Dental application and PHI mapping

Build a Dental Software and PHI Inventory That Exposes Hidden Risk

A dental HIPAA review should identify every software platform, workstation, server, scanner, imaging tool, cloud service, and vendor that stores or touches PHI. This page helps dental offices know what to look for.

Inventory platforms, modules, interfaces, exports, and support paths.
Record both PHI exposure and operational dependency.
Validate owner, logging, recovery, and vendor evidence.
Repeat the inventory after material technology change.
\n
System-of-record ledger

A Dental Software Inventory Must Explain Exposure, Dependency, and Recovery

A list containing only product names and vendors is not a risk inventory. The working record should show how each platform is deployed, what PHI it handles, how identity works, which systems exchange data, what evidence exists, and how the practice continues when the product is unavailable.

Inventory fieldQuestion the record must answerDental exampleEvidence to retain
Clinical purpose and dataWhat workflow depends on the system, and which PHI categories are created, received, maintained, or transmitted?Practice management, charting, radiographs, CBCT, intraoral scans, e-prescribing, claims, reminders, lab cases.Owner interview, screenshots, data dictionary, representative workflow, vendor documentation.
Deployment and hostingIs it cloud, local server, workstation, appliance, mobile app, browser extension, or hybrid? Where are production, cache, archive, and backup copies?Local imaging database with cloud backup; browser PMS with scan exports on a shared drive.Architecture note, system configuration, storage path, contract, backup scope.
Identity and privilegeHow are users authenticated, provisioned, changed, terminated, and reviewed? Which support or service accounts bypass normal roles?Shared image-acquisition login; vendor unattended remote agent; local database administrator.User export, role matrix, MFA setting, privileged account list, termination sample.
Interfaces and movementWhat sends or receives data, how is failure detected, and where do queues, exports, or attachments accumulate?Claims attachment portal, lab upload, imaging bridge, patient reminder feed, accounting export.Interface diagram, transmission settings, queue review, error log, owner assignment.
Logging and investigationWhich events are logged, who can retrieve them, how long are they retained, and can unusual access be reconstructed?Chart access, image deletion, administrative changes, bulk export, support session.Audit-log sample, retention setting, review ticket, alert, investigation procedure.
Recovery and continuityWhat must be restored, in what order, to what recovery objective, and when was the full workflow last tested?Database, image repository, license server, templates, scanner configuration, encryption keys.Restore-test record, downtime exercise, contact list, recovery sequence, lessons learned.
Vendor governanceDoes a BAA apply, which subcontractors are involved, how quickly must an incident be reported, and how are retained copies handled at termination?Cloud PMS, image hosting, support provider, statements, backup, analytics.BAA, security review, subprocessor list, incident clause, deletion confirmation.

Inventory validation method

Compare four views: staff interviews, network and endpoint discovery, identity or license exports, and financial/vendor records. Differences matter. A paid subscription absent from the system list, an installed program absent from invoices, or an account absent from the workforce roster can reveal shadow systems and unmanaged access.

Inventory reconciliation

Find Dental PHI Copies That Do Not Appear in the Main Application

Endpoint discovery

Review installed software, local databases, acquisition folders, scan destinations, browser downloads, print-to-file locations, remote-support tools, mapped drives, temporary exports, and removable media. Compare findings with the authorized software and device inventory.

Identity and license discovery

Export users, roles, administrator accounts, service accounts, API tokens, inactive users, vendor accounts, and licensed modules. Reconcile them to current workforce and vendor rosters. Investigate generic accounts and identities that cannot be tied to an owner.

Network and interface discovery

Identify servers, appliances, imaging devices, scanners, workstations, cloud endpoints, file shares, remote access, and data exchanges. Record protocols, encryption, authentication, firewall paths, queue monitoring, time synchronization, and logging.

Vendor and finance discovery

Review invoices, subscriptions, credit-card charges, procurement records, contracts, BAAs, and support tickets. This often reveals reminder tools, image portals, e-fax, cloud storage, analytics, statements, backup, and abandoned subscriptions absent from technical lists.

Grade every inventory record

Verified means evidence confirms deployment, data, owner, access, interfaces, logging, recovery, and vendor status. Partially verified means material fields are missing. Unverified means the organization relies on assumption. Assign collection work rather than treating every row as equally reliable.

\n

Dental Practice Management Systems to Review

Practice-management platforms and deployment models

Dental practices commonly use practice-management systems such as Dentrix, Eaglesoft, Open Dental, Curve Dental. Each product has different deployment models, integrations, backup needs, user permissions, and audit options.

Configuration determines the actual risk

The question is not whether a product is popular. The question is how the specific office has configured it, where the data resides, who has access, what gets exported, and whether PHI is protected across local and cloud locations.

Dental Imaging, Scanner, and Specialty Platforms

Imaging and specialty workflow scope

Dental imaging and specialty workflows may involve platforms such as Carestream Dental, DEXIS, iTero, Epic. These systems may store X-rays, CBCT images, intraoral scans, exports, case files, and referral attachments outside the main practice database.

