Dental Office Compliance and Risk Management:  You Don’t Know What You Don’t Know


Most practicing dentists learn very little in dental school about the myriad of safety and privacy rules that govern the operation of a dental office, yet all must comply with these rules and be able to demonstrate compliance.  How, then, are practicing dentists supposed to hit all of their marks compliance- and risk-wise when they are trained to focus on clinical matters and have other, seemingly more pressing practice management responsibilities?

Below is a short summary of the applicable compliance requirements but, just as you would refer out to a subject matter expert when a clinical issue requires more specialization, it may be advisable to do the same when dealing with technical compliance- and risk-management-related areas that are out of your comfort zone.


OSHA STANDARDS – These are federally mandated (and sometimes state-specific) standards for protecting the safety and health of dental employees. They address such topics as:

Bloodborne Pathogens – Dental Offices should have in place the following plans and/or perform the following actions to mitigate risk of exposure to Hepatitis B and C and HIV, among others:

  • Exposure Control Plan (ECP) that clearly describes:
    • How to determine when employees have been exposed to bloodborne pathogens
    • Precautions for mitigating exposures, which include:
      • Standard precautions such as proper hand hygiene, PPE use, cough etiquette, sharps safety, injection practices and sterilization of instruments and devices.
      • Engineering controls, such as sharps disposal containers, rubber dams, needleless or shielded needle devices and high volume evacuators, and an annual evaluation of newer and potentially safer engineering controls available in the market.  
      • Workplace controls, such as single-handed recapping of dental needles, discarding contaminated needles in sharps containers, and eliminating the storage of food and drink in closed spaces or on countertops where blood or saliva may be present.
      • PPE, which includes when and where to use and how to clean/dispose of gowns, gloves, masks, protective eyewear and face shields.
    • Housekeeping, such as when and how to clean equipment and work surfaces and the proper use of utility gloves. 
    • Hepatitis B Vaccinations, which employees should be able to get free-of-charge unless they decline the vaccination using language specifically prescribed by OSHA.
    • Post-Exposure Evaluations and Follow-Up, including how to obtain consent and test for HBV, HCV and/or HIV as well as documenting the exposure.
    • Communication of hazards to employees and training, particularly of the tasks and activities that may involve exposures (bloodborne pathogens, hazardous chemicals, radiation, etc.) and their responsibilities and rights under the ECP.
    • Recordkeeping, including documentation and retention for 30 years post-employment of medical records of employees who have been exposed. 

Hazard Communications – Dental Offices should have in place the following plans and/or perform the following actions to protect employees from chemical hazards in the workplace:

  • List of, and Safety Data Sheets for, hazardous chemicals in the office, all readily accessible to employees
  • Labeling of hazardous chemicals on containers that are not the original containers, all per OSHA standards, as well as proper biohazard labeling
  • Employee Training for the proper handling of hazardous chemicals

Ionizing Radiation – Dental Offices should have in place the following plans and/or perform the following actions to limit employee exposures to radiation:

  • SOPs for the proper operation and maintenance of x-ray machines
  • Employee training on radiation safety practices, including successful completion of a radiation safety course
  • Monitoring of baseline exposures
  • “Caution-X-Ray” signs in areas or rooms with x-ray equipment
  • State registration of all x-ray machines
  • Periodic inspections of x-ray machines

Exit Routes – Dental Offices should have in place the following plans and/or perform the following actions to provide safe and accessible building exits in case of fire or other emergency:

  • Assessments to confirm there are:
    • At least two exit routes that are unobstructed, well-lit and properly labeled with EXIT signs
    • Diagrams of exit routes posted in visible locations
    • Emergency alarm systems in place

OSHA Posters – Dental offices should prominently display the required Federal and State OSHA posters that explain worker rights to a safe workplace and how to file a complaint. 

