
Is Your Dental Practice Ready for a HIPAA Audit? A Self-Assessment Checklist


OCR's enforcement activity has increased significantly. Right of Access enforcement alone has generated over 40 actions since 2019, including penalties against solo dental practices. The question isn't whether audits happen. It's whether you're ready when they do.

This self-assessment covers the areas OCR examines most frequently. Score yourself honestly.

Risk Assessment (Most Common Deficiency)

  • Have you conducted a HIPAA Security Risk Assessment? (Required by the Security Rule, which sets no fixed interval but expects it to be kept current; reviewing it annually and after any major change is the accepted cadence)
  • Does it identify threats and vulnerabilities to ePHI?
  • Does it assess current security measures?
  • Does it determine the likelihood and impact of potential threats?
  • Is it documented and dated?
  • Have you addressed the identified risks?

If you answered "no" to any of these: This is priority one. A missing or incomplete risk analysis is the deficiency OCR cites most often, and HHS offers a free Security Risk Assessment (SRA) Tool at healthit.gov.

Access Controls

  • Does every user have a unique login (no shared accounts)?
  • Is MFA enabled on systems containing ePHI, including remote access and email?
  • Are user permissions role-based (front desk vs. clinical vs. billing)?
  • Are accounts disabled within 24 hours when employees leave, on every system they could reach (PMS, email, remote access, cloud services), not just the PMS login?
  • Do workstations auto-lock after 5 minutes of inactivity?

Business Associate Agreements

  • Do you have signed BAAs with every vendor that accesses PHI?
  • This includes your IT provider, cloud services (hosted PMS, backup, email), billing company, shredding service, answering service and patient communication platform.
  • Are BAAs current (reviewed within the last year)?

Backup and Recovery

  • Is your patient data (practice management system database and imaging) backed up?
  • Is at least one backup copy offsite or in the cloud, and isolated from the office network so ransomware on your systems cannot reach it?
  • Have you tested a restore in the last 90 days, and documented the result?
  • Is the backup encrypted, with the key stored somewhere other than alongside the backup?
  • Can you recover from a total system loss, and how long would it take?
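Of the backup items above, the restore test is the one auditors most often ask to see evidence of and the one practices most often cannot produce. The following is an added example, not code from the original post, of a scripted restore test. It assumes the practice management database is a SQLite file (a stand-in for whatever the real PMS uses) and that each backup is written with a JSON manifest beside it; the patient records are constructed sample data. It restores the backup into a scratch directory, checks the file hash, SQLite's integrity check and per-table row counts against the manifest, and flags a backup that is sitting unencrypted on disk by its plaintext file header.

```python
"""Scripted restore test for a practice management system (PMS) backup.
Added example, not part of the original post. Assumes a SQLite PMS database
(stand-in for the real PMS) and a side-car JSON manifest per backup.
All records below are constructed sample data, not real PHI."""
import hashlib
import json
import os
import shutil
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"   # header of an unencrypted SQLite file

def make_sample_db(path):
    """Create a small constructed PMS database (fake patients, not real PHI)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, dob TEXT)")
    con.executemany("INSERT INTO patients (name, dob) VALUES (?, ?)",
                    [("Sample Patient A", "1980-01-01"), ("Sample Patient B", "1975-06-15"),
                     ("Sample Patient C", "1992-11-30")])
    con.commit()
    con.close()

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def _open_readonly(path):
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def row_counts(path):
    """Rows per user table; the baseline the restored copy is compared against."""
    con = _open_readonly(path)
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    counts = {t: con.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0] for t in tables}
    con.close()
    return counts

def write_backup(src_db, backup_path):
    """Consistent online copy via SQLite's backup API, plus a manifest
    (timestamp, SHA-256, row counts) that the restore test checks against."""
    src, dst = sqlite3.connect(src_db), sqlite3.connect(backup_path)
    src.backup(dst)
    dst.close()
    src.close()
    manifest = {"created": datetime.now(timezone.utc).isoformat(),
                "sha256": sha256_file(backup_path), "row_counts": row_counts(backup_path)}
    with open(backup_path + ".manifest.json", "w") as f:
        json.dump(manifest, f)
    return manifest

def looks_unencrypted(path):
    """True if the backup at rest starts with the plaintext SQLite header,
    i.e. whatever was supposed to encrypt it did not."""
    with open(path, "rb") as f:
        return f.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC

def restore_test(backup_path):
    """Restore into a scratch directory and verify against the manifest.
    Returns (passed, findings); file the dated findings as the audit evidence."""
    with open(backup_path + ".manifest.json") as f:
        manifest = json.load(f)
    findings, work = {}, tempfile.mkdtemp(prefix="restore-test-")
    try:
        restored = os.path.join(work, "restored.db")
        shutil.copyfile(backup_path, restored)
        findings["hash_matches_manifest"] = sha256_file(restored) == manifest["sha256"]
        try:
            con = _open_readonly(restored)
            findings["integrity_check_ok"] = con.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
            findings["row_counts_match"] = row_counts(restored) == manifest["row_counts"]
            con.close()
        except sqlite3.DatabaseError:       # unreadable file: the restore fails
            findings["integrity_check_ok"] = findings["row_counts_match"] = False
    finally:
        shutil.rmtree(work, ignore_errors=True)
    return all(findings.values()), findings

def run_demo():
    """A good backup passes; a backup that silently lost a row after the
    manifest was written fails on both hash and row count."""
    d = tempfile.mkdtemp(prefix="pms-demo-")
    src, bak = os.path.join(d, "pms.db"), os.path.join(d, "pms-backup.db")
    make_sample_db(src)
    manifest = write_backup(src, bak)
    good, plaintext = restore_test(bak), looks_unencrypted(bak)
    con = sqlite3.connect(bak)              # simulate silent data loss in the copy
    con.execute("DELETE FROM patients WHERE id = 3")
    con.commit()
    con.close()
    bad = restore_test(bak)
    shutil.rmtree(d, ignore_errors=True)
    return {"manifest_counts": manifest["row_counts"], "good": good,
            "plaintext_at_rest": plaintext, "bad": bad}
```

Run it on a schedule and keep the dated findings; a passed restore with a date on it is exactly what "have you tested a restore in the last 90 days" asks for. In the demo the backup is written unencrypted, so `looks_unencrypted` returns True, which is the finding you want surfaced before an auditor does. For a real PMS on another database engine, swap the SQLite pieces for the vendor's restore command; the manifest-and-compare pattern stays the same.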

Breach Notification

  • Do you have a written breach notification policy?
  • Do you know the deadline for notifying affected individuals: without unreasonable delay and no later than 60 calendar days after discovery (the clock starts when any workforce member knows, or reasonably should have known, of the breach)?
  • Do you know how to report to HHS through the breach portal, and on what timeline (within 60 days of discovery for breaches affecting 500 or more individuals; smaller breaches can be logged and reported within 60 days after the end of the calendar year)? Breaches affecting more than 500 residents of a state or jurisdiction also require media notice.
  • Do you have notification letter templates ready?

Training

  • Have all staff received HIPAA training?
  • Is training conducted annually?
  • Is training attendance documented?
  • Does training cover current threats (phishing, ransomware, social engineering)?

Physical Security

  • Is the server room/closet locked?
  • Are screens positioned so patients can't view PHI?
  • Are paper records secured when not in use?
  • Is backup media stored securely?

Scoring

Count your "no" answers:

  • 0-3: You're in good shape. Address the gaps and maintain your program.
  • 4-8: Significant gaps. Prioritize risk assessment, BAAs, and access controls.
  • 9+: You're at serious risk of an enforcement action. Get help immediately.

Don't wait for OCR to find your gaps. Find them yourself and fix them first.