HIPAA for dental offices: The do’s and don’ts

Take a byte out of cyberattacks

Over the past year, the number of healthcare record breaches has declined somewhat; a small but important victory for overseers of HIPAA (Health Insurance Portability and Accountability Act) compliance regulation. Yet, patient record breaches still affected more than 3.2 million medical records in 2017. As of January 4, 2017, there were a total 342 healthcare security breaches reported — and it’s not just doctors’ offices. HIPAA for dental offices is a real concern, too. These breaches included large dental practices, where tens of thousands of patient records and X-rays were compromised due to hacking or cyberattacks.

Stolen medical records can be worth $500 or more per record on the black market.


Considering the typical American dental office has approximately 2,500 active patient records on its server, and years of inactive records, a compromised server could affect tens of thousands of people and cost millions in theft. So what can your dental office do to protect its patient information and get its HIPAA compliance up to best-in-class standards?

HIPAA for dental offices: Avoid these don’ts

First and foremost, you need to make sure your dental office isn’t committing any of these don’ts!

Broadcasting personal information to the masses

It’s easy to strike up conversations with patients in the waiting room, especially if the dental practice is small and everyone is friendly with one another. But conversations about patient information within earshot of others is a no-no.

Calling out to a patient to have them verify their birthdate or confirm what procedure they are coming in for should never be discussed within earshot of the waiting room.

Simply call the patient up to the desk if you have questions about anything in their medical record, and keep the conversation private.

Not backing up files

Digital medical records need to be stored on a secure server, and backed up regularly — preferably, nightly. Often, dental offices use built-in “backups” that are part of their records or scheduling software. But built-in backups don’t always capture all of the record data; only portions of data. Make sure your backup includes a full server image of every record you wish to protect.

A full server image will allow you to restore records to their original state if compromised.


Editor’s note: Protect your website from the unexpected with GoDaddy’s Website Backup service, featuring automatic daily backups and one-click restore.

Not encrypting data

It’s important to not only back up data, but also to encrypt the data in case a hacker finds his way onto your server. Under the HIPAA Security Rule, encryption of patient data is required if it is reasonable and appropriate to protect patient information, such as Social Security numbers, addresses and birthdates.

By encrypting medical records and X-rays, you can save your patients the agony of having their identities and health information stolen.

HIPAA For Dental Offices Encryption

Emailing other offices or specialists without encryption

It’s imperative to remember that patient data should not be shared through an open email system. Even identifying a patient by a member ID number alone is a violation, as the ID number can be found in the patient’s medical record. You are allowed to share data with others who specifically work with the same patient and need information in order to do their job. But communication with outside entities should be handled with a wall of security using secure email platforms, such as Microsoft Office 365 Business Premium, available from GoDaddy, or SendInc.

Not using passwords on office computers

Computers with access to patient data should be password-protected, and computers not in use should be logged off from the server. Many current scheduling systems limit the information that can be viewed, including first or last name, birthdate and what procedure a patient is scheduled for.

While it might be convenient to print a schedule out for dentists and hygienists to look at quickly between patients, this type of medical information needs to stay behind a password and wall of security.

Having an open WiFi network

Most smartphone users love to save on their data usage, and free, open networks are an easy way to check email, social media sites and apps while waiting for an appointment. But open networks are just that — open — leaving them vulnerable to hackers and cybersecurity attacks, which can compromise HIPAA for dental offices.

Pro tip: Keep your office WiFi network password protected. If you want to offer a separate guest login, place security around it and make patients ask for the password.

Leaving detailed information on voicemail

Appointment call reminders are standard practice in the dental community, but is your staff leaving too much information? Call reminders should only include the day and time of the appointment. Details about the procedure should not be discussed over the phone where individuals in the waiting room can overhear.

The do’s to keep your dental office HIPAA compliant

Maintaining HIPAA for dental offices compliance on your website, backing up your CRM (customer relationship management) system data, and conducting daily practices at the office are key. Here are some additional best practices to keep your dental office HIPAA compliant.

Do a risk assessment of your current systems

Where are your medical records most vulnerable? Do an audit of your current security and document areas where data could be breached. Recognize that security needs to be in place on the dental office’s website, CRM system and any other location where where medical records and X-rays are stored.

Train team members on HIPAA privacy, security and breach notifications

According to the American Dental Association, team members must be trained in policies and procedures required under HIPAA Privacy, Security and Breach Notification rules. New team members also must be trained within a reasonable timeframe from their hire date.

Pro tip: Make HIPAA training a regular part of the education program at your office. Periodic retraining can limit the dental office’s risk of breach.

Install HIPAA compliant antivirus software

Hackers can attack servers with viruses that exploit the vulnerabilities of the system. In addition to your server, hackers can attack email, web downloads, flash drives and older computers that have CD-ROMs. Antivirus software can not only protect a dental office’s server and machines, it can alert users of any threats. It’s important to regularly update antivirus software, as hackers find ways to create new threats once they understand how they are being blocked from patient information.

HIPAA For Dental Offices Computer

Install an SSL certificate if you’re taking transactions online

Websites without https in the URL are subject to breach. SSL (Secure Sockets Layer) certificates (the official name to get “https” in your office web address) can be purchased online to protect websites that provide online patient accounts or collect payments online. It’s an easy and reasonably priced way to stay secure.

In conclusion

Like in medical facilities, HIPAA for dental offices is a serious business. Your practice can maintain HIPAA compliance and help prevent patient information from becoming compromised by taking simple measures to protect patients’ personal data. Taking the time to review and improve the weak areas of your HIPAA training and processes is “best practice” medicine.