Last year, a dental practice in Ohio received a $10,000 HIPAA fine not because they had a data breach, but because they couldn't demonstrate that they were actively protecting patient data. Their IT provider said they were "HIPAA compliant," but during an OCR audit, they couldn't produce evidence of encryption, access controls, or audit logging.

HIPAA compliance is not a one-time certification—it's an ongoing implementation of specific technical, administrative, and physical safeguards. This checklist focuses on the technical IT controls that dental practices must have in place.

Understanding HIPAA Technical Safeguards

The HIPAA Security Rule requires three types of safeguards: Administrative, Physical, and Technical. This guide covers Technical Safeguards—the IT infrastructure controls that protect electronic protected health information (ePHI).

Key distinction: Some controls are required (you must implement them). Others are addressable (you must implement them OR document why they're not reasonable/appropriate AND implement an alternative).

Don't confuse "addressable" with "optional." If you don't implement an addressable control, you need a documented risk assessment explaining why and what you're doing instead.

The Technical Safeguards Checklist

1. Access Control (§164.312(a)(1)) — REQUIRED

The Requirement: Implement technical policies and procedures that allow only authorized persons to access ePHI.

✓ Unique User IDs (Required)

What it means: Every person who accesses systems containing ePHI must have their own username. No shared accounts like "frontdesk" or "Doctor1."

How to verify:

  • Open your practice management software user list
  • Check Windows Active Directory users (if applicable)
  • Verify email accounts are individual (not shared)
  • Confirm each person has their own login credentials

Common violations:

  • Multiple hygienists sharing one login
  • Generic "Admin" account used by several people
  • Vendors using shared credentials for remote access

Implementation:

  • Create individual accounts for each staff member
  • Disable or delete generic/shared accounts
  • Document user provisioning/deprovisioning process
  • Review user lists quarterly, disable inactive accounts

✓ Emergency Access Procedure (Required)

What it means: Documented procedure for accessing ePHI during emergencies when normal access methods fail.

What this looks like:

  • Break-glass accounts with documented access logs
  • Backup administrator credentials (securely stored)
  • Procedure for password resets when admin is unavailable
  • Contact list for after-hours IT emergencies

Documentation required:

  • Written emergency access policy
  • Physical location of backup credentials (locked, limited access)
  • Log of emergency access instances (date, person, reason)

✓ Automatic Logoff (Addressable)

What it means: Systems automatically log out users after a period of inactivity.

Implementation standards:

  • Practice management software: 15-30 minutes of inactivity
  • Workstations: 10-15 minutes lock screen, 30-60 minutes logoff
  • EHR/Imaging systems: Per vendor recommendation (typically 10-20 minutes)

How to configure:

  • Windows: Group Policy → Screen saver timeout + password required
  • Open Dental: Security → Settings → Automatically logoff after X minutes
  • Dentrix: Utilities → eServices → Security Settings → Automatic Logoff
  • Eaglesoft: File → Preferences → Security → Timeout

✓ Encryption and Decryption (Addressable)

What it means: Encrypt ePHI at rest and in transit to prevent unauthorized access.

Required locations for encryption:

  1. Data at rest:
    • All servers containing ePHI (BitLocker, FileVault, or vendor encryption)
    • All workstations with local ePHI copies (BitLocker required for Windows)
    • Backup devices (encrypted backup software + encrypted storage)
    • Portable devices (laptops, tablets, USB drives—must be encrypted)
  2. Data in transit:
    • Email containing PHI (encrypted email or secure portal only)
    • Remote access connections (VPN with AES-256 encryption)
    • Cloud backups (TLS 1.2+ in transit, AES-256 at rest)
    • Patient portal access (HTTPS with valid SSL certificate)

Verification checklist:

  • Server encryption: Run manage-bde -status (Windows) or check vendor documentation
  • Workstation encryption: Check BitLocker status on all PCs
  • Email: Test sending PHI—should trigger encryption prompt or block
  • Website: Check SSL certificate at patient portal URL (look for padlock icon)

2. Audit Controls (§164.312(b)) — REQUIRED

The Requirement: Implement hardware, software, and/or procedural mechanisms that record and examine activity in systems containing ePHI.

✓ Logging Enabled

What must be logged:

  • User authentication (logins, logouts, failed attempts)
  • Access to ePHI (viewing/editing patient records)
  • Security events (permission changes, configuration changes)
  • Data exports and backups

Where to enable logging:

  1. Practice management software:
    • Open Dental: Security → Audit Trail (enabled by default)
    • Dentrix: Audit Logs (enabled in Security settings)
    • Eaglesoft: System → Audit Trail
  2. Windows Server:
    • Event Viewer → Windows Logs → Security
    • Audit Policy must enable: Logon events, Account management, Object access
    • Configure via Group Policy: Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration
  3. Workstations:
    • Same audit policy as servers
    • Logs should be forwarded to centralized location
  4. Network devices:
    • Firewall: Enable logging of allowed/blocked connections
    • VPN: Log all remote access sessions

✓ Log Review Process

HIPAA requires reviewing logs, not just collecting them.

