Protect Patient Data from Day One in a New Dental Practice

Every device that stores or accesses patient data must be encrypted before it is used for any patient-related work. A stolen laptop without encryption is a HIPAA breach. A stolen laptop with encryption is an inconvenience.

• Enable BitLocker on every Windows workstation and server before entering any patient data
• Confirm that your cloud platform encrypts data at rest and in transit before going live
• Encrypt every backup drive and confirm that cloud backups use AES-256 encryption
• Includes your server, every workstation, every laptop used for remote access, and every external drive used for backup

Shared login credentials are one of the most common HIPAA violations in dental practices. HIPAA requires that access to patient data be attributable to specific individuals. If three staff members share one login, there is no way to determine who accessed a record, when, or why.

• Every staff member needs a unique username and password configured before their first day
• Front desk staff do not need access to clinical notes. Clinical staff do not need access to billing administration
• Access should be limited to the systems and records each person needs for their specific role
• Your IT provider configures role-based access controls as part of setup

Every vendor that touches patient data must sign a BAA before your practice uses their service. Do not assume a vendor is HIPAA compliant because they serve dental practices. Confirm the BAA exists, is signed, and is retained in your compliance files.

• IT managed services provider — they access your systems and patient data as part of standard service
• Practice management software vendor — they store or process patient records in their platform
• Cloud backup provider — they store copies of your patient database
• Patient communication platform — appointment reminders and patient contact data
• Billing or insurance processing service
• Email provider if patient information is ever transmitted by email

MFA is the single most effective control for preventing unauthorized access through stolen or phished credentials. Configuring it after the fact — when credentials have already been in use for months — creates a window of exposure that never needed to exist.

• Enable MFA on every email account before entering any patient data
• Enable MFA on every remote access account before connecting remotely to practice systems
• Enable MFA on every cloud-based system your practice uses before going live
• Enforced at the organizational level — not optional per user

A Security Risk Assessment is a documented review of every threat to patient data in your specific practice environment. HIPAA requires it, and it must be completed before you are actively seeing patients — not scheduled for later in the year.

• Your IT provider completes the technical portions: device encryption status, network configuration, backup status, and access controls
• You complete the administrative and physical portions: staff access policies, physical security of equipment, and breach response procedures
• The completed SRA must be documented and retained — the document itself is what OCR reviews
• The assessment must be updated annually or whenever your environment changes significantly