HIPAA Compliance Checklist for Your Dental Software Stack
A practical checklist for ensuring every piece of software in your dental practice meets HIPAA requirements — from your PMS to patient communication tools.
By DentistPMS Editors
HIPAA compliance isn't optional, and it doesn't stop at your practice management software. Every tool that touches patient data — your PMS, imaging software, communication platform, payment processor, and cloud backups — needs to meet the standard. Here's a practical checklist dental practices can use to audit their software stack.
The Basics: What HIPAA Requires of Software
HIPAA's Security Rule requires three categories of safeguards for electronic protected health information (ePHI):
- Administrative — policies, training, risk assessments
- Physical — facility access controls, workstation security
- Technical — access controls, encryption, audit logs, transmission security
Your software vendors are "business associates" under HIPAA. You need a signed Business Associate Agreement (BAA) with every vendor that stores, processes, or transmits ePHI.
The Checklist
Practice Management Software
- BAA signed with vendor
- Role-based access controls configured (not everyone needs access to everything)
- Audit logging enabled — who accessed what, when
- Database encrypted at rest
- Automatic session timeout configured
- Regular backups with encryption, stored offsite
- Password complexity requirements enforced
Open Dental, for example, supports role-based security groups, audit trails, and database encryption. But these features need to be actively configured — they're not all on by default.
Patient Communication Tools
- BAA signed (this catches many practices — popular texting and email tools often don't sign BAAs)
- Messages encrypted in transit (TLS minimum)
- Patient data not stored on personal devices
- Opt-out mechanisms in place for marketing communications
Imaging and Clinical Software
- BAA signed
- Images stored with access controls matching your PMS permissions
- DICOM files encrypted if transmitted between locations
Cloud and Backup Services
- BAA signed (AWS, Google Cloud, and Azure all offer BAAs; many smaller providers do not)
- Encryption at rest and in transit
- Backup restoration tested at least annually
Payment Processing
- BAA signed
- PCI DSS compliant (separate from HIPAA, but equally important)
- Payment data not stored in your PMS database
Common Gaps
The most frequent compliance gaps we see in dental practices:
- No BAA with communication tools — switching to a HIPAA-compliant patient messaging platform is often the easiest fix
- Shared login credentials — every user needs their own account for audit trail integrity
- Unencrypted backups — your backup is only as secure as its weakest link
- No regular risk assessment — HIPAA requires periodic risk assessments, not just a one-time setup
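Two of the gaps above, shared login credentials and a missing session timeout, leave visible traces in the audit log your PMS is supposed to be keeping. The following Python script is an added example, not code from this article, from Open Dental, or from any PMS vendor; it shows how a practice (or its compliance consultant) can check those two items from the log instead of taking them on trust. The log format (timestamp, user, workstation, event), the user and workstation names, and the 15-minute idle timeout are constructed assumptions; adapt the parser to whatever export your PMS actually produces.

```python
"""Review a PMS audit log for two HIPAA checklist gaps:
  1. shared credentials: one account logged in on two workstations at the same time
  2. no idle timeout: activity resumes after a long silence without a fresh login

Constructed example for illustration; the log format is hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: "ISO-timestamp user workstation event" per line.
# 'frontdesk' is in use on WS-01 and WS-03 at once (shared password),
# and 'drsmith' resumes work after a 2h43m gap with no re-login (no idle timeout).
SAMPLE_LOG = """\
2024-03-04T08:00:00 frontdesk WS-01 login
2024-03-04T08:05:00 frontdesk WS-01 view_patient
2024-03-04T08:10:00 frontdesk WS-03 login
2024-03-04T08:12:00 frontdesk WS-03 view_patient
2024-03-04T08:30:00 frontdesk WS-01 logout
2024-03-04T09:00:00 drsmith WS-02 login
2024-03-04T09:02:00 drsmith WS-02 view_chart
2024-03-04T11:45:00 drsmith WS-02 edit_chart
2024-03-04T12:00:00 drsmith WS-02 logout
2024-03-04T12:30:00 frontdesk WS-03 logout
"""


def parse_log(text):
    """Return a time-ordered list of (timestamp, user, workstation, event)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, event = line.split()
        events.append((datetime.fromisoformat(ts), user, ws, event))
    return sorted(events, key=lambda e: e[0])


def build_sessions(events):
    """Group events into sessions keyed by (user, workstation), login through logout.
    Each session records its start, end (None if never logged out) and every event."""
    open_sessions, sessions = {}, []
    for ts, user, ws, event in events:
        key = (user, ws)
        if event == "login":
            open_sessions[key] = {"user": user, "ws": ws, "start": ts,
                                  "end": None, "events": [(ts, event)]}
        elif key in open_sessions:
            session = open_sessions[key]
            session["events"].append((ts, event))
            if event == "logout":
                session["end"] = ts
                sessions.append(open_sessions.pop(key))
    sessions.extend(open_sessions.values())  # still open at end of log
    return sessions


def find_shared_credentials(sessions):
    """Flag an account whose sessions on two different workstations overlap in time.
    Returns a list of (user, workstation_a, workstation_b)."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append(s)
    findings = []
    for user, user_sessions in by_user.items():
        for i, a in enumerate(user_sessions):
            for b in user_sessions[i + 1:]:
                if a["ws"] == b["ws"]:
                    continue
                a_end = a["end"] or datetime.max
                b_end = b["end"] or datetime.max
                if a["start"] < b_end and b["start"] < a_end:  # intervals overlap
                    findings.append((user, a["ws"], b["ws"]))
    return findings


def find_idle_timeout_gaps(sessions, timeout=timedelta(minutes=15)):
    """Flag activity that follows a silence longer than the configured timeout with no
    re-login. A logout after a long gap is fine (that is the timeout firing); any other
    event means the session was never cut. Returns (user, workstation, gap) tuples."""
    findings = []
    for s in sessions:
        evs = s["events"]
        for (prev_ts, _), (cur_ts, cur_event) in zip(evs, evs[1:]):
            if cur_event != "logout" and cur_ts - prev_ts > timeout:
                findings.append((s["user"], s["ws"], cur_ts - prev_ts))
    return findings


def review(log_text, timeout=timedelta(minutes=15)):
    """Run both checks over a raw log and return the findings by checklist item."""
    sessions = build_sessions(parse_log(log_text))
    return {"shared_credentials": find_shared_credentials(sessions),
            "idle_timeout_not_enforced": find_idle_timeout_gaps(sessions, timeout)}


if __name__ == "__main__":
    for item, findings in review(SAMPLE_LOG).items():
        print(item, findings or "no findings")
```

Both checks are only as good as the log behind them: if the PMS does not record a workstation identifier, or if several people share one account, the log cannot distinguish users at all, which is exactly why the checklist asks for per-user accounts and audit logging together.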
Keeping Compliant as You Grow
As your practice adds locations or providers, compliance complexity increases. Each new tool in your stack is another BAA to manage and another access control surface to audit.
Practices using Open Dental with integrated tools like Dental Canvas benefit from a reduced vendor surface — fewer separate systems mean fewer BAAs to track and fewer potential points of exposure. When evaluating any new tool, "Do they sign a BAA?" should be your first question, not an afterthought.
This Is Not Legal Advice
This checklist is a practical starting point, not a substitute for professional compliance guidance. Consider engaging a HIPAA compliance consultant for a formal risk assessment, especially if you're a multi-location practice or DSO.