
How to Document HIPAA Compliance in a Dental Practice


HIPAA compliance is not just about what your practice does. It is about what you can prove. A dental office with strong security but no documentation has no defense during an audit.

Here is what documentation your practice needs and how to keep it organized.

Six-year retention requirement

OCR requires covered entities to retain HIPAA documentation for six years from creation or last effective date.

Practices that cannot produce documentation within a short timeframe during an audit are treated as non-compliant, regardless of their actual security posture.

Why Documentation Matters More Than You Think

An OCR auditor does not have time to observe how your practice operates day to day. They review what is written down. A missing signed Business Associate Agreement, an outdated risk assessment, or absent staff training records can each result in a finding even if your systems are technically secure.

How OCR audits work in practice

OCR sends a document request with a short deadline, typically 10 business days. Every item they ask for must be located, retrieved, and submitted. A practice that keeps documentation organized can respond completely. A practice that does not has no way to demonstrate compliance, regardless of how well its IT environment is configured.

Documentation is your paper trail. It is the only thing standing between your practice and a fine.


The Four Core Documents Every Dental Practice Needs

Start with these four before anything else. Check each one your practice currently has completed, signed, and on file.

If all four core documents are in place: your practice has the foundational HIPAA documentation. Confirm that each is current. The Security Risk Assessment should be no more than 12 months old, BAAs should be reviewed when vendors change their services, and training records should cover every current staff member.

If documentation gaps are present: the unchecked documents are what OCR requests first. A missing Security Risk Assessment or unsigned BAA found during any investigation adds violations on top of whatever triggered the audit. The Security Risk Assessment is the highest priority, so start there.

If most core HIPAA documentation is missing: without these foundational documents, any OCR contact results in non-compliance findings. These items cannot be backdated, but starting now limits future exposure. The documentation requirements are the same regardless of practice size: every dental practice needs all four.


What Your IT Provider Should Be Documenting

The technical side of HIPAA compliance generates its own documentation. Check each record your IT provider currently produces and retains on your behalf.

If all five IT documentation categories are in place: your IT provider is producing the technical documentation HIPAA requires. Confirm that these records are stored in a location your practice can access independently, not only on your IT provider's systems. If your IT provider changes, you need to retain those records yourself.

If IT documentation gaps are present: the unchecked records are what an auditor requests when reviewing technical safeguards. If your IT provider cannot produce any of these on request, that is a documentation gap an auditor will find. Ask your IT provider directly which of these they generate and where they are stored.

If most IT documentation is not being produced: an IT provider that cannot produce technical safeguard documentation leaves your practice unable to satisfy the technical requirements during an OCR audit, regardless of how well your own compliance program is organized. This is a direct IT provider accountability issue.


How to Organize HIPAA Documentation

1. Keep all HIPAA documentation in a single secure location

A shared drive with access limited to the practice owner and office manager works well. A physical binder kept in a locked cabinet is acceptable but harder to update and search. Whatever the format, everything OCR could ask for should be in one place, not spread across email threads and desktop folders.

2. Date every document and retain old versions

When you update a policy, keep the old version with its original date. OCR wants to see the history of your compliance program, not just the current state. An auditor reviewing a breach may ask which policy was in effect at the time of the incident, not what the policy says today.

3. Store IT documentation where the practice can access it independently

Encryption configurations, access logs, and backup verification records produced by your IT provider should be stored in your compliance folder, not only on your IT provider's systems. If your IT relationship ends and an audit follows, you need to be able to produce those records yourself.

4. Review and update annually, not only after an incident

HIPAA documentation is not a one-time project. Security Risk Assessments must be conducted annually. BAAs must be reviewed when vendor services change. Training records must be updated when staff members are added or their roles change. Build an annual review into the practice calendar.

Frequently Asked Questions

Your Security Risk Assessment should be updated annually and whenever significant changes occur to your systems, staff, or vendors. Policies and procedures should be reviewed at least once per year. Training records should be updated each time staff complete a training session.

Every dental practice is required to designate a HIPAA Privacy Officer and a HIPAA Security Officer. In smaller practices, these roles are often filled by the same person. That individual is responsible for maintaining and updating compliance documentation.

No. Software vendors may sign a Business Associate Agreement and provide documentation of their own compliance, but the documentation of your practice's internal policies, risk assessments, and training records is entirely your responsibility.

Incomplete documentation is treated as a compliance failure. OCR may issue a corrective action plan, impose fines, or both. The severity depends on how many gaps exist and whether the practice can demonstrate any good-faith compliance effort.

Your practice might be doing everything right. Can you prove it if OCR asks?

Ekim IT Solutions works exclusively with dental practices. We serve New England and New York with on-site support and dental practices nationwide with remote support. We provide the signed BAAs, SRA support, and technical documentation your compliance requires.

Good security with no paper trail is not compliance. Find out what your practice is still missing.