Why Dental Offices Need This Checklist
HIPAA compliance is not optional for dental practices. If you file insurance claims electronically, use digital X-rays, or maintain electronic patient records, you are a covered entity under HIPAA.
The problem? Most dental offices know they need to comply but aren't sure what that actually means for their IT systems. The regulations are written in legal language, not practical IT terms.
This checklist translates HIPAA requirements into specific, actionable IT tasks. Print it out, hand it to your IT person or MSP, and make sure every item is addressed.
The HIPAA IT Checklist
Access Controls
•[ ] **Unique user accounts** — Every employee has their own login. No shared passwords, no generic "front desk" accounts
•[ ] **Role-based access** — Staff can only access the patient data they need for their job. The receptionist doesn't need access to clinical notes
•[ ] **Strong passwords** — Minimum 12 characters, enforced by policy. Password manager recommended
•[ ] **Multi-factor authentication (MFA)** — Required for email, practice management software, and any remote access
•[ ] **Automatic session timeouts** — Workstations lock after 5 minutes of inactivity. Critical in operatories where patients might see screens
•[ ] **Terminated employee procedure** — Written process to disable accounts immediately when an employee leaves. Same day, no exceptions
Encryption
•[ ] **Encryption at rest** — All devices storing ePHI (workstations, servers, portable devices) use full-disk encryption (BitLocker on Windows, FileVault on Mac)
•[ ] **Encryption in transit** — All ePHI transmitted over networks uses TLS/SSL encryption. This includes email, remote access, and data sync between locations
•[ ] **Encrypted email** — Any email containing patient information must be encrypted end to end. Standard Gmail or Outlook email is NOT encrypted that way
•[ ] **Encrypted backups** — Backup data must be encrypted both in transit and at rest
•[ ] **Mobile device encryption** — Any phone or tablet that accesses patient data must be encrypted with remote wipe capability
Backup & Disaster Recovery
•[ ] **Automated daily backups** — All patient data backed up at minimum daily, preferably hourly
•[ ] **3-2-1 backup strategy** — 3 copies, 2 media types, 1 offsite (cloud). Learn more about [backup strategy](/services/backup)
•[ ] **Tested restores** — Quarterly restore tests documented. Backups that haven't been tested are not reliable
•[ ] **HIPAA-compliant backup vendor** — Your backup provider must sign a Business Associate Agreement (BAA). Not all backup services are HIPAA-eligible
•[ ] **Disaster recovery plan** — Written plan for how you restore operations after a major incident (ransomware, fire, flood). Include RTOs for each system
•[ ] **Backup monitoring** — Someone is verifying daily that backups completed successfully. Automated alerts for failures
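The "tested restores" and "backup monitoring" items above come down to two checks: was the last backup recent, and does what comes back from a restore match what went in. The script below is an added example, not part of this checklist or any vendor's tooling; it assumes the backup job writes a small manifest (completion time plus a SHA-256 per file), builds a constructed backup set in a temporary directory, deliberately truncates one restored file, and reports both the stale backup and the corrupted file.

```python
import hashlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# A backup that completed more than this long ago counts as a failed daily backup.
MAX_BACKUP_AGE = timedelta(hours=24)

def sha256_file(path):
    """Hash a file in chunks so large imaging files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_restore(manifest, restore_dir, now):
    """Check backup freshness and compare every restored file against the manifest hash."""
    problems = []
    completed = datetime.fromisoformat(manifest["completed_at"])
    if now - completed > MAX_BACKUP_AGE:
        problems.append(f"last backup completed {completed.isoformat()}, older than {MAX_BACKUP_AGE}")
    for rel, expected in manifest["files"].items():
        restored = Path(restore_dir) / rel
        if not restored.is_file():
            problems.append(f"missing after restore: {rel}")
        elif sha256_file(restored) != expected:
            problems.append(f"checksum mismatch after restore: {rel}")
    return problems

def demo():
    """Build a constructed backup set in a temp dir, corrupt one restored file, and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # constructed sample data standing in for a chart export and an X-ray file
        files = {"charts/PT-1043.json": b'{"patient": "PT-1043"}', "xrays/PT-1043-bw.dcm": b"\x00" * 512}
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        # manifest as the (hypothetical) backup job would write it: completion time plus a hash per file
        manifest = {"completed_at": "2024-03-04T02:00:00+00:00",
                    "files": {rel: sha256_file(root / rel) for rel in files}}
        # simulate a silently truncated X-ray in the restored copy
        (root / "xrays/PT-1043-bw.dcm").write_bytes(b"\x00" * 511)
        now = datetime(2024, 3, 6, 9, 0, tzinfo=timezone.utc)  # 55 hours after completion
        return verify_restore(manifest, root, now)
```

Run `verify_restore` against a real restore target on a schedule and alert on a non-empty result; a quarterly restore test is only documented when this output is kept.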
Network Security
•[ ] **Business-grade firewall** — Not a consumer router. Enterprise firewalls from Fortinet, SonicWall, or similar with intrusion prevention
•[ ] **Separate guest WiFi** — Patient WiFi must be completely isolated from your practice network. No exceptions
•[ ] **Encrypted WiFi** — WPA3 or WPA2-Enterprise on your practice network. WPA2-Personal with a strong password at minimum
•[ ] **VPN for remote access** — Any remote access to practice systems must go through an encrypted VPN tunnel
•[ ] **Network segmentation** — Separate your practice management system, digital imaging, and general internet traffic. If one is compromised, others are protected
•[ ] **No unauthorized devices** — Only managed devices connect to the practice network. Personal laptops and phones use guest WiFi
Endpoint Protection
•[ ] **Next-gen antivirus** — Traditional antivirus is not enough. Deploy endpoint detection and response (EDR) like SentinelOne on every workstation and server
•[ ] **Automated patching** — Operating system and application updates applied regularly. Unpatched systems are the #1 way ransomware gets in
•[ ] **Web filtering** — Block malicious websites and categories that pose security risks
•[ ] **USB controls** — Restrict or monitor USB device usage. USB drives are a common vector for malware
Email Security
•[ ] **Spam and phishing filtering** — Enterprise-grade email filtering that catches malicious emails before they reach inboxes
•[ ] **Attachment scanning** — All email attachments scanned for malware before delivery
•[ ] **DMARC, DKIM, SPF** — Email authentication protocols configured to prevent spoofing of your domain
•[ ] **Security awareness training** — Monthly [phishing simulations](/blog/phishing-attacks-how-to-protect-your-business) and training for all staff. Employees are the #1 target
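The SPF and DMARC checks behind the "DMARC, DKIM, SPF" item can be reviewed from the published TXT records alone. The script below is an added example, not part of this checklist or any vendor's product; it evaluates constructed records for a hypothetical domain (`example-dental.test`) offline and flags the settings that leave a domain spoofable: a soft-fail or permissive `all`, too many DNS lookups, a non-enforcing DMARC policy, and missing aggregate reporting.

```python
import re

# Constructed TXT records for a hypothetical practice domain; not real DNS data.
SAMPLE_RECORDS = {
    "example-dental.test": "v=spf1 include:spf.protection.outlook.com ~all",
    "_dmarc.example-dental.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-dental.test",
}
# SPF mechanisms that cost a DNS lookup (RFC 7208 allows at most 10 per evaluation)
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:/=]|$)", re.I)

def evaluate_spf(record):
    """Return a list of findings for an SPF TXT record; empty means it is in good shape."""
    if not record.lower().startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell which servers may send as this domain"]
    findings = []
    terms = record.split()
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF has no 'all' mechanism, so unlisted senders are not failed")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF ends in +all: any server on the internet may send as this domain")
        elif qualifier in "~?":
            findings.append(f"SPF ends in {qualifier}all: forged mail is only softfailed or neutral, so DMARC must do the rejecting")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit 10): receivers treat the record as permerror")
    return findings

def evaluate_dmarc(record):
    """Return a list of findings for a DMARC TXT record; empty means enforcing with reporting."""
    if not record.lower().startswith("v=dmarc1"):
        return ["no DMARC record: receivers have no policy to apply when SPF/DKIM fail"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    findings = []
    policy = tags.get("p", "").strip().lower()
    if policy != "reject":
        findings.append(f"DMARC policy is p={policy or '(missing)'}; only p=reject blocks spoofed mail")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports showing who spoofs your domain")
    if tags.get("pct", "100").strip() != "100":
        findings.append(f"pct={tags['pct'].strip()}: policy applied to only part of the failing mail")
    return findings

def audit_domain(domain, records):
    """Combine SPF and DMARC findings for one domain using a name -> TXT record mapping."""
    return evaluate_spf(records.get(domain, "")) + evaluate_dmarc(records.get("_dmarc." + domain, ""))
```

To check a live domain, replace `SAMPLE_RECORDS` with the TXT records returned by a DNS lookup of the domain and of `_dmarc.` plus the domain; the evaluation logic stays the same.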
Physical Security
•[ ] **Locked server room/closet** — Network equipment and server (if applicable) in a locked space. Not the break room
•[ ] **Screen positioning** — Monitors displaying patient data positioned away from patient view
•[ ] **Visitor access** — IT vendors, cleaning crews, and other non-employees don't have unsupervised access to areas with ePHI
•[ ] **Disposal procedures** — Hard drives and devices containing ePHI are wiped or physically destroyed before disposal. Keep certificates of destruction
Documentation & Policies
•[ ] **Annual risk assessment** — Required by HIPAA. Document all identified risks and your plan to address them
•[ ] **Written security policies** — Acceptable use, password policy, incident response, breach notification, data disposal
•[ ] **Business Associate Agreements (BAAs)** — Signed with every vendor that touches patient data: your MSP, cloud storage, backup provider, email provider, practice management vendor
•[ ] **Incident response plan** — Written procedure for what to do if a breach occurs, including who to notify and when
•[ ] **Training documentation** — Records of all security training completed by each employee, with dates and topics
•[ ] **Access logs** — Audit trails showing who accessed what patient data and when. Your practice management software should support this
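The "access logs" item, the same-day account disablement item under Access Controls, and the shared-credential problem described later all become checkable once the practice management system's audit trail is exported. The script below is an added example, not part of this checklist or any vendor's software; it runs over a constructed CSV export and an assumed HR roster and flags activity by accounts that should already be disabled, role-named accounts that cannot be tied to a person, and one account appearing on two workstations within a few minutes.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed audit-log export from a hypothetical practice management system (not real data).
SAMPLE_LOG = """timestamp,user,workstation,action,record
2024-03-04 08:02:10,frontdesk,RECEPTION-1,login,
2024-03-04 08:03:41,frontdesk,OP-2,view_chart,PT-1043
2024-03-04 08:15:22,jsmith,OP-1,view_chart,PT-1043
2024-03-04 09:10:05,dr.lee,OP-3,update_chart,PT-2201
2024-03-04 09:12:48,dr.lee,OP-3,view_xray,PT-2201
"""
# Constructed HR roster: accounts that should have been disabled on the given date.
TERMINATED = {"jsmith": datetime(2024, 3, 1)}
# Account names that identify a role rather than a person (assumed list; extend for your office).
GENERIC_NAMES = {"frontdesk", "admin", "hygiene", "doctor", "office"}
# One account active on two different workstations this close together suggests a shared password.
SHARED_WINDOW = timedelta(minutes=5)

def parse_log(text):
    """Parse the CSV export, attach a datetime to each row, and return rows in time order."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
    return sorted(rows, key=lambda r: r["ts"])

def audit_access_log(text, terminated=TERMINATED):
    """Return human-readable findings; an empty list means none of the three problems appear."""
    findings, generic_reported, last_seen = [], set(), {}
    for row in parse_log(text):
        user, ws, ts = row["user"], row["workstation"], row["ts"]
        # 1. activity by an account that HR says should already be disabled
        if user in terminated and ts >= terminated[user]:
            findings.append(f"terminated user {user} active on {ws} at {ts} (termination {terminated[user]:%Y-%m-%d})")
        # 2. role accounts: the audit trail cannot say which person viewed the record
        if user in GENERIC_NAMES and user not in generic_reported:
            generic_reported.add(user)
            findings.append(f"generic account {user} in use: actions cannot be attributed to a person")
        # 3. same account on two workstations within the window
        prev = last_seen.get(user)
        if prev and prev[1] != ws and ts - prev[0] <= SHARED_WINDOW:
            findings.append(f"account {user} used on {prev[1]} and {ws} within {SHARED_WINDOW}: likely shared credential")
        last_seen[user] = (ts, ws)
    return findings
```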
Ongoing Monitoring
•[ ] **24/7 system monitoring** — Continuous monitoring of all systems for security events, performance issues, and failures
•[ ] **Log retention** — Security and access logs retained for minimum 6 years (HIPAA requirement)
•[ ] **Regular vulnerability scans** — At least quarterly scanning of your network for vulnerabilities
•[ ] **Annual penetration testing** — Recommended (not required but strongly advised by HHS) to test your defenses
•[ ] **Quarterly reviews** — Regular review of security posture, access rights, and compliance status with your IT provider
Common HIPAA IT Mistakes in Dental Offices
Using Personal Email for Patient Communication
Gmail, Yahoo, and standard Outlook.com accounts are not HIPAA-compliant. Patient communication requires encrypted email through a HIPAA-eligible platform with a signed BAA.
No Business Associate Agreements
Every vendor that accesses, stores, or transmits ePHI must sign a BAA. This includes your IT company, cloud backup provider, payment processor, and even your shredding service. Missing BAAs are one of the most common findings in HIPAA audits.
Shared Login Credentials
"Everyone uses the same password for the practice management system" is a HIPAA violation. Every user needs their own account with appropriate access levels. Shared accounts make it impossible to create audit trails.
Unencrypted Laptops and Portable Devices
If a laptop with patient data is stolen from a car and it isn't encrypted, that is a reportable breach. Full-disk encryption makes the data unreadable even if the device is stolen, and you may not need to report it.
No Tested Backups
Having a backup is not the same as having a working backup. If you haven't tested a restore recently, you don't actually know if your backup works. We've seen dental offices discover their backups had been failing for months — after a ransomware attack.
What Happens During a HIPAA Audit
If HHS (the Office for Civil Rights) investigates your practice, here's what they'll ask for:
1. Your most recent risk assessment
2. Written security policies and procedures
3. Evidence of employee training
4. Business Associate Agreements with all vendors
5. Evidence of encryption (device management reports)
6. Backup and disaster recovery documentation
7. Access control documentation (user accounts, permissions)
8. Incident response plan
If you can't produce these documents, you have a compliance gap. Fines range from $100 to $50,000 per violation.
How Triangle Tech Helps Dental Offices
We support dental practices across the Raleigh-Durham Triangle on our Light plan at **$150/user/month**. Every item on this checklist is either included in our service or something we can help you implement:
•**24/7 monitoring and support** — We watch your systems around the clock
•**Endpoint protection with EDR** — Next-gen security on every device
•**HIPAA-compliant backup** with tested restores and signed BAA
•**Email security** with phishing filtering and encryption
•**Security awareness training** with monthly phishing simulations
•**Annual risk assessment** support and documentation
•**Policy templates** customized for dental practices
•**BAA management** — We sign one with you and help you get them from other vendors
All of this is included. No add-ons, no surprise fees.
Schedule a free HIPAA IT assessment → or call [(919