The Complete HIPAA Compliance Checklist for Dental Practices in 2026

HIPAA compliance isn't a one-time project — it's an ongoing program that requires annual review, documented policies, and continuous staff training. For dental practices, the specific requirements of the Security Rule and Privacy Rule create a detailed compliance landscape that can feel overwhelming. This checklist breaks it into manageable categories with actionable steps.

This article is for educational purposes. It does not constitute legal advice. Consult a qualified HIPAA compliance professional for a formal assessment of your practice.

1. Administrative Safeguards (§164.308)

Administrative safeguards are the policies, procedures, and training that govern how your practice handles ePHI. They're the foundation of HIPAA compliance and where most practices have the largest gaps.

Risk Analysis

  • Conduct a formal written risk analysis identifying all ePHI, threats, and vulnerabilities — minimum annually
  • Document the risk analysis process and retain records for 6 years
  • Address identified risks with a written risk management plan

Workforce Management

  • Designate a HIPAA Privacy Officer and HIPAA Security Officer (can be the same person in small practices)
  • Conduct HIPAA training for all workforce members at hire and annually
  • Document training with signed acknowledgment from each employee
  • Establish and enforce sanctions for workforce members who violate HIPAA policies
  • Implement workforce clearance procedures — not everyone needs access to all ePHI

Access Controls

  • Assign unique user IDs to every workforce member — no shared logins
  • Implement role-based access controls — front desk doesn't need clinical record access
  • Establish a process for granting, modifying, and terminating access upon hire/role change/termination
  • Review and audit access logs quarterly

Business Associate Agreements

  • Identify all business associates — any vendor who touches ePHI (cloud storage, IT support, billing company, transcription services)
  • Execute signed BAAs with every business associate before they access ePHI
  • Keep BAAs current — review annually and update when vendor services change

2. Physical Safeguards (§164.310)

Physical safeguards protect the physical hardware and facilities where ePHI is stored or accessed.

  • Control physical access to server rooms, wiring closets, and workstations containing ePHI
  • Lock servers in a dedicated room — not under a reception desk
  • Use privacy screens on workstations visible to the public
  • Implement a clear-desk policy — no patient records visible on desks in common areas
  • Secure printers containing ePHI — don't leave printouts unattended
  • Document hardware disposal procedures — securely wipe or destroy drives before disposal
  • Track and log all equipment containing ePHI (asset inventory)

3. Technical Safeguards (§164.312)

Technical safeguards are the technology controls protecting ePHI on your systems and during transmission.

Access Controls

  • Require strong passwords (minimum 12 characters, complexity requirements) for all accounts
  • Implement multi-factor authentication (MFA) for all remote access and email accounts
  • Enable automatic screen-lock after 10 minutes of inactivity on all workstations
  • Encrypt all devices storing ePHI — laptops, tablets, portable drives

Audit Controls

  • Enable audit logging on your practice management system (PMS) for all user access to patient records
  • Enable Windows Event logging on all servers and workstations
  • Retain audit logs for a minimum of 6 years
  • Review audit logs for anomalies — large exports, after-hours access, failed login attempts
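The log review in the last bullet is easier to do consistently when the three anomaly classes it names are expressed as rules rather than eyeballed. The script below is an added example, not code from the original article or from Dental Networks; the five-field log format, the sample lines, the 07:00 to 19:00 business window, the 500-record export threshold and the five-failures-in-five-minutes rule are all constructed assumptions, and a real PMS or Windows Event export will need its own parser in place of `parse_log`.

```python
"""Flag the three audit-log anomalies named in the checklist: large exports,
after-hours access and bursts of failed logins.

Added example. The log format and every threshold below are assumptions
made for illustration; they do not describe any specific PMS product."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp  user  action  detail  outcome
SAMPLE_LOG = """\
2026-03-02T08:15:02 dr.smith VIEW_RECORD patient=1042 SUCCESS
2026-03-02T09:03:44 frontdesk LOGIN - FAILURE
2026-03-02T09:03:51 frontdesk LOGIN - FAILURE
2026-03-02T09:04:02 frontdesk LOGIN - FAILURE
2026-03-02T09:04:10 frontdesk LOGIN - FAILURE
2026-03-02T09:04:15 frontdesk LOGIN - FAILURE
2026-03-02T09:05:00 frontdesk LOGIN - SUCCESS
2026-03-02T12:30:12 hygienist1 EXPORT records=25 SUCCESS
2026-03-02T23:47:19 billing EXPORT records=1800 SUCCESS
2026-03-03T02:11:05 dr.smith VIEW_RECORD patient=2210 SUCCESS
2026-03-03T10:00:00 dr.smith LOGIN - FAILURE
"""

BUSINESS_HOURS = (7, 19)                  # assumption: open 07:00-19:00, Mon-Fri
EXPORT_THRESHOLD = 500                    # assumption: records per export that counts as "large"
FAILED_LOGIN_THRESHOLD = 5                # assumption: failures inside the window that warrant review
FAILED_LOGIN_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse the constructed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, detail, outcome = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "action": action, "detail": detail, "outcome": outcome})
    return events


def after_hours_access(events, hours=BUSINESS_HOURS):
    """Successful activity outside business hours or on a weekend."""
    start, end = hours
    return [e for e in events
            if e["outcome"] == "SUCCESS"
            and (e["time"].weekday() >= 5 or not start <= e["time"].hour < end)]


def large_exports(events, threshold=EXPORT_THRESHOLD):
    """Record exports at or above the threshold (detail field is records=N)."""
    found = []
    for e in events:
        if e["action"] == "EXPORT" and e["detail"].startswith("records="):
            count = int(e["detail"].split("=", 1)[1])
            if count >= threshold:
                found.append({"user": e["user"], "time": e["time"], "records": count})
    return found


def failed_login_bursts(events, threshold=FAILED_LOGIN_THRESHOLD, window=FAILED_LOGIN_WINDOW):
    """Per user, report each run of >= threshold failed logins inside the window."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "LOGIN" and e["outcome"] == "FAILURE":
            by_user[e["user"]].append(e["time"])
    findings = []
    for user, times in by_user.items():
        times.sort()
        i = 0
        while i < len(times):
            j = i
            # extend the run while the next failure is still inside the window
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            run = j - i + 1
            if run >= threshold:
                findings.append({"user": user, "start": times[i], "count": run})
                i = j + 1          # do not report the same run twice
            else:
                i += 1
    return findings


def review_log(text):
    """Run all three rules and return the findings grouped by rule."""
    events = parse_log(text)
    return {"after_hours": after_hours_access(events),
            "large_exports": large_exports(events),
            "failed_login_bursts": failed_login_bursts(events)}


if __name__ == "__main__":
    for rule, hits in review_log(SAMPLE_LOG).items():
        print(f"{rule}: {len(hits)} finding(s)")
        for h in hits:
            print("   ", h)
```

Run against the sample, the script flags the 1,800-record export by `billing`, the two successful accesses at 23:47 and 02:11, and the five failed `frontdesk` logins inside 31 seconds, while the single failed login by `dr.smith` and the 25-record export stay below threshold. Each finding is something a reviewer still has to judge (a dentist checking a chart at 2 a.m. may be legitimate); the point is that the quarterly review in the checklist starts from a short list of candidates rather than the whole log, and that the thresholds are written down where they can be reviewed with the rest of the policy.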

Transmission Security

  • Encrypt all email containing ePHI — standard email is NOT HIPAA-compliant
  • Use encrypted file transfer methods for sharing imaging files and records
  • Ensure your VoIP system is configured to avoid ePHI exposure in voicemail
  • Use VPN for all remote access to practice systems

Backup and Recovery

  • Implement automated daily backups of all ePHI systems
  • Store at least one backup copy off-site or in encrypted cloud storage
  • Test backup restoration quarterly — a backup you can't restore isn't a backup
  • Document your disaster recovery plan in writing

4. Breach Notification Requirements

  • Establish a written breach notification policy
  • Train staff to recognize and report potential breaches immediately
  • Know your timelines: affected individuals within 60 days, HHS annually (if <500 records) or within 60 days (if ≥500 records)
  • Document all breach investigations, even those that don't meet the notification threshold

Where Do Most Dental Practices Fall Short?

In our experience working with dental practices across Chicago and Southern Wisconsin, the most common compliance gaps are:

  1. No formal documented risk analysis — having IT in place doesn't mean you've analyzed your risks
  2. Missing or outdated BAAs — especially with IT support providers, cloud storage, and patient communication platforms
  3. Shared login credentials — front desk staff sharing a single Dentrix login
  4. Unencrypted email with patient information — the front desk sends X-rays to referring dentists via Gmail
  5. No tested disaster recovery plan — "we back up to an external drive" isn't a DR plan

Dental Networks provides a comprehensive HIPAA compliance program for dental practices that addresses all of these gaps — risk analysis, policy documentation, BAA management, technical controls, and ongoing staff training. Learn more or contact us to schedule an assessment.

Need a HIPAA Risk Assessment for Your Practice?

Dental Networks provides formal HIPAA risk assessments and ongoing compliance programs for dental practices in Chicago and Southern Wisconsin.

Schedule a HIPAA Assessment