Complete HIB Compliance Checklist for Dental Clinics

Key Takeaway

This is your complete HIB compliance checklist, designed specifically for dental clinics. Print it, share it with your team, and work through it systematically. Focus on the high-priority items first—they're the ones MOH will check first.

How to Use This Checklist

Good to Know

Scoring Your Compliance:

Count checked items in each section

Sections under 50% complete = High Priority

Sections 50-80% complete = Moderate Priority

Sections 80%+ complete = Fine-tune

---

Section 1: Know Your Data

Before you can protect patient data, you must know where it lives.

Think of it Like This

This is like taking a complete patient history before treatment. You can't treat what you haven't diagnosed. Similarly, you can't protect data you haven't mapped.

Patient Data Inventory

List every system storing patient information (dental software, X-ray systems, billing)
Document what data each system holds
Map how data flows between systems
Identify which vendors/third parties can access your data
Set and document retention periods (typically 7 years after last visit)

Data Sensitivity Classification

Mark data as "Sensitive" (diagnoses, HIV status) or "Standard" (contact details)
Apply stronger protection to sensitive data
Review classifications every quarter

---

Section 2: Control Who Sees What

Important

Most Common Audit Finding: Staff having more access than their role requires. The receptionist doesn't need to see clinical notes. The dental assistant doesn't need billing access.

User Account Management

Every staff member has their own unique login (no shared accounts)
Passwords are minimum 12 characters with complexity rules
Multi-factor authentication (MFA) is enabled—yes, it's annoying, but essential
Access is role-based (reception vs. hygienist vs. dentist)
Access rights reviewed every 3 months

Access Logging

System records who accessed which patient record and when
Failed login attempts are logged
Data exports and downloads are tracked
Logs kept for minimum 5 years
Someone reviews logs monthly for suspicious activity

When Staff Leave

Pro Tip

Create a "staff departure" checklist that happens within 24 hours—not "when IT gets around to it."

Written procedure for account deactivation exists
Accounts disabled within 24 hours of departure
Clinic keys, access cards, devices collected
Remaining staff access reviewed after departures

---

Section 3: Technical Security Essentials

Device Protection

Think of it Like This

Antivirus is to your computer what your autoclave is to your instruments—it eliminates threats you can't see. You wouldn't skip sterilisation; don't skip digital protection.

Enterprise-grade antivirus on every computer (not free consumer versions)
Real-time scanning enabled
All devices accessing patient data are encrypted
Mobile devices (tablets for patient photos) have management controls

Network Security

Patient data systems are on a separate network segment from guest Wi-Fi
Firewall installed and properly configured
Intrusion detection is active
Wi-Fi uses WPA3 with strong passwords
Remote access only through VPN

Keeping Systems Updated

Important

Fact: Most ransomware attacks exploit vulnerabilities that had patches available months earlier. Delayed updates = open doors for attackers.

Monthly patching schedule established
Critical security patches applied within 7 days
No Windows 7 or other end-of-life software
Patching activities documented

Data Encryption

Patient data encrypted when stored (AES-256)
Data encrypted when transmitted (TLS 1.3)
Encryption keys stored separately from data
Backups are also encrypted

---

Section 4: Physical Security

Good to Know

Digital security means nothing if someone can walk out with your server. Physical and cyber security work together.

Facility

Server room/data storage is locked
Security cameras cover sensitive areas
Visitor sign-in procedures exist
Paper records locked in cabinets (not on open shelves)
Clean desk policy enforced

Devices

Workstations physically secured (can't be easily stolen)
Privacy screens where patients might see monitors
Screens auto-lock after 5 minutes of inactivity
Procedure for secure disposal of old computers/drives

---

Section 5: Breach Response—The 2-Hour Test

Important

Critical: You have 2 hours to report a breach to MOH. Can you detect a breach and notify within 2 hours on a Saturday night? If not, you're not compliant.

Breach Response Plan

Written incident response plan exists
Roles clearly defined (who does what)
Communication chain documented
MOH notification procedure ready (know exactly who to call)
Patient notification templates prepared

Response Team

Team members identified by name
After-hours contact numbers documented
Escalation procedures clear
External contacts ready (lawyer, IT forensics, PR if needed)

Practice Makes Perfect

Think of it Like This

You run fire drills. You should run data breach drills. When the real thing happens, muscle memory matters.

