Free Resource
A 20-question self-assessment for healthcare practices. Answer each question honestly - if you are unsure, count it as NO. That uncertainty is itself a finding.
Category 1
Does every person who accesses patient data (ePHI) have a unique username and password - no shared logins?
Are user access levels restricted by role so that front desk staff, clinical staff, and billing each see only what they need?
Do workstations and applications lock automatically after 5 minutes or less of inactivity?
Is there a documented process to revoke system access within 24 hours when an employee leaves or changes roles?
Is multi-factor authentication (MFA) enabled on all accounts that can access patient data - including email, EHR, and remote access?
Category 2
Are all workstations, laptops, and portable devices encrypted with full-disk encryption (such as BitLocker or FileVault)?
Is patient data encrypted in transit using TLS 1.2 or higher for email, web portals, and remote connections?
Are your backups encrypted - both local copies and anything stored offsite or in the cloud?
Does your EHR vendor provide written confirmation that patient data is encrypted at rest in their environment?
Category 3
Is your clinical network segmented from guest Wi-Fi, personal devices, and IoT equipment (smart TVs, cameras, etc.)?
Is a business-grade firewall in place with active threat management, intrusion detection, and current firmware?
Is endpoint protection (EDR or managed antivirus) installed and actively monitored on every workstation and server?
Are all operating systems, applications, and firmware patched within 30 days of critical security updates being released?
Category 4
Do your backups follow the 3-2-1 rule: three copies of data, on two different media types, with one stored offsite or in immutable cloud storage?
Have you tested a full restore of your practice management database and imaging data within the last 90 days - not just verified that "backup completed successfully"?
Do you have a documented Recovery Time Objective (RTO) and Recovery Point Objective (RPO) that your staff and IT provider have agreed to?
Are your backup copies isolated from your production network so that ransomware cannot encrypt them along with your live data?
Category 5
Have you completed a formal HIPAA Security Risk Assessment (SRA) within the last 12 months, and is it documented with findings, risk ratings, and a remediation plan?
Do you have signed, current Business Associate Agreements (BAAs) on file for every vendor that handles patient data - including your IT provider, cloud services, billing company, and shredding service?
Do all staff members receive documented HIPAA security awareness training at hire and at least annually, including phishing recognition, password policies, and incident reporting?
Results
Count your total YES answers out of 20.
18-20 YES
Strong Compliance Posture
Your practice has solid IT safeguards in place. Focus on maintaining what you have: keep your SRA current, test backups quarterly, and refresh staff training annually. Consider a third-party penetration test to validate your defenses from the outside in.
14-17 YES
Moderate Gaps Present
You have a reasonable foundation, but specific gaps expose your practice to audit findings, insurance complications, or preventable incidents. Prioritize MFA, backup testing, and your Security Risk Assessment - the exact gaps OCR cites most frequently. A targeted remediation plan can close these within 60-90 days.
9-13 YES
Significant Risk Exposure
Your practice has meaningful compliance and security gaps that create real financial and operational risk. A ransomware event, OCR audit, or cyber insurance claim at this level could result in substantial fines, denied coverage, or extended downtime. Start with a formal Security Risk Assessment and address the highest-risk items first.
0-8 YES
Critical Deficiencies
Your practice is operating with serious security and compliance deficiencies. The risk of a significant incident - data breach, ransomware, or failed audit - is high. This is not a future problem; it is a current exposure. An immediate professional assessment is strongly recommended.
TM Tech offers a complimentary HIPAA IT Security Assessment for healthcare practices across Middle Tennessee. We review your environment, score your compliance posture, and deliver a prioritized remediation plan - no obligation.