
Legal templates

HIPAA / GDPR / LGPD compliance checklist

Practical compliance for dental clinics and imaging centers that handle sensitive health data

Public template

This checklist covers the principles common to HIPAA (US), GDPR (EU), LGPD (Brazil) and equivalent laws in LATAM. It does not replace specific legal advice for your jurisdiction and business model.

Radiology images and clinical patient data are sensitive health data — the most strictly regulated category under modern data protection laws. This checklist helps you audit your level of compliance in a practical way, without unnecessary legal jargon.

Why it matters

Under GDPR, the maximum fine is 20 million euros or 4% of global annual turnover, whichever is higher. Under HIPAA, civil penalties are tiered by level of culpability, from USD 100 to USD 50,000 per violation with an annual cap of USD 1.5 million per provision violated (base figures, adjusted for inflation each year). But more important than the fines: patient trust. A single leak of medical images can destroy a reputation built over years.

1. Data inventory and classification

  • I identify what sensitive health data (PHI / special category) my clinic handles: patient name, date of birth, identifiers, DICOM images, radiology reports, clinical history, insurance data
  • I have a record of processing activities (ROPA per GDPR Art. 30 / local equivalents) with: what data, purpose, legal basis, retention period
  • I know where data is physically stored (on-premise server, cloud, third-party provider, paper) and in which jurisdictions

2. Legal basis for processing

  • Each data processing activity has a documented legal basis (explicit patient consent, healthcare contract, legal obligation, vital interest)
  • For consent-based processing: consent is freely given, specific, informed and unambiguous — and can be withdrawn at any time
  • Data is used only for the purposes disclosed to the patient; any secondary use (research, marketing, training) requires an additional legal basis

3. Patient rights

  • There is a clear channel to exercise rights (dedicated email, web form): access, rectification, objection, portability, erasure
  • The response time for rights requests is documented (one month under GDPR, extendable by two further months for complex requests; 30 days for access requests under HIPAA, with one 30-day extension)
  • There is a procedure to deliver data in a portable format (DICOM, PDF, etc.) when the patient requests it
  • There is a procedure to delete data at the close of the care cycle (respecting legal minimum retention periods for clinical records)

4. Encryption and technical security

  • Data in transit is encrypted (TLS 1.2+ on any communication with servers, including DICOM transfers between modality, PACS and viewer, which are unencrypted by default)
  • Data at rest is encrypted (AES-256 or equivalent) in databases and DICOM file storage
  • Passwords are stored hashed with a secure algorithm (bcrypt, Argon2), never in plain text
  • Two-factor authentication is in place at least for administrative access, and ideally for every account that can view patient data
  • Backups are encrypted and restorations are tested periodically

5. Access control

  • Each team member has their own personal account (accounts are not shared)
  • Permissions follow the principle of least privilege: each user only accesses what they need for their role
  • Access is revoked immediately when an employee leaves the clinic
  • There is an audit log of who accessed what data and when
  • Passwords have a minimum length, are checked against lists of known breached passwords, and are changed on suspected compromise (forced periodic expiration is no longer recommended by NIST SP 800-63B)

6. Vendors and subprocessors

  • I have identified all vendors that process sensitive data on my behalf (cloud DICOM viewer, patient management, accounting, transactional email, etc.)
  • There is a signed Data Processing Agreement (DPA) with every vendor that acts as a Processor (under HIPAA, the equivalent is a Business Associate Agreement, BAA)
  • Vendors have reasonable certifications (SOC 2, ISO 27001) and are listed in my privacy policy
  • If I transfer data to third countries, I have valid transfer mechanisms in place (European Commission Standard Contractual Clauses, adequacy decision, etc.)

7. Breach notification

  • There is a documented breach response procedure
  • I know the deadlines: under GDPR, 72 hours from becoming aware of the breach to notify the supervisory authority, and without undue delay to notify affected patients when the risk to them is high; under HIPAA, without unreasonable delay and no later than 60 days after discovery
  • My SaaS provider (DICOM viewer, management system) is contractually obliged (in the DPA / BAA) to notify me if there is a breach in their infrastructure
  • I have a notification template ready for the patient and the authority

8. Legal documentation

  • I have a public, up-to-date privacy policy
  • I have a privacy notice / privacy statement to show the patient at the start of treatment
  • I have specific informed consent for CBCT and other studies
  • I have an up-to-date record of processing activities (ROPA)
  • I have a Data Protection Impact Assessment (DPIA) for high-risk processing where applicable

9. Staff training

  • All staff received initial data protection training upon joining
  • There are periodic refreshers (at least annually)
  • Staff know how to spot a phishing email and who to alert
  • Staff know what sensitive data is and how to handle it (no DICOM photos on personal WhatsApp, no leaving the workstation unlocked, etc.)

10. Sharing data with patients and colleagues

  • When I share a study with the patient or a colleague, I use a secure channel (unique tokenized link, not a public direct download)
  • If I use WhatsApp/email to communicate, I verify the recipient before sending
  • When a colleague requests data on a shared patient, I verify the patient's authorization or rely on the corresponding legal basis
  • Sharing links have an expiration date and/or can be revoked
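The tokenized, expiring, revocable sharing link this section describes, with the optional PIN stored hashed rather than in plain text (the same rule section 4 applies to passwords), as an added Python example. This is illustrative code written for this page, not CBCTHub's implementation: the in-memory store, the study identifiers, the timestamps and the PIN are constructed for the demo, and scrypt from the standard library stands in for Argon2 or bcrypt. Only a SHA-256 hash of the token is kept server-side, so a copy of the table alone does not yield a usable link, and every access decision is written to an audit list so that "who accessed what and when" can be answered.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class ShareLink:
    study_id: str
    token_hash: bytes          # SHA-256 of the token; the raw token is never stored
    expires_at: float          # Unix timestamp after which the link is dead
    pin_salt: Optional[bytes] = None
    pin_hash: Optional[bytes] = None
    revoked: bool = False


class ShareLinkStore:
    """In-memory stand-in for the application's database table (assumption)."""

    def __init__(self) -> None:
        self._links: dict = {}
        self.audit_log: list = []   # (timestamp, event, study_id or None)

    @staticmethod
    def _hash_token(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        # scrypt is in the standard library; Argon2 or bcrypt are equivalent choices.
        return hashlib.scrypt(pin.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)

    def create(self, study_id: str, ttl_seconds: int, pin: Optional[str] = None,
               now: Optional[float] = None) -> str:
        """Mint a link token. The raw token is returned exactly once, to go in the URL."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits of entropy, not guessable
        link = ShareLink(study_id=study_id,
                         token_hash=self._hash_token(token),
                         expires_at=now + ttl_seconds)
        if pin is not None:
            link.pin_salt = secrets.token_bytes(16)
            link.pin_hash = self._hash_pin(pin, link.pin_salt)
        self._links[link.token_hash] = link
        self.audit_log.append((now, "link_created", study_id))
        return token

    def revoke(self, token: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        link = self._links.get(self._hash_token(token))
        if link is None:
            return False
        link.revoked = True
        self.audit_log.append((now, "link_revoked", link.study_id))
        return True

    def resolve(self, token: str, pin: Optional[str] = None,
                now: Optional[float] = None) -> Optional[str]:
        """Return the study_id the token grants access to, or None if access is denied."""
        now = time.time() if now is None else now
        link = self._links.get(self._hash_token(token))
        if link is None:
            self.audit_log.append((now, "denied_unknown_token", None))
            return None
        if link.revoked:
            self.audit_log.append((now, "denied_revoked", link.study_id))
            return None
        if now >= link.expires_at:
            self.audit_log.append((now, "denied_expired", link.study_id))
            return None
        if link.pin_hash is not None:
            # compare_digest keeps the comparison constant-time
            if pin is None or not hmac.compare_digest(
                    self._hash_pin(pin, link.pin_salt), link.pin_hash):
                self.audit_log.append((now, "denied_bad_pin", link.study_id))
                return None
        self.audit_log.append((now, "access_granted", link.study_id))
        return link.study_id


def demo() -> dict:
    """Walk through the link lifecycle with constructed data and fixed timestamps."""
    store = ShareLinkStore()
    t0 = 1_700_000_000.0
    plain = store.create("study-0001", ttl_seconds=24 * 3600, now=t0)
    pinned = store.create("study-0002", ttl_seconds=24 * 3600, pin="4821", now=t0)
    results = {
        "valid": store.resolve(plain, now=t0 + 3600),
        "expired": store.resolve(plain, now=t0 + 25 * 3600),
        "pin_missing": store.resolve(pinned, now=t0 + 3600),
        "pin_wrong": store.resolve(pinned, pin="0000", now=t0 + 3600),
        "pin_ok": store.resolve(pinned, pin="4821", now=t0 + 3600),
    }
    store.revoke(pinned, now=t0 + 7200)
    results["revoked"] = store.resolve(pinned, pin="4821", now=t0 + 7300)
    results["audit_events"] = len(store.audit_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `now` parameter exists only so that expiry can be exercised deterministically; in production it defaults to the clock. A real deployment would also rate-limit PIN attempts per link, since a four-digit PIN is only as strong as the lockout around it.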

11. Retention and deletion

  • I know the legal minimum retention period for clinical records in my jurisdiction (typically 5–15 years in LATAM, depending on the country)
  • After the legal period, data is permanently deleted (also from backups and vendors)
  • I have a procedure to respond to "right to be forgotten" requests where applicable
  • Physical records are destroyed by a secure method (shredder, not regular trash)

12. Formal designations

  • If my clinic is required to (under GDPR, when core activities involve large-scale processing of health data; check the local equivalent), I have appointed a Data Protection Officer (DPO), published their contact details and communicated them to the supervisory authority
  • Under HIPAA: I have appointed a Privacy Officer and a Security Officer
  • These roles are documented, communicated to the team and published to the patient

Common risks in dental clinics and imaging centers

  • Sharing DICOM via the practice WhatsApp: the staff group has full access to the images. If a phone is lost or the chat leaks, the clinic is liable for that exposure. Always use channels with access control.
  • Receptionist computer without screen lock: leaves the patient list visible to anyone walking by. Auto-lock after a few minutes of inactivity removes most of that risk.
  • Dentist's personal email to send studies: sensitive data on vendors not officially contracted, with no DPA and no traceability. Always use the official system.
  • Backups on an external drive at reception: unencrypted, physically accessible. If the drive is lost, the unprotected data is a serious breach.
  • Shared logins: "the system password is 1234 and the whole team knows it". Impossible to audit who did what. Requires an individual account per person.

How CBCTHub helps you with compliance

  • TLS 1.3 encryption in transit and AES-256 at rest
  • DICOM processing 100% in the user's browser (pixels do not pass through servers)
  • Audit log exportable to CSV (for audits)
  • Data portability per GDPR Art. 20 (full ZIP download)
  • Self-service account deletion
  • Public DPA downloadable at /legal/dpa
  • Individual user account with optional MFA
  • Sharing links with expiration and optional PIN


CBCTHub · cbcthub.com. Reference document; it does not replace professional judgment or the local regulations in force.