HIPAA Compliance Guides for Dental Practices — 2026

Dallas, Texas

Avg fine: $35,000

Outdated NPP · Missing BAA with billing vendor

Miami, Florida

Avg fine: $42,000

Outdated NPP · Verbal PHI disclosure

Phoenix, Arizona

Avg fine: $28,000

Missing Risk Assessment · Outdated NPP

Chicago, Illinois

Avg fine: $31,000

Missing BAA with IT vendor · No sanction policy

Los Angeles, California

Avg fine: $47,000

CMIA violations · Missing NPP translation

Scottsdale, Arizona

Avg fine: $28,000

Missing BAA with cosmetic imaging vendor · Outdated NPP for concierge services

Cape Coral, Florida

Avg fine: $42,000

Billing errors on high-value procedures · Missing BAA with dental finance company

Raleigh, North Carolina

Avg fine: $32,000

Outdated NPP at newly opened locations · Missing BAA with practice management software

Houston, Texas

Avg fine: $35,000

Insurance pre-authorization PHI leaks · Missing BAA with insurance clearinghouse

Orlando, Florida

Avg fine: $42,000

Missing multilingual NPP · No translated patient authorization forms

Austin, Texas

Avg fine: $35,000

Missing BAA with DSO management platform · No multi-location sanction policy

Tampa, Florida

Avg fine: $42,000

Missing disaster recovery plan for ePHI · No encrypted offsite backup

San Diego, California

Avg fine: $47,000

Missing BAA for TRICARE PHI sharing · CMIA violations from military-adjacent billing

Charlotte, North Carolina

Avg fine: $32,000

Missing BAA with corporate HR dental plan administrator · No HIPAA policy for employer-sponsored plan PHI

Tucson, Arizona

Avg fine: $28,000

Missing NPP in Spanish for Spanish-speaking patient majority · No bilingual workforce HIPAA training

San Antonio, Texas

Avg fine: $35,000

Missing BAA with Medicaid managed care billing agent · No bilingual NPP for Spanish-speaking majority

Fort Worth, Texas

Avg fine: $35,000

Missing BAA with DSO regional management platform · No MFA on practice management software

Jacksonville, Florida

Avg fine: $42,000

Missing BAA with military insurance billing agent · No ePHI disaster recovery plan

Fort Lauderdale, Florida

Avg fine: $42,000

Missing BAA with dental tourism facilitator · No cross-border PHI protocol for international patients

San Francisco, California

Avg fine: $52,000

CCPA health data requests mishandled · Missing BAA with AI diagnostic tool vendor

San Jose, California

Avg fine: $47,000

Missing BAA with employer health portal integration · CCPA employee dependent data rights

Sacramento, California

Avg fine: $47,000

Missing BAA with state government employee dental plan administrator · CMIA violations from Covered California exchange data

New York, New York

Avg fine: $52,000

Missing SHIELD Act written security program · No MFA on all ePHI systems

Atlanta, Georgia

Avg fine: $29,000

Missing BAA with insurance clearinghouse · No MFA on cloud-based practice management software

Columbus, Ohio

Avg fine: $27,000

Missing BAA with OSU student health plan administrator · No MFA on insurance verification tools

Philadelphia, Pennsylvania

Avg fine: $34,000

Missing BAA with Penn Medicine or Jefferson Health referral system · No MFA on billing software

Seattle, Washington

Avg fine: $38,000

Missing MHMD Act consumer health data privacy notice · No geofencing prohibition policy

Denver, Colorado

Avg fine: $26,000

Missing Colorado Privacy Act consumer rights procedures · No MFA on cloud practice management software

Las Vegas, Nevada

Avg fine: $33,000

Missing BAA with dental tourism facilitator · No transient patient PHI protocol

Nashville, Tennessee

Avg fine: $24,000

Missing BAA with healthcare industry employer dental plan · No MFA on cloud-based billing software

Boston, Massachusetts

Avg fine: $48,000

Missing Written Information Security Plan (WISP) · No Massachusetts 201 CMR 17.00 compliance documentation

Minneapolis, Minnesota

Avg fine: $30,000

Missing BAA with Mayo Clinic Health System referral network · No MFA on practice management software

Portland, Oregon

Avg fine: $29,000

Missing Oregon Consumer Privacy Act compliance procedures · No MFA on cloud EHR

Baltimore, Maryland

Avg fine: $36,000

Missing BAA with Johns Hopkins Health System referral network · No MFA on cloud billing software

Detroit, Michigan

Avg fine: $25,000

Missing BAA with auto industry employer dental plan administrator · No MFA on insurance clearinghouse connections

