Dental Law - What You Need To Know
A summary of what every dental practice owner should know and implement in the day to day operations of their practice.
dentalattorney

Why Every Dental Practice Must Have an Internal Compliance Audit — Immediately

6/25/2026 9:59:48 AM

Key Takeaways

        
  •     

    Dental practices are full HIPAA covered entities, regardless of size — a solo practitioner with three operatories faces the same legal obligations, and the same OCR fine schedule, as a large health system.

        
  •     
  •     

    OCR has continued to pursue enforcement actions against small dental practices, including penalties for delayed patient record requests and inadequate risk analyses — being small is not a defense.

        
  •     
  •     

    A pending overhaul of the HIPAA Security Rule — proposed in January 2025 and targeted for finalization in 2026 — would impose stricter, more prescriptive security requirements on every dental practice in the country.

        
  •     
  •     

    Two documents deserve immediate attention in any audit: the practice's HIPAA compliance manual and its employee manual — both are frequently outdated, generic, or never actually followed in daily operations.

        
  •     
  •     

    An internal compliance audit, conducted proactively and ideally under attorney-client privilege, is the most cost-effective way for a dental practice to find and correct gaps before a patient complaint, an OCR investigation, or an employment claim does it for them.

        

Introduction

A dental practice runs on trust — patients trust the practice with sensitive health information, and employees trust the practice to apply its policies fairly and consistently. Both forms of trust are backed by specific legal obligations, and both are far easier to maintain than to repair after something goes wrong.

Dental practices occupy a unique position in the compliance landscape. As covered entities under the Health Insurance Portability and Accountability Act (HIPAA), they carry the same privacy and security obligations as hospitals and large health systems, but typically operate with a fraction of the administrative and IT infrastructure.

At the same time, as employers, dental practices are subject to the same employment laws as any other business — often without a dedicated human resources function to manage that risk.

This combination makes dental practices a recurring target of regulatory enforcement and employment claims, and makes an internal compliance audit — specifically including a thorough review of the practice's HIPAA manual and employee manual — not a someday project, but an immediate priority.

This article explains why, and outlines how Oberman Law Firm can guide that review from start to finish.

Why This Cannot Wait

Three converging factors make immediate action the right call for dental practices in 2026, rather than a review scheduled for sometime down the road.

Dental Practices Are Full Covered Entities — Size Is Not a Shield

Under HIPAA, dental practices are covered entities subject to the same Privacy Rule, Security Rule, and Breach Notification Rule requirements as hospitals and large health systems.

The obligations do not scale down for a small or solo practice, and the Office for Civil Rights (OCR), which enforces HIPAA, has stated directly that it pursues small providers deliberately. Reported penalties touching dental and other small practices have ranged from several thousand dollars for a solo practitioner up to six-figure settlements, depending on the violation.

OCR Enforcement Against Dental Practices Is Active and Specific

Recent OCR enforcement activity in the dental sector has repeatedly centered on two recurring failures: slow-walking patients' requests for their own records beyond the required response window, and inadequate or outdated risk analyses of how electronic protected health information is stored, accessed, and protected.

Both are documentation and process failures — exactly the kind of gap an internal audit is designed to catch before a complaint or investigation does.

A Major Security Rule Overhaul Is on the Way

In January 2025, the U.S. Department of Health and Human Services proposed the most significant rewrite of the HIPAA Security Rule since it was first issued, with finalization targeted for 2026. The proposed changes would introduce more prescriptive, mandatory security requirements — including encryption of electronic protected health information and multi-factor authentication — and would reduce much of the flexibility that smaller practices have historically relied on.

Practices that have not reviewed their HIPAA manual recently will be starting that review from a significant deficit once the rule is finalized.

The Two Documents Every Audit Must Start With

While a full internal compliance audit covers the entire practice, two (2) documents deserve immediate, focused attention because they are the ones regulators, patients, and employees will look to first if something goes wrong.

HIPAA Manual Review

Many dental practices have a HIPAA manual on file — often purchased as a template years ago — that has never been updated to reflect the practice's actual workflows, current vendors, or current staff.

A proper HIPAA manual review should confirm that the manual accurately reflects current policies and procedures, that it has been distributed to and acknowledged by all current staff, and that it addresses the practice's real-world risk areas, including digital imaging systems, practice management software, and patient intake records.

