
Dental Compliance in British Columbia: Privacy, Records, and IT Security Requirements

This is a reference guide for BC dental practices summarising the federal, provincial, and professional regulatory frameworks that shape how patient information is collected, stored, and protected. Hexafusion is an IT services partner, not a legal advisor. Confirm current obligations with the BC College of Oral Health Professionals, the Office of the Information and Privacy Commissioner for BC, and qualified counsel.

Federal regulatory framework

BC dental practices operate inside a layered federal regulatory environment. The most commonly cited federal instruments are summarised below.

Area | Statute or Regulator | IT relevance
Privacy (federal) | PIPEDA, Office of the Privacy Commissioner of Canada | Safeguards (s. 4.7 Schedule 1), breach reporting (ss. 10.1), accountability, retention.
Cybercrime | Criminal Code, ss. 342.1 and 430(1.1) | Unauthorised computer access and mischief to data; informs incident response and evidence preservation.
Anti-spam | CASL (CRTC, OPC, Competition Bureau) | Consent and unsubscribe controls for recall reminders and marketing.
Tax records | Income Tax Act, s. 230, CRA | Retention of books and records for six years, with readable backup.
Medical devices | Medical Devices Regulations, Health Canada | Imaging and clinical device lifecycle records.
Radiation emitting devices | Radiation Emitting Devices Act, Health Canada | Registration and maintenance logs for X-ray and panoramic equipment.

BC provincial framework

British Columbia adds a set of provincial statutes that every dental practice needs to consider alongside the federal layer.

Area | Statute or Regulator | IT relevance
Privacy (provincial) | BC Personal Information Protection Act (PIPA), OIPC BC | Provincial privacy regime for BC private-sector organisations.
Employment | BC Employment Standards Act | Payroll record retention, time tracking, wage statements.
Workplace safety | Workers Compensation Act, WorkSafeBC | Incident reporting, ergonomic records for operatories and front desks.
Human rights | BC Human Rights Code | Accommodation records, complaint handling confidentiality.
Corporate | BC Business Corporations Act | Minute books, registers, and corporate filings.
Consumer protection | Business Practices and Consumer Protection Act | Treatment plan quoting, deposit handling, refund records.
Premises liability | Occupiers Liability Act | Physical access control, video surveillance retention.

Dental-specific regulators and statutes

The core regulator for BC dentistry is the BC College of Oral Health Professionals, which consolidated the former College of Dental Surgeons of BC and related colleges in 2022 under the Health Professions Act. The College sets standards of practice covering patient record content, retention, access, confidentiality, and secure disposal.

  • Health Professions Act (BC). The enabling framework for all regulated health colleges in the province, including the BC College of Oral Health Professionals.
  • Dentists Regulation. Scope of practice regulation made under the Health Professions Act.
  • College standards of practice. Cover record keeping, informed consent, advertising, sedation, and infection prevention and control. Record retention requirements typically include long retention periods for adult records and extended retention for records relating to minors, which affects backup retention, archive tiers, and disposal procedures.
  • CDAnet and ITRANS. The Canadian Dental Association's electronic claims network and its ITRANS client require specific connectivity, user provisioning, and audit-trail practices inside practice management software.
  • Medical Devices Regulations (federal). Apply to imaging hardware and other Class II and above devices operated in the clinic.
  • Radiation Emitting Devices Act (federal). Covers the registration and operation logs for X-ray, panoramic, and cone beam equipment.

Cross-cutting frameworks

Several non-dental frameworks are commonly referenced in assessor, insurer, and regulator conversations. They do not replace statutory obligations but are strong signals of reasonable safeguards.

  • PCI DSS. Applies to the handling of cardholder data for treatment payments and terminal integrations.
  • HIPAA. May apply on top of PIPEDA and BC PIPA if the practice serves US patients.
  • NIST Cybersecurity Framework and CIS Controls. Widely accepted control catalogues used to benchmark small-practice safeguards.
  • SOC 2. Often requested of cloud-hosted practice management and imaging vendors rather than the clinic itself, but clinic due diligence should review vendor SOC 2 reports.
  • Cyber insurance underwriter expectations. Underwriters now routinely require multi-factor authentication, endpoint detection and response, tested backups with offline copies, phishing simulation and training, a written incident response plan, and documented vulnerability patching cadence.

The practical effect for a typical BC dental clinic is that the underlying technical architecture has to answer the same questions regardless of which regulator or insurer is asking: who can access which chart, when did they access it, how is it protected at rest and in transit, how long is it retained, what happens on an access request, and how is a breach detected, contained, and reported? Multi-factor authentication on email, remote access, and administrative accounts is table stakes. Endpoint detection and response replaces legacy antivirus. Backups are tested with real restores, and at least one copy is offline or immutable so ransomware cannot destroy both production and backups in one pass. Phishing training runs on a recurring schedule. An incident response plan exists in writing and has been walked through in a tabletop. Vulnerability patching follows a documented cadence.

How IT controls map to the regulatory stack

  • Retention schedules. Configured in practice management, imaging storage, email, and backups to match College retention periods and Income Tax Act requirements.
  • Access logs. Who accessed which chart, when, and from which workstation. Retained long enough to support breach investigation and College inquiries.
  • Encryption at rest and in transit. Full-disk encryption on servers, workstations, and backup targets. TLS for remote access, VPN with multi-factor authentication for offsite logins.
  • Written breach response plan. Aligned with PIPEDA Breach of Security Safeguards Regulations and BC PIPA expectations, with documented notification thresholds and contact procedures.
  • Tested backups and disaster recovery. Backups verified with periodic test restores, offline or immutable copies, and a documented recovery time objective.
  • MDR, EDR, MFA, and patching. Managed detection and response, endpoint detection and response, multi-factor authentication on all admin and remote access, and a documented vulnerability patching cadence.

The operational reality of these controls matters more than the labels on the policy document. A retention schedule is worthless if practice management, imaging, email, and backup expire records on different timelines. Access logs are worthless if nobody reviews them. Role-based access drifts over time as staff take on extra duties, so it needs periodic review. Encryption is only as good as the key management behind it. A written breach response plan needs the named contacts and thresholds confirmed at least annually. Tested backups need test restores that actually prove the data comes back. BC dental clinics that handle these basics well usually share three habits: they document the current state, they test the controls periodically, and they assign a named owner for each control so that changes get reflected across systems rather than disappearing into a shared drive.
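As an added example (not Hexafusion's code, and not any practice management product's log format), a Python review pass over constructed chart-access log lines that flags the items the access-log control above only delivers if someone actually looks at them: access from a workstation outside the clinic inventory, after-hours access, and one user opening many distinct charts in a short window. The log format, workstation list, clinic hours and thresholds are all assumptions for the example.

```python
# Added example (not Hexafusion's code): review constructed chart-access log lines
# for the signals a clinic privacy lead would want flagged. Log format, field names,
# workstation inventory, hours and thresholds are all assumptions for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (pipe-separated): time|user|workstation|chart_id|action
SAMPLE_LOG = """\
2024-03-04T09:12:00|jchen|OP1-WS|CH-1001|view
2024-03-04T12:40:00|mrossi|FRONT-WS|CH-2001|view
2024-03-04T22:05:00|mrossi|FRONT-WS|CH-2002|view
2024-03-04T13:00:00|tlee|HOME-LAPTOP|CH-3001|view
2024-03-05T10:00:00|jchen|OP1-WS|CH-1003|view
2024-03-05T10:01:00|jchen|OP1-WS|CH-1004|view
2024-03-05T10:02:00|jchen|OP1-WS|CH-1005|view
2024-03-05T10:03:00|jchen|OP1-WS|CH-1006|view
"""
APPROVED_WORKSTATIONS = {"OP1-WS", "OP2-WS", "FRONT-WS"}  # assumed clinic inventory
CLINIC_HOURS = (7, 19)               # assumed 07:00-19:00; access outside is flagged
BULK_WINDOW = timedelta(minutes=10)  # distinct charts opened by one user in this window
BULK_THRESHOLD = 4                   # ...at or above this count triggers a review item

def parse_log(text):
    """Parse the constructed format into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, chart, action = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "workstation": ws, "chart": chart, "action": action})
    return sorted(events, key=lambda e: e["time"])

def review_access_log(text):
    """Return (reason, user, detail) tuples for the privacy lead to review."""
    findings, per_user = [], defaultdict(list)
    for e in parse_log(text):
        if e["workstation"] not in APPROVED_WORKSTATIONS:   # unknown device, e.g. offsite
            findings.append(("unapproved_workstation", e["user"], e["workstation"]))
        if not CLINIC_HOURS[0] <= e["time"].hour < CLINIC_HOURS[1]:
            findings.append(("after_hours", e["user"], e["time"].isoformat()))
        per_user[e["user"]].append(e)
    for user, evs in per_user.items():   # evs are already time-ordered
        for i, start in enumerate(evs):
            charts = {x["chart"] for x in evs[i:] if x["time"] - start["time"] <= BULK_WINDOW}
            if len(charts) >= BULK_THRESHOLD:
                findings.append(("bulk_chart_access", user, f"{len(charts)} charts"))
                break   # one finding per user is enough for a review queue
    return findings
```

The findings list is what a monthly access-log review would work through; retention of the underlying log long enough to re-run this over an earlier period is the separate retention control listed above.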

These controls translate directly into regulatory evidence. When the Office of the Information and Privacy Commissioner for BC opens a file, the first requests are typically for the privacy management programme, safeguards, breach procedure, and access logs. When the BC College of Oral Health Professionals asks about records, the expectations are retention, access control, and secure disposal. When a cyber insurer asks questions at renewal, they want the same evidence in a slightly different format. A practice that has invested in the underlying technical controls can satisfy all three with a single set of artefacts, which is the practical payoff of treating compliance and IT as one programme rather than two.

Where Hexafusion fits

Hexafusion is a Vancouver-based managed IT and cybersecurity provider founded in 2020. We operationalise the IT controls that satisfy regulatory evidence requirements for BC dental practices. That includes backup configuration, endpoint hardening, access-log tuning, encryption rollout, and the written documentation that an assessor, insurer, or College inquiry wants to see. Our founder, Alex Barari, held the PCI DSS Internal Security Assessor designation earlier in his career, which means we speak the assessor dialect and can produce the kind of evidence artefacts a third-party reviewer expects.

We do not provide legal advice, do not interpret regulations, and do not act as your privacy officer. Those roles belong to qualified counsel, your College's practice advisors, and your internal privacy lead. Our job is the technical layer. For the dental-specific IT service companion to this guide, see our dental IT support Vancouver page.

Frequently Asked Questions

Who enforces dental compliance in BC?
The BC College of Oral Health Professionals regulates dental practice. The Office of the Information and Privacy Commissioner for BC enforces BC PIPA. The federal Office of the Privacy Commissioner enforces PIPEDA where it applies. Criminal matters fall under the Criminal Code of Canada.

Does Hexafusion provide legal advice?
No. Hexafusion is an IT services provider. We implement and document technical controls. Legal, compliance, and regulatory interpretation belong to qualified counsel and your College's practice advisors.

How do IT controls map to dental compliance rules?
Retention, encryption, access logging, role-based access, tested backups, breach response documentation, and endpoint security provide the technical evidence regulators look for when assessing PIPEDA, BC PIPA, and College obligations.

How does dental compliance overlap with cyber insurance?
Underwriters require multi-factor authentication, endpoint detection and response, tested backups, phishing training, incident response plans, and vulnerability patching. These controls also support privacy obligations, so compliance and insurance requirements overlap.

What records must my dental practice retain?
The BC College of Oral Health Professionals sets retention standards, generally long retention for adult patients and extended retention for minors. Confirm current standards with the College. Tax and employment records follow the Income Tax Act and BC Employment Standards Act.

Does PIPEDA or BC PIPA apply to my dental office?
Both can apply depending on activity. BC PIPA generally governs BC private-sector personal information handling. PIPEDA applies to federally regulated activities and cross-border data handling. Most day-to-day dental records fall under BC PIPA.

Disclaimer

This reference guide provides general regulatory context for BC-based dental practices. It is not legal or compliance advice. Confirm current requirements with your regulator, legal counsel, and compliance advisor. Hexafusion is an IT services provider and does not provide legal advice. Regulatory requirements and administrative monetary penalties change; contact the applicable regulator for current wording and maximums.

Reviewed by Alex Barari, Founder, former PCI DSS Internal Security Assessor (ISA).

Need help with the IT side of compliance?

Request a scoped assessment. We review your technical safeguards against the evidence an assessor, regulator, or insurer expects, and deliver a written report.