Local storage and remote support require review

Review where images and scans are saved, whether exports land on local workstations, how vendors connect remotely, whether backups include the right folders, and whether staff can identify every place patient information is copied.

PHI Locations Dental Offices Often Miss

Hidden repositories beyond the patient chart

Look for PHI in local imaging folders, scanned forms, insurance attachment folders, referral attachments, exported PDFs, treatment-plan print files, QuickBooks notes, front-desk desktops, shared network drives, old server shares, backup disks, remote-access tools, text reminder platforms, email archives, and cloud sync folders.

Device exports remain protected information

Intraoral scanners, CBCT devices, digital X-ray tools, and image viewers may store copies outside the main practice management database. Those copies still matter.

Fields That Make a Dental Software Record Actionable

Fields that make the inventory actionable

For each application, document product name, vendor, deployment type, local or cloud storage, PHI types, user roles, administrator accounts, MFA support, audit logging, backup coverage, encryption status, vendor remote access, BAA status, integration points, export locations, and last review date.

Events that trigger an inventory update

The inventory should be reviewed when software changes, a new location opens, staff roles change, vendors change, or a breach or ransomware event occurs.

Local Versus Cloud Risk

Local-system exposure

Local systems may create risk through unpatched servers, weak backups, exposed remote access, shared folders, and workstation downloads. Cloud systems may create risk through weak admin controls, missing MFA, unclear BAA status, risky integrations, and unreviewed exports.

Cloud responsibility is still shared

A good dental HIPAA review considers both models. Cloud does not remove responsibility, and local servers do not automatically make data safer.

Dental Software Evidence Ledger

Use this scrollable worksheet as a starting structure for PHI mapping. It is not a substitute for a full assessment, but it helps teams collect the right evidence.

AreaPHI or ePHI RiskEvidence to Review
Practice management / EHRCharts, demographics, insurance, treatment, billingUsers, roles, MFA, audit logs, backup scope, BAA
Imaging / X-ray / scannerImages, scans, referrals, exportsLocal folders, exports, retention, workstation encryption
Email and cloud storageAttachments, referrals, patient communicationSharing controls, MFA, retention, DLP, training
Billing and clearinghouseClaims, insurance, payment recordsBAA, access, transmission security, reports
BackupsDatabases, file shares, images, mailboxesRestore tests, isolation, encryption, retention
Remote accessVendor support paths, admin accessMFA, approval, logging, termination
Workstations and laptopsCached reports, downloads, scansEncryption, EDR, patching, timeout, disposal
Paper and scanned recordsIntake, consents, insurance cardsScanning workflow, disposal, storage, retention

Build the Inventory From Data Flows and Dependencies

Record the technical dependency chain

For every dental platform, identify database server, file shares, acquisition PCs, image repositories, cloud tenant, integration services, license server, scanner or sensor drivers, backup jobs, remote-support tool, DNS and internet dependency, and administrator ownership. A product name alone cannot show whether the office can secure or recover it.

Record every routine export

Ask where staff save claim attachments, treatment plans, X-rays, referral packages, patient lists, finance reports, scanner cases, and vendor troubleshooting files. Document default export folders, cloud sync, removable media, retention, deletion, and backup coverage.

Validate the Inventory With Evidence

Observe a real workflow, inspect configured paths, compare user and administrator lists, review vendor remote access, confirm BAA status, trace backup jobs, and perform a sample restoration. Record unsupported versions, shared accounts, local PHI, missing encryption, excessive privilege, absent logging, and dependencies with no owner.

The inventory should become an operational register with system owner, data owner, vendor contact, recovery tier, patch responsibility, evidence link, last review, and next action—not a one-time spreadsheet.

Use Risk Analysis to Decide Inventory Depth

The inventory is an input to risk analysis, not a replacement for it. It should be detailed enough to identify reasonably anticipated threats and vulnerabilities.

HHS risk analysis

HHS describes scope, data collection, threats, vulnerabilities, likelihood, impact, and documentation considerations. Review risk-analysis guidance

NIST HIPAA resource guide

NIST provides sample activities for asset management, information flow, access, protection, detection, response, and recovery. Use NIST SP 800-66r2

Questions About Dental Software and PHI Inventory

Should dental software vendors provide HIPAA documentation?

Dental offices should request relevant security, privacy, BAA, backup, audit, and access-control documentation from vendors when PHI is involved.

Can PHI be stored locally even if the main system is cloud based?

Yes. Exports, scans, images, reports, email attachments, and synced files can create local PHI copies.

What is the first step?

Create a PHI software inventory and map every system, device, export path, backup location, and vendor connection.

Turn the Dental Software List Into a Governed Risk Record

OC Security Audit can help discover dental applications, devices, interfaces, vendors, PHI locations, privileges, logging, backup dependencies, and evidence gaps.

IT Perfection can support implementation such as endpoint standardization, server and network remediation, Microsoft 365 controls, backup testing, monitoring, patching, and lifecycle management.