HIPAA-compliant CBCT viewers: what to look for and what the acronyms mean

CBCTHub Team·April 17, 2026

"Is this HIPAA-compliant?" is the question every dental IT buyer asks and no vendor answers cleanly. HIPAA doesn't certify software. There is no HIPAA stamp. What exists is a set of technical and administrative safeguards that your vendor must either satisfy or allow you to satisfy.

This article is a plain-English breakdown of what HIPAA actually requires from a CBCT viewer in 2026, the acronyms you'll see on vendor pages, and a checklist you can run through before signing.

What HIPAA actually says

HIPAA — the Health Insurance Portability and Accountability Act — was passed in 1996. Relevant rules:

  • Privacy Rule: limits how protected health information (PHI) can be used and disclosed.
  • Security Rule: requires administrative, physical and technical safeguards for electronic PHI (ePHI).
  • Breach Notification Rule: if ePHI is exposed, patients and HHS must be notified.

A CBCT viewer that stores or transmits PHI is subject to the Security Rule. The dentist or radiology center is the "covered entity"; the viewer vendor is a "business associate".

BAA — Business Associate Agreement

If a vendor handles your patients' ePHI, they must sign a Business Associate Agreement with you. A BAA is a contract obligating the vendor to protect ePHI and report breaches.

No BAA = no HIPAA-compliant workflow. Period.

Check: does the vendor publish a BAA or mention one on their pricing page? If they don't, they're either not a business associate (which means they can't legally handle PHI), or they're not HIPAA-ready yet.

CBCTHub offers a BAA on Pro and Clinic plans — see our security page.

Encryption in transit

All ePHI moving between your browser and the vendor's servers must be encrypted. In 2026 that means TLS 1.3 with forward secrecy. TLS 1.2 is still acceptable but deprecated; TLS 1.0 and 1.1 are banned.

Check: does the vendor's domain support TLS 1.3? You can verify at SSL Labs. Look for an A or A+ grade and TLS 1.3 in the protocols list.
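SSL Labs is the quickest way to run this check, but it helps to understand what the report is testing. The script below is an added example (not CBCTHub code, and not what SSL Labs runs): it opens one handshake per protocol version, pinned to exactly that version, and then grades the result against the policy this article describes (TLS 1.3 expected, 1.2 tolerated, 1.0 and 1.1 must be off). The grading thresholds are this script's own reading of the text, not a HIPAA rule.

```python
"""Probe which TLS versions a host negotiates and grade them.
Added example; host names and the grading policy are assumptions."""
import socket
import ssl

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def negotiates(host: str, version, port: int = 443, timeout: float = 5.0) -> bool:
    """True if the server completes a handshake pinned to exactly `version`.

    Certificate verification stays on, so a broken chain also reads as False.
    False for 1.0/1.1 can mean the *client's* OpenSSL refused to offer them
    (hardened builds), so treat it as 'could not confirm', not as proof.
    """
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # OpenSSL 3 builds block legacy versions at the default security
            # level; lowering it is only needed for this probe.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ssl.SSLError):
        return False


def probe(host: str) -> dict:
    """Map each protocol name to whether the host negotiated it."""
    return {name: negotiates(host, ver) for name, ver in VERSIONS.items()}


def grade(supported: dict) -> tuple:
    """Apply the article's buyer policy to a probe result: (grade, findings)."""
    findings = []
    if supported.get("TLSv1.0") or supported.get("TLSv1.1"):
        findings.append("legacy TLS 1.0/1.1 still negotiable")
        return "FAIL", findings
    if not supported.get("TLSv1.3"):
        findings.append("TLS 1.3 not offered")
        if supported.get("TLSv1.2"):
            findings.append("TLS 1.2 only: acceptable but deprecated")
            return "WARN", findings
        findings.append("no modern TLS at all")
        return "FAIL", findings
    return "PASS", findings


if __name__ == "__main__":
    import sys
    # Assumed host; pass the vendor's real domain as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    result = probe(host)
    for name, ok in result.items():
        print(f"{name}: {'negotiated' if ok else 'not negotiated'}")
    print(grade(result))
```

Run it as `python tls_probe.py viewer.example.com`. A PASS here is necessary, not sufficient: SSL Labs also scores the certificate chain, cipher ordering and known protocol weaknesses, which is why the article points you there for the grade.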

Encryption at rest

Stored ePHI on the vendor's servers should be encrypted. Standard: AES-256. Most cloud storage services (AWS S3 with SSE, GCS with CMEK, Supabase Storage) do this by default.

Check: does the vendor document their storage encryption? Generic language like "data is encrypted" is not enough. Look for "AES-256 at rest, TLS 1.3 in transit" or equivalent specifics.

Access controls and authentication

ePHI must be accessible only to authorized users. Practical requirements:

  • Unique user accounts (no shared logins)
  • Strong password policy or SSO
  • Optional MFA (multi-factor authentication)
  • Role-based access within the practice (admin vs reader vs viewer)
  • Automatic session timeout after inactivity

Any vendor with a "shared team account" feature and no individual logins is not HIPAA-ready.
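To make the bullets above concrete, here is an added example (not CBCTHub's code, and not any vendor's real model) of the authorization layer a viewer backend needs: one account per person, a role matrix, an inactivity timeout, and an absolute session lifetime. The role names, permissions and timeout values are assumptions chosen for illustration.

```python
"""Per-user sessions with role checks and timeouts. Added example;
roles, actions and timeout values are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IDLE_TIMEOUT = timedelta(minutes=15)      # assumed practice setting
ABSOLUTE_LIFETIME = timedelta(hours=12)   # force re-authentication daily

# Role matrix (assumed): action -> roles allowed to perform it.
PERMISSIONS = {
    "view_study":   {"admin", "reader", "viewer"},
    "export_study": {"admin", "reader"},
    "share_study":  {"admin", "reader"},
    "delete_study": {"admin"},
    "manage_users": {"admin"},
}


@dataclass
class Session:
    user_id: str           # one person, one account; never a shared login
    role: str
    mfa_verified: bool
    created: datetime
    last_activity: datetime


def session_state(session: Session, now: datetime) -> str:
    """Absolute lifetime is checked first so a busy user still re-authenticates."""
    if now - session.created > ABSOLUTE_LIFETIME:
        return "expired"
    if now - session.last_activity > IDLE_TIMEOUT:
        return "idle_timeout"
    return "active"


def authorize(session: Session, action: str, now: datetime) -> tuple:
    """Return (allowed, reason). Every denial reason is loggable for audit."""
    state = session_state(session, now)
    if state != "active":
        return False, state
    if action not in PERMISSIONS:
        return False, "unknown_action"
    if session.role not in PERMISSIONS[action]:
        return False, "role_not_permitted"
    # Assumed policy: destructive and admin actions need an MFA-backed session.
    if action in ("delete_study", "manage_users") and not session.mfa_verified:
        return False, "mfa_required"
    session.last_activity = now   # only an allowed request extends the session
    return True, "ok"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    s = Session("dr.lee", "reader", True, now - timedelta(hours=1), now - timedelta(minutes=5))
    print(authorize(s, "view_study", now))     # (True, 'ok')
    print(authorize(s, "delete_study", now))   # (False, 'role_not_permitted')
```

Note that a denied request does not refresh `last_activity`: otherwise a script hammering a forbidden endpoint would keep an abandoned session alive indefinitely.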

Audit logs

The Security Rule requires the covered entity to produce audit logs on demand — who accessed which ePHI, when, from which device.

A HIPAA-ready viewer logs at minimum:

  • Every login attempt (successful and failed)
  • Every access to a patient's study
  • Every export or download
  • Every share link creation and access
  • Every administrative change (user add, role change, study delete)

Logs should be retained for at least 6 years (HIPAA minimum).

Check: does the vendor expose audit logs in the admin panel or as an export? If not, ask how they'd respond to a breach investigation.
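What "audit logs on demand" looks like in code, as an added example that is not CBCTHub's implementation: an append-only log that records exactly the event types listed above, links each entry to the previous one with a hash so edits or deletions are detectable, and answers the investigator's question "who touched this study, when, from where". Field names and the chaining scheme are assumptions.

```python
"""Hash-chained audit log for a viewer backend. Added example; event
names, field names and the chaining scheme are assumptions."""
import hashlib
import json
from datetime import datetime, timezone

EVENT_TYPES = {
    "login_success", "login_failure",
    "study_access", "study_export",
    "share_created", "share_accessed",
    "user_added", "role_changed", "study_deleted",
}
GENESIS = "0" * 64   # link value for the first entry


def _digest(entry: dict) -> str:
    """Canonical JSON so an auditor can recompute the hash independently."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []          # production: write-once storage, 6+ year retention
        self._prev_hash = GENESIS

    def record(self, event_type, actor, source_ip, study_id=None, detail=None, when=None):
        if event_type not in EVENT_TYPES:
            raise ValueError(f"unknown audit event: {event_type}")
        entry = {
            "seq": len(self.entries),
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "event": event_type,
            "actor": actor,        # an individual account, never a shared login
            "ip": source_ip,
            "study": study_id,
            "detail": detail or {},
            "prev": self._prev_hash,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        self._prev_hash = entry["hash"]
        return entry["hash"]

    def verify_chain(self) -> bool:
        """Recompute every hash; an edited, reordered or deleted row breaks it."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != prev:
                return False
            if _digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def accesses_to_study(self, study_id):
        """The on-demand report: who accessed which ePHI, when, from which address."""
        return [
            (e["ts"], e["actor"], e["ip"], e["event"])
            for e in self.entries
            if e["study"] == study_id
            and e["event"] in ("study_access", "study_export", "share_accessed")
        ]

    def export_jsonl(self) -> str:
        """One JSON object per line, the format most SIEMs and auditors accept."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


if __name__ == "__main__":
    log = AuditLog()
    log.record("login_success", "dr.lee", "10.0.0.5")                       # constructed
    log.record("study_access", "dr.lee", "10.0.0.5", study_id="ST-1001")    # constructed
    print(log.accesses_to_study("ST-1001"))
    print("chain intact:", log.verify_chain())
```

The hash chain does not stop an attacker with write access from truncating the log entirely; it only makes in-place tampering visible. Pair it with storage the application cannot rewrite (append-only object storage or a separate log service) to cover that case.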

Breach notification

If ePHI is exposed, the vendor must notify you quickly. HIPAA allows up to 60 days for patient notification but best practice is as fast as practically possible.

Check: does the BAA specify breach notification timelines? Does the vendor document their incident response process?

Data residency and cross-border transfer

HIPAA doesn't require US data residency. It does require the same level of protection wherever the data lives. If the vendor stores ePHI in another country, the BAA must extend to that location.

Many EU and UK customers have additional requirements under GDPR and the UK Data Protection Act 2018. Look for a Data Processing Agreement (DPA) in addition to the BAA.

Minimum necessary

HIPAA requires covered entities to disclose the minimum necessary PHI for a task. In a CBCT viewer, this means sharing links should show only the relevant study, not the whole patient chart.

Check: can you generate a share link for a single study without exposing the rest of the patient's records? Does the link expire?

Patient access

HIPAA gives patients the right to access their own records within 30 days of request, usually at no charge. A patient asking for their CBCT should get a viewer link or a DICOM download.

Check: does the viewer have a "send to patient" workflow? Can it generate a time-limited link? Does the patient need to create an account (ideally no)?
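The minimum-necessary share link described two sections up and the time-limited patient link described here are the same mechanism. The following is an added example (not CBCTHub's implementation) of how one is built: an HMAC-signed token that names exactly one study and an expiry, checked for signature, revocation, expiry and study scope on every open, with no patient account involved. The token format and the key handling are assumptions.

```python
"""Time-limited, revocable, single-study share links. Added example;
the token layout, key storage and revocation list are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

SERVER_KEY = secrets.token_bytes(32)   # production: load from a KMS or secret store
_revoked = set()                       # link ids the practice has revoked


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def create_share_link(study_id: str, ttl: timedelta, now=None, key=SERVER_KEY) -> str:
    """The token carries only a link id, one study id and an expiry:
    nothing else in the patient's chart is reachable through it."""
    now = now or datetime.now(timezone.utc)
    claims = {
        "lid": secrets.token_hex(8),              # link id, used for revocation
        "study": study_id,
        "exp": int((now + ttl).timestamp()),
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def _parse(token: str, key: bytes):
    """Return the claims only if the signature verifies; otherwise None."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def revoke(token: str, key=SERVER_KEY) -> bool:
    """Revocation works even after expiry; it only needs the link id."""
    claims = _parse(token, key)
    if claims is None:
        return False
    _revoked.add(claims["lid"])
    return True


def open_share_link(token: str, requested_study: str, now=None, key=SERVER_KEY) -> tuple:
    """Return (granted, reason). The study in the URL must match the one
    the token was minted for, so a link can never widen its own scope."""
    now = now or datetime.now(timezone.utc)
    claims = _parse(token, key)
    if claims is None:
        return False, "bad_signature"
    if claims["lid"] in _revoked:
        return False, "revoked"
    if now.timestamp() >= claims["exp"]:
        return False, "expired"
    if not hmac.compare_digest(claims["study"], requested_study):
        return False, "wrong_study"
    return True, "ok"


if __name__ == "__main__":
    tok = create_share_link("ST-1001", timedelta(days=7))   # constructed study id
    print(open_share_link(tok, "ST-1001"))                  # (True, 'ok')
    revoke(tok)
    print(open_share_link(tok, "ST-1001"))                  # (False, 'revoked')
```

Every call to `open_share_link` is also a `share_accessed` audit event in the scheme the article asks for, and the link id in the token is the natural key to join the two.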

The 10-minute pre-signup checklist

  1. Vendor publishes a BAA and will sign it before you upload PHI.
  2. Their domain supports TLS 1.3 (check on SSL Labs).
  3. Storage is AES-256 encrypted at rest.
  4. Individual user accounts, not shared.
  5. MFA available (at least optional).
  6. Role-based access within the account.
  7. Automatic session timeout.
  8. Audit logs retained 6+ years, exportable.
  9. Breach notification SLA in the BAA (not vague "as soon as possible").
  10. Time-limited share links with revocation option.
  11. No shared logins by default.
  12. Patient-access workflow documented.

Vendors that hit 10+ of these are in good shape. Below 8, walk away.

What HIPAA does NOT require

Common misconceptions:

  • HIPAA does not require US-only servers.
  • HIPAA does not require FIPS 140-2 validated cryptography (though it's a plus for federal work).
  • HIPAA does not require HITRUST certification (though it's a strong signal).
  • HIPAA does not require the vendor to be FDA-cleared as a medical device. A viewer used for reference only can run without FDA clearance.

Summary

"HIPAA-compliant" is not a checkbox. It's a combination of a signed BAA, encryption in transit and at rest, individual logins, audit logs, breach notification, and a minimum-necessary-disclosure workflow.

Work through the 12-item checklist before signing. Any vendor that can answer all 12 with specifics is HIPAA-ready. Any vendor that gives vague marketing answers is not. Don't upload PHI until you've verified.


© 2026 CBCTHub. All rights reserved.

AppLab Software LLC · 1021 E Lincolnway, Cheyenne, WY 82001