Quick answer
An orthodontic practice in Houston is a HIPAA covered entity, and the compliance work is the same as for any medical office. Your x-rays, intraoral photos, 3D scans, and treatment records are protected health information. The walkthrough starts with a documented Risk Analysis under 45 CFR 164.308(a)(1)(ii)(A), the document OCR asks for first. From there it runs through patient photos and marketing, vendor agreements, patient communication, and the extra layer Texas adds through HB 300. None of it is exotic. Most of it is paperwork and process that a small practice can put in place without a large budget.
Orthodontics feels different from a typical medical office. You see patients for years, the work is visual, and marketing leans heavily on smiles and before-and-after shots. That visual, long-term, marketing-driven nature is exactly what creates HIPAA risk that a general HIPAA checklist misses. Here is a walkthrough built for a Houston orthodontic practice, in the order you should actually work through it.
What makes an orthodontic practice a HIPAA covered entity?
If your practice sends claims, checks eligibility, or processes payment electronically, you are a covered entity under HIPAA. That covers nearly every orthodontic office. Once you are a covered entity, every piece of identifiable patient health information you hold is protected health information, or PHI.
In an orthodontic practice, PHI is unusually visual. It includes cephalometric and panoramic x-rays, CBCT scans, intraoral and facial photographs, digital impressions, treatment plans, and the appointment and billing records that tie them to a name. A photo of a patient’s teeth, linked to that patient, is PHI in the same way a lab result is. That single fact drives most of what follows.
Step one: the Risk Analysis
Before policies, before software, before training, you do a Risk Analysis. It is required under 45 CFR 164.308(a)(1)(ii)(A), and it is the foundation everything else sits on. A Risk Analysis is an accurate, thorough look at where PHI lives in your practice, how it moves, and what could compromise it.
This is not optional paperwork. Inadequate risk analysis appears in roughly 90% of OCR’s Security Rule enforcement actions, and it is the first document OCR requests when an investigation opens. The pattern holds in the newest cases. On June 18, 2026, OCR settled a ransomware investigation with an employer health plan for $450,000, and the violation it cited was the failure to conduct an accurate and thorough risk analysis before the breach. That was OCR’s 20th ransomware settlement and its 14th under the Risk Analysis Initiative, which has continued through 2026.
For an orthodontic office, the Risk Analysis maps the real systems you use: the practice management software, the imaging server, the laptops and tablets in operatories, the front-desk computers, the cloud backups, and the phones staff use to text patients. You cannot protect data you have not located.
Do orthodontic before-and-after photos count as PHI?
Yes, and this is the trap that catches dental and orthodontic offices specifically. A before-and-after photo that identifies a patient is PHI. Using it for marketing requires a valid HIPAA authorization from that patient under 45 CFR 164.508. A signed consent form for treatment is not the same as an authorization to use someone’s image in an ad or on Instagram.
The cautionary case is close to home. In 2019, Elite Dental Associates of Dallas paid $10,000 to OCR after a patient complained that the practice had responded to her social media review by disclosing her name, her treatment plan details, and her insurance and cost information. OCR found the practice had impermissibly disclosed PHI of multiple patients in Yelp responses, had no policies for releasing PHI on social media, and had gaps in its Notice of Privacy Practices. OCR noted it accepted a reduced amount given the practice’s size and finances, which means a similar slip at a small Houston office would land in the same place.
The practical rules for an orthodontic practice are simple. Get a written authorization before any patient image goes into marketing. Never include treatment or payment details when responding to an online review. Train every staff member who touches the practice’s social accounts on both.
Your vendors and business associate agreements
Orthodontic practices run on outside software, and each vendor that creates, receives, maintains, or transmits PHI on your behalf needs a signed business associate agreement before any data is shared. This is required under 45 CFR 164.502(e).
Walk your own vendor list. The practice management and imaging platform, the patient texting and appointment-reminder service, the aligner lab you send digital scans to, the cloud backup provider, and the billing service all handle PHI. Each one needs a current BAA on file. The common failure is not refusing to sign. It is never collecting the agreement in the first place, or signing one years ago and never confirming it still exists. If OCR asks, you need to produce a signed, current BAA for every vendor touching patient data.
Patient communication and minimum necessary
Orthodontic offices text and email patients constantly: appointment reminders, treatment updates, balance notices. HIPAA allows this, but the content matters. The minimum necessary standard means a reminder does not need to spell out clinical details. “You have an appointment Thursday at 3” is fine. A message listing a specific treatment or balance, sent to a number you have not confirmed, is where problems start. Confirm contact preferences, keep messages lean, and use the platform’s secure features rather than a staff member’s personal phone.
What does Texas law add on top of HIPAA?
Texas raises the bar above the federal floor through HB 300, the Texas Medical Records Privacy Act, found in Chapter 181 of the Health and Safety Code. Three differences matter for a Houston practice.
First, the access deadline is shorter. A practice using electronic records must provide a patient electronic access within 15 business days of a written request, faster than HIPAA’s general 30 day window. Second, the definition of covered entity is broader than HIPAA’s, reaching almost anyone who handles the PHI of Texas residents. Third, Texas requires documented, role-specific workforce privacy training. Texas enforces this through the Attorney General, which is a separate enforcement path from federal OCR. So a Houston orthodontic practice answers to both.
The rest of the program
Once the big items are handled, the remaining pieces are standard but still required. You need a current Notice of Privacy Practices that reflects how you actually use patient information, including social media. You need documented workforce training under 45 CFR 164.530(b), with attendance you can prove. And you need a breach response plan, because a breach of 500 or more individuals must be reported to OCR within 60 days under the Breach Notification Rule at 45 CFR 164.400-414. For a practice with thousands of patient records, 500 is not a high bar.
The cost of skipping this is not theoretical. Civil penalties in 2026 run from $145 to $2,190,294 per violation under Federal Register 2026-01688, and small-practice settlements almost always add a corrective action plan that runs for years.
What to do next
Work the list in order. Start with the Risk Analysis, because it tells you where your real gaps are instead of guessing. Fix the photo and social media practices next, since that is the orthodontic-specific risk most likely to draw a complaint. Then collect your BAAs and tighten patient communication.
If you want a clear starting point, our HIPAA Risk Analysis service produces the documented analysis OCR asks for first, and the $750 Privacy Exposure Review gives you your top three risks in 48 hours. For a wider view of what brings OCR to a small practice in the first place, we covered six things that trigger an OCR investigation.
A smile is the product. The patient data behind it is the liability. Handle both with the same care.
Last Updated: June 26, 2026