Your Dental Office IT Compliance Checklist (HIPAA + State Board + the Things They Don't Tell You)
Dental offices in California live at the intersection of HIPAA, the Dental Board, and a stack of practice-management software vendors. Here is the realistic IT compliance checklist for a 5- to 25-operatory practice — the things you have to do, the things you should do, and the gaps everyone misses.
Why Dental IT Is Its Own Animal
Dental offices are different from other small businesses for three reasons that matter for IT compliance.
First, every device in the operatory is also a clinical device. The imaging sensor, the mill, the intraoral scanner, the panoramic — these are not just computers, they are FDA-regulated equipment that talks to your network. Securing them looks different than securing a normal office laptop.
Second, your practice management system is the heart of the business. Dentrix, Eaglesoft, Open Dental, Curve — whichever you run, that database is patient health information, billing data, and treatment history all in one place. If it goes down, the practice does not run. If it gets ransomwared, you have a HIPAA breach the minute the encryption key is held for ransom.
Third, the regulatory stack is layered. HIPAA at the federal level. The California Dental Board on practice standards. CMIA (California Medical Information Act) for state-level patient privacy. The CCPA / CPRA for any non-patient consumer data. Cyber insurance carriers asking about MFA, EDR, and backup. PCI-DSS if you take card payments at the front desk. Each layer asks similar but not identical questions about your IT.
HIPAA — What You Actually Have to Do
HIPAA boils down to three rules: the Privacy Rule (who can see PHI and under what conditions), the Security Rule (the technical and administrative safeguards on electronic PHI), and the Breach Notification Rule (what you do when something goes wrong).
For IT, the Security Rule is where the work lives. It groups requirements into three categories.
Administrative safeguards. Written policies. A designated security officer. Workforce training. Sanctions for violations. A business associate agreement (BAA) with every vendor who can touch PHI — including your IT provider, your cloud backup vendor, and your practice management software vendor. If any of those do not have a signed BAA on file, that is a compliance gap.
Physical safeguards. Workstations are not visible from the waiting room. Screens lock. Servers are in a locked room or closet. Devices that leave the office (laptops, mobile phones) are encrypted.
Technical safeguards. Unique user IDs (no shared logins). Automatic logoff. Encryption of PHI in transit and at rest. Audit logs that show who accessed what record when. The audit log requirement is the one most small practices fail — they assume their PMS does it, and sometimes it does not at the level HIPAA expects.
California Dental Board and CMIA
On top of HIPAA, California adds two layers that often get overlooked.
The Dental Board does not run a separate IT inspection, but it does require that records be kept and producible on request. If your records are encrypted by ransomware and unrecoverable, you have a Dental Board problem in addition to a HIPAA problem. The Board also expects records to be retained for at least seven years from the date of service, longer for minors.
The California Medical Information Act (CMIA) is in some respects stricter than HIPAA. It applies to providers and to anyone handling medical information on their behalf. CMIA breach penalties can be assessed per patient and add up quickly even for small practices. The defense against CMIA penalties is the same as the defense against HIPAA penalties — encryption, access controls, audit logs, and a tested incident response — but the bar is unforgiving on documentation.
If your practice handles minors, custody-related releases, or anything mental-health adjacent, additional consent and disclosure rules apply. Talk to a dental compliance attorney about the specifics; the IT controls below cover the technical side.
The Practical Checklist (15 Items)
Here is the working checklist we use when we onboard a new dental practice in the Inland Empire. If you can answer yes to all 15, you are in good shape.
1. MFA on every account that touches PHI — practice management, email, billing, imaging cloud. No exceptions for the doctor or front desk.
2. Unique user accounts — no shared logins on the operatory PCs. Every clinical user has their own.
3. Automatic screen lock after 10 minutes (HIPAA accepts up to 15 but tighter is better).
4. Disk encryption (BitLocker on Windows, FileVault on Mac) on every device that touches PHI, including operatory PCs and laptops.
5. EDR on every device — Defender for Business, SentinelOne, CrowdStrike, equivalent. Not just legacy antivirus.
6. Patch management with monthly verification. Operatory PCs get patched too — yes, even the one running the imaging software.
7. Backups of the practice management database to two locations — local appliance plus offsite cloud. Test a restore quarterly.
8. Backups of Microsoft 365 mailboxes and OneDrive to a third-party backup product. Microsoft does not back up your tenant for ransomware recovery purposes.
9. Signed BAAs on file with IT provider, PMS vendor, cloud backup, email provider, and any imaging cloud.
10. Written incident response plan specific to your practice, including who calls the cyber insurance carrier and the dental compliance attorney.
11. HIPAA training documented annually for every staff member, including doctors. Records of completion kept.
12. Audit logs enabled on the practice management system. Reviewed quarterly at minimum. Verify the logs survive a database restore.
13. Network segmentation — the operatory network is separated from the guest Wi-Fi and from any IoT devices (intraoral cameras, scanners with their own SSID, smart cameras).
14. Email security hardening — Safe Links, Safe Attachments, anti-phishing impersonation rules, DKIM signed for outbound.
15. Physical access controls — server closet locked, badge or PIN access to areas where PHI lives, visitor escort policy.
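One way to spot-check items 2 through 6 on a single Windows operatory PC, as an added example that is not from the original article or any vendor tool. It assumes Microsoft Defender is the EDR (item 5), that the screen lock is enforced through the machine inactivity policy rather than a per-user screen saver (item 3), and that shared logins can be flagged by a constructed list of generic account names (item 2); run it elevated.

```powershell
# Posture check for one Windows operatory PC against checklist items 2-6.
# Added example, not part of the original article. Run from an elevated prompt.
# Assumptions: Defender is the EDR; the lock timeout is the machine-wide
# InactivityTimeoutSecs policy; $generic is a constructed list of shared-login names.

$findings = [System.Collections.Generic.List[string]]::new()

# Item 4: BitLocker must be on and the OS volume fully encrypted.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.ProtectionStatus -ne 'On' -or $os.VolumeStatus -ne 'FullyEncrypted') {
    $findings.Add("Item 4: $($env:SystemDrive) protection=$($os.ProtectionStatus), volume=$($os.VolumeStatus)")
}

# Item 3: machine inactivity lock, in seconds. Checklist target is 10 minutes (600 s).
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$timeout = (Get-ItemProperty -Path $pol -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
if (-not $timeout -or $timeout -gt 600) {
    $shown = if ($timeout) { "$timeout s" } else { 'not set' }
    $findings.Add("Item 3: inactivity lock is $shown; want 600 s or less")
}

# Item 5: Defender real-time protection on and signatures current.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Item 5: Defender real-time protection is off') }
if ($mp.AntivirusSignatureAge -gt 3) { $findings.Add("Item 5: AV signatures are $($mp.AntivirusSignatureAge) days old") }

# Item 6: newest installed update; flag if older than a monthly cycle (35 days).
$last = (Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
if (-not $last -or $last -lt (Get-Date).AddDays(-35)) {
    $findings.Add("Item 6: last installed update was $(if ($last) { $last.ToShortDateString() } else { 'never' })")
}

# Item 2: enabled local accounts whose names suggest a shared login (constructed list).
$generic = 'operatory', 'frontdesk', 'hygiene', 'dental', 'user', 'admin'
Get-LocalUser | Where-Object { $_.Enabled -and ($generic -contains $_.Name.ToLower()) } |
    ForEach-Object { $findings.Add("Item 2: enabled generic local account '$($_.Name)'") }

# One line per gap, so the output can be pasted straight into the onboarding record.
if ($findings.Count -eq 0) { 'PASS: no findings' } else { $findings | ForEach-Object { "FAIL: $_" } }
```

Run it on each operatory PC and keep the output with the rest of the compliance documentation; a clean run is evidence, a FAIL line is a work item.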
The Things They Don't Tell You
Beyond the checklist, three things that never show up in HIPAA training videos tend to bite dental practices.
Imaging cloud subscriptions are a vendor risk. Many practices store cone-beam CT, panoramic, and intraoral scans in vendor-hosted clouds — Carestream, Pearl, OrthoSelect, and others. These are PHI. Verify the vendor has SOC 2 or HITRUST certification, has a current BAA on file, and that you can actually export your imaging data if you ever change vendors. We have seen practices effectively held hostage by an imaging cloud that did not support bulk export.
Old computers in the back of the office are a compliance landmine. Every dental office we walk into has a dusty PC somewhere — "that's the old billing computer, we don't use it but the old data is on it." If it is plugged in and on the network, it is in scope for HIPAA. Either decommission it properly (encrypt-erase the drive, document the disposal) or get it fully patched and into the management stack. There is no in-between.
Cyber insurance has gotten strict. The 2026 cyber insurance market for healthcare is much harder than it was three years ago. Carriers want documented MFA, EDR, tested backups, and a written incident response plan. Without those, you either cannot get coverage or you pay 2-3x what you used to. Putting the IT controls in place often pays for itself in insurance premium savings.
Where to Start
If you are looking at this list and feeling behind, the order we recommend is: items 1, 4, 5, 7, and 8 (the technical core) in the first 60 days. Items 2, 3, 6, 9, and 14 in the following 30 days. Items 10, 11, 12, 13, and 15 over the next quarter as policy and process work.
Most dental practices in the Inland Empire can get from "unsure" to "defensible" in 90 to 120 days when this is run as a project. Our dental industry page covers our specific approach for dental, and our security baseline assessment is the structured way to check where you stand against this list. Call 949-594-0742 if you want a 30-minute conversation. We do not write the legal compliance opinion — your dental compliance attorney does that — but we handle the technical side end to end.
