HIPAA Website Compliance: What Every Dental Practice Needs to Know
Your Website Is a HIPAA Liability
If your dental practice has a website — and it almost certainly does — it's subject to HIPAA regulations. Most dentists don't think of their website as part of their HIPAA compliance program, but the Department of Health and Human Services (HHS) disagrees.
Any system that collects, stores, or transmits protected health information (PHI) must meet HIPAA security requirements. That includes your website if it has:
- Contact forms where patients describe symptoms or conditions
- Online appointment request forms
- Patient portals
- Online bill payment
- New patient intake forms
- Live chat features
If patients can submit any health-related information through your website, HIPAA applies to that website. And the penalties for non-compliance are severe.
HIPAA Fines: What's Actually at Stake
HIPAA violations are categorized into four tiers:
- Tier 1 (Unaware): $100–$50,000 per violation
- Tier 2 (Reasonable Cause): $1,000–$50,000 per violation
- Tier 3 (Willful Neglect, Corrected): $10,000–$50,000 per violation
- Tier 4 (Willful Neglect, Not Corrected): $50,000 per violation
The annual maximum is $1.5 million per violation category. And HHS has been increasing enforcement — HIPAA enforcement actions generated over $4.4 million in fines in 2024 alone, with dental practices specifically targeted in several cases.
"I didn't know my website needed to be HIPAA compliant" is a Tier 1 defense at best. It doesn't eliminate the fine — it just sets the floor at $100 per violation instead of $10,000.
The 6 Website Requirements for HIPAA Compliance
1. SSL/TLS Encryption (HTTPS)
Requirement: All data transmitted between a patient's browser and your website must be encrypted.
This means your entire site — not just the contact form page — must use HTTPS with a properly configured SSL certificate. Mixed content (HTTP resources loaded on HTTPS pages) creates vulnerabilities that violate the encryption requirement.
What we see: 41% of Austin healthcare businesses have SSL misconfigurations. Common issues include expired certificates, weak cipher suites, and pages that load some content over insecure HTTP.
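The mixed-content problem described above is mechanical to check for. The following is an added example (not the article's or TridentScan's code): it parses the HTML of a page served over HTTPS and lists every subresource a browser would fetch over plain HTTP. The page URL and HTML below are constructed sample input; the set of tags and `<link rel>` values treated as subresources is this example's own assumption.

```python
"""Mixed-content check: find HTTP subresources referenced by an HTTPS page."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes whose value names a resource the browser will fetch.
_RESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
    "object": ("data",),
    "embed": ("src",),
}
# Only these <link rel> values cause a fetch; canonical/alternate links do not.
_FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload", "manifest"}


class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # bare attributes map to None
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if not any(r in _FETCHING_LINK_RELS for r in rel):
                return
        for attr in _RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            # Resolve relative and protocol-relative (//host/x) references the way a
            # browser would: against the page URL, so //host/x inherits https.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((tag, attr, absolute))


def find_mixed_content(page_url, html):
    """Return [(tag, attribute, url), ...] for HTTP subresources on an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only defined for pages served over HTTPS")
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one clean stylesheet, three insecure subresources,
# one protocol-relative image (inherits https) and one plain hyperlink (not a fetch).
SAMPLE_PAGE_URL = "https://www.example-dental.test/contact"
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.test/jquery.js"></script>
<link rel="stylesheet" href="http://fonts.example.test/fonts.css">
</head><body>
<img src="//images.example.test/logo.png">
<img src="http://images.example.test/team.jpg">
<a href="http://maps.example.test/directions">Directions</a>
<iframe src="https://maps.example.test/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}={url}>")
```

Run against the sample, the check reports the script, the font stylesheet and the team photo; the protocol-relative logo and the `<a>` link are correctly left alone. In practice you would feed it the HTML you fetched over HTTPS for each page of the site, not just the contact form.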
2. Secure Contact and Intake Forms
Requirement: Any form that could collect PHI must transmit data over encrypted connections and store it securely.
This goes beyond SSL. Your form submissions need to be stored in a HIPAA-compliant system, not emailed to a Gmail account in plain text. If your contact form sends patient information as an unencrypted email, that's a violation — even if the form itself uses HTTPS.
Best practices:
- Use a HIPAA-compliant form provider or ensure your form backend is compliant
- Never send form submissions via unencrypted email
- Include a notice that patients should not include sensitive information in general contact forms
- Use a Business Associate Agreement (BAA) with any third-party form or email service
3. Security Headers
Requirement: HIPAA's Technical Safeguards require "access controls" and "transmission security" — security headers are how a web server instructs browsers to enforce parts of these for web traffic.
Key headers for HIPAA compliance:
- Content-Security-Policy — Restricts which scripts a browser may load and run, blunting injected scripts that could steal patient data
- Strict-Transport-Security (HSTS) — Ensures browsers always connect securely
- X-Frame-Options — Stops other sites from framing your pages, which prevents clickjacking attacks on patient portals
- X-Content-Type-Options — Stops browsers from MIME-sniffing a response into a different, possibly executable, content type
71% of small business websites are missing critical security headers. For dental practices, this isn't just a security issue — it's a compliance gap.
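A header can be present and still be weak (an HSTS `max-age` of a day, a CSP that allows inline scripts). The following is an added example, not the article's or TridentScan's code: it takes the response headers a server returned as a plain dict and reports, for the four headers listed above, which are missing or weakly configured. The two header sets at the bottom are constructed samples, and the thresholds (one year of HSTS `max-age`, `includeSubDomains` expected) are this example's assumptions rather than figures from the article.

```python
"""Audit the four HIPAA-relevant security headers for presence and strength."""
import re

ONE_YEAR = 31536000  # seconds; assumption used here as the minimum acceptable HSTS max-age


def check_hsts(value):
    """Return a list of problems with a Strict-Transport-Security value (empty if fine)."""
    problems = []
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    if not m:
        return ["HSTS has no max-age directive"]
    if int(m.group(1)) < ONE_YEAR:
        problems.append(f"HSTS max-age {m.group(1)} is shorter than one year")
    if "includesubdomains" not in value.lower():
        problems.append("HSTS does not cover subdomains (no includeSubDomains)")
    return problems


def check_csp(value):
    """Flag Content-Security-Policy settings that still let injected scripts run."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    # script-src governs scripts; default-src is the fallback when it is absent.
    script_src = directives.get("script-src", directives.get("default-src"))
    if script_src is None:
        return ["CSP has neither script-src nor default-src"]
    problems = []
    if "'unsafe-inline'" in script_src:
        problems.append("CSP script-src allows 'unsafe-inline' scripts")
    if "*" in script_src:
        problems.append("CSP script-src allows scripts from any origin (*)")
    return problems


def audit_security_headers(headers):
    """Return {header_name: [problem, ...]} for every header that is missing or weak."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = {}

    hsts = h.get("strict-transport-security")
    problems = ["missing"] if hsts is None else check_hsts(hsts)
    if problems:
        findings["Strict-Transport-Security"] = problems

    csp = h.get("content-security-policy")
    problems = ["missing"] if csp is None else check_csp(csp)
    if problems:
        findings["Content-Security-Policy"] = problems

    xfo = h.get("x-frame-options")
    if xfo is None:
        # CSP frame-ancestors is the modern replacement; flag only when neither is set.
        if not csp or "frame-ancestors" not in csp.lower():
            findings["X-Frame-Options"] = ["missing (and CSP sets no frame-ancestors)"]
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings["X-Frame-Options"] = [f"unexpected value {xfo!r}; use DENY or SAMEORIGIN"]

    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings["X-Content-Type-Options"] = ["missing"]
    elif xcto.strip().lower() != "nosniff":
        findings["X-Content-Type-Options"] = [f"value {xcto!r} should be nosniff"]

    return findings


# Constructed samples: a typical "headers are set" but weak configuration, and a hardened one.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for name, problems in audit_security_headers(WEAK_HEADERS).items():
        print(name, "->", "; ".join(problems))
```

On the weak sample the audit flags HSTS twice (one-day `max-age`, no subdomains), the CSP once (`'unsafe-inline'`), and the absent `X-Frame-Options`; the hardened sample produces no findings. A real scanner would fetch the headers with an HTTPS request and pass the response's header mapping to `audit_security_headers`.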
4. Access Controls for Patient Portals
Requirement: Patient portals must implement proper authentication, session management, and access logging.
If your website includes a patient portal, it needs:
- Strong password requirements
- Session timeouts (automatic logout after inactivity)
- Audit logging of who accessed what and when
- Encrypted data at rest, not just in transit
- Multi-factor authentication (increasingly expected by HHS)
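Two of the portal controls above, idle session timeouts and audit logging, are easy to get subtly wrong (timers that never fire, denied requests that are never logged). The following is an added example, not the article's code or any portal vendor's: a minimal session store with a sliding inactivity window and an append-only audit trail that records every access attempt, granted or denied. The 15-minute timeout, the patient-only authorization rule and the in-memory log are this example's assumptions; the clock is injected so expiry can be exercised without waiting.

```python
"""Idle-timeout sessions and an audit trail for a patient-portal backend."""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumption for this example; set per your risk assessment


@dataclass
class Session:
    user_id: str
    last_seen: float


class PortalSessions:
    def __init__(self, clock=time.time, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self._clock = clock
        self._idle_timeout = idle_timeout
        self._sessions = {}
        # In production this goes to append-only, tamper-evident storage, not a list.
        self.audit_log = []

    def _record(self, event, user_id, **details):
        self.audit_log.append({"ts": self._clock(), "event": event, "user": user_id, **details})

    def login(self, user_id):
        """Issue a fresh 256-bit random token (never derived from user id or time)."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, self._clock())
        self._record("login", user_id)
        return token

    def _resolve(self, token):
        """Return the user id for a live session, expiring it if it sat idle too long."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > self._idle_timeout:
            del self._sessions[token]
            self._record("session_expired", s.user_id)
            return None
        s.last_seen = now  # sliding window: activity extends the session
        return s.user_id

    def access_record(self, token, patient_id):
        """Return True if access is granted; every attempt is logged either way."""
        user = self._resolve(token)
        if user is None:
            self._record("access_denied", None, patient=patient_id, reason="no valid session")
            return False
        # Simplification for this example: users are patients and may read only their own
        # record. Staff roles would need a separate authorization table.
        if user != patient_id:
            self._record("access_denied", user, patient=patient_id, reason="not record owner")
            return False
        self._record("record_viewed", user, patient=patient_id)
        return True

    def logout(self, token):
        s = self._sessions.pop(token, None)
        if s is not None:
            self._record("logout", s.user_id)


def demo():
    """Walk a fake clock forward to show idle expiry; returns the sequence of audit events."""
    fake_now = [1_700_000_000.0]  # constructed timestamp
    sessions = PortalSessions(clock=lambda: fake_now[0], idle_timeout=900)
    tok = sessions.login("patient-42")
    assert sessions.access_record(tok, "patient-42")
    fake_now[0] += 600  # 10 minutes idle: still inside the window
    assert sessions.access_record(tok, "patient-42")
    fake_now[0] += 901  # over 15 minutes idle: session expired, access denied and logged
    assert not sessions.access_record(tok, "patient-42")
    return [e["event"] for e in sessions.audit_log]


if __name__ == "__main__":
    print(demo())
```

The point of `_resolve` writing a `session_expired` event and `access_record` then writing `access_denied` is that the audit log answers both questions an auditor asks: when did the session end, and what was attempted afterwards.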
5. Business Associate Agreements (BAAs)
Requirement: Any third-party service that handles PHI on your website requires a BAA.
This includes:
- Your web hosting provider
- Your form/email service provider
- Analytics tools that might capture PHI (yes, Google Analytics can be a HIPAA issue)
- Chat widgets and chatbot services
- Payment processors
- Any SaaS tool connected to your site
Common mistake: Using standard Google Analytics without a BAA. If a patient visits a page with a URL that contains identifiable information, Google Analytics captures it — and without a BAA, that's a violation.
6. Privacy Policy and Notice of Privacy Practices
Requirement: Your website must clearly communicate how patient information is collected, used, and protected.
Your privacy policy should specifically address:
- What information is collected through the website
- How form submissions are handled and stored
- Which third parties have access to data
- Patient rights regarding their information
- How to request data deletion
- Your breach notification procedures
The Dental Practice Checklist
Use this checklist to evaluate your practice's website compliance:
- ☐ SSL certificate is valid and properly configured (no mixed content, no expired certs)
- ☐ HSTS header is set (forces HTTPS connections)
- ☐ Content-Security-Policy header is configured (prevents script injection)
- ☐ Contact forms use encrypted submission (not plain-text email)
- ☐ Form data is stored in a HIPAA-compliant system
- ☐ BAAs are in place with hosting provider, form service, analytics, and all third-party tools
- ☐ Privacy policy is current and addresses website-specific data collection
- ☐ Patient portal (if applicable) has proper authentication and session management
- ☐ Website CMS is updated (WordPress, etc. — outdated versions have known exploits)
- ☐ Admin login is secured (non-default URL, IP restriction, strong credentials)
What Happens When You're Not Compliant
Beyond fines, HIPAA violations create cascading consequences:
State attorney general actions. State AGs can bring their own HIPAA enforcement actions, with separate penalties. Texas, California, and New York have been particularly active.
Class action lawsuits. Patients affected by a breach can sue. Dental practices have paid settlements exceeding $500,000 for breaches involving fewer than 1,000 patients.
Reputation damage. HHS publishes all breaches affecting 500+ individuals on its "Wall of Shame." Even smaller breaches require individual patient notification, which often leads to local media coverage.
Mandatory corrective action plans. HHS can impose multi-year monitoring and mandatory security improvements that cost far more than fixing the issues proactively.
How to Assess Your Risk — Right Now
The first step is understanding your current security posture. TridentScan provides a free, instant security assessment that evaluates your SSL configuration, security headers, email authentication, and technology stack in 60 seconds.
It won't replace a full HIPAA compliance audit, but it will immediately show you the technical gaps that put your practice at risk. Our scan of 48 Austin dental practices found that nearly half had security gaps that would be flagged in a HIPAA audit.
Don't wait for a breach or an audit to find out where you stand.