HIPAA Compliance Software Checklist

To maintain doctor-patient confidentiality and comply with federal legislation regarding Protected Health Information (PHI), your dental practice is required to safeguard sensitive patient information. A number of software providers state that they are "HIPAA compliant", but because the Office for Civil Rights (OCR) and the U.S. Department of Health & Human Services (HHS) do not endorse or certify any persons or products as "HIPAA compliant", this claim can be difficult to substantiate.

To determine whether the product or service you are using is "HIPAA compliant", and to clarify what your provider is actually offering with regard to HIPAA compliance, we have developed a HIPAA Software Checklist. Please use this checklist when determining whether your software provider is meeting the current standards in the industry. Please note that this checklist is an industry guide and is not intended as an exclusive resource on HIPAA compliance. For more information on HIPAA, please contact the U.S. Department of Health & Human Services (HHS).

For each question, mark whether the provider offers the item as standard, at additional cost, or not at all.

Awareness and Education

| # | Question | Standard | Additional Costs | Not Available |
|---|----------|----------|------------------|---------------|
| 1 | Has your software provider had any awareness, education or training on HIPAA regulations and compliance? | | | |
| 2 | Has everyone who has access to Protected Health Information (PHI) had awareness, education and training on HIPAA regulations and compliance? (This includes 3rd-party hosting services.) | | | |
| 3 | Has your software provider set written standards for the handling of Protected Health Information? | | | |
| 4 | Does your software provider keep up to date on HIPAA legislation and any changes to it? | | | |
| 5 | Will your software provider sign a HIPAA Business Associate Agreement? | | | |
| 6 | Will your software provider sign a specific Service Level Agreement (SLA) to ensure standards are met? | | | |

Data Storage

| # | Question | Standard | Additional Costs | Not Available |
|---|----------|----------|------------------|---------------|
| 7 | Does your software provider store Protected Health Information (PHI) outside of North America? | | | |
| 8 | Does your software provider continually test your hosting centre for HIPAA compliance? (back-up, recovery, access and controls) | | | |
| 9 | How often does your software provider test their data recovery? | | | |
| 10 | Can your software provider provide a retrievable exact copy of Protected Health Information? | | | |
| 11 | Can your software provider prepare a detailed list of information access and controls when requested, including all individuals with access to Protected Health Information and the controls set to regulate that access? | | | |

Data Disposal

| # | Question | Standard | Additional Costs | Not Available |
|---|----------|----------|------------------|---------------|
| 12 | Does your organization implement policies and procedures to address the final disposition of any data stored? | | | |
| 13 | How long is data backed up and stored with your software provider before it is disposed of? | | | |
| 14 | Does your software provider provide an auditable record of data disposal? | | | |

Audit Logging

| # | Question | Standard | Additional Costs | Not Available |
|---|----------|----------|------------------|---------------|
| 15 | Does your service/product provide procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information? | | | |
| 16 | Does your service/product implement electronic mechanisms to corroborate that Protected Health Information has not been altered or destroyed in an unauthorized manner? | | | |
| 17 | Does your service/product implement policies and procedures to protect electronic protected health information from improper alteration or destruction? | | | |
| 18 | Has your software provider gathered, reviewed and compared your current billing forms, policies and procedures against the HIPAA Electronic Claims Transaction and Code Set regulations? | | | |

Privacy and Security

| # | Question | Standard | Additional Costs | Not Available |
|---|----------|----------|------------------|---------------|
| 19 | Does your service/product implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network? | | | |
| 20 | Does your product/service implement procedures to verify that a person or entity seeking access to Protected Health Information (PHI) is the one claimed? | | | |
| 21 | Does your product/service assign a unique name and/or number for tracking and identifying each user's identity? | | | |
| 22 | Does your product/service allow users to obtain necessary Protected Health Information during an emergency? | | | |
| 23 | Does your product/service implement electronic procedures that terminate an electronic session after a predetermined time of inactivity? | | | |
| 24 | Does your product/service encrypt data at rest and in motion following NIST standards? | | | |
| 25 | What are your organization's policies regarding a data breach? | | | |
| 26 | Have you developed or revised current consent forms for patients in line with HIPAA regulations? | | | |
| 27 | Does your organization use separate database and web servers for production? | | | |

General Information

| # | Question | Standard | Additional Costs | Not Available |
|---|----------|----------|------------------|---------------|
| 28 | Has your software provider been independently audited against the OCR HIPAA Audit Protocol? | | | |

Please note that the Office for Civil Rights (OCR) and U.S. Department of Health & Human Services (HHS) do not endorse any private consultants' or education providers' seminars, materials or systems, and do not certify any persons or products as "HIPAA compliant."