Operator-honest answers from a working SEO/AI shop in Encinitas to the questions dentists & orthodontists actually ask: when you have to be HIPAA compliant, what to fix this week, what it costs, and which mistakes the OCR fines the fastest. Dental Board of California (DBC) aligned. No fluff, no scare tactics, no $5K "compliance package" upsell.
Short answer: yes, in 2026, almost certainly.
You are a HIPAA Covered Entity the moment any one of these is true:
Operator translation: if you are running anything besides a 100% cash, paper-records, phone-call-only dental & orthodontic practice in 2026, you're inside HIPAA scope.
Dentist & orthodontist-specific risk: Dental imaging (panoramic x-rays, CBCT 3D scans, intraoral photos, iTero / 3Shape scan files) is PHI, whether stored as DICOM, JPG or STL files. The #1 dental HIPAA gap: storing imaging on the office NAS or chairside workstation without unique user logins · fails Security Rule §164.312(a). Aligner case photos uploaded to aligner-manufacturer portals that have no BAA in place (some Invisalign workflows) are a quiet compliance gray zone.
Dental-specific HIPAA practice management with BAAs: Dentrix, Eaglesoft (Patterson), Open Dental (open-source with self-hosted BAA responsibility), Curve Dental, Carestream WinOMS, MOGO Practice Management. For imaging: DEXIS, Carestream, Planmeca, iTero (BAA varies by deployment). For aligner workflows: Invisalign Vital BAA + 3Shape / iTero cloud BAA varies.
This is the stack most solo and 2-3 clinician dental & orthodontic practices in 2026 actually run:
| Layer | Vendor (one of) | Cost / mo | BAA included? |
|---|---|---|---|
| EHR + Notes + Billing | See vendor cheatsheet below | $49-$99 | Yes (auto on signup for paid plans) |
| HIPAA Email | Paubox · Hushmail · Google Workspace + BAA | $10-$25 | Yes (Google requires active BAA sign) |
| Telehealth (if used) | EHR-integrated · Doxy.me · Zoom for Healthcare | $0-$25 | Yes — NOT consumer Zoom |
| Texting / SMS | Spruce · OhMD · EHR portal | $15-$30 | Yes |
| Cloud backup (optional) | Google Workspace · Box for Healthcare | $0-$15 | Yes (active BAA required) |
| Total · solo practice | — | $80-$150/mo | — |
30 min. Anything sent from yourname@gmail.com with a client's first name + appointment is a HIPAA breach. Upgrade to Google Workspace + BAA, Paubox, or Hushmail. Same for Zoom — switch to Zoom for Healthcare or use your EHR telehealth.
45 min. Make a folder (a Drive folder works). Save the signed BAA from each vendor that touches PHI: EHR, email host, telehealth, scheduling, billing service, cloud backup. If a vendor cannot give you a BAA, they cannot legally hold PHI.
20 min. Most EHRs include the Notice of Privacy Practices (NPP) in the intake flow. If yours doesn't, use the HHS template at hhs.gov · Model NPP. Every new client signs that they received it.
20 min. Turn on MFA for EHR · email · cloud storage · password manager. Use an authenticator app (Authy · 1Password), not SMS, where possible.
10 min. Mac: System Settings → Privacy & Security → FileVault → On. iPhone: 6+ digit passcode auto-encrypts. This converts a stolen laptop from "reportable HIPAA breach" to "stolen laptop" (OCR safe harbor).
45 min. A Security Risk Assessment (SRA) is required by the HIPAA Security Rule. For a solo practice, a one-page SRA is defensible. Free HHS interactive tool: healthit.gov SRA Tool. Re-do it once a year.
| Pattern | Typical fine range | How to avoid |
|---|---|---|
| 1. Texting clients from a personal phone | $25K-$100K | Spruce, OhMD, or EHR portal |
| 2. Sending PHI from Gmail (not Workspace + BAA) | $50K-$250K | Workspace + BAA, Paubox, or Hushmail |
| 3. Consumer Zoom or FaceTime for telehealth | $50K-$150K | Zoom for Healthcare or Doxy.me or EHR telehealth |
| 4. No Notice of Privacy Practices on file | $10K-$50K | HHS template + EHR intake flow |
| 5. Lost / stolen unencrypted laptop with PHI | $50K-$300K | FileVault / BitLocker · 10 min one-time |
| Category | Vendor | BAA process |
|---|---|---|
| Email | Google Workspace | Self-serve in admin console · MUST sign actively |
| Email | Paubox | Auto with subscription · encrypts outbound by default |
| Email | Hushmail for Healthcare | Auto with subscription · cheap solo tier |
| Telehealth | Doxy.me | Auto with any tier · including free |
| Telehealth | Zoom for Healthcare | Active BAA setup required · consumer Zoom is NOT compliant |
| Texting | Spruce | Auto with subscription · HIPAA-eligible 2-way SMS |
| Cloud storage | Google Workspace Drive | Auto if Workspace BAA signed · personal Drive is NOT |
| Cloud storage | Dropbox HIPAA | Auto with Business plan + BAA · sign actively |
SideGuy is a one-operator AI + SEO + compliance shop in Encinitas, CA. For private-practice dentists & orthodontists:
| Tier | Price | What |
|---|---|---|
| SideGuy Hour | $150 one-time | One hour, async-friendly · walk your stack · 2-3 gaps that matter · written one-page fix-list |
| Operator Audit | $250 one-time | 3-5 day signal-quality audit · full setup · written PDF + 30-min walkthrough |
| Practice Compliance Sprint | $2,000 one-time | 10 days · audit + cleanup + missing-document drafts + vendor migrations + re-usable annual SRA |
Yes if you bill insurance electronically, use any dental practice management software, store digital imaging (panoramic, CBCT, intraoral photos, iTero/3Shape scans), use a patient portal, email patients appointment confirmations, or use cloud-connected aligner workflows. Dental practices are particularly exposed via imaging storage · the office NAS or chairside workstation needs unique user logins, audit logging, and encrypted backup per Security Rule §164.312.
~$80-150/month total: HIPAA-eligible EHR + HIPAA-eligible email + signed BAAs. Add telehealth tier if you do telehealth.
Texting clients from a personal phone, sending PHI from non-Workspace Gmail, and consumer Zoom for telehealth. OCR fines $25K-$250K.
Yes. Free HHS template. Most EHRs auto-generate one. Every new client signs that they received it.
A contract with any vendor that touches your PHI. If a vendor cannot provide one, they cannot legally hold PHI for you.
Yes. HHS OCR Breach Reports portal shows names, dates, and dollar amounts publicly.
Yes — CMIA, CA AB-2013 AI disclosure, CCPA if you hit thresholds, and Dental Board of California (DBC) record-keeping rules. Dental Board of California requires 7-year minimum record retention (longer for restorative work with implant warranties). CA Health and Safety Code §123100-123149.5 (Patient Access to Medical Records) applies to dentistry. CA SB-1419 (minor confidentiality) applies to pediatric dental in certain contexts.
Only with a signed BAA from the AI vendor. Anthropic offers BAAs for Claude Enterprise. OpenAI for ChatGPT Enterprise. Google for Gemini through Workspace. Free / consumer tiers do NOT come with BAAs.
Not legal advice. Operator-grade reference written by working SEO/AI operators in Encinitas, CA. Not attorneys. For licensure-specific or breach-specific questions consult a healthcare attorney. HHS OCR is the federal HIPAA enforcement authority. California enforces CMIA + state-board rules.