Tabletop exercise conducted at least annually
Notification procedures tested
Lessons documented and plan updated

---

Section 6: Your Vendors' Security is Your Security

Third-Party Risk

Complete list of all vendors with patient data access
Each vendor's security practices assessed
Contracts include data protection requirements
Vendors provide security certifications
Annual vendor reviews conducted

Contract Requirements

Data protection clauses in all vendor contracts
Vendors must notify you of breaches immediately
Liability clearly assigned
You can audit vendors
Data returned/destroyed when relationship ends

---

Section 7: Staff Training

Pro Tip

Reality check: Your staff are your biggest security asset—or your biggest vulnerability. A single click on a phishing email can bypass all your technical controls.

Initial Training (All New Staff)

HIB awareness training provided
Data protection responsibilities explained
Security awareness covered (how to spot phishing, suspicious calls)
Training completion documented
Policy acknowledgment signed

Ongoing Training

Annual refresher training for all staff
Updates on new threats shared
Simulated phishing tests conducted
All training activities logged

---

Section 8: Required Documentation

Good to Know

If it's not documented, it didn't happen. MOH auditors will ask to see your policies. "We do it but didn't write it down" won't satisfy them.

Policies (Must Have)

Data protection policy
Information security policy
Acceptable use policy (what staff can/can't do)
Incident response policy
Business continuity policy

Procedures (Must Have)

How to request access to systems
How to report incidents
Data retention and destruction procedures
Backup and recovery procedures
Change management procedures

---

Section 9: Backup & Recovery

Think of it Like This

Backups are like insurance—you hope you never need them, but when you do, they save everything. A ransomware attack without backups can end a practice.

Backup Strategy (3-2-1 Rule)

3 copies of your data exist
2 different storage types (e.g., local + cloud)
1 copy offsite/cloud
Daily automated backups running
Backups encrypted
Monthly restoration tests (backups you've never tested aren't backups)

Business Continuity

Business continuity plan documented
Recovery time objective defined (how fast must you be back up?)
Recovery point objective defined (how much data loss is acceptable?)
Disaster recovery tested annually

---

Section 10: Ongoing Monitoring

Continuous Security Monitoring

24/7 monitoring for security threats
Alerts for unusual access patterns
Data exfiltration detection
Regular log reviews

Compliance Reviews

Internal compliance audit every quarter
Findings addressed within 30 days
All compliance activities documented
Annual external assessment considered

---

Your Compliance Score

Count your checked items:

Section

Your Score

Max

Priority if under 80%

Data Inventory

___

High

Access Controls

___

Critical

Technical Security

___

Critical

Physical Security

___

Medium

Breach Response

___

Critical

Vendor Management

___

Medium

Staff Training

___

High

Documentation

___

High

Backup & Recovery

___

Critical

Monitoring

___

Medium

Important

Sections marked "Critical" should be your first focus. These are the areas where gaps create the highest risk and draw the most audit attention.

---

What's Next?

Score yourself using the table above

Prioritise sections under 80%

Create a timeline working back from early 2027

Assign ownership for each gap

Track progress weekly

---

*Overwhelmed? That's normal. Synexo helps dental clinics work through this checklist systematically. Our free assessment tells you exactly where you stand and what to prioritise. Book your assessment—most clinics complete it in under 30 minutes.*

Complete HIB Compliance Checklist for Dental Clinics

How to Use This Checklist

Section 1: Know Your Data

Patient Data Inventory

Data Sensitivity Classification

Section 2: Control Who Sees What

User Account Management

Access Logging

When Staff Leave

Section 3: Technical Security Essentials

Device Protection

Network Security

Keeping Systems Updated

Data Encryption

Section 4: Physical Security

Facility

Devices

Section 5: Breach Response—The 2-Hour Test

Breach Response Plan

Response Team

Practice Makes Perfect

Section 6: Your Vendors' Security is Your Security

Third-Party Risk

Contract Requirements

Section 7: Staff Training

Initial Training (All New Staff)

Ongoing Training

Section 8: Required Documentation

Policies (Must Have)

Procedures (Must Have)

Section 9: Backup & Recovery

Backup Strategy (3-2-1 Rule)

Business Continuity

Section 10: Ongoing Monitoring

Continuous Security Monitoring

Compliance Reviews

Your Compliance Score

What's Next?

Need Help with HIB Compliance?