Minimum review frequency:

  • Security events: Real-time alerting + weekly review
  • Access logs: Monthly sample review (not every entry, but looking for anomalies)
  • Failed login attempts: Real-time alerts for >5 failures in 10 minutes
  • After-hours access: Monthly review of all non-business-hours ePHI access

Documentation required:

  • Written policy defining what's logged and how often reviewed
  • Log review records (date, reviewer, findings, actions taken)
  • Retention: Logs must be kept for 6 years (HIPAA requirement)

✓ Log Protection

Logs themselves must be protected from tampering.

  • Store logs on separate system from source systems
  • Restrict access (administrators only)
  • Use write-once media or WORM storage for long-term retention
  • Alert on log deletion or modification attempts

3. Integrity Controls (§164.312(c)(1)) — REQUIRED

The Requirement: Implement policies and procedures to protect ePHI from improper alteration or destruction.

✓ Mechanism to Authenticate ePHI (Addressable)

What it means: Systems to verify ePHI hasn't been improperly changed.

Practical implementation:

  • Database integrity checks: Automated consistency checks (built into most PM software)
  • Checksum verification: Backup software verifies file integrity after backup
  • Audit trails: Track all modifications to patient records (who, when, what changed)
  • Version control: Keep history of record changes (most PM software does this)

Red flags for integrity violations:

  • Missing audit trail entries
  • Database corruption errors
  • Unexplained data changes
  • Backup restore failures

4. Person or Entity Authentication (§164.312(d)) — REQUIRED

The Requirement: Verify that a person or entity seeking access to ePHI is who they claim to be.

✓ Strong Password Policy

HIPAA doesn't specify password requirements, but industry standards require:

  • Minimum length: 12 characters (14+ preferred)
  • Complexity: Uppercase, lowercase, numbers, symbols
  • Expiration: 90 days (or use MFA and extend to 180 days)
  • History: Cannot reuse last 6 passwords
  • Lockout: After 5 failed attempts, lock account for 15 minutes

How to configure (Windows domain):

  • Group Policy → Computer Configuration → Windows Settings → Security Settings → Account Policies → Password Policy
  • Set minimum password length, complexity requirements, expiration
  • Account Lockout Policy → Set threshold and duration

✓ Multi-Factor Authentication (MFA)

While addressable under HIPAA, MFA is essentially required in 2026.

Where MFA must be implemented:

  • Remote access: VPN, remote desktop, cloud services (required)
  • Email: Microsoft 365, Google Workspace admin accounts (required)
  • Practice management software: If cloud-based or remote access (required)
  • Administrative accounts: Any account with admin privileges (required)

MFA options:

  • Authenticator apps (Microsoft Authenticator, Google Authenticator, Authy)
  • Hardware tokens (YubiKey, Titan Security Key)
  • SMS codes (least secure, but better than nothing)
  • Biometric + password (fingerprint reader + password)

5. Transmission Security (§164.312(e)(1)) — REQUIRED

The Requirement: Implement technical security measures to guard against unauthorized access to ePHI transmitted over electronic networks.

✓ Integrity Controls (Addressable)

What it means: Detect when transmitted ePHI has been modified.

Implementation:

  • TLS/SSL for all web-based transmissions (email, patient portals, cloud services)
  • IPsec for VPN connections
  • SFTP instead of FTP for file transfers
  • Digital signatures for sensitive communications

✓ Encryption (Addressable)

What it means: Encrypt ePHI whenever transmitted outside your secure network.

Required encryption:

  • Email: TLS for server-to-server + encryption for PHI content (Office 365 Message Encryption, Paubox, etc.)
  • VPN: AES-256 encryption minimum
  • Cloud services: TLS 1.2 or higher for connections
  • File transfers: SFTP, FTPS, or encrypted file sharing services

HIPAA IT Compliance Quick Checklist

Print this and verify each item:

Access Control

  • ☐ Every user has unique login credentials
  • ☐ No shared accounts exist
  • ☐ Emergency access procedure documented
  • ☐ Automatic logoff configured (workstations and PM software)
  • ☐ All servers encrypted (BitLocker or equivalent)
  • ☐ All workstations encrypted (BitLocker or equivalent)
  • ☐ Backup devices encrypted
  • ☐ VPN uses strong encryption (AES-256)
  • ☐ Email encryption enabled for PHI

