
The Hygienist Who Left Six Months Ago Probably Still Has Access to Your Practice’s Patient Records

Key Takeaways:

  • The hygienist who left your Fort Wayne or Warsaw practice last fall almost certainly still has at least one active credential somewhere — Dentrix, the patient portal, the imaging software, the front-desk shared login, or the recall system. This isn’t a worst-case scenario. It’s just what most small dental practices look like.
  • Offboarding in a small practice happens during the workday, between patients, with the office manager handling it on top of everything else. That’s not a flaw in the office manager — it’s a flaw in the workflow. A checklist fixes it. More dedication won’t.
  • HIPAA’s Security Rule requires that access be terminated when employment ends. “We meant to but it was busy” doesn’t hold up in an audit or a breach investigation.
  • A 30-minute audit at your desk — no software purchases, no awkward conversations — will tell you exactly how many former staff members still have active access. Most office managers are surprised by the number.
  • When you bring the audit results to the doctor, you’re not raising a worry — you’re giving a briefing. “Here is who still has access to what” is a business conversation. “I think we might have a problem” is not.

If you’re the office manager at a small Fort Wayne or Warsaw dental practice, picture the last hygienist who left. The one who moved to a bigger practice across town in October, or relocated out of state in November to be closer to family. You transitioned her recalls, reassigned her patients, and missed her because she was good. You planned to clean up her system access. You probably got the obvious ones — the front desk login, maybe Dentrix. The rest is still out there.

The patient portal admin account she used. The Eaglesoft shortcut on the operatory computer. The VOIP system she logged into for the answering service. The imaging software vendor portal where she set up new patient records. The recall reminder service that still emails patients from her login.

This doesn’t mean you forgot. Nobody actually knows everywhere she had access — because that list was never documented in one place. The practice grew, the software grew, and the vendor list grew right along with it. In our experience working with practices across northeast Indiana, this is the norm, not the exception.

The reason it matters right now is that HIPAA enforcement and cyber insurance applications have started asking about this directly. Indiana’s 45-day breach notification rule kicks in the moment you learn that patient records have been improperly accessed. “She still had Dentrix access six months after she left and we didn’t know” is exactly the kind of situation that rule was written for.

Indiana dental practices aren’t exempt from HIPAA enforcement, either. Westend Dental in Indianapolis paid $350,000 to the Indiana Attorney General in 2024 after a ransomware breach went unreported for two years — a case that started because a patient couldn’t get their records. The lesson isn’t limited to ransomware: any gap in your HIPAA controls, including access termination, is a real liability. (Source: HIPAA Journal)

The good news: the first step costs nothing and starts at your desk.

Why does this happen at every small dental practice?

Three reasons, all structural — none of them about you.

Offboarding happens during the workday. When a hygienist gives notice, you don’t get a quiet afternoon to sort through the transition. You have a full schedule, insurance questions, and someone waiting on a delivery. Offboarding gets done in the gaps. The big systems get handled. The small ones get missed.

Vendor logins multiply faster than anyone tracks. A small Fort Wayne or Warsaw dental practice can easily accumulate 25–40 vendor logins over time, and hygienists may have direct access to a significant portion of them — often set up on the spot when a vendor needed credentials and you were the one at the desk.

Shared logins are everywhere. The front-desk computer that everyone logs into the same way. The Dentrix supervisor account the doctor and office manager both use. When someone leaves, shared credentials don’t get deactivated — they just keep working.

How many former staff members still have access at a typical practice?

It depends on how long the practice has been running and how much turnover you’ve had. But the pattern is consistent across practices in the area.

Typical access still active at a 5–7 person dental practice

Time since separation | Likelihood of at least one active credential | Most common system still active
Within last 30 days | Very high (almost certain) | Front-desk shared login, vendor portals
1–6 months ago | High | Patient portal, recall service, imaging vendor
6–12 months ago | Moderate to high | Vendor portals, MFA-less email aliases
1–2 years ago | Moderate | Forgotten vendor portals, shared logins
More than 2 years ago | Lower but real | Vendor portals nobody remembers exist

A practice with five years of history and a few hygienist departures may have far more active credentials from former employees than anyone expects. Most office managers guess one or two when asked, and turn up several more when they actually look.

What does HIPAA actually require for offboarding?

The HIPAA Security Rule includes a specific administrative safeguard called “Termination Procedures” that requires access to electronic protected health information (ePHI) to be terminated when employment ends. The rule doesn’t prescribe exactly how — just that you have to do it, and that you need to be able to show you did.

