...

Ekim IT Solutions

Schedule a Fit Call
Blog / How DSOs Handle IT Onboarding and Offboarding for Staff
All Dental

How DSOs Handle IT Onboarding and Offboarding for Staff

Guide to managing IT onboarding and offboarding for staff across multiple DSO dental locations

At a single dental practice, onboarding a new employee means setting up one workstation and one software account. At a DSO, a new hire might need access to a shared database, a patient communication platform, a billing system, and a reporting tool. All of it configured consistently with every other employee at that location and across the organization.

Getting this wrong is not just an inconvenience. It is a HIPAA risk.

Leading Source of HIPAA Violations

Unauthorized access to patient records is one of the most common sources of HIPAA violations in dental practices.

Most cases are not the result of malicious intent. They are the result of access that was never properly configured on the way in or never properly removed on the way out. At DSO scale, without a documented process, this gap multiplies with every hire and every departure.

Why IT Onboarding and Offboarding Matter More at DSO Scale

Single Practice: 5 Employees

Access can be managed informally

A small team at one location can track who has access to what without a formal process. An owner or office manager knows every employee and which systems they use. Offboarding one person is a manageable task even without documentation.

DSO: 50+ Employees, 6 Locations

Informal access management creates compounding risk

Without a documented process, access permissions accumulate inconsistently. Former employees retain access longer than they should. New employees get access to systems they do not need for their role. Each unresolved gap is a HIPAA exposure that multiplies across every location.

HIPAA Minimum Necessary Requirement

HIPAA requires that access to protected health information be limited to the minimum necessary for each employee’s role. At DSO scale, enforcing that requirement without a structured IT onboarding and offboarding process is nearly impossible. The requirement applies per employee, per system, at every location.

Need centralized staff onboarding and offboarding across every DSO location? Find out in 15 minutes if we are the right fit.
Schedule a Discovery Call →

What IT Onboarding Should Cover at a DSO

A complete IT onboarding checklist for a DSO employee includes:

1
Account Creation

User accounts in the practice management platform, email, patient communication tools, and billing or reporting systems the role requires

Configured with role-appropriate permissions from day one. The default should not be full access with restrictions added later. Permission levels should be defined by role template so that every employee in the same role at every location gets the same access configuration. New accounts should require a password change at first login and MFA enrollment before production access is granted.

2
Device Setup

Workstation configured to the DSO’s standard, with required software installed, encryption enabled, and MFA active before the employee logs in for the first time

A workstation handed to a new employee before it meets the DSO’s configuration standard creates both a security gap and a support problem. Encryption must be enabled before the device is used. The practice management software, imaging tools, and any role-specific software must be installed and tested. This setup should follow a documented checklist, not be performed from memory by whoever is available.

3
Access Documentation

A record of which systems the employee has access to and at what permission level, retained for HIPAA audit purposes

HIPAA requires documentation of who has access to what. This record must be created at onboarding, updated when roles change, and used at offboarding to confirm that every access point has been closed. Without this documentation, offboarding is guesswork and an audit finding is a near certainty if OCR ever reviews access control practices.

What IT Offboarding Should Cover at a DSO

Offboarding is where most DSOs have gaps. The urgency of onboarding a replacement often overshadows the need to properly close out the departing employee’s access. Check each step your current offboarding process completes on the day of departure.

Each unchecked item represents an open access point that should not still be active after an employee leaves.

Offboarding steps completed on departure day 0 / 5

All five offboarding steps are completed on the day of departure.

Your offboarding process closes every access point before a former employee leaves the building. The next priority is confirming that the access documentation created during onboarding is being used as the checklist at offboarding so no system is missed because it was not on the list.

Offboarding gaps present.

Each unchecked step is an access point that stays open after an employee leaves. Even one gap means former employees retain access to systems containing patient data. The unchecked items are worth prioritizing: the risk from incomplete offboarding grows with each location and each employee departure.

Most offboarding steps are not completed on the day of departure.

Most access removal steps are not happening on departure day. This means former employees are retaining access to systems containing patient data for days or weeks after they leave. This is the most common HIPAA access control gap in dental organizations, and at DSO scale it compounds with every departure across every location.

Talk to Ekim about DSO onboarding and offboarding →

How Centralized Identity Management Helps

DSOs that use a centralized identity management platform like Microsoft 365 or Google Workspace can onboard and offboard employees across all locations from a single administrative console. One action disables the account everywhere simultaneously rather than requiring manual revocation in each system at each location. When an employee is added, their access is provisioned from a role template that applies consistent permissions across every tool the role requires.
The Standard Your IT Provider Should Meet

Your IT provider should be managing this centralized identity layer as part of their service. If onboarding and offboarding requires manual action in five separate systems at each location, that is a process gap that will eventually create a compliance problem. At DSO scale, the only sustainable approach is centralized identity management with role-based access templates and single-action account provisioning and revocation.

Frequently Asked Questions

On the day of departure, before the employee leaves the building. Access left active after an employee departs is a HIPAA liability regardless of whether it is ever misused. The risk is the exposure, not the intent.
Yes. HIPAA requires that access to protected health information be managed through formal authorization and that changes to access be documented. A DSO that cannot produce records of who had access to patient data and when that access was granted or revoked has a documentation gap that an auditor will find.
Unauthorized access to patient records by a former employee is a HIPAA breach. The practice is required to investigate, assess the scope of the exposure, and report to affected patients and OCR if the breach meets the notification threshold. Proper offboarding prevents this entirely.
Yes, and it should. A standardized onboarding and offboarding process that applies consistently across all locations is both more efficient and more compliant than location-specific variations. Your IT provider should maintain and execute that process as part of their standard service.
Does your DSO have a consistent IT onboarding and offboarding process across every location or is each office figuring it out on their own?

Ekim IT Solutions works exclusively with dental practices. We serve New England and New York with on-site support and dental practices nationwide with remote support. We build and manage standardized onboarding and offboarding workflows for DSOs so every new hire gets the right access and every departure gets fully revoked across every system.

An ex-employee with active system access is a HIPAA violation waiting to happen. Find out if your offboarding actually closes every door.
Standardize your DSO onboarding →

Related Posts

Dental cybersecurity in 2026 - what every practice needs to protect patient data and stay HIPAA compliant
All Dental

Dental Cybersecurity in 2026: What Every Practice Needs

Illustration showing a dental office building connecting to a checklist and IT icon representing common IT mistakes that cost new dental practices time and money
All Dental

Common IT Mistakes New Dental Practices Make

Dentrix Enterprise system requirements for 2026 covering server and workstation specifications for DSOs and multi-location dental groups.
All Dental

Dentrix Enterprise System Requirements in 2026