Dental Office Patient Record Privacy Check Checklist [FREE PDF]
Dental practices are covered entities under the Health Insurance Portability and Accountability Act (HIPAA) and are required to implement comprehensive administrative, physical, and technical safeguards to protect protected health information (PHI). The HIPAA Privacy Rule (45 CFR Part 164) and Security Rule establish specific requirements for access controls, minimum necessary disclosure, patient rights, and breach notification that apply to all practice locations and electronic systems. Failure t
- Industry: Dental Practice
- Frequency: Quarterly
- Estimated Time: 45-60 minutes
- Role: Office Manager
- Total Items: 36
- Compliance: HIPAA Privacy Rule 45 CFR Part 164 Subpart E, HIPAA Security Rule 45 CFR Part 164 Subpart C, HIPAA Breach Notification Rule 45 CFR Part 164 Subpart D, ADA Standards for Patient Record Management, State Dental Board Patient Record Retention Regulations
HIPAA Policies and Procedures
Confirm that required HIPAA privacy and security policies are current, documented, and accessible to all staff.
- Is a current written HIPAA Privacy Policy and Procedures document available and reviewed within the past 12 months?
- Has a designated Privacy Officer been assigned and documented in writing?
- Has a designated Security Officer been assigned to oversee electronic PHI safeguards?
- Are Business Associate Agreements (BAAs) in place with all vendors who access PHI (e.g., billing, IT, labs)?
- Is the Notice of Privacy Practices (NPP) current, posted in the office, and provided to new patients?
Staff Training and Workforce Compliance
Evaluate HIPAA training completion, documentation, and workforce sanctions for privacy and security violations.
- Have all workforce members received HIPAA privacy and security training upon hire and at least annually thereafter?
- Are HIPAA training records (including dates, content, and employee signatures) retained for at least six years?
- Is there a documented workforce sanctions policy for HIPAA violations that has been communicated to all staff?
- Are staff aware of the minimum necessary standard and do they apply it when accessing or sharing patient records?
- Have staff been trained to recognize and report potential HIPAA breaches to the Privacy Officer promptly?
Physical Safeguards for Patient Records
Assess physical controls protecting paper and electronic patient records from unauthorized access, theft, or destruction.
- Are paper patient records stored in locked filing cabinets or a restricted-access records room?
- Are computer workstations positioned so that patient screens cannot be viewed by other patients in waiting or treatment areas?
- Are computer screens set to auto-lock after a maximum of 15 minutes of inactivity?
- Is access to the records room and server area restricted to authorized personnel only, with an access log maintained?
- Are printed records with PHI shredded using a cross-cut shredder or disposed of via a certified document destruction service?
Technical and Electronic PHI Safeguards
Review technical controls protecting electronic patient health information in practice management systems and communications.
- Is access to the dental practice management software controlled by unique usernames and strong passwords for each user?
- Are audit logs enabled in the practice management system to track who accessed, modified, or deleted patient records?
- Is patient PHI transmitted via encrypted email or a secure patient portal rather than unencrypted standard email?
- Is data backed up regularly and stored in an encrypted, secure offsite or cloud location with a tested recovery plan?
- Are all portable devices (laptops, tablets, USB drives) containing PHI encrypted and inventoried?
- Is antivirus and anti-malware software installed, active, and updated on all workstations used to access ePHI?
Patient Rights and Record Access
Confirm that the practice has procedures to honor patient rights including record access, amendment, restriction requests, and accounting of disclosures.
- Does the practice have a documented procedure to provide patients access to their records within 30 days of request?
- Is there a documented process for patients to request amendments to their health records?
- Does the practice maintain an accounting of disclosures log for PHI shared outside treatment, payment, and operations?
- Are valid written authorizations obtained before releasing PHI for purposes beyond treatment, payment, or operations?
- Are minor patient records protected per applicable state law, including restrictions on parental access where legally required?
Breach Detection and Notification Procedures
Evaluate the practice's ability to detect, assess, document, and respond to potential PHI breaches within required timeframes.
- Is there a written breach response plan that outlines steps for discovery, risk assessment, and notification?
- Has the practice conducted a formal HIPAA Security Risk Analysis within the past 12 months?
- Are potential breaches logged and investigated by the Privacy Officer within 24 hours of discovery?
- Has the practice reported all reportable breaches affecting 500 or more individuals to HHS within 60 days of discovery?
- Are breach response documentation and investigation records retained for at least six years?
Front Desk and Reception Area Privacy Controls
Assess privacy protections at the point of patient check-in, scheduling, and verbal communication to prevent incidental disclosures.
- Is the front desk sign-in sheet designed to prevent patients from viewing other patients' names or appointment reasons?
- Do reception staff avoid discussing patient PHI in areas where other patients or visitors can overhear?
- Is patient identity verified before PHI is disclosed verbally or records are released in person or by phone?
- Are fax machines used to transmit PHI located in a secure area and are fax cover sheets used with confidentiality notices?
- Are patient recall and appointment reminder messages designed to minimize PHI disclosed in voicemails or texts?
Why Use This Dental Office Patient Record Privacy Check Checklist [FREE PDF]?
This Dental Office Patient Record Privacy Check Checklist helps dental practice teams maintain compliance and operational excellence. Designed for office managers, it covers 36 critical inspection points across 7 sections. Recommended frequency: quarterly.
It ensures compliance with HIPAA Privacy Rule 45 CFR Part 164 Subpart E, HIPAA Security Rule 45 CFR Part 164 Subpart C, HIPAA Breach Notification Rule 45 CFR Part 164 Subpart D, ADA Standards for Patient Record Management, and State Dental Board Patient Record Retention Regulations. It is regulatory-aligned for audit readiness and inspection documentation.
Frequently Asked Questions
What does the Dental Office Patient Record Privacy Check Checklist [FREE PDF] cover?
This checklist covers 36 inspection items across 7 sections: HIPAA Policies and Procedures, Staff Training and Workforce Compliance, Physical Safeguards for Patient Records, Technical and Electronic PHI Safeguards, Patient Rights and Record Access, Breach Detection and Notification Procedures, Front Desk and Reception Area Privacy Controls. It is designed for dental practice operations and compliance.
How often should this checklist be completed?
This checklist should be completed quarterly. Each completion takes approximately 45-60 minutes.
Who should use this Dental Office Patient Record Privacy Check Checklist [FREE PDF]?
This checklist is designed for office managers in the dental practice industry. It can be used for self-assessments, team audits, and regulatory compliance documentation.
Can I download this checklist as a PDF?
Yes, this checklist is available as a free PDF download. You can also use it digitally in the POPProbe mobile app for real-time data capture, photo documentation, and automatic reporting.