HIPAA Compliance Checklist for Dental Practices
Complete HIPAA compliance checklist for dental practices. 40+ items covering risk assessment, safeguards, BAAs, and breach response. Print and review quarterly.
Print this checklist and keep it in your compliance binder. Review quarterly. A 3-doctor practice in Texas paid $2.7M for missing half of these items.
How to use: Go through each section. Check what you have. Fix what you don't. The items marked ⚠️ are the ones OCR investigators check first.
1. Risk Assessment (Annual Requirement)
- ☐ Completed written risk assessment within last 12 months ⚠️
- ☐ All electronic PHI (ePHI) storage locations identified
- ☐ Threats and vulnerabilities documented for each system
- ☐ Risk levels assigned (high/medium/low) with mitigation plans
- ☐ Risk assessment signed and dated by practice owner
2. Administrative Safeguards
- ☐ Designated Privacy Officer (name documented) ⚠️
- ☐ Designated Security Officer (can be same person)
- ☐ Written HIPAA policies and procedures manual ⚠️
- ☐ Staff training completed within 30 days of hire
- ☐ Annual staff training refresher (documented with sign-off)
- ☐ Sanction policy for HIPAA violations (written, acknowledged by staff)
- ☐ Workforce access controls (who can access what ePHI)
- ☐ Terminated employee access revoked within 24 hours
3. Physical Safeguards
- ☐ Server room/closet locked (limited key access)
- ☐ Workstations positioned away from patient view
- ☐ Automatic screen lock on all computers (5 min or less)
- ☐ Paper records in locked cabinets when not in use
- ☐ Shredding service for PHI disposal (certificate on file)
- ☐ Sign-in/sign-out log for after-hours access
4. Technical Safeguards
- ☐ Unique username/password for every user (no shared front-desk login; audit trails are worthless without this) ⚠️
- ☐ Written password policy: minimum 8 characters (longer passphrases preferred), checked against known-breached password lists, and changed when compromise is suspected rather than on a fixed 90-day schedule (NIST SP 800-63B no longer recommends forced periodic rotation); multi-factor authentication on remote and EHR logins
- ☐ Full-disk encryption on every device that stores ePHI (laptops, tablets, phones), with recovery keys escrowed rather than kept on the device. A lost or stolen device that was encrypted per HHS guidance is not a reportable breach; an unencrypted one is ⚠️
- ☐ Encrypted email for sending PHI: TLS in transit is the minimum, but it only protects mail between servers that both enforce it; for patient records use a secure messaging portal or end-to-end encrypted email rather than relying on opportunistic TLS
- ☐ Firewall configured and updated (inbound closed except what the PMS/EHR vendor documents)
- ☐ Anti-virus/anti-malware on all workstations, real-time protection on, signatures current
- ☐ Automatic software updates enabled (operating system and PMS/EHR)
- ☐ Guest/patient WiFi isolated from the practice network (separate SSID and VLAN; practice systems not reachable from the guest side)
- ☐ Audit logs enabled on PMS and EHR systems and reviewed periodically (who opened which chart, when)
- ☐ Data backup daily (encrypted, with an offline or offsite copy that ransomware on the practice network cannot reach; restore tested monthly)
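The workstation items in this section can be spot-checked rather than taken on faith. The script below is an added example, not part of the original checklist: a read-only PowerShell audit of a Windows 10/11 workstation against the technical safeguards above. It assumes BitLocker, Microsoft Defender, Windows Firewall and Windows Update are the tools in use; the 5-minute lock and 8-character thresholds are the checklist's own numbers and should be changed to match your written policy. PMS/EHR audit logging and backup restores are vendor-specific and still have to be verified in those products.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original checklist): read-only audit of one Windows workstation
# against the Technical Safeguards items. Assumes BitLocker, Defender, Windows Firewall and
# Windows Update are in use. Run in an elevated PowerShell; nothing is changed.

$LockSeconds = 300        # checklist: screen lock within 5 minutes
$MinPasswordLength = 8    # checklist: minimum 8 characters
$results = New-Object System.Collections.Generic.List[object]

function Add-Result([string]$Item, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Item = $Item; Pass = $Pass; Detail = $Detail })
}

# --- Unique accounts: Guest disabled, no enabled local account allowed a blank password ---
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
Add-Result 'Guest account disabled' ((-not $guest) -or (-not $guest.Enabled)) "Enabled=$($guest.Enabled)"
$noPw = @(Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired })
Add-Result 'Enabled accounts require a password' ($noPw.Count -eq 0) (($noPw.Name) -join ', ')

# --- Password policy: parse "Minimum password length" from `net accounts` ---
$minLen = 0
$line = net accounts | Select-String 'Minimum password length'
if ($line -and $line.Line -match '(\d+)\s*$') { $minLen = [int]$Matches[1] }
Add-Result "Minimum password length >= $MinPasswordLength" ($minLen -ge $MinPasswordLength) "Configured=$minLen"

# --- Screen lock: machine inactivity limit (policy) or a password-protected screen saver (user) ---
$sys  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$inactivity = [int]($sys.InactivityTimeoutSecs)
$saverOk = ($desk.ScreenSaveActive -eq '1') -and ($desk.ScreenSaverIsSecure -eq '1') -and
           ([int]$desk.ScreenSaveTimeOut -gt 0) -and ([int]$desk.ScreenSaveTimeOut -le $LockSeconds)
$lockOk = ($inactivity -gt 0 -and $inactivity -le $LockSeconds) -or $saverOk
Add-Result "Screen locks within $LockSeconds s" ([bool]$lockOk) "InactivityTimeoutSecs=$inactivity ScreenSaveTimeOut=$($desk.ScreenSaveTimeOut)"

# --- Encryption at rest: every BitLocker-visible volume fully encrypted with protection on ---
$vols = @(Get-BitLockerVolume -ErrorAction SilentlyContinue)
$unencrypted = @($vols | Where-Object { $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On' })
Add-Result 'BitLocker on all volumes' ($vols.Count -gt 0 -and $unencrypted.Count -eq 0) (($unencrypted.MountPoint) -join ', ')

# --- Firewall: Domain, Private and Public profiles all enabled ---
$off = @(Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' })
Add-Result 'Firewall enabled on all profiles' ($off.Count -eq 0) (($off.Name) -join ', ')

# --- Anti-malware: Defender real-time protection on and signatures no older than a week ---
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
$avOk = ($null -ne $mp) -and $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le 7)
Add-Result 'Defender real-time protection, signatures <= 7 days' ([bool]$avOk) "SignatureAge=$($mp.AntivirusSignatureAge)d"

# --- Updates: Windows Update service not disabled, automatic updates not switched off by policy ---
$wu = Get-Service wuauserv -ErrorAction SilentlyContinue
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
$updOk = ($null -ne $wu) -and ($wu.StartType -ne 'Disabled') -and ($au.NoAutoUpdate -ne 1)
Add-Result 'Automatic updates enabled' ([bool]$updOk) "StartType=$($wu.StartType) NoAutoUpdate=$($au.NoAutoUpdate)"

# --- OS audit logs: logon success AND failure auditing on (shared accounts defeat this, see above) ---
$logon = auditpol /get /subcategory:Logon | Select-String '^\s*Logon\s'
$auditOk = ($null -ne $logon) -and ($logon.Line -match 'Success and Failure')
Add-Result 'Logon auditing (success and failure)' ([bool]$auditOk) ((("$($logon.Line)") -replace '\s+', ' ').Trim())

# --- Report: one row per item; exit code = number of failed items, usable from a scheduled task ---
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Host "$failed item(s) need attention"
exit $failed
```

Run it on each workstation and file the output with the quarterly review; a non-zero exit code is the list of items to fix. It checks the operating system only: whether the practice management or EHR software itself writes and retains audit logs is a question for the vendor, and belongs under the BAA conversation in the next section.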
5. Business Associate Agreements
- ☐ BAA on file for every vendor with PHI access ⚠️
- ☐ IT support company (BAA signed)
- ☐ Cloud/software vendors (BAA signed)
- ☐ Billing company (BAA signed)
- ☐ Shredding service (BAA signed)
- ☐ Answering service (BAA signed)
- ☐ BAAs reviewed annually for current terms
6. Breach Response
- ☐ Written breach notification policy
- ☐ Breach investigation procedures documented (including the four-factor risk assessment used to decide whether an incident is a reportable breach)
- ☐ Breach log maintained (even for minor incidents)
- ☐ Staff knows who to report suspected breaches to
- ☐ HHS notification procedures documented: affected individuals notified without unreasonable delay and no later than 60 days after discovery regardless of size; breaches affecting 500 or more individuals reported to HHS at the same time, with notice to major media in the affected state; smaller breaches logged and reported to HHS within 60 days after the end of the calendar year
Sources: HHS Office for Civil Rights HIPAA Security Rule guidance, OCR enforcement actions 2020-2025, ADA HIPAA compliance resources.
Disclaimer: This checklist covers common requirements but is not exhaustive. HIPAA compliance varies by state and practice type. Consult a HIPAA compliance specialist or healthcare attorney for guidance specific to your practice.