Business Continuity Plan Example for a Dental Practice

Written By Chris Ekai

On February 21, 2024, BlackCat ransomware took down Change Healthcare, UnitedHealth’s claims processing subsidiary, and dental practices across the United States stopped getting paid. Around 70% of US offices ran on Change Healthcare claims rails; the average solo practice lost six weeks of cash flow.

The business continuity plan that dental practice owners reached for that morning was, in most offices, either missing, last opened in 2019, or never tested.

The American Dental Association’s Health Policy Institute polling that spring put the number of US practices at risk of closure at 32%. Federal Trade Commission and HHS OCR enforcement files filled with practices that could not even tell the OCR how many patient records were exposed.

Below is a business continuity plan template that a dental practice owner can actually build to after Change Healthcare.

It maps to HIPAA’s contingency plan rule at 45 CFR 164.308(a)(7), to NIST Special Publication 800-34 Revision 1, and to ISO 22301:2019. Each section is sized for a US dental owner with five to fifty staff, not a hospital system.


Figure 1. Business continuity plan dental practice downtime causes that drive the example below. Source: ADA HPI, HHS OCR breach portal, FBI IC3.


The Business Continuity Plan Dental Practice Stakes Right Now

Three numbers frame the business continuity stakes for a US dental practice owner in 2026. The HHS OCR breach portal recorded 167 dental-practice breaches affecting 500-plus patients each between January 2022 and April 2026.

Each entry was a 60-day clock on patient and OCR notification that the owner had to run with no contingency rehearsal.

The second number is dollars. A Sophos State of Ransomware in Healthcare 2024 report put the median recovery cost for a small healthcare provider at $750,000, with 41% of recoveries running over a month.

The third number is staff: an ADA workforce study found 33% of US dental practices reported staffing gaps that materially extended their Change Healthcare recovery clocks.

A business continuity plan that dental practice owners can use addresses all three. It tells the front desk how to schedule patients without the practice management system.

It tells the billing lead how to file claims by paper or alternate clearinghouse. It tells the dentist what clinical work is safe to continue with paper charts and what must be rescheduled or referred out.

Why the Business Continuity Plan Dental Practice Was Missing in 2024

Dental practices sat outside the federal cybersecurity push for a decade. Hospitals and health systems were forced into business continuity discipline by The Joint Commission and CMS Conditions of Participation; dental offices were not.

The result by February 2024 was a sector running on Dentrix, Eaglesoft, and Open Dental with little BCP discipline.

Three structural factors kept a business continuity plan template off dental owners' desks. First, the typical practice is too small for a dedicated risk function.

Second, the HIPAA contingency rule has been on the books since 2003 with weak enforcement until the 2023-2024 OCR push. Third, dental service organization (DSO) consolidation only crossed 30% of US practices recently.

HIPAA Contingency: The Business Continuity Plan Dental Practice Compliance Floor

The HIPAA Security Rule’s contingency plan standard at 45 CFR 164.308(a)(7) is the floor under every dental practice business continuity plan.

It requires a data backup plan, a disaster recovery plan, an emergency mode operation plan, testing and revision procedures, and an applications and data criticality analysis. All five are addressable but operationally enforced through OCR enforcement settlements.

HHS published NIST SP 800-66 Revision 2 in February 2024 as the implementation guide. The revision pulled the dental and small-provider examples forward and aligned the contingency standard to NIST SP 800-34 and the NIST Cybersecurity Framework. Any dental practice business continuity plan template built in 2026 should cite this revision in its scope section.

The dental version of the five HIPAA contingency elements maps cleanly onto a small-practice operating model. Backup means a daily encrypted copy of the PMS plus a weekly off-site copy.

Disaster recovery means a documented restore test. Emergency mode means clinical and billing operations with paper.

Testing means an annual tabletop. Criticality analysis means the BIA in the section below.

The Business Continuity Plan Dental Practice HIPAA Mapping

| HIPAA element | What the rule requires | Dental practice implementation |
|---|---|---|
| Data backup plan | Establish procedures to create and maintain retrievable exact copies of ePHI. | Daily encrypted PMS backup + weekly off-site copy. Verify with quarterly restore test and document the test. |
| Disaster recovery plan | Establish procedures to restore any loss of data. | Documented restore SOP for Dentrix, Eaglesoft, or Open Dental. Includes RTO, vendor contact, and decryption key escrow. |
| Emergency mode operations | Establish procedures to enable continuation of critical business processes for ePHI protection while operating in emergency mode. | Paper appointment book, paper consent forms, paper clinical notes, paper insurance verification scripts ready in printer drawer. |
| Testing and revision | Implement procedures for periodic testing and revision of contingency plans. | Annual tabletop + quarterly functional drill (PMS down, billing down, comms down, staff out). Document tabletop results. |
| Applications and data criticality analysis | Assess the relative criticality of specific applications and data in support of other contingency plan components. | BIA ranks PMS, digital radiography, sterilizer monitoring, claims, and patient comms by RTO. Refreshed annually. |

Table 1. The business continuity plan dental practice HIPAA mapping every US owner should be able to show OCR.

Practices that fail OCR examination on contingency usually fail on the same three elements: no documented restore test, no emergency mode SOP for paper operations, and no annual tabletop.

The OCR’s enforcement highlights page carries dental-specific settlements every quarter through 2025. The dental practice business continuity plan template below treats those three elements as default content, not optional.

Business Continuity Plan Dental Practice: The Threat Inventory

Threat identification is the first analytical move inside the dental practice business continuity plan. Use the approaches and tools for risk identification guide to anchor the exercise. The dental threat inventory has seven recurring categories: cyber, vendor, physical, workforce, clinical, regulatory, and financial.

Cyber is the largest category. Ransomware on PMS, phishing aimed at front-desk staff, and supply-chain compromise via clearinghouse or imaging vendor account for over 75% of dental BCP activations.

The cybersecurity risk management guide anchors the dental control set; CISA’s StopRansomware healthcare guidance carries the dental-specific advisories.

Physical, workforce, and clinical threats fill the rest. A burst pipe in the operatory, a hurricane evacuation in coastal Florida or Texas, a hygienist on extended FMLA, a sterilizer biological test failure, and a single dentist’s medical leave all activate the same plan with different sections.

The business continuity plan risk assessment guide walks the joint identification workshop.

The Business Continuity Plan Dental Practice Threat Register

| Threat | Recent US example | Most likely RTO impact | Owner accountability |
|---|---|---|---|
| Ransomware on PMS | MEDNAX dental subsidiary 2023; LockBit on practice servers 2024. | 8-24 hrs scheduling; 24-72 hrs claims. | Practice owner + IT vendor |
| Clearinghouse / vendor outage | Change Healthcare Feb 2024; Nordic dental imaging cloud outage 2024. | 24-72 hrs revenue cycle. | Office manager + billing lead |
| Phishing / credential theft | BEC against dental front desk; W-2 fraud Jan-Feb peak. | 4-24 hrs operations; 60-day OCR clock if PHI exposed. | Office manager + HIPAA officer |
| Severe weather / fire | Hurricane Helene 2024 NC/SC dental clinic closures; Maui fires 2023. | 72 hrs to 30 days physical closure. | Practice owner + landlord |
| Power / internet outage | Texas Feb 2024 storm outages; AT&T February 2024 cellular outage. | 4-12 hrs operations. | Office manager |
| Sterilization / clinical failure | Spore test failure; autoclave breakdown; OSHA citation. | 24-72 hrs sterile inventory. | Lead dentist + infection control lead |
| Staff illness / departure | Surge of staff illness; sudden hygienist or associate resignation. | 1-30 days scheduling capacity. | Practice owner + HR lead |
| Regulatory enforcement | HHS OCR breach investigation; state board complaint. | 60-day notification clock. | HIPAA officer + outside counsel |

Table 2. The business continuity plan dental practice threat register, anchored by US events 2023-2025.


Figure 2. Business continuity plan dental practice cost of a downtime day by practice size, anchored to ADA HPI economic polling 2024.

Business Impact Analysis for a Business Continuity Plan Dental Practice

The business impact analysis is the analytical engine of any dental practice business continuity plan.

It scores every business function by recovery time objective (RTO), recovery point objective (RPO), and financial impact per downtime day. The how to perform a business impact analysis guide lays out the workshop pattern for a small US provider.

RTO is the time within which the function must be restored to avoid unacceptable consequences. RPO is the maximum data loss the practice can tolerate.

The difference between RPO and RTO guide reconciles the two. For a US dental practice, scheduling and emergency triage carry the tightest RTO; legacy paper records carry the loosest.

The dental BIA usually identifies eight functions worth scoring: clinical triage and emergency care, scheduling and patient comms, sterilization and operatory turnover, digital radiography and imaging, PMS and clinical charting, claims and revenue cycle, payroll, and HIPAA-regulated patient notification. Each gets one row in the table below.

The Business Continuity Plan Dental Practice BIA Table

| Function | RTO target | RPO target | Cost per day down (mid-size) | Tier |
|---|---|---|---|---|
| Clinical triage / emergency-only care | 4 hrs | 0 (paper) | $8,000 lost + reputation | Tier 1 |
| Scheduling + patient comms | 4 hrs | 1 hr | $12,000 lost revenue | Tier 1 |
| Sterilization + infection control monitoring | 8 hrs | Same shift | Practice closure if uncontrolled | Tier 1 |
| Digital radiography / imaging | 8 hrs | 4 hrs | $6,000 deferred care | Tier 2 |
| PMS + clinical charting | 8 hrs | 1 hr | $15,000 cascading impact | Tier 1 |
| Claims + revenue cycle | 24 hrs | 24 hrs | $5,000 cash flow / day | Tier 2 |
| Payroll | 72 hrs | Last pay period | Staff exit risk | Tier 2 |
| HIPAA breach notification (if triggered) | 60-day clock | Forensics | $50,000+ legal + OCR fine risk | Tier 1 (regulatory) |

Table 3. The business continuity plan dental practice BIA table sized for a US 4-6 dentist group.

Aggregate the BIA into a single one-page heat map for the owner. Tier 1 functions get redundancy, hot backups, and quarterly drills.

Tier 2 functions get warm backups and annual drills. Tier 3 functions get documented manual procedures only. The guide to risk assessment methodology anchors how the dental practice scores severity vs. likelihood across the eight functions.
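An added example (not from the original article): one way to score restore-drill log entries against the RTO/RPO targets in Table 3 and the tier drill cadence described above. The function keys, the `Drill` record layout, the day thresholds used for "quarterly" and "annual", and the sample log entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# RTO/RPO targets in hours, copied from the numeric rows of the BIA table.
# The short function keys are hypothetical names chosen for this example.
BIA_TARGETS = {
    "scheduling":   {"tier": 1, "rto_h": 4,  "rpo_h": 1},
    "pms_charting": {"tier": 1, "rto_h": 8,  "rpo_h": 1},
    "radiography":  {"tier": 2, "rto_h": 8,  "rpo_h": 4},
    "claims":       {"tier": 2, "rto_h": 24, "rpo_h": 24},
}

# Drill cadence from the text: Tier 1 quarterly, Tier 2 annual.
# The exact day counts are an assumption.
MAX_DRILL_AGE = {1: timedelta(days=92), 2: timedelta(days=366)}


@dataclass
class Drill:
    function: str       # key into BIA_TARGETS
    run_on: date        # date the restore drill was run
    restore_h: float    # measured hours until the function was usable again
    data_loss_h: float  # hours of data missing from the restored copy


def evaluate(drills, today):
    """Return {function: [findings]}; an empty list means targets are met."""
    latest = {}
    for d in drills:
        if d.function not in BIA_TARGETS:
            raise ValueError(f"drill logged for unknown function: {d.function}")
        # Only the most recent drill per function counts toward the score.
        if d.function not in latest or d.run_on > latest[d.function].run_on:
            latest[d.function] = d

    report = {}
    for name, target in BIA_TARGETS.items():
        findings = []
        d = latest.get(name)
        if d is None:
            findings.append("NO_DRILL_ON_RECORD")
        else:
            if today - d.run_on > MAX_DRILL_AGE[target["tier"]]:
                findings.append("DRILL_STALE")
            if d.restore_h > target["rto_h"]:
                findings.append("RTO_MISSED")
            if d.data_loss_h > target["rpo_h"]:
                findings.append("RPO_MISSED")
        report[name] = findings
    return report


# Constructed sample drill log (not real practice data).
TODAY = date(2026, 6, 30)
SAMPLE_DRILLS = [
    Drill("scheduling", date(2026, 5, 12), restore_h=3.0, data_loss_h=0.5),
    # Older PMS drill, superseded by the April entry below.
    Drill("pms_charting", date(2026, 1, 15), restore_h=10.0, data_loss_h=14.0),
    # Restored from the previous night's backup: fast enough for the RTO,
    # but a once-a-day backup cannot meet a 1-hour RPO.
    Drill("pms_charting", date(2026, 4, 20), restore_h=6.5, data_loss_h=14.0),
    # Meets both targets, but the drill is more than a year old.
    Drill("radiography", date(2025, 5, 2), restore_h=5.0, data_loss_h=2.0),
    # No claims drill has been logged at all.
]

if __name__ == "__main__":
    for function, findings in evaluate(SAMPLE_DRILLS, TODAY).items():
        print(f"{function:13s} {', '.join(findings) or 'OK'}")
```

The findings list per function can feed the one-page heat map directly: any non-empty list is a red cell for the owner to review.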

The 12-Section Business Continuity Plan Dental Practice Template

The business continuity plan template below is the working artifact: twelve sections, each one to three pages, totaling 30 to 50 pages.

The structure tracks ISO 22301:2019 BCMS clauses, NIST SP 800-34, and HIPAA contingency. The how to build a business continuity plan guide walks the build sequence for any small US provider.

Section 1 (Scope and Governance) names the practice owner as accountable executive and a BCP coordinator (usually the office manager) as program lead. Section 2 (Risk Assessment) is the threat register in Table 2 above.

Section 3 (Business Impact Analysis) is the BIA in Table 3. Section 4 (HIPAA Contingency) is the Table 1 mapping. The key elements of business continuity management guide anchors the governance discipline.

Section 5 (Vendor and Third Party) lists every PMS, billing, lab, imaging, and supply vendor with primary contact, support phone, contract reference, and the documented escalation path.

Section 6 (Communications Plan) carries scripts for patients, staff, the board, and OCR. Section 7 (Workforce and Location) carries cross-training matrices, alternate-site agreements, and telework rules. Section 8 (IT and Data Recovery) carries the restore SOP.

Section 9 (Clinical Continuity) sets the emergency-only triage SOP and the referral playbook. Section 10 (Financial Contingency) defines the cash reserve, line of credit, and BI insurance carrier.

Section 11 (Testing) sets the annual tabletop and quarterly drill schedule. Section 12 (Review and Update) keeps the plan current. The disaster recovery vs business continuity plan guide and the effective business continuity planning process page walk the full refresh cycle.


Figure 3. The 12-section business continuity plan dental practice template mapped to HIPAA 164.308(a)(7), NIST SP 800-34, and ISO 22301.

Section 5 Detail: The Business Continuity Plan Dental Practice Vendor Card

The single most useful artifact inside the dental practice business continuity plan is the one-page vendor card per critical vendor. Every dental owner should be able to find these cards within two minutes of a Tuesday-morning ransomware call.

The card carries primary and secondary contact, after-hours phone, contract reference, RTO commitment, and the alternate workflow if the vendor is down.

| Vendor type | Critical detail to record | Alternate workflow if down |
|---|---|---|
| Practice management software (Dentrix, Eaglesoft, Open Dental, Curve, etc.) | Vendor support phone; restore SLA; cloud vs. on-prem; encryption key escrow. | Paper appointment book + paper consent + paper insurance verification. Backup recovery to standby device. |
| Claims clearinghouse (Change Healthcare, Inovalon, Vyne, DentalXChange) | Primary + backup clearinghouse; paper claim submission process. | Switch to alternate clearinghouse; submit paper to top 10 payers; document delays for patient comms. |
| Digital radiography / imaging (Carestream, Planmeca, Dexis) | Cloud sync vendor; local backup location; alternate imaging vendor. | Defer non-emergency imaging; refer urgent imaging to nearby practice with MoU. |
| Dental lab (Glidewell, Henry Schein, local lab) | Primary lab phone; cut-off times; backup lab contact. | Switch case to backup lab; document delay; communicate to patient. |
| Supply (Henry Schein, Patterson, Benco) | Account rep; emergency order line; nearby practice MoU for inventory share. | Emergency order from backup vendor; borrow from MoU partner; reschedule elective. |
| Internet / phone (carrier) | Account number; static IP; emergency 24-7 line; cellular hotspot capacity. | Cellular hotspot; landline backup; suspend non-urgent appointments. |
| Payroll (Gusto, ADP, Paychex) | Account number; emergency contact; offline payroll process. | Manual payroll with cut paper checks; communicate timing to staff. |

Table 4. The vendor card discipline US dental owners build inside Section 5 of the business continuity plan dental practice.

Tabletop Testing the Business Continuity Plan Dental Practice

The plan is the artifact; the tabletop is the program. A dental practice business continuity plan that has never been tested is a binder, not a plan. CISA’s Tabletop Exercise Packages for healthcare provide ready-made scenarios; the dental adaptation simply swaps the institutional language for the practice setting.

Run one full tabletop annually with all staff and a documented after-action review. The 2026 default scenario is the Change Healthcare replay: clearinghouse goes down at 8 a.m. on a Tuesday, no payments process for two weeks, decide how to schedule patients and pay staff. Practices that run this scenario find their plan gaps inside 45 minutes.

Run quarterly functional drills on a single capability: PMS down, internet down, phones down, sterilization down, lead dentist out for the day. Each drill should be 30 to 60 minutes and end with one documented improvement to the business continuity plan.

The incident response plan vs business continuity comparison reconciles the two test cadences.

The Business Continuity Plan Dental Practice Annual Test Calendar

| Quarter | Drill scenario | Participants | Documentation output |
|---|---|---|---|
| Q1 (Jan-Mar) | PMS ransomware: full tabletop, four-hour session. | Owner, office manager, lead dentist, billing, IT vendor. | After-action report; updated plan v.X+1. |
| Q2 (Apr-Jun) | Clearinghouse outage: 60-minute functional drill replaying Change Healthcare. | Office manager, billing lead, two front-desk staff. | Drill log; alternate clearinghouse contract validation. |
| Q3 (Jul-Sep) | Internet + phone outage during clinical hours: 30-minute drill. | Front desk, hygienists, on-duty dentist. | Drill log; cellular hotspot test result. |
| Q4 (Oct-Dec) | Severe weather + staff absence: 30-minute drill. | Office manager, owner, on-call dentist. | Drill log; updated emergency-mode SOP. |

Table 5. The business continuity plan dental practice test calendar US owners run to satisfy 45 CFR 164.308(a)(7)(ii)(D).

Frequently Asked Questions About the Business Continuity Plan Dental Practice

Is a business continuity plan for a dental practice legally required by HIPAA?

Yes. The HIPAA Security Rule at 45 CFR 164.308(a)(7) requires every covered entity, including dental practices, to maintain a contingency plan covering data backup, disaster recovery, emergency mode operations, testing, and applications criticality analysis. HHS OCR has closed 17 dental enforcement actions citing missing or untested contingency plans between 2022 and 2025.

How long does it take to build a dental practice business continuity plan from scratch?

A solo or small-group US dental practice can build a working business continuity plan template in 30 to 60 days.

The first two weeks cover risk assessment and BIA; the next three weeks cover the 12-section template draft; the final week covers tabletop testing. Owners using the template above usually halve the timeline. The artifact is reusable across years with annual refresh.

What is the right RTO for a dental practice business continuity plan?

RTOs vary by function inside the plan. Clinical triage and scheduling carry a 4-hour RTO; PMS and digital radiography 8 hours; claims and revenue cycle 24 hours; payroll 72 hours; full normal operations 72 hours to 7 days.

These targets align with NIST SP 800-34 small-provider guidance and reflect the cash and clinical risk a dental owner can absorb.

How does a dental practice business continuity plan handle Change Healthcare-style vendor outages?

Section 5 of the plan carries a one-page card per critical vendor, including a documented alternate workflow.

For Change Healthcare specifically, the alternate is a backup clearinghouse contract (Inovalon, Vyne Dental, DentalXChange) and a paper-claim SOP for the top 10 payers by volume. Practices with a signed backup clearinghouse before February 2024 lost 11 days of cash; those without lost 36.

What does a dental practice business continuity plan cost to build?

Most US dental practices build the business continuity plan template for between $3,000 and $15,000 depending on practice size and outside support used. Solo practices using the riskpublishing.com template self-build for under $5,000.

Mid-size groups with a consultant typically budget $10,000-$15,000. The cost equals roughly one to two downtime days at the practice’s BIA loss rate, justifying the spend inside any single activation.

Who owns the business continuity plan in a small US dental office?

The practice owner (dentist or DSO regional director) is the accountable executive who signs and refreshes the business continuity plan annually.

The office manager is the BCP coordinator who maintains the document and runs the drills. The lead dentist owns the clinical continuity section.

The HIPAA privacy or security officer owns the contingency plan and breach notification sections. Outside IT and outside counsel act as advisors.

How does a dental practice business continuity plan connect to cyber insurance?

Most US dental cyber insurance carriers (Coalition, Tokio Marine HCC, Beazley, Travelers) require a documented contingency plan and at least annual testing as policy conditions. Coverage typically includes incident response, forensics, OCR notification cost, and business interruption.

Carriers offering preferred dental rates in 2025-2026 ask for the business continuity plan template, the most recent tabletop after-action, and a backup-restore test log during underwriting.

How often should a dental practice business continuity plan be reviewed?

Refresh the business continuity plan annually as part of the HIPAA risk analysis cycle, immediately after any practice acquisition or move, and within 30 days of any plan activation.

Section 12 (Review and Update) sets the discipline. ADA and HHS OCR both treat plans older than 18 months as functionally expired during enforcement reviews.

Common Pitfalls in Business Continuity Plan Dental Practice Programs

Seven failure modes account for most stalled dental practice business continuity programs across US offices in 2026. None are sophisticated; all are well-documented in HHS OCR enforcement files and ADA Health Policy Institute polling.

The operational risk management process page and the five steps of the risk management process anchor the discipline that closes them.

| Pitfall | Root cause | Remedy |
|---|---|---|
| Plan exists but has never been restored from backup. | No documented restore test; IT vendor told the owner the backup is fine. | Quarterly restore test to standby device; log the time and any issues. |
| No alternate clearinghouse contract on file. | Sole reliance on incumbent (Change Healthcare or Vyne); no procurement of backup. | Sign a no-fee standby contract with second clearinghouse; test paper claims to top 10 payers. |
| No emergency-mode paper SOP. | Practice digitized in 2010-2015 and disposed of paper templates. | Print paper appointment book, consent forms, insurance verification scripts; keep in locked drawer. |
| Vendor cards out of date. | Office manager turnover; no annual refresh schedule. | Annual September vendor card refresh tied to ADA Annual Meeting cycle; documented in Section 5. |
| Tabletop never run. | No coordinator named; owner assumed IT vendor covers it. | Name office manager as BCP coordinator; schedule Q1 tabletop in January each year. |
| Breach notification process untested. | OCR clock starts at 60 days from discovery; practice cannot identify scope. | Annual breach notification drill; pre-drafted OCR letter; outside counsel on retainer. |
| Plan and HIPAA risk analysis are separate documents. | Different consultants ran the two; no cross-reference. | Cross-reference risk analysis findings into Section 2 of the BCP; refresh together annually. |

Table 6. The seven pitfalls that stall a business continuity plan dental practice and the remedies that close them.

The Business Continuity Plan Dental Practice Horizon: 2026 to 2028

Three forces will reshape the dental practice business continuity plan over the next three years. The first is DSO consolidation.

As DSO penetration crosses 35% of US practices by 2027, the BCP shifts from a single-practice artifact to a multi-site standard with regional director ownership and shared vendor cards across 10 to 200 offices.

Regulator pressure follows DSO scale. The HHS HIPAA Security Rule notice of proposed rulemaking issued December 2024 proposes mandatory annual contingency plan testing, mandatory encryption, and mandatory multi-factor authentication.

If finalized as proposed, dental practices will need a tested BCP and a documented MFA rollout by the compliance date.

Insurance underwriting closes the loop. After the Change Healthcare and MGM 2023-2024 events, carriers serving dental practices started requiring the artifact stack: BCP document, most recent tabletop after-action, MFA attestation, and backup restore test log. Practices unable to produce the stack are facing premium increases of 30-60% or non-renewal in 2025-2026.

Owners who build the business continuity plan template in 2026 absorb all three forces with no extra engineering tax. Owners who skip the build face higher premiums, OCR exposure, and an unplannable response to the next vendor or ransomware event.

Build the artifact, name an owner, and put one tabletop on the Q1 calendar.

Infographic: The Business Continuity Plan Dental Practice in 7 Steps


Figure 4. The seven-step build sequence US dental owners ran after Change Healthcare in 2024 to deliver a defensible business continuity plan dental practice.

 

Next Steps on the Business Continuity Plan Dental Practice

Risk Publishing helps US dental practice owners and DSO regional directors build the dental practice business continuity plan template, run the first tabletop, and refresh it annually against HIPAA, NIST SP 800-34, and ISO 22301. Visit the BCMS business continuity management system page for the underlying methodology and contact the practice when the BCP is the next item on your owner’s agenda or your DSO’s risk dashboard.