Dallas, Texas

Avg fine: $35,000

Minor patient authorization gaps · Missing parental consent documentation

Miami, Florida

Avg fine: $42,000

Parental record request mishandling · Missing BAA with school health systems

Phoenix, Arizona

Avg fine: $28,000

Missing minor consent forms · No policy for divorced parent access

Chicago, Illinois

Avg fine: $31,000

Emancipated minor record confusion · Missing BAA with Medicaid billing agent

Los Angeles, California

Avg fine: $47,000

CMIA minor provisions · Missing multilingual NPP

Scottsdale, Arizona

Avg fine: $28,000

Missing parental portal BAA · No custody access policy

Cape Coral, Florida

Avg fine: $42,000

Missing parental consent for high-value procedures · No billing BAA with insurance coordinator

Raleigh, North Carolina

Avg fine: $32,000

Missing parental consent updates after staff turnover · No HIPAA training for newly hired pediatric staff

Houston, Texas

Avg fine: $35,000

Medicaid pre-authorization PHI exposure · Missing BAA with state Medicaid billing agent

Orlando, Florida

Avg fine: $42,000

No translated parental consent forms · Missing NPP in Spanish and Portuguese

Austin, Texas

Avg fine: $35,000

PHI sharing with Austin ISD school programs · Missing BAA with school health data platform

Tampa, Florida

Avg fine: $42,000

Missing ePHI backup policy for pediatric records · No hurricane contingency plan for patient data

San Diego, California

Avg fine: $47,000

CMIA minor provisions for military dependent children · Missing bilingual NPP for Spanish-speaking military families

Charlotte, North Carolina

Avg fine: $32,000

Missing BAA with employer-sponsored pediatric benefit administrator · No policy for separated corporate parent record access

Tucson, Arizona

Avg fine: $28,000

Missing parental consent in Spanish · No bilingual authorization forms for pediatric procedures

San Antonio, Texas

Avg fine: $35,000

Missing bilingual parental consent forms · No BAA with CHIP billing administrator

Fort Worth, Texas

Avg fine: $35,000

PHI access gaps after DSO staff turnover · Missing parental consent updates during ownership transition

Jacksonville, Florida

Avg fine: $42,000

Missing BAA with military dependent child health system · No disaster recovery plan for pediatric records

Fort Lauderdale, Florida

Avg fine: $42,000

Missing multilingual parental consent for international families · No cross-border record transfer protocol

San Francisco, California

Avg fine: $52,000

CCPA minor data rights requests · Missing CMIA consent for wellness apps used by pediatric patients

San Jose, California

Avg fine: $47,000

Missing BAA with employer dependent benefit platform · CCPA requests for children's dental records from tech employer HR systems

Sacramento, California

Avg fine: $47,000

Missing BAA with Medi-Cal billing intermediary · CMIA minor provisions for Medi-Cal patients

New York, New York

Avg fine: $52,000

Missing SHIELD Act security program covering minor records · No emancipated minor policy under New York law

Atlanta, Georgia

Avg fine: $29,000

Missing BAA with Atlanta Public Schools health program · No policy for minor patient Medicaid billing compliance

Columbus, Ohio

Avg fine: $27,000

Missing BAA with Nationwide Children's Hospital referral system · No Medicaid billing BAA for pediatric patients

Philadelphia, Pennsylvania

Avg fine: $34,000

Missing BAA with CHOP referral system · No Medicaid billing BAA for pediatric patients

Seattle, Washington

Avg fine: $38,000

Missing MHMD Act minor consumer health data rights policy · No geofencing near pediatric dental offices

Denver, Colorado

Avg fine: $26,000

Missing Colorado Privacy Act minor rights procedures · No MFA for pediatric EHR access

Las Vegas, Nevada

Avg fine: $33,000

Missing BAA with casino resort employee pediatric benefit plan · No protocol for emergency minor patient treatment without parental presence

Nashville, Tennessee

Avg fine: $24,000

Missing BAA with HCA or Ascension pediatric referral system · No Medicaid TennCare billing BAA

Boston, Massachusetts

Avg fine: $48,000

Missing WISP covering pediatric patient data · No Massachusetts 201 CMR 17.00 third-party vendor due diligence

Minneapolis, Minnesota

Avg fine: $30,000

Missing bilingual parental consent for immigrant families · No BAA with Minneapolis Public Schools health program

Portland, Oregon

Avg fine: $29,000

Missing Oregon Consumer Privacy Act minor rights procedures · No MFA for pediatric EHR access

Baltimore, Maryland

Avg fine: $36,000

Missing BAA with Kennedy Krieger Institute referral system · No MPIPA-compliant breach notification timeline policy

Detroit, Michigan

Avg fine: $25,000

Missing BAA with Medicaid managed care billing agent · No MCPA breach notification timeline policy

