HIPAA Compliance Checklist for Dental Practices

One person can fill both roles in a small practice. Document the appointment in writing with a signed acknowledgment and specific responsibilities listed.

Required annually. Use the HHS SRA Tool or equivalent to identify threats to ePHI. Document every finding and your remediation plan, even if the risk is accepted.

Dental labs, imaging centers, cloud-based practice management software (Dentrix, Eaglesoft, Open Dental), IT support, shredding companies, and answering services all need signed BAAs before they receive any PHI.

DICOM files stored on local servers, USB drives, or cloud storage must be encrypted with AES-128 or stronger. Unencrypted portable media is the #1 breach vector for dental offices.

Shared logins make audit trails useless and violate the HIPAA access control standard. Every hygienist, assistant, and front-desk employee needs their own credentials.

Must be provided to every patient at their first visit and posted in a visible location in the office. Keep signed acknowledgment forms on file. Update whenever your privacy practices change.

Document the training date, topics covered, and attendee signatures. New hires must complete training within 30 days. Cover front-desk scenarios: confirming appointments to callers, discussing treatment in open areas, handling records requests.

Document how you will investigate a suspected breach, determine if notification is required, and notify affected individuals within 60 days. Breaches affecting 500+ people require HHS and media notification.

Lock the room or closet containing your practice management server. Limit access to authorized personnel. Log entry if possible. Paper charts must be in locked cabinets when not actively in use.

Set screens to lock after 2-5 minutes of inactivity. Operatory workstations in patient areas are high-risk — patients and visitors can see open records if the screen stays active.

Patient appointment reminders, treatment plans, and referral letters containing PHI must be encrypted or sent through a HIPAA-compliant patient portal. Gmail and Outlook are not HIPAA-compliant by default.

Include workstations, laptops, tablets, smartphones, USB drives, backup drives, and cloud services. Track device location, encryption status, and responsible person.

Hard drives from decommissioned workstations must be wiped (NIST 800-88 guidelines) or physically destroyed. Paper records must be cross-cut shredded. Document every disposal.

Enable and review access logs to track who viewed, modified, or exported patient records. Review logs at least quarterly. Anomalies — like a staff member accessing records of patients they did not treat — should trigger investigation.

Back up ePHI daily. Store backups encrypted and offsite (or in a HIPAA-compliant cloud with a BAA). Test restoration at least annually. Document your Recovery Time Objective.

If you use a paper sign-in sheet, patients should not be able to see the reason for other patients' visits. Use a sign-in sheet that covers previous entries or switch to electronic check-in.

Patients have the right to obtain copies of their records within 30 days of request, request amendments, and receive an accounting of disclosures. Have a documented workflow for each request type.

HIPAA requires policies to be maintained for six years. Assign a review date, document changes, and re-train staff on any updates. Keep prior versions for the retention period.