An update to the HIPAA Security Rule is currently proposed and could be finalized as early as May 2026. If it moves forward, compliance deadlines are expected to fall in late 2026 or into 2027. The proposed changes would make more controls explicitly mandatory and require documented evidence that processes like access termination were actually followed — not just that a policy exists on paper. (Source: HIPAA Journal)

“We meant to” is not a documented control. A checklist that gets initialed and dated on the day of separation is. The difference matters in an OCR audit, a breach investigation, and a cyber insurance claim review.

For more on Indiana’s breach notification requirements, see the Indiana Disclosure of Security Breach Act (IC 24-4.9).

How do I audit our current state without making this bigger than it needs to be?

Thirty minutes at your desk. Open a blank spreadsheet and make four columns: System, Last person who left with access, Status (active / deactivated / unknown), Action needed.

Work through your systems in this order:

Offboarding Audit — Working Order

Tier | Systems to Check
Tier 1 — Practice Management & Clinical | Dentrix / Open Dental / Eaglesoft · Imaging software (Dexis, Sirona, etc.) · Patient portal (admin access)
Tier 2 — Front Office Operations | Email accounts and aliases · Phone / VOIP system logins · Insurance claims clearinghouse · Recall reminder service
Tier 3 — Vendor Portals | Dental supply vendors · Lab portals · Equipment service portals · Banking / merchant services
Tier 4 — Shared Logins | Front-desk shared computer login · Dentrix supervisor account · Any login where multiple staff shared the same credentials

For each system, mark whether the last departed staff member who had access has been deactivated. If you’re not sure, mark “unknown” — that’s the honest answer, and it’s the one you need most.

You’ll end up with a list. It will be uncomfortable in places. It will also probably be the most useful document the practice has produced this quarter.

How do I bring this to the doctor without it sounding like a complaint?

The same way you’d bring any operational issue: lead with the data.

“Doctor, I did a quick audit this week of every system we use and who still has access from past employees. Here’s what I found. Here’s what I think we should address in the next 30 days, and what can wait until the end of the quarter. Here’s roughly what it takes in time.”

That’s a briefing. Doctors handle briefings about supply costs, insurance reimbursements, and staffing every week. A HIPAA access briefing fits right in that category.

“I’m worried about HIPAA” is a worry. Worries get acknowledged. Briefings get action. The audit is what makes the difference.

Want help reading what your audit found?

After 30 minutes at your desk, you’ll have a list of systems and statuses. What comes next is figuring out what needs immediate attention, what’s a quarterly project, and what can wait — without turning it into a vendor pitch for software you don’t need yet.

We have that conversation a lot. No pitch, no follow-up sequence.

Call Aptica: (260) 243-5100  |  Schedule a free 15-minute conversation

Frequently Asked Questions

Does changing the office Wi-Fi password revoke a former employee’s system access?

No. Dentrix, the patient portal, and vendor portals are all cloud-based and accessed over the internet — not through your office network. A former hygienist with active credentials can sign in from anywhere. Changing your Wi-Fi password is still a reasonable security step for other reasons, but it doesn’t solve the offboarding problem.

How fast does HIPAA expect us to terminate access?

The Security Rule doesn’t specify an exact number of hours. The expectation is “as soon as reasonably possible after separation.” In practice, OCR investigations look for same-day or next-business-day deactivation for clinical systems, and within-the-week deactivation for non-clinical vendors. Documentation matters as much as speed.

Does Indiana require patient notification for unauthorized access to records?

Possibly, depending on what was accessible and for how long. Indiana’s 45-day notification rule (IC 24-4.9) is triggered by knowledge of unauthorized access, not by evidence of misuse. This is a question for your attorney or a HIPAA-experienced advisor — not something to sort out from a dental newsletter. Document what you find and ask early.

What is the difference between deactivating an account and deleting it?

Deactivating means the account exists in the system but can’t be used to log in. Deleting removes it entirely. For HIPAA and audit purposes, deactivation is usually the right move — it preserves the audit trail of what the user did while employed, which the Security Rule expects you to retain for six years.

Does a small dental practice need a written HIPAA offboarding checklist?

Yes — especially if you’re a small practice. A written checklist is the difference between “we usually remember” and “we documented our termination procedures.” The checklist itself is the control. It doesn’t need to be elaborate — a one-page document with system names and a place for a signature and date does the job.

About Aptica

Aptica is a locally owned IT provider serving manufacturers, distributors, engineers, healthcare practices, and professional services firms across Northern Indiana, Southern Michigan, and Northwest Ohio. Founded in 2003 and based in Angola and Fort Wayne. BBB Accredited, A+ rated.

Angola: 113 E Maumee St, Angola, IN 46703 · (260) 243-5100
Fort Wayne: 1690 Broadway, Bldg 19, Suite 10, Fort Wayne, IN 46802 · (260) 243-5182
Web: apticallc.com
Email: info@apticallc.com

Call us. We answer the phone.