Dallas, Texas

Avg fine: $35,000

Before/after photo sharing without consent · Missing BAA with imaging lab

Miami, Florida

Avg fine: $42,000

Instagram patient photos · Missing imaging lab BAA

Phoenix, Arizona

Avg fine: $28,000

Digital scan sharing without BAA · Missing retention record policy

Chicago, Illinois

Avg fine: $31,000

Multi-location record access gaps · Missing BAA with remote monitoring platform

Los Angeles, California

Avg fine: $47,000

CMIA image provisions · Influencer partnership PHI exposure

Scottsdale, Arizona

Avg fine: $28,000

3D scan sharing with premium aligner labs · Missing BAA with virtual monitoring platform

Cape Coral, Florida

Avg fine: $42,000

Missing BAA with premium aligner brand · Outdated NPP for financing patients

Raleigh, North Carolina

Avg fine: $32,000

Missing BAA with remote monitoring platform · Outdated NPP after software migration

Houston, Texas

Avg fine: $35,000

Missing BAA with insurance verification service · Before/after photo sharing without consent

Orlando, Florida

Avg fine: $42,000

Patient photo social media posts without multilingual consent · Missing BAA with international aligner lab

Austin, Texas

Avg fine: $35,000

Missing BAA with virtual monitoring app · Before/after photos shared via Slack or Teams

Tampa, Florida

Avg fine: $42,000

No hurricane contingency plan for patient imaging data · Missing BAA with cloud backup provider

San Diego, California

Avg fine: $47,000

CMIA image provisions for TRICARE patient photos · Missing BAA with military-adjacent imaging lab

Charlotte, North Carolina

Avg fine: $32,000

Missing BAA with corporate flex spending account administrator · Before/after photos shared internally via email

Tucson, Arizona

Avg fine: $28,000

Missing BAA with university research program using patient data · No Spanish-language before/after photo authorization

San Antonio, Texas

Avg fine: $35,000

Missing BAA with military base dental referral network · No bilingual photo authorization forms

Fort Worth, Texas

Avg fine: $35,000

Missing BAA with DSO central imaging platform · No MFA for shared orthodontic software across locations

Jacksonville, Florida

Avg fine: $42,000

Missing BAA with remote monitoring platform for mobile patients · No protocol for treatment continuation PHI transfers

Fort Lauderdale, Florida

Avg fine: $42,000

Missing BAA with international aligner lab · No multilingual photo authorization form

San Francisco, California

Avg fine: $52,000

CCPA data access requests for treatment photos · CMIA commercial use restrictions on patient imagery

San Jose, California

Avg fine: $47,000

Missing BAA with digital treatment tracking app · CCPA deletion requests for treatment timeline data

Sacramento, California

Avg fine: $47,000

Missing BAA with state legislative employee benefit plan · CMIA photo provisions for state government patient imagery

New York, New York

Avg fine: $52,000

Missing SHIELD Act vendor oversight documentation · Before/after photos on social media without NY-compliant authorization

Atlanta, Georgia

Avg fine: $29,000

Missing BAA with remote monitoring platform · Before/after photos shared on Instagram without authorization

Columbus, Ohio

Avg fine: $27,000

Missing BAA with OSU Athletics dental program · No MFA for cloud treatment tracking

Philadelphia, Pennsylvania

Avg fine: $34,000

Missing BAA with dental school clinic partner · Before/after photos shared without explicit consent

Seattle, Washington

Avg fine: $38,000

Missing MHMD Act consent for remote monitoring data · No consumer health data privacy notice on website

Denver, Colorado

Avg fine: $26,000

Missing Colorado Privacy Act data rights request procedures · Before/after photos on social media without authorization

Las Vegas, Nevada

Avg fine: $33,000

Missing BAA with casino resort employee wellness benefit platform · No protocol for transient adult orthodontic patients

Nashville, Tennessee

Avg fine: $24,000

Missing BAA with remote monitoring platform · Before/after photos used in country music industry marketing

Boston, Massachusetts

Avg fine: $48,000

Missing WISP covering orthodontic imaging data · No 201 CMR 17.00 portable device encryption documentation

Minneapolis, Minnesota

Avg fine: $30,000

Missing BAA with remote monitoring platform · Before/after photos on social media without authorization

Portland, Oregon

Avg fine: $29,000

Missing Oregon Consumer Privacy Act data subject rights procedures · Before/after photos on social media without HIPAA authorization

Baltimore, Maryland

Avg fine: $36,000

Missing BAA with dental school partner at UMD or UB · Before/after photos used without authorization

Detroit, Michigan

Avg fine: $25,000

Missing BAA with remote monitoring platform · Before/after photos on social media without authorization