CDC INFECTION CONTROL GUIDELINES – These are federal guidelines (but requirements in many States) for ensuring that dental offices have and follow infection control policies and practices to provide safe care to patients and a safe working environment for employees.  As you’ll see, there is some redundancy with OSHA requirements, a consistent theme of employee training and, in some cases, identification of a person responsible for certain functions.  Measures suggested/required by these guidelines include:

Administrative Measures

  • Written infection control policies that are reviewed at least annually and updated as necessary
  • Assignment of an Infection Control Coordinator, who is responsible for coordinating implementation of effective infection control practices 
  • Adequate Supplies, such as hand hygiene products, safer devices to protect against sharps injuries and PPE
  • Patient screening, including taking medical histories and posting cough etiquette signs

Prevention and Training 

  • Employee training on infection control policies, at hire as well as annually
  • Immunization records for employees (Hep. B, MMR, Tdap, etc.)

Employee Safety

  • Exposure Control Plan and Employee Training on Bloodborne Pathogens
  • Hepatitis B and Flu Vaccinations offered
  • Sharps Logs to document sharps exposures
  • Treatment and follow-up for occupational exposures
  • Policies on who employees should contact when they are exposed to patients with transmissible conditions
  • Policies on proper hand hygiene, sterilization monitoring and PPE

Hand Hygiene

  • Adequate supplies of soap, water, paper towels, alcohol-based hand rub
  • Employee training on signs of hand antisepsis and surgical hand antisepsis

Personal Protective Equipment (PPE)

  • Adequate supplies of PPE, including gowns, examination gloves, face masks, eyewear/face shields, utility gloves, etc.
  • Employee training on the proper use and disposal of PPE depending on their role

Respiratory Hygiene/Cough Etiquette 

  • Posting signs at entrances, for the benefit of patients
  • Availability of tissues, no-touch receptacles, hand sanitizer and face masks
  • Adequate space in the waiting room

Sharps Safety

  • Policies for exposure prevention and post-exposure management
  • Annual evaluation of devices with engineered safety features 

Safe Injection Practices

  • Written policies governing the same, including how to prepare injections using the aseptic technique in a clean area

Sterilization/Disinfection of Patient Care Items and Devices

  • Policies (such as SOPs) on how to clean instruments and devices before use on another patient as well as reprocessing instructions for reusable instruments and devices
  • Employee training on reprocessing reusable instruments and devices as well as what is single-use
  • Maintenance of sterilization equipment and documentation regarding the same
  • Sterilization monitoring of autoclaves using a combination of mechanical (i.e., record cycle time, temperature and pressure as displayed on the sterilizer gauges for each instrument load), chemical (i.e., indicator tapes for each instrument load) and biological (i.e., spore-testing) indicators

Environmental Infection Prevention and Control

  • Policies (such as SOPs) on how to clean and disinfect clinical surfaces as well as the decontamination of bloodborne pathogens

Dental Unit Water Quality

  • Policies for regular testing of water lines so that they meet EPA standards for drinking water/routine dental treatment output water
  • Policies for using sterile water when performing surgical procedures

STATE DENTAL BOARD REGULATIONS – These are licensing, safety and operational requirements for dental offices that generally address such topics as: 

Licensing, Training and Continuing Education requirements, for dentists, hygienists and/or dental assistants as well as for certain functions (e.g., radiology)

Posting of Licenses and Permits in the office

Infection Control as well as Occupational Health and Safety and Radiation Control requirements, often mirroring the requirements of the CDC and OSHA

Administration of Controlled Substances

What Dentists may not do (e.g., in MA, Botox for non-dental-related treatment)

What Dental Hygienists and Dental Assistants may and may not do, both in and out of the presence of dentists

Patient Records, including required content, availability and retention

Need for medical emergency protocols, including emergency drug kits, communication plans and employee training

Required and prohibited advertising practices 

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) – These are federal requirements that govern the use and disclosure of patient protected health information (PHI) and provide patients with certain rights over their own PHI.  Requirements include the following:

Written policies and procedures for identifying and protecting patient PHI.  Protection should include administrative, technical and physical safeguards.

