
Are dental practices really HIPAA-compliant? The vendor BAA gap

In one sentence

Many dental practices believe they are HIPAA-compliant but have real gaps, most commonly the vendor BAA gap: an IT company that can reach systems holding patient data without a signed Business Associate Agreement; compliance is ongoing safeguards, agreements, and evidence, not a one-time certificate.

Tags: hipaa, compliance, baa, vendor risk, dental

Are dental practices really HIPAA-compliant?

Many dental practices believe they are HIPAA-compliant while carrying real gaps - and one of the most common is the vendor BAA gap: an IT company that can access systems holding patient data without a signed Business Associate Agreement in place. HIPAA compliance is not a certificate you earn once; it is an ongoing set of safeguards, agreements, and evidence that you can produce on request. This page covers where dental practices commonly fall short, with a focus on the vendor gap. (General information, not legal advice.)

What HIPAA actually expects of a practice

At a high level: a documented security risk analysis, administrative/physical/technical safeguards for protected health information (PHI), workforce training, and signed Business Associate Agreements with any vendor that creates, receives, maintains, or transmits PHI on your behalf. "We are a small office" does not exempt a practice from any of this.

The vendor BAA gap

Your IT company can almost certainly reach systems that contain PHI - the server, the practice-management database, email. Having that access on your behalf makes them a business associate, whether or not they ever open a patient record, and a signed BAA is expected. Yet plenty of practices have never signed one with their IT provider, or signed an old one that no longer reflects how the vendor actually operates (new remote-access tools, new subcontractors, new cloud hosting). If a breach traces back to that vendor and there is no BAA, the practice is exposed. Note that a BAA allocates responsibility; it does not shrink what the vendor can reach, so it belongs alongside the access controls discussed below, not in place of them. (See what is a BAA, and does your IT company have one?)

The other common gaps

  • No documented risk analysis - the foundational HIPAA requirement many skip.
  • Untested backups - "we have backups" with no proven restore. (See do my dental backups actually work?)
  • No multi-factor authentication on email and remote access.
  • Unaudited vendor remote access - broad, shared, always-on. (See is my IT vendor my biggest security risk?)
  • No evidence - even good controls fail an audit if you cannot show they exist.

How to check your own practice

  • Do you have a signed, current BAA with your IT company - and with every vendor that touches PHI?
  • When was your last documented security risk analysis?
  • Has anyone tested a restore of your practice-management database recently?
  • Is MFA on for email, remote access, and admin accounts?
  • Can you see and audit what your IT vendor accesses?

BAA-by-default is the right posture

A dental-fluent IT provider should sign a BAA by default and treat it as table stakes, not an upsell. (See Security & Compliance.) Closing the vendor gap, documenting a risk analysis, and proving that your backups actually restore cover most of what separates "we think we are compliant" from "we can show we are."

This is general information about HIPAA expectations, not legal advice. A qualified compliance professional or attorney can advise on your specific obligations.