Audit Controls

  • ☐ PM software audit trail enabled
  • ☐ Windows server audit policy configured
  • ☐ Workstation audit policy configured
  • ☐ Firewall logging enabled
  • ☐ VPN connection logging enabled
  • ☐ Log review process documented
  • ☐ Logs reviewed monthly (documented)
  • ☐ Logs retained for 6 years

Integrity Controls

  • ☐ Database integrity checks enabled
  • ☐ Backup verification automated
  • ☐ Audit trails track all PHI changes
  • ☐ Record version history maintained

Authentication

  • ☐ Password policy enforced (length, complexity, expiration)
  • ☐ Account lockout configured (5 attempts)
  • ☐ MFA enabled for remote access
  • ☐ MFA enabled for email admin accounts
  • ☐ MFA enabled for cloud services

Transmission Security

  • ☐ All web traffic uses HTTPS (valid SSL certificates)
  • ☐ Email uses TLS + content encryption for PHI
  • ☐ VPN uses modern encryption protocols
  • ☐ No unencrypted file transfers of PHI

Additional Critical Items

  • ☐ Business Associate Agreements (BAAs) with all vendors who access ePHI
  • ☐ Risk assessment documented (completed annually)
  • ☐ Security incident response plan documented
  • ☐ Breach notification procedure documented
  • ☐ HIPAA training completed by all staff (annually)
  • ☐ Terminated employee access revoked (same day)
  • ☐ Workstation security (locked when unattended)
  • ☐ Visitor access restricted in areas with ePHI

Common Compliance Gaps and Fixes

Gap: "Our IT provider says we're HIPAA compliant"

Problem: Your IT provider installed antivirus and a firewall, but you have no documentation, no audit log reviews, and can't demonstrate compliance.

Fix:

  • Request written documentation of all implemented controls
  • Schedule quarterly compliance review meetings
  • Obtain copies of audit logs and review summaries
  • Verify encryption on all devices (don't just trust—verify)

Gap: Encryption not enabled

Problem: Workstations and servers don't have BitLocker (or equivalent) enabled.

Fix:

  • Enable BitLocker on all Windows devices (requires TPM chip or USB key)
  • Document recovery keys in secure location (not on the encrypted device)
  • Test recovery process (reboot one device, verify can unlock with key)

Gap: No log review process

Problem: Logs are being generated but nobody reviews them.

Fix:

  • Create simple log review checklist
  • Assign responsibility (IT provider or internal staff)
  • Document review schedule (monthly minimum)
  • Keep records of reviews (date, reviewer, findings)

Gap: Shared accounts

Problem: "Front Desk" login used by 4 people, can't trace who accessed what.

Fix:

  • Create individual accounts immediately
  • Train staff on why this matters
  • Disable shared accounts
  • Implement automatic logoff to prevent "borrowing" someone's unlocked session

HIPAA Audit Survival Guide

If you receive an OCR audit notice, you'll need to produce:

  1. Written policies and procedures covering all required safeguards
  2. Risk assessment documentation (initial and annual updates)
  3. Evidence of implementation:
    • Screenshots of encryption status
    • Audit log samples
    • Password policy configuration
    • MFA implementation proof
    • Backup verification logs
  4. Training records (all employees, annually)
  5. Business Associate Agreements (with IT provider, cloud services, any vendor accessing ePHI)
  6. Incident log (all security incidents, even if not breaches)

You typically have 30 days to respond to an audit request. If you don't have this documentation ready, you'll struggle to comply.

The Cost of Non-Compliance

HIPAA violation tiers (per violation, per individual):

  • Tier 1: $100-$50,000 (individual didn't know and couldn't have known)
  • Tier 2: $1,000-$50,000 (reasonable cause, not willful neglect)
  • Tier 3: $10,000-$50,000 (willful neglect, corrected within 30 days)
  • Tier 4: $50,000 per violation (willful neglect, not corrected)

Annual maximum: $1.5 million per violation category.

Real examples:

  • Small dental practice: $10,000 fine for lack of risk assessment and insufficient access controls
  • Multi-location practice: $100,000 fine for unencrypted laptops containing ePHI
  • DSO: $250,000 fine for systematic lack of audit controls across multiple locations

Bottom Line: Compliance Is Continuous

HIPAA compliance is not a project you complete—it's an ongoing operational requirement. Your checklist should be reviewed quarterly and updated whenever systems change.

The practices that stay compliant are those that:

  • Document everything (policies, reviews, incidents)
  • Verify controls regularly (don't assume—test)
  • Train staff continuously (not just annual checkbox training)
  • Respond to incidents promptly (document and investigate)
  • Update procedures when technology changes

Because OCR audits are random—any practice can be selected. And when that notice arrives, "we thought we were compliant" is not an acceptable response.

Make sure you can demonstrate compliance with documentation, not just assurances.