
HIPAA Compliance Checklist for New Dental Practice Owners (2026)

Opening a dental practice involves hundreds of decisions — equipment, staffing, billing systems, location. HIPAA compliance rarely makes it onto the priority list until something goes wrong. But the moment you create, receive, or store patient information — which happens before you see your first patient — you are a HIPAA Covered Entity with full legal obligations. This checklist covers everything a new dental practice must have in place before opening day.

  • Day 1: HIPAA obligations begin when you first handle patient data
  • 6 years: Minimum document retention required by HIPAA
  • $50,000: Maximum fine per violation for new practices without safeguards

2026 Update: New practice owners often believe HIPAA compliance is something to 'get around to' after opening. OCR does not grant grace periods based on how long a practice has been open. A breach in your first month carries the same fine structure as a breach in your tenth year.

ADA Official Partner — Recommended for Dental Practice in your area

Get Your Practice 100% HIPAA Compliant in 2026

Compliancy Group is the only HIPAA solution officially endorsed by the American Dental Association. Their Compliance Coach walks your practice through every requirement — and their Seal of Compliance proves you're audit-ready.

Get ADA-Recommended HIPAA Compliance →

No credit card required to start your audit

Smaller practice? See Abyde (~$149/mo) →


Step 1: Designate a HIPAA Privacy Officer and Security Officer

HIPAA requires every Covered Entity to designate a Privacy Officer (responsible for privacy policies and patient rights) and a Security Officer (responsible for protecting electronic PHI). In a small practice, these can be the same person — often the practice owner or office manager.

This designation must be documented in writing. 'I handle HIPAA' is not compliant. A written designation specifying the person's name, title, and responsibilities is required.

  • Privacy Officer responsibilities: Developing and maintaining HIPAA privacy policies, handling patient rights requests, training oversight, and serving as the internal point of contact for privacy complaints.
  • Security Officer responsibilities: Overseeing technical safeguards, conducting or coordinating the Security Risk Analysis, managing vendor security requirements, and leading breach response.

Step 2: Complete Your Security Risk Analysis Before Going Live

The Security Risk Analysis (SRA) must be completed before you begin storing electronic patient data — not after. This is a common mistake: practices complete their SRA months after opening, which creates a gap period of unaddressed risk.

Your initial SRA should assess: every device that will store or access patient data, your network architecture, your practice management software and any cloud systems, physical security of your office, and all vendor relationships that will involve patient data.

Step 3: Get BAAs Signed Before Any Vendor Touches Patient Data

Every vendor who will access patient data needs a signed Business Associate Agreement before your relationship begins. For a new practice, this means getting BAAs from your vendors before go-live — not after.

The vendors that new dental practices most commonly miss:

  • Practice management software: Dentrix, Eaglesoft, Curve, Open Dental, etc. — all require BAAs. Most have standard BAAs available from their compliance department.
  • IT company or managed services provider: If anyone other than you manages or has access to your computer systems, they need a BAA.
  • Dental billing service or clearinghouse: Even if you handle billing in-house, the clearinghouse that transmits your claims requires a BAA.
  • Cloud storage and email: If you use Google Workspace, Microsoft 365, or Dropbox for anything involving patient data, you need a BAA with these providers. Google and Microsoft offer BAAs — you must actively request and sign them.
  • Patient communication platforms: Recall systems, appointment reminders, patient portals — all require BAAs.
  • Dental labs receiving digital impressions: If the digital impression file includes patient identifying information, the lab is a Business Associate.

Step 4: Develop and Post Your Notice of Privacy Practices

Every dental practice must have a written Notice of Privacy Practices (NPP) that explains to patients how you use and protect their health information. The NPP must be:

  • Posted prominently in your reception area
  • Available on your website if you have one
  • Given to new patients at first service
  • Acknowledged in writing by each new patient (retain the signed acknowledgment)
  • Updated whenever your privacy practices change materially

Step 5: Implement Technical Safeguards Before Seeing Patients

The 2026 HIPAA Security Rule specifies technical safeguards that are now required — not optional. For a new practice, these must be implemented as part of your setup, not retrofitted after opening:

  • Multi-factor authentication (MFA): Required on all systems that access ePHI — your practice management software, email, cloud storage, and any remote access. Enable MFA during system setup, not as an afterthought.
  • Encryption: All ePHI must be encrypted at rest and in transit. Most modern practice management software handles this, but verify explicitly with your vendor.
  • Unique user accounts: Every staff member needs their own login credentials. Shared passwords are a direct HIPAA violation.
  • Automatic logoff: Workstations must be configured to lock automatically after a period of inactivity. 15 minutes or less is the standard recommendation.
  • Backup and recovery: Documented backup procedures with regular testing. A backup that's never been tested is not a compliant safeguard.
  • Audit logs: Your practice management software must log who accessed which patient records and when. Verify this feature is enabled and that logs are retained.
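The safeguards above are verified per workstation, not just per vendor. The following read-only check is an added example for this guide, not code from the page or from any vendor named here; it assumes a Windows 10/11 workstation with the BitLocker PowerShell module, run from an elevated session, and uses the standard "Interactive logon: Machine inactivity limit" policy value (InactivityTimeoutSecs) for the 15-minute lock requirement.

```powershell
# Added example: read-only audit of three Step 5 safeguards on one Windows workstation.
# Assumes Windows 10/11, the BitLocker module, and an Administrator session.
$findings = @()

# 1. Automatic logoff/lock: policy value is in seconds; the checklist standard is 15 minutes (900 s).
$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$timeout = (Get-ItemProperty -Path $policyPath -Name 'InactivityTimeoutSecs' `
            -ErrorAction SilentlyContinue).InactivityTimeoutSecs
if ($null -eq $timeout -or $timeout -eq 0) {
    $findings += 'Inactivity lock is not enforced by policy (InactivityTimeoutSecs missing or 0).'
} elseif ($timeout -gt 900) {
    $findings += "Inactivity lock is $timeout seconds; the checklist standard is 900 seconds or less."
}

# 2. Encryption at rest: the system volume should be fully encrypted with protection turned on.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($null -eq $os) {
    $findings += 'BitLocker status could not be read (module missing or not an elevated session).'
} elseif ($os.ProtectionStatus -ne 'On' -or $os.VolumeStatus -ne 'FullyEncrypted') {
    $findings += "System drive is not fully encrypted with protection on " +
                 "(VolumeStatus=$($os.VolumeStatus), ProtectionStatus=$($os.ProtectionStatus))."
}

# 3. Audit logs: the workstation should record successful logons (the local counterpart to the
#    practice management software's record-access log).
$auditText = (auditpol /get /subcategory:"Logon" 2>$null) -join "`n"
if ($auditText -notmatch 'Logon\s+Success') {
    $findings += 'Logon auditing is not recording successful logons (auditpol /get /subcategory:"Logon").'
}

if ($findings.Count -eq 0) {
    Write-Output 'PASS: inactivity lock, disk encryption and logon auditing checks all passed.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it on each workstation that touches ePHI and keep the output with your SRA documentation, since a written record of the check is what an auditor asks for.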

Step 6: Train All Staff Before Day One

Every employee must complete HIPAA training before they have access to patient data. For a new practice, this means training all founding staff members during setup — before you begin scheduling patients.

Document every training session: who was trained, what was covered, and when. This documentation must be retained for six years.

Step 7: Establish Your Breach Response Plan

Before you see a single patient, you should have a documented plan for what happens if patient data is exposed, lost, or accessed without authorization. Your breach response plan should address:

  • How employees report a suspected breach internally (and to whom)
  • The four-factor breach risk assessment process OCR requires before determining if notification is necessary
  • Notification timelines: affected individuals within 60 days, OCR within 60 days, and media outlets if 500+ patients in a state are affected
  • How you will document breach investigations


Frequently Asked Questions

When does a new dental practice become subject to HIPAA?

The moment you create, receive, maintain, or transmit any protected health information — which in practice means when you begin scheduling patients or collecting intake forms, before you've seen anyone clinically. HIPAA obligations attach to the activity, not to how long you've been in business.

Do I need a HIPAA compliance platform, or can I do this myself?

Small, straightforward practices can meet HIPAA requirements using HHS's free tools plus careful documentation. However, the 2026 Security Rule additions (MFA documentation, penetration testing, vulnerability scans, expanded SRA requirements) have made self-managed compliance significantly more complex. Most new practice owners benefit from a compliance platform for at least the first year — the cost is typically less than one attorney consultation if something goes wrong.

What is the biggest HIPAA mistake new dental practices make?

The single most common mistake is using vendor software without executing a Business Associate Agreement first. It feels like a paperwork formality, but it's a federal legal requirement — and it's the #1 finding in OCR audits. Get BAAs signed before any vendor touches patient data.

How much does HIPAA compliance cost for a new practice?

Using free HHS tools plus careful documentation: primarily staff time, roughly 40–80 hours to set up properly. A compliance platform like Compliancy Group: $3,600–$4,800 annually for a small practice. The cost of a HIPAA violation in your first year: $10,000–$250,000 plus attorney fees. From a risk management perspective, investing in compliance infrastructure upfront is straightforward math.

Does HIPAA apply to solo practitioners who handle their own records?

Yes. HIPAA applies to all dental practices that transmit health information electronically in connection with standard transactions — which includes virtually all practices that bill insurance electronically. Practice size provides no exemption from HIPAA requirements, though it may affect the resources available for compliance.


Build HIPAA Compliance Into Your Practice from Day One

Compliancy Group guides new dental practices through every compliance requirement — SRA, BAAs, training, policies — with a dedicated Compliance Coach. ADA's official HIPAA partner.