The review should also confirm that a current risk analysis has been performed and documented, that breach notification procedures are clearly defined and assign specific responsibility, and that Business Associate Agreements are in place and current for every vendor that handles patient information, including software providers, billing services, and IT support.

A practice's vendors' HIPAA failures can become the practice's own breach-notification obligation — making vendor diligence a critical, and frequently overlooked, part of this review.

Finally, the review should confirm that the manual's Notice of Privacy Practices and patient-facing language reflect current requirements, and that staff can demonstrate — not just acknowledge in writing, but actually demonstrate — that they know how to respond to a patient's request for their own records within the required timeframe.

Employee Manual Review

A dental practice's employee manual is often the single most-referenced document in the event of a workplace dispute, and is frequently the most outdated document in the practice.

An employee manual review should confirm the manual reflects current federal, state, and local employment law; includes clear, current anti-harassment and anti-discrimination policies with a defined complaint procedure; and accurately describes the practice's actual onboarding, performance review, and termination procedures — not an idealized or outdated version of them.

The review should also confirm the manual addresses leave policies, accommodation request procedures, and confidentiality obligations specific to a clinical setting where staff routinely handle protected health information as part of their daily duties. Just as importantly, the audit should test whether the manual is actually being followed in practice — a manual that exists on paper but is not reflected in day-to-day decisions offers little real protection if those decisions are later challenged.

Summary

Dental practices sit at the intersection of two (2) demanding compliance frameworks — HIPAA's privacy and security requirements, and the full range of federal, state, and local employment law — typically without the dedicated compliance staff that larger healthcare organizations maintain. 

Active OCR enforcement against small dental practices, combined with a major Security Rule overhaul on the horizon, means the cost of waiting continues to rise. A focused internal audit, starting with the practice's HIPAA manual and employee manual, is the most direct way to find and close those gaps now.

How Oberman Law Firm Can Help You Review Your Internal Procedures

Oberman Law Firm offers a structured internal compliance audit designed specifically for dental practices, built around the two (2) priority documents outlined above and extending to the practice's full compliance picture. The process typically includes:

        
  •     

    A comprehensive HIPAA manual review, including risk analysis status, breach notification procedures, Business Associate Agreement diligence, and Notice of Privacy Practices language.

        
  •     
  •     

    A comprehensive employee manual review, including anti-harassment and anti-discrimination policies, leave and accommodation procedures, and onboarding, review, and termination practices.

        
  •     
  •     

    A document and personnel-file sampling review to test whether written policy is actually being followed day to day, not just on paper.

        
  •     
  •     

    A practical readiness assessment against the pending HIPAA Security Rule changes, so the practice is not starting from zero once the rule is finalized.

        
  •     
  •     

    A written findings summary that prioritizes issues by legal and regulatory risk and recommends specific, practical corrective steps — conducted, where appropriate, under attorney-client privilege to protect the candor of the review.

        
  •     
  •     

    Follow-up support to update the HIPAA manual and employee manual, train doctors and staff, and establish a recurring audit schedule so compliance becomes routine rather than reactive.

        


Dental practice owners and administrators interested in scheduling an internal compliance audit, or in discussing whether their current HIPAA manual or employee manual already presents exposure, are encouraged to contact Oberman Law Firm to arrange a confidential consultation.

Conclusion

The dental practices best positioned to withstand a patient complaint, an OCR inquiry, or an employment dispute are not the ones that assume their existing manuals are fine — they are the ones that took the time to confirm it. With active OCR enforcement against small dental practices and a significant HIPAA Security Rule overhaul on the near horizon, an internal compliance audit is no longer a project to schedule for later in the year.

Oberman Law Firm encourages every dental practice client to begin with a focused review of its HIPAA manual and employee manual today, and stands ready to guide that process from initial assessment through full implementation.

This article is provided for general informational purposes only and does not constitute legal advice. Laws and proposed rules referenced are subject to amendment, judicial interpretation, and state or local variation, and certain HIPAA Security Rule provisions described remain proposed and not yet final as of this writing. Please contact Oberman Law Firm directly to discuss how these requirements apply to your specific practice.


©2026 Dentaltown, a division of Farran Media • All Rights Reserved