A dental practice runs on trust — patients trust the practice with sensitive health information, and employees trust the practice to apply its policies fairly and consistently. Both forms of trust are backed by specific legal obligations, and both are far easier to maintain than to repair after something goes wrong.
Dental practices occupy a unique position in the compliance landscape. As covered entities under the Health Insurance Portability and Accountability Act (HIPAA), they carry the same privacy and security obligations as hospitals and large health systems, but typically operate with a fraction of the administrative and IT infrastructure.
At the same time, as employers, dental practices are subject to the same employment laws as any other business — often without a dedicated human resources function to manage that risk.
This combination makes dental practices a recurring target of regulatory enforcement and employment claims, and makes an internal compliance audit — specifically including a thorough review of the practice's HIPAA manual and employee manual — not a someday project, but an immediate priority.
This article explains why, and outlines how Oberman Law Firm can guide that review from start to finish.
Three converging factors make immediate action the right call for dental practices in 2026, rather than a review scheduled for sometime down the road.
Under HIPAA, dental practices are covered entities subject to the same Privacy Rule, Security Rule, and Breach Notification Rule requirements as hospitals and large health systems.
The obligations do not scale down for a small or solo practice, and the Office for Civil Rights (OCR), which enforces HIPAA, has stated directly that it pursues small providers deliberately. Reported penalties touching dental and other small practices have ranged from several thousand dollars for a solo practitioner up to six-figure settlements, depending on the violation.
Recent OCR enforcement activity in the dental sector has repeatedly centered on two recurring failures: slow-walking patients' requests for their own records beyond the required response window, and inadequate or outdated risk analyses of how electronic protected health information is stored, accessed, and protected.
Both are documentation and process failures — exactly the kind of gap an internal audit is designed to catch before a complaint or investigation does.
In January 2025, the U.S. Department of Health and Human Services proposed the most significant rewrite of the HIPAA Security Rule since it was first issued, with finalization targeted for 2026. The proposed changes would introduce more prescriptive, mandatory security requirements — including encryption of electronic protected health information and multi-factor authentication — and would reduce much of the flexibility that smaller practices have historically relied on.
Practices that have not reviewed their HIPAA manual recently will be starting that review from a significant deficit once the rule is finalized.
While a full internal compliance audit covers the entire practice, two (2) documents deserve immediate, focused attention because they are the ones regulators, patients, and employees will look to first if something goes wrong.
Many dental practices have a HIPAA manual on file — often purchased as a template years ago — that has never been updated to reflect the practice's actual workflows, current vendors, or current staff.
A proper HIPAA manual review should confirm that the manual accurately reflects current policies and procedures, that it has been distributed to and acknowledged by all current staff, and that it addresses the practice's real-world risk areas, including digital imaging systems, practice management software, and patient intake records.
The review should also confirm that a current risk analysis has been performed and documented, that breach notification procedures are clearly defined and assign specific responsibility, and that Business Associate Agreements are in place and current for every vendor that handles patient information, including software providers, billing services, and IT support.
A practice's vendors' HIPAA failures can become the practice's own breach-notification obligation — making vendor diligence a critical, and frequently overlooked, part of this review.
Finally, the review should confirm that the manual's Notice of Privacy Practices and patient-facing language reflect current requirements, and that staff can demonstrate — not just acknowledge in writing, but actually demonstrate — that they know how to respond to a patient's request for their own records within the required timeframe.
A dental practice's employee manual is often the single most-referenced document in the event of a workplace dispute, and is frequently the most outdated document in the practice.
An employee manual review should confirm the manual reflects current federal, state, and local employment law; includes clear, current anti-harassment and anti-discrimination policies with a defined complaint procedure; and accurately describes the practice's actual onboarding, performance review, and termination procedures — not an idealized or outdated version of them.
The review should also confirm the manual addresses leave policies, accommodation request procedures, and confidentiality obligations specific to a clinical setting where staff routinely handle protected health information as part of their daily duties. Just as importantly, the audit should test whether the manual is actually being followed in practice — a manual that exists on paper but is not reflected in day-to-day decisions offers little real protection if those decisions are later challenged.
Dental practices sit at the intersection of two (2) demanding compliance frameworks — HIPAA's privacy and security requirements, and the full range of federal, state, and local employment law — typically without the dedicated compliance staff that larger healthcare organizations maintain.
Active OCR enforcement against small dental practices, combined with a major Security Rule overhaul on the horizon, means the cost of waiting continues to rise. A focused internal audit, starting with the practice's HIPAA manual and employee manual, is the most direct way to find and close those gaps now.
Oberman Law Firm offers a structured internal compliance audit designed specifically for dental practices, built around the two (2) priority documents outlined above and extending to the practice's full compliance picture. The process typically includes:
Dental practice owners and administrators interested in scheduling an internal compliance audit, or in discussing whether their current HIPAA manual or employee manual already presents exposure, are encouraged to contact Oberman Law Firm to arrange a confidential consultation.
The dental practices best positioned to withstand a patient complaint, an OCR inquiry, or an employment dispute are not the ones that assume their existing manuals are fine — they are the ones that took the time to confirm it. With active OCR enforcement against small dental practices and a significant HIPAA Security Rule overhaul on the near horizon, an internal compliance audit is no longer a project to schedule for later in the year.
Oberman Law Firm encourages every dental practice client to begin with a focused review of its HIPAA manual and employee manual today, and stands ready to guide that process from initial assessment through full implementation.
This article is provided for general informational purposes only and does not constitute legal advice. Laws and proposed rules referenced are subject to amendment, judicial interpretation, and state or local variation, and certain HIPAA Security Rule provisions described remain proposed and not yet final as of this writing. Please contact Oberman Law Firm directly to discuss how these requirements apply to your specific practice.
© 2026 Oberman Law Firm