Meeting HIPAA requirements can feel overwhelming for small healthcare practices, especially when most guidance is written for large hospital systems with dedicated compliance teams. The reality is that the Office for Civil Rights (OCR) holds small practices to the same standards - and smaller organizations are increasingly targeted by audits and cyberattacks.
This checklist focuses on the IT safeguards that matter most. It is not a substitute for legal counsel, but it covers the technical controls that form the foundation of any HIPAA compliance program.
1. Conduct a Risk Assessment
A documented risk assessment is the single most important step. OCR expects every covered entity to perform one, and the lack of a current risk assessment is the most frequently cited finding in HIPAA audits.
- Identify all systems that store, process, or transmit electronic protected health information (ePHI)
- Document potential threats and vulnerabilities for each system
- Assess the likelihood and impact of each identified risk
- Create a remediation plan with timelines and responsible parties
- Review and update the assessment annually or after any significant change
2. Implement Access Controls
Not every staff member needs access to every system. Role-based access controls limit exposure and reduce the blast radius if credentials are compromised.
- Assign unique user IDs for every person who accesses ePHI
- Implement role-based access so staff only see what they need
- Use automatic session timeouts on workstations and applications
- Establish a process for revoking access immediately when staff leave
- Review access logs quarterly to identify unused or excessive permissions
3. Encrypt Data at Rest and in Transit
Encryption is an addressable safeguard under HIPAA, which means you must either implement it or document why an equivalent alternative is in place. In practice, there is rarely a good reason not to encrypt.
- Enable full-disk encryption on all workstations and laptops
- Use TLS 1.2 or higher for data in transit (email, web portals, VPN)
- Encrypt backups, whether stored locally or in the cloud
- Verify that your EHR vendor encrypts data at rest in their environment
4. Establish a Backup and Recovery Strategy
Ransomware is the most common threat to small healthcare practices. A tested backup strategy is your best insurance policy.
- Follow the 3-2-1 rule: three copies, two different media types, one offsite
- Test restores quarterly - a backup that has never been tested is not a backup
- Document your recovery time objective (RTO) and recovery point objective (RPO)
- Ensure backups are isolated from the production network to prevent ransomware spread
5. Execute Business Associate Agreements
Any vendor that handles ePHI on your behalf - cloud providers, IT support companies, billing services, shredding companies - must have a signed Business Associate Agreement (BAA) in place.
- Inventory all vendors with access to ePHI
- Confirm each has a current, signed BAA
- Review BAAs annually and update when vendor relationships change
- Keep copies organized and accessible for audit purposes
6. Enable Audit Logging
HIPAA requires the ability to track who accessed what and when. Audit logs are essential for incident investigation and demonstrating compliance.
- Enable logging on EHR systems, file servers, and email platforms
- Centralize logs where possible for easier review
- Set retention policies that meet your state's requirements (minimum six years for HIPAA)
- Review logs regularly for anomalies - failed login attempts, after-hours access, bulk record views
7. Train Your Team
The most sophisticated technical controls fail when staff click phishing links or share passwords. Security awareness training is both a HIPAA requirement and your most cost-effective safeguard.
- Conduct initial training for all new hires before they access any systems
- Provide annual refresher training for all staff
- Cover phishing recognition, password hygiene, physical security, and incident reporting
- Document all training sessions with dates, attendees, and topics covered
- Consider simulated phishing exercises to measure awareness over time
Moving Forward
No practice achieves perfect compliance overnight. The goal is to demonstrate a reasonable and consistent effort to protect patient data. Start with the risk assessment, address the highest-priority findings first, and build from there.
If your practice needs help evaluating its current security posture or building a compliance roadmap, a focused assessment can identify the gaps that matter most and create a practical plan to close them.