Dallas, Texas

Avg fine: $35,000

Missing BAA with anesthesia provider · Prescription record gaps

Miami, Florida

Avg fine: $42,000

Surgical consent documentation gaps · Missing anesthesia BAA

Phoenix, Arizona

Avg fine: $28,000

Missing pathology lab BAA · Outdated NPP

Chicago, Illinois

Avg fine: $31,000

Hospital privilege PHI gaps · Missing BAA with surgical center

Los Angeles, California

Avg fine: $47,000

CMIA surgical record provisions · Missing IV sedation consent documentation

Scottsdale, Arizona

Avg fine: $28,000

Missing BAA with premium anesthesia group · No implant lab data sharing protocol

Cape Coral, Florida

Avg fine: $42,000

Missing BAA with implant manufacturer portal · No high-value case PHI retention policy

Raleigh, North Carolina

Avg fine: $32,000

Missing BAA with CBCT imaging service · No post-surgical PHI retention schedule

Houston, Texas

Avg fine: $35,000

Pre-authorization PHI sent via unsecured fax · Missing BAA with hospital system

Orlando, Florida

Avg fine: $42,000

Missing translated surgical consent forms · No multilingual post-op PHI protocol

Austin, Texas

Avg fine: $35,000

Missing BAA with DSO anesthesia management company · No PHI policy for multi-site surgical records

Tampa, Florida

Avg fine: $42,000

No ePHI disaster recovery plan covering surgical imaging · Missing BAA with CBCT cloud storage vendor

San Diego, California

Avg fine: $47,000

Missing BAA for TRICARE surgical billing · CMIA surgical record provisions

Charlotte, North Carolina

Avg fine: $32,000

Missing BAA with corporate anesthesia billing group · No PHI policy for executive patient records

Tucson, Arizona

Avg fine: $28,000

Missing BAA with UA Medical Center referral network · No bilingual surgical consent in Spanish

San Antonio, Texas

Avg fine: $35,000

Missing BAA with military hospital surgical referral system · No bilingual surgical consent in Spanish

Fort Worth, Texas

Avg fine: $35,000

Missing BAA with DSO anesthesia management company · No per-location surgical record access controls

Jacksonville, Florida

Avg fine: $42,000

Missing BAA with naval hospital referral system · No encrypted hurricane backup for surgical records

Fort Lauderdale, Florida

Avg fine: $42,000

Missing cross-border surgical record transfer protocol · No multilingual surgical consent

San Francisco, California

Avg fine: $52,000

Missing BAA with robotic surgery system vendor · CCPA deletion requests conflicting with surgical record retention

San Jose, California

Avg fine: $47,000

Missing BAA with employer-provided surgical benefit platform · CCPA requests for surgical records from HR systems

Sacramento, California

Avg fine: $47,000

Missing BAA with UC Davis Medical Center referral system · CMIA surgical record provisions for academic health system patients

New York, New York

Avg fine: $52,000

Missing SHIELD Act written security program covering surgical records · NYDFS cybersecurity regulation for practices with financing

Atlanta, Georgia

Avg fine: $29,000

Missing BAA with Emory or Grady Hospital referral systems · No MFA on surgical EHR

Columbus, Ohio

Avg fine: $27,000

Missing BAA with OhioHealth or OSU Wexner Medical Center · No MFA on surgical EHR system

Philadelphia, Pennsylvania

Avg fine: $34,000

Missing BAA with Penn or Jefferson hospital surgical credentialing system · No MFA on surgical EHR

Seattle, Washington

Avg fine: $38,000

Missing MHMD Act compliance for surgical data apps · No Washington consumer health data privacy notice

Denver, Colorado

Avg fine: $26,000

Missing Colorado Privacy Act data processing records for surgical data · No MFA on surgical EHR

Las Vegas, Nevada

Avg fine: $33,000

Missing BAA with emergency trauma center referral system · No protocol for unidentified or uncommunicative surgical patients

Nashville, Tennessee

Avg fine: $24,000

Missing BAA with Vanderbilt Medical Center referral system · No MFA on surgical EHR

Boston, Massachusetts

Avg fine: $48,000

Missing WISP covering surgical records · No 201 CMR 17.00 compliance for Mass General or BWH referral systems

Minneapolis, Minnesota

Avg fine: $30,000

Missing BAA with University of Minnesota Medical Center referral system · No MFA on surgical EHR

Portland, Oregon

Avg fine: $29,000

Missing Oregon Consumer Privacy Act data processing records for surgical data · No MFA on surgical EHR

Baltimore, Maryland

Avg fine: $36,000

Missing BAA with Johns Hopkins or University of Maryland Medical System · No MPIPA-compliant breach response plan

Detroit, Michigan

Avg fine: $25,000

Missing BAA with Henry Ford Health or DMC referral system · No MCPA breach notification plan for surgical data