Delivery to patients and posting of a HIPAA Privacy Notice that informs patients about how your office uses and discloses PHI and what rights patients have with respect to their own PHI

Assignment of a HIPAA Privacy Officer and HIPAA Security Officer (who may be the same person) to implement and assess the effectiveness of the office’s privacy and security practices

Employee training on HIPAA and office-specific practices and responsibilities, either provided or arranged by the HIPAA Privacy/Security Officer

Identification of and Agreements with Business Associates who may have access to patient PHI and contractually need to protect it 

Annual Security Assessment, to document what PHI the office maintains, where it is located and whether it is safe given current protections

STATE DATA PRIVACY LAWS – These are State-specific privacy and security laws designed to protect personal identifying information (PII) of both State-resident patients and employees that may be considered a valuable asset by hackers (e.g., social security numbers, bank account numbers, credit card numbers, etc.).  As with HIPAA, there generally is a requirement to conduct an Annual Security Assessment to document what PII the office maintains, where it is located and whether it is safe given current protections.


As you can see from the above, there are numerous rules from several authorities that may be difficult to interpret and are subject to change from time to time.  How can a dentist and his/her staff approach and succeed at the task of compliance?   Below are what we consider to be best practices for dental offices:

TONE AT THE TOP – The dentist and/or practice owners must instill a culture of compliance and risk management.  They must convey to staff that adherence to the various rules is not only a requirement but in the best interest, healthwise, of patients and staff and, reputation-wise, of the office.  One good way for a dentist/practice owner to be taken seriously is to lead by example and walk the walk.  Nobody’s going to listen to a leader who doesn’t follow the same rules that s/he is espousing.

ASSIGNMENT OF RESPONSIBILITIES/ACCOUNTABILITY FOR STAFF – Every office should assign a single person to be the Infection Control Coordinator (ICC), responsible for implementing and assessing the effectiveness of the office’s infection control policies and practices.  Additionally, every office should assign one or two people to undertake the responsibilities of the HIPAA Privacy Officer and Security Officer.  These staff members should be familiar with the operations of the practice, have sufficient authority to enforce the office’s policies and fully understand their responsibilities as described in the ECP (for the ICC) and HIPAA Compliance Manual (for the Privacy/Security Officer).  These two responsibilities are too important and fundamental to the safety and security of the office to leave to all employees.  When everybody is responsible in theory, nobody is responsible in practice.

EMPLOYEE TRAINING – As noted above, employee training is a requirement and key feature of many of the regulations.  Some best practices for training are the following:

  • Don’t try to cover too much in a given sitting – People’s attention spans are limited.  Shorter is often better.
  • Spread out the training throughout the year – Consider focusing on infection control concepts one month, emergency training another month, etc.  It may be useful to put these on a schedule so you can confirm that you cover everything and have time to prepare for each training session. 
  • Focus on office-specific and emerging issues – General training is fine but it may be more interesting to focus on issues pertinent to the office.  For example, if bacteria in water lines is in the news, spend time at a staff meeting discussing how and when the staff should be conducting water testing and water shocking as well as where staff can go if they have questions.  Additionally, if the Office for Civil Rights (which enforces HIPAA) is penalizing offices for not responding quickly enough to patient requests for access to their own PHI, discuss what staff should do when a patient requests access and how to document fulfillment of that request.
  • Feel free to bring in experts – If you don’t feel knowledgeable or comfortable enough with a given requirement, ask a subject matter expert (such as a compliance consultant) to virtually attend a staff meeting so s/he can help you educate the staff.  You don’t have to do this on your own.    

HAVE A SCHEDULE OF WHAT COMPLIANCE ACTIVITIES YOU NEED TO ACCOMPLISH AND WHEN – Some tasks (like logs) need to be done routinely while others (like security assessments) only have to be done once a year.  By putting these tasks on a calendar, you’ll make sure that nothing falls through the cracks.  If you’re unsure whether everything you need to do is somewhere on your calendar, ask a compliance consultant to review it for completeness.  As you can see, there are many tasks to undertake throughout the year and it can be daunting to think about.

DOCUMENT EVERYTHING – To an OSHA or Board inspector, nothing exists unless it is written down.  As painful as it may seem to write things down in real time, it can save you a lot of time and aggravation later.  Additionally, the practice of documenting compliance and risk management activities will help instill a culture of compliance.