HIPAA Compliance Checklist: Complete IT Requirements for Medical Practices

If you're managing a medical practice, dental office, or any healthcare organization that handles protected health information (PHI), you already know HIPAA compliance isn't optional. What you might not know is that IT-related violations account for the majority of HIPAA penalties - and fines range from $100 to $50,000 per violation, with maximum annual penalties reaching $1.5 million per category.

This HIPAA compliance checklist breaks down exactly what your practice needs to implement to meet federal requirements under the Security Rule, Privacy Rule, and Breach Notification Rule. We've structured this guide around the three core safeguard categories the government actually audits: Administrative, Physical, and Technical.

What is HIPAA and Why IT Compliance Matters

The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for protecting patient health information. For small medical practices, the IT component is where most violations occur - and where most practices are dangerously exposed.

Here's what gets practices into trouble:

  • Unsecured email containing PHI - Still the #1 violation we see in Orange County practices
  • Missing encryption on laptops and mobile devices - One stolen iPad = potential $1.5M penalty
  • No Business Associate Agreements (BAAs) with IT vendors - Your cloud backup provider needs one
  • Inadequate access controls - Front desk staff shouldn't access all patient records
  • Missing audit logs - Can't prove compliance without tracking who accessed what

The Office for Civil Rights (OCR) doesn't care if you're a two-person practice or a hospital network. The standards are identical. Let's make sure you meet them.

HIPAA Compliance Checklist for Small Business

Administrative Safeguards: Policies and Procedures

Administrative safeguards are the policies, procedures, and documentation that govern how your practice protects PHI. These aren't optional - they're required by law.

Administrative Safeguards Checklist:

  • [ ] Designate a HIPAA Security Officer - One person responsible for compliance (can be owner/manager)
  • [ ] Conduct annual risk assessments - Document IT vulnerabilities and mitigation plans
  • [ ] Implement written policies covering:
    - [ ] Acceptable use of computers and mobile devices
    - [ ] Password requirements (minimum 12 characters, complexity, 90-day rotation)
    - [ ] Incident response procedures for data breaches
    - [ ] Remote work and telehealth security protocols
    - [ ] Employee termination procedures (immediate access revocation)
  • [ ] Provide HIPAA training to all staff - Required annually, must be documented
  • [ ] Execute Business Associate Agreements (BAAs) with:
    - [ ] IT support providers (like Burgi Technologies)
    - [ ] Cloud storage/backup vendors
    - [ ] Email hosting providers
    - [ ] Electronic health record (EHR) vendors
    - [ ] Medical billing companies
    - [ ] Any vendor with access to PHI
  • [ ] Document workforce authorizations - Who has access to what systems and why
  • [ ] Implement sanction policies - Disciplinary actions for HIPAA violations
  • [ ] Create a contingency plan - Data backup, disaster recovery, emergency mode operations

Physical Safeguards: Protecting Hardware and Facilities

Physical safeguards control access to buildings, equipment, and workstations where PHI is stored or accessed.

Physical Safeguards Checklist:

  • [ ] Restrict physical access to servers and network equipment - Locked server room or cabinet
  • [ ] Implement workstation security:
    - [ ] Privacy screens to prevent shoulder surfing in waiting areas
    - [ ] Automatic screen locks after 5 minutes of inactivity
    - [ ] Workstations positioned away from public view
    - [ ] No PHI visible on whiteboards or papers in public areas
  • [ ] Secure mobile devices and laptops:
    - [ ] Full-disk encryption on all devices (BitLocker, FileVault)
    - [ ] Remote wipe capability for lost/stolen devices
    - [ ] GPS tracking enabled on practice-owned devices
  • [ ] Control facility access:
    - [ ] Badge/key card systems for after-hours access
    - [ ] Visitor sign-in logs
    - [ ] Escort policy for non-employees in secure areas
  • [ ] Secure disposal procedures:
    - [ ] Shred all paper PHI (cross-cut shredders minimum)
    - [ ] Wipe or physically destroy hard drives before disposal
    - [ ] Certificate of destruction from disposal vendors

Technical Safeguards: HIPAA IT Requirements

Technical safeguards are the technology controls that protect electronic PHI (ePHI). This is where most medical practices and dental offices need the most help.

HIPAA Security Rule Checklist - Technical Requirements:

  • [ ] Implement unique user IDs - No shared logins, ever
  • [ ] Enforce strong authentication:
    - [ ] Multi-factor authentication (MFA) on all systems with PHI access
    - [ ] Automatic logoff after 15 minutes of inactivity
    - [ ] Emergency access procedures documented
  • [ ] Encrypt all ePHI:
    - [ ] Data at rest: Full-disk encryption on servers, workstations, laptops
    - [ ] Data in transit: TLS 1.2 or higher for email, file transfers, remote access
    - [ ] VPN required for all remote access to practice network
    - [ ] Encrypted email for sending PHI (not regular Gmail/Outlook)
  • [ ] Enable audit controls and logging:
    - [ ] Log all PHI access (who, what, when)
    - [ ] Monitor login attempts and failed authentications
    - [ ] Review logs quarterly minimum
    - [ ] Retain audit logs for 6 years
  • [ ] Implement network security:
    - [ ] Enterprise-grade firewall with intrusion detection
    - [ ] Separate guest WiFi network (no access to practice systems)
    - [ ] Network segmentation for medical devices and workstations
    - [ ] Regular security patches and updates (monthly minimum)
  • [ ] Deploy endpoint protection:
    - [ ] Antivirus/anti-malware on all devices
    - [ ] Endpoint detection and response (EDR) tools
    - [ ] Email security filtering (anti-phishing, malware scanning)
  • [ ] Backup and disaster recovery:
    - [ ] Daily automated backups of all ePHI
    - [ ] Encrypted backup storage (local and offsite)
    - [ ] Quarterly restore testing to verify backups work
    - [ ] Documented recovery time objectives (RTO) and recovery point objectives (RPO)
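The audit-control and authentication items above say what to log and review (who accessed what and when, failed logins, "minimum necessary" access) but not what a log review actually looks like. The script below is an added example, not code from this checklist or from Burgi Technologies. It runs three checks over a constructed pipe-delimited ePHI access log: a sliding-window detector for failed-login bursts, a role check that flags users missing from the workforce authorization list or acting outside their role, and an after-hours/weekend review queue. The log format, user names, roles, and thresholds (5 failures within 10 minutes; 07:00 to 19:00 Monday to Friday as business hours) are all assumptions chosen for the example; a practice would substitute its EHR's export format and its own authorization list.

```python
"""
Added example (not part of the original checklist): a minimal ePHI audit-log
review implementing failed-authentication monitoring, "minimum necessary"
role enforcement, and after-hours access review. Log format, roles, users and
thresholds are constructed assumptions for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed workforce authorization list (assumption: one role per user,
# each role allowed a fixed set of actions). In practice this is exported
# from the EHR or identity system and kept under the "document workforce
# authorizations" item of the administrative safeguards.
ROLE_OF_USER = {
    "dr.lee": "clinician",
    "nurse.kim": "clinician",
    "frontdesk.ana": "front_desk",
    "billing.raj": "billing",
}
ALLOWED_ACTIONS = {
    "clinician": {"view_chart", "update_chart", "view_demographics"},
    "front_desk": {"view_demographics", "schedule"},
    "billing": {"view_demographics", "view_billing"},
}

BUSINESS_HOURS = (7, 19)                      # 07:00 to 19:00, Monday to Friday (assumed)
FAILED_LOGIN_THRESHOLD = 5                    # failures per user ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)   # ... within this sliding window (assumed)

# Constructed sample log: ISO timestamp | user | action | patient_id | result
SAMPLE_LOG = """\
2025-03-03T08:02:11|dr.lee|view_chart|P-1001|success
2025-03-03T08:05:40|frontdesk.ana|schedule|P-1002|success
2025-03-03T08:06:02|frontdesk.ana|view_chart|P-1002|success
2025-03-03T12:30:00|billing.raj|login|-|failure
2025-03-03T12:30:20|billing.raj|login|-|failure
2025-03-03T12:30:41|billing.raj|login|-|failure
2025-03-03T12:31:05|billing.raj|login|-|failure
2025-03-03T12:31:30|billing.raj|login|-|failure
2025-03-03T22:47:13|nurse.kim|view_chart|P-1003|success
2025-03-08T10:15:00|dr.lee|view_chart|P-1001|success
2025-03-03T09:00:00|contractor.x|view_chart|P-1004|success
"""


def parse_log(text):
    """Parse the pipe-delimited log; malformed lines are reported, never silently dropped."""
    events, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split("|")
        if len(parts) != 5:
            malformed.append(lineno)
            continue
        ts, user, action, patient, result = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient, "result": result})
    return events, malformed


def review(events):
    """Return (kind, user, detail) findings for the three checks, in timestamp order."""
    findings = []
    recent_failures = defaultdict(deque)   # user -> timestamps of recent login failures
    alerted = set()                        # one burst alert per user per run
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        # 1. Failed-authentication burst: count failures per user in a sliding window.
        if ev["action"] == "login" and ev["result"] == "failure":
            window = recent_failures[user]
            window.append(ts)
            while window and ts - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()
            if len(window) >= FAILED_LOGIN_THRESHOLD and user not in alerted:
                alerted.add(user)
                findings.append(("failed_login_burst", user, ts.isoformat()))
            continue
        if ev["patient"] == "-":           # not a PHI access event
            continue
        # 2. Minimum necessary: user must be on the authorization list and within role.
        role = ROLE_OF_USER.get(user)
        if role is None:
            findings.append(("unauthorized_user", user, ev["patient"]))
        elif ev["action"] not in ALLOWED_ACTIONS[role]:
            findings.append(("action_outside_role", user, f"{ev['action']} on {ev['patient']}"))
        # 3. After-hours or weekend PHI access goes to the manual review queue.
        after_hours = ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])
        if after_hours:
            findings.append(("after_hours_access", user,
                             f"{ev['action']} on {ev['patient']} at {ts.isoformat()}"))
    return findings


def review_log_text(text):
    """Convenience wrapper: parse then review; returns (findings, malformed_line_numbers)."""
    events, malformed = parse_log(text)
    return review(events), malformed


if __name__ == "__main__":
    findings, malformed = review_log_text(SAMPLE_LOG)
    for kind, who, detail in findings:
        print(f"{kind:22} {who:15} {detail}")
    if malformed:
        print("malformed lines:", malformed)
```

On the constructed sample the script produces five findings: the front-desk account opening a chart (outside role), an account absent from the authorization list, a five-failure login burst, and two after-hours accesses (one late evening, one on a Saturday). Keeping the findings as structured tuples rather than only printing them is deliberate: the quarterly review record that OCR asks for is easier to produce when each run's output can be saved alongside the reviewer's disposition of each item.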

HIPAA Compliance for Medical Practices: What Gets You Fined

Based on OCR enforcement data and our 20+ years securing healthcare IT systems, these are the violations that trigger penalties:

Top 5 HIPAA IT Violations:

  1. Unencrypted devices - A stolen laptop without encryption is a reportable breach. If it affects 500+ patients, it's a public disclosure and OCR investigation.
  2. Missing risk assessments - OCR's first request during an audit is your most recent risk assessment. Don't have one? That's a violation before they even look at your systems.
  3. No Business Associate Agreements - Using Google Workspace, Dropbox, or any cloud service without a signed BAA is a violation. The vendor won't protect you - it's your responsibility.
  4. Inadequate access controls - We routinely find medical practices where every employee can access every patient record. HIPAA requires "minimum necessary" access only.
  5. No audit logs or monitoring - If you can't prove who accessed a patient's record, you can't demonstrate compliance. Lack of audit controls is both a technical violation and evidence of systemic non-compliance.

Penalty Structure (Per 45 CFR § 160.404):

| Violation Category | Minimum Penalty | Maximum Penalty | Annual Cap |
|-------------------|-----------------|-----------------|------------|
| Unknowing | $100 per violation | $50,000 per violation | $1,500,000 |
| Reasonable cause | $1,000 per violation | $50,000 per violation | $1,500,000 |
| Willful neglect (corrected) | $10,000 per violation | $50,000 per violation | $1,500,000 |
| Willful neglect (not corrected) | $50,000 per violation | $50,000 per violation | $1,500,000 |

A single ransomware attack affecting 1,000 patient records where you lacked encryption = 1,000 violations. Do the math.

How to Use This HIPAA Compliance Checklist

For new practices: Start with Administrative safeguards (policies and training), then implement Physical controls, then Technical. Budget 3-6 months and $15,000-$35,000 for a 5-10 person practice to reach full compliance.

For existing practices: Complete a risk assessment first. It will identify your highest-risk gaps. Prioritize encryption, access controls, and BAAs - these are the low-hanging fruit that eliminate 80% of your exposure.

For practices post-breach: OCR will require a corrective action plan. This checklist is your roadmap. You'll need documentation proving implementation of every item.

When to Hire HIPAA Compliance Experts

HIPAA compliance isn't a one-time project. It's an ongoing operational requirement. Most practices under 20 employees can't justify a full-time IT security staff member.

You need professional HIPAA compliance support if:

  • You don't have documented policies for all three safeguard categories
  • Your last risk assessment was over 12 months ago (or you've never done one)
  • You're not 100% certain all your data is encrypted at rest and in transit
  • You don't have 24/7 monitoring and response capabilities
  • You've experienced a security incident and aren't sure if it's a reportable breach
  • You're opening a new location or implementing new technology (telehealth, patient portal, etc.)

Burgi Technologies specializes in HIPAA compliance for Southern California medical and dental practices. We provide risk assessments, policy development, technical implementation, and ongoing compliance monitoring. Our clients maintain 100% compliance with zero reportable breaches.

Call (949) 381-1010 for a free HIPAA compliance assessment. We'll identify your gaps and provide a fixed-price quote to close them.

HIPAA Compliance FAQs

1. Do small medical practices really need to comply with HIPAA?

Yes. HIPAA applies to all covered entities regardless of size - even solo practitioners. The regulations don't scale down for small practices. A single-doctor office faces the same requirements and penalty structure as a hospital network. The only practical difference is that smaller practices can often implement simpler, less expensive technical solutions while still meeting the standards.

2. What's the difference between the HIPAA Privacy Rule and Security Rule?

The Privacy Rule governs how PHI can be used and disclosed - it's about patient rights and consent. The Security Rule specifically addresses electronic PHI (ePHI) and requires administrative, physical, and technical safeguards to protect it. Most IT-related HIPAA violations fall under the Security Rule. Practices must comply with both.

3. How often do I need to conduct a HIPAA risk assessment?

HIPAA requires regular risk assessments but doesn't specify a frequency. Industry best practice and OCR guidance recommend annual assessments at minimum. You should also conduct assessments whenever you implement new technology, change IT vendors, experience a security incident, or make significant changes to how you store or transmit PHI.

4. Do I need a Business Associate Agreement with my IT support company?

Absolutely. Any vendor that has access to your systems, data, or PHI must sign a BAA. This includes IT support providers, cloud hosting companies, backup services, email providers, EHR vendors, and billing companies. Using a vendor without a BAA is a direct HIPAA violation. The vendor must agree to safeguard PHI and report any breaches to you.

5. What happens if we have a data breach?

If a breach affects fewer than 500 individuals, you must notify OCR within 60 days of discovery. For breaches affecting 500+, you must notify OCR within 60 days AND notify affected individuals within 60 days AND notify media outlets. OCR will investigate. Breaches caused by lack of encryption or other willful neglect typically result in penalties. Having documented compliance efforts, risk assessments, and incident response procedures significantly reduces penalty exposure.

Final Checklist: Next Steps for HIPAA Compliance

  • [ ] Download and print this HIPAA compliance checklist - Use it for your next internal audit
  • [ ] Schedule a risk assessment - Required annually, identifies your specific gaps
  • [ ] Review your Business Associate Agreements - Ensure every vendor with PHI access has signed one
  • [ ] Verify encryption is enabled - Check laptops, servers, mobile devices, email, backups
  • [ ] Test your backups - Attempt a full restore to verify your disaster recovery plan works
  • [ ] Document everything - OCR audits require proof of compliance, not just claims

HIPAA compliance protects your patients, your practice, and your professional reputation. The regulations are complex, but the consequences of non-compliance are worse. Whether you handle implementation in-house or partner with compliance experts, make 2026 the year your practice achieves and maintains full HIPAA compliance.

Need help implementing this HIPAA compliance checklist? Burgi Technologies provides complete HIPAA compliance solutions for Orange County medical and dental practices. Risk assessments, technical implementation, policy development, staff training, and ongoing monitoring. Call (949) 381-1010 or contact us for a free consultation.

---

*Burgi Technologies is an Orange County managed service provider specializing in HIPAA-compliant IT for healthcare organizations. We maintain 100% client retention and provide 30-second response times for critical security incidents.*
