-BA
Dental lab → Cloud storage | Lab gets BAA from cloud provider (outgoing) | Business-tier only

Frequently Asked Questions

Is a dental lab a HIPAA covered entity or business associate?

A dental lab is a business associate. Dental labs receive PHI from dental practices (covered entities) in order to manufacture restorations, but they don't directly provide healthcare to patients. This makes them business associates under HIPAA — they must sign BAAs provided by dental practices, and must also sign BAAs with their own sub-vendors (digital platforms, cloud storage) that access patient case data.

Does a dental lab need to sign a BAA?

Yes. Dental labs must sign BAAs provided by the dental practices that send them cases. The dental practice (covered entity) has the obligation to provide the BAA to the lab. Dental labs should also proactively provide their own BAA template to dental practice clients as part of their onboarding process to ensure compliance on both sides of the relationship.

What information shared with a dental lab constitutes PHI?

Any case information that links a restoration specification to an identifiable patient — name, date of birth, or any unique identifier — is PHI. This includes digital impressions with patient identifiers, prescriptions with patient names, and clinical photos linked to patient records. Effectively all standard dental lab cases include PHI.

Do digital impression platforms (3Shape Communicate, Exocad) require BAAs for dental labs?

Yes. Digital impression platforms that receive and transmit patient-identified scan data between dental practices and labs are handling PHI and are sub-business associates of the dental lab. Labs using these platforms must confirm that BAAs are in place with the platform vendors.

Frequently Asked Questions

Is a dental lab a HIPAA covered entity or business associate?

A dental lab is typically a HIPAA business associate, not a covered entity. Dental labs do not directly provide care to patients — they manufacture dental restorations (crowns, bridges, dentures) on behalf of dental practices. Because dental labs receive protected health information (patient names, prescriptions, treatment records) from dental practices (covered entities) in order to perform this service, they are business associates. The dental practice must provide a BAA to the dental lab before sharing any patient-identifiable case information.

Does a dental lab need to sign a BAA?

Yes. Dental labs must sign BAAs provided by the dental practices (covered entities) that send them patient cases. As a business associate, the dental lab is directly subject to HIPAA's Security Rule and Breach Notification Rule, even though it is not a covered entity. The dental lab must also sign BAAs with any sub-vendors it uses that access PHI, such as digital impression platform vendors or cloud storage services that receive patient case data.

What information shared with a dental lab constitutes PHI?

Protected health information shared with dental labs includes: patient name combined with prescription details (shade, material specifications, tooth numbers for specific patients), patient date of birth or other identifiers linked to a case, treatment records or clinical notes sent with the case, and digital impressions or scans that include patient identifiers. A prescription sent without any patient-identifying information (e.g., no name, no DOB, no unique case identifier that could be linked back to a patient) would not be PHI — but in practice, almost all lab cases include patient-identifying information.

Do digital impression platforms (3Shape Communicate, Exocad) require BAAs for dental labs?

Yes, if those platforms receive and store patient-identified case data. Digital impression platforms like 3Shape Communicate that transmit scan data with patient identifiers from dental practices to dental labs handle PHI as part of their service. The dental lab using such a platform must ensure a BAA is in place with the platform vendor, as the lab is a business associate and the platform is a sub-business associate. Dental practices sending cases through these platforms should also confirm BAA coverage with their own platform agreements.
