Back
HIPAA

3 Common HIPAA Compliance Issues Dental Offices Should Fix Before an Inspection

In today’s digital world, dental offices don’t keep patient information locked in file cabinets anymore. Instead, data moves constantly through email, cloud systems, practice management software, and sometimes even personal devices. HIPAA compliance isn’t just about paperwork—it’s about actively protecting sensitive information from cyber threats and accidental exposure. At Smart Training, we review hundreds of dental offices every year, and we continue to see the same common risks. Here are the top three HIPAA pitfalls your practice should address now to stay compliant and safeguard patient trust.

1. Unencrypted Email and Device Storage

Under the HIPAA Security Rule (45 CFR §164.312), covered entities must safeguard Electronic Protected Health Information (ePHI). While encryption is considered “addressable,” HHS makes it clear: if you don’t encrypt, you must document why and adopt an equally effective safeguard.

In reality, encryption remains the most reliable way to protect PHI in transit (email, file transfer) and at rest (laptops, mobile devices, external drives). Without it, a lost laptop or intercepted email can lead to a reportable breach, often followed by investigations, penalties, and loss of patient trust.

2. Weak Access Controls and Lack of Multi-Factor Authentication

HIPAA requires unique user identification and access controls so only authorized staff can view ePHI (45 CFR §164.312(a)(2)(i)). Unfortunately, shared logins, weak passwords, and rarely updated credentials are still common in dental practices.

The best defense? Strong, unique passwords combined with multi-factor authentication (MFA). MFA is especially important for remote access, email accounts with ePHI, and cloud services. Even if a password is compromised, MFA drastically reduces the chance of unauthorized access.

3. No Documented Annual Security Risk Analysis

The HIPAA Security Rule requires every covered entity to conduct a Risk Assessment to identify vulnerabilities to the confidentiality, integrity, and availability of ePHI (45 CFR §164.308(a)(1)(ii)(A)).

This isn’t a one-time task—it must be updated annually and whenever major changes occur (new software, new staff, or facility upgrades). In fact, the Office for Civil Rights (OCR) frequently cites the lack of a current, documented HIPAA Risk Assessment (HRA) as a leading cause of compliance failures during enforcement actions.

Free Resource to Strengthen Your HIPAA Compliance

To help you get started, we’re offering a free training resource: What’s Required for HIPAA. This program includes our Jump-start Checklist—a simple, actionable guide showing you exactly what to prioritize for both HIPAA and OSHA compliance. It’s designed to remove guesswork and help you close compliance gaps with confidence.

Take this free course today and learn what’s required of your dental practice to be HIPAA compliant!

References:

Naomi Hirsch

You may also like

Airway Goals for 2026 Series Part I
2026 Airway-Centric Goals Blog Series, Part 1: Scheduling with Intention
9 December, 2025
1200 x 800 Blog ACS part3
Awareness Characteristics Series (Part 3): Steps 2–1 — The Doctor’s Responsibility
25 November, 2025
1200 x 800 Blog ACS part2
Awareness Characteristics Series (Part 2): Steps 4–3 — The Patient’s Responsibility
17 November, 2025

By completing and submitting this order form, you acknowledge and agree to the following:

  1. Collection of Personal Data: You understand that in order to process your order effectively, we require certain personal information including but not limited to your name, contact details, shipping address, and payment information.
  2. Purpose of Data Collection: The personal data collected through this order form will solely be used for the purpose of processing and fulfilling your order, as well as communicating with you regarding your order status and related matters.
  3. Data Security: We are committed to safeguarding your personal information and maintaining its confidentiality. We utilize industry-standard security measures to protect your data against unauthorized access, disclosure, alteration, or destruction.
  4. Third-Party Disclosure: We do not sell, trade, or otherwise transfer your personal information to outside parties unless necessary for order fulfillment (e.g., shipping companies) or as required by law.
  5. Data Retention: Your personal data will be retained only for as long as necessary to fulfill the purposes outlined in this disclaimer or as required by applicable laws and regulations.
  6. Consent and Authorization: By submitting this order form, you consent to the collection, processing, and storage of your personal data as described herein.
  7. Data Subject Rights: You have the right to request access to, correction of, or deletion of your personal information held by us. For any inquiries or requests regarding your personal data, please contact us using the provided contact information.
  8. Updates to Disclaimer: We reserve the right to update or modify this disclaimer at any time without prior notice. Any changes will be effective immediately upon posting on our website or notifying you directly.
  9. Acceptance of Terms: By proceeding with the order, you signify your acceptance of this disclaimer and consent to the processing of your personal data in accordance with its terms.

If you do not agree with any part of this disclaimer, please refrain from submitting the order form. If you have any questions or concerns regarding the handling of your personal data, please contact us before proceeding with your order.

Event Cancellation Policy for
The Vivos Institute®

Thank you for your interest in our programs at The Vivos Institute®. We understand that sometimes circumstances may arise that require you to cancel your participation. Please review our cancellation policy carefully.

Standard Cancellation Policy:

  • 100% Refund: Cancellations received within 61 days or more before the start date of the program will receive a full refund minus a 7% administrative fee.
  • 85% Refund: Cancellations received within 31 to 60 days before the start date of the program will be eligible for an 85% refund of the program fee minus a 7% administrative fee..
  • No Refund: Cancellations received within 30 days of the program start date will not be eligible for a refund.

Please Note: All cancellations are subject to an additional 7% administrative fee, regardless of how far in advance the cancellation is received.

Cancellation Process: All cancellation requests must be submitted in writing via email to ce@thevivosinstitute.com. Please include your full name, contact information, program name, and the reason for cancellation in your email.

Special Events: Please note that this cancellation policy is subject to change for special events. Specific cancellation policies for special events will be communicated at the time of registration and will supersede the standard cancellation policy outlined above.

Refund Processing: Refunds, if applicable, will be processed within 30 days of receiving the cancellation request. Refunds will be issued to the original method of payment used during registration.

Contact Information: If you have any questions or need further assistance regarding our cancellation policy, please contact us at ce@thevivosinstitute.com. We appreciate your understanding and cooperation regarding our cancellation policy. We look forward to serving you at The Vivos Institute® and hope to welcome you to our programs soon.