
Ekim IT Solutions


HIPAA Compliance Checklist for a New Dental Practice

[Illustration: a new dental office building connected to a HIPAA compliance checklist, representing the steps every new dental practice needs before opening day]

HIPAA applies from the moment your practice sees its first patient. There is no grace period for new practices, no ramp-up period, and no leniency for practices that are still getting organized.

The compliance requirements are the same on day one as they are at year ten. Here is the complete HIPAA compliance checklist every new dental practice needs to work through before opening.

OCR Enforcement Reality

OCR has investigated and fined dental practices open for less than one year. The most common finding in new practices is not a data breach. It is missing documentation that should have been in place before the first patient was seen.

A Security Risk Assessment, written HIPAA policies, and signed Business Associate Agreements are not optional. They are required before you open.


Your HIPAA Pre-Opening Checklist

Check each item your practice has completed. Every unchecked item is a compliance gap that needs to be closed before you see your first patient.

The checklist covers 21 items across four categories:

Administrative Safeguards (6 items)
Business Associate Agreements (7 items)
Technical Safeguards (7 items)
Physical Safeguards (4 items)

What to Retain and for How Long

HIPAA requires that all security documentation be retained for six years from the date of creation or last effective date. Patient clinical records are governed separately by your state dental board.

Security documentation: 6 years
Security Risk Assessment, written HIPAA policies, staff training records, and Business Associate Agreements. Retained from the date of creation or last effective date.

Patient clinical records: 7 to 10 years
Governed by your state dental board, which typically requires seven to ten years. Confirm the specific requirement for your state before opening.

Frequently Asked Questions

From the first day you see a patient. There is no startup exemption or grace period. Your Security Risk Assessment, written policies, BAAs, and staff training must be complete before your first appointment.

The administrative side, including policies, training, and documentation, can be handled with time and the right guidance at low cost. The technical safeguards, including encryption, backup, and audit logging, are typically bundled into a managed IT agreement. Most new dental practices find that their managed IT provider handles the technical compliance layer as part of the standard service.

Not necessarily. A dental-specific IT provider handles the technical safeguards and can guide you through the documentation requirements. For larger or more complex practices, a dedicated HIPAA consultant adds value. For a solo startup, a dental IT provider with strong HIPAA expertise is typically sufficient for the technical and documentation components.

A Security Risk Assessment is a documented review of every threat to patient data in your practice environment. It covers physical risks such as theft and unauthorized access, technical risks such as malware and unencrypted devices, and administrative risks such as missing policies or untrained staff. Your IT provider should complete and document the technical portions; you complete the administrative and physical portions with their guidance. The assessment must be updated annually.
Opening a new dental practice and need to make sure your HIPAA compliance is in place before your first patient walks in?

Ekim IT Solutions works exclusively with dental practices. We serve New England and New York with on-site support and startup practices nationwide with remote support. We handle the technical safeguards, BAA documentation, and Security Risk Analysis support your new practice needs to be HIPAA compliant from day one, not day ninety.

HIPAA applies on day one with no grace period. Make sure your checklist is complete before you open the doors.