HIPAA IT Compliance Checklist for Small Healthcare Practices

The technical safeguards the HIPAA Security Rule actually requires, prioritized for clinics and practices with 1–50 staff. Plain English, no fluff.

May 20, 2026 · 5 min read

If you run a small medical, dental, or behavioral health practice in the US, HIPAA isn't optional and the fines aren't theoretical. The Department of Health and Human Services Office for Civil Rights (OCR) issued enforcement actions ranging from $25,000 to $4.3 million in recent years — and the violations that triggered them were rarely sophisticated. They were missing MFA, untested backups, lost laptops without encryption, and undocumented access controls.

The good news: most small practices can get to a defensible HIPAA technical posture in 60–90 days with sensible tooling and a clear documentation trail. Here's the checklist we use when we onboard a healthcare client.

Important: HIPAA compliance is a combination of technical, administrative, and physical safeguards. This article covers only the technical safeguards (45 CFR § 164.312) — the IT side. Administrative safeguards (training, BAAs, policies) and physical safeguards (lock the door) are equally required and beyond the scope of this guide.

The minimum technical safeguards (45 CFR § 164.312)

1. Access controls

  • Unique user IDs. Every staff member has a named login. No shared accounts. No "front desk" generic logins.
  • Automatic logoff. Workstations lock after 10–15 minutes of inactivity.
  • Encryption and decryption. All ePHI at rest and in transit is encrypted. (See below.)

How to verify: Pull your Microsoft 365 or Google Workspace user list and reconcile against your HR list. Look for orphan accounts from departed staff — they're the #1 finding in HIPAA assessments.
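An added example of that reconciliation, not code from this article or from any provider's toolkit: it pulls the tenant's users through the Microsoft Graph PowerShell module and compares them against an HR export. The CSV path and its column names (WorkEmail, EmploymentStatus) and the output folder are assumptions about your environment.

```powershell
# Added example, not from the article. Assumes the Microsoft.Graph PowerShell module
# and a role granting User.Read.All. The HR export path and its column names
# (WorkEmail, EmploymentStatus) are assumptions about your HR system's CSV.
param(
    [string]$HrCsv  = 'C:\HIPAA\hr-roster.csv',
    [string]$OutDir = 'C:\HIPAA\access-reviews'
)
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

# Every account in the tenant. Guests are kept: a vendor guest with ePHI access
# needs a review too, and will surface here as a finding by design.
$tenant = Get-MgUser -All -Property Id,UserPrincipalName,DisplayName,AccountEnabled,UserType,CreatedDateTime

# Current employees per HR, matched case-insensitively on the work e-mail address.
$roster   = Import-Csv -Path $HrCsv | Where-Object { $_.EmploymentStatus -eq 'Active' }
$hrEmails = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
foreach ($row in $roster) { [void]$hrEmails.Add($row.WorkEmail) }
$tenantUpns = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]$tenant.UserPrincipalName, [StringComparer]::OrdinalIgnoreCase)

# Finding 1: accounts with no active employee behind them (the orphan case).
$orphans = foreach ($u in $tenant) {
    if (-not $hrEmails.Contains($u.UserPrincipalName)) {
        [pscustomobject]@{
            Account = $u.UserPrincipalName
            Type    = $u.UserType
            Enabled = $u.AccountEnabled
            Created = $u.CreatedDateTime
            Finding = if ($u.AccountEnabled) { 'ORPHAN enabled: disable and document' }
                      else { 'Orphan already disabled: remove after retention review' }
        }
    }
}
# Finding 2: active employees with no login of their own, a common sign of shared accounts.
$noAccount = foreach ($row in $roster) {
    if (-not $tenantUpns.Contains($row.WorkEmail)) {
        [pscustomobject]@{ Account = $row.WorkEmail; Type = 'HR-only'; Enabled = $null; Created = $null
                           Finding = 'Active employee without own login: check for shared accounts' }
    }
}

# One dated CSV per review is the evidence trail OCR asks for; the reviewer signs it.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyy-MM-dd'
$findings = @($orphans) + @($noAccount)
$findings | Export-Csv -Path "$OutDir\access-review-$stamp.csv" -NoTypeInformation
$findings | Format-Table -AutoSize
Write-Host "$($tenant.Count) tenant accounts, $($roster.Count) active employees, $($findings.Count) findings"
```

Run it under a named admin account each quarter and file the CSV with the reviewer's sign-off alongside the access control review records listed later in this checklist.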

2. Audit controls

You must record and examine activity in systems that touch ePHI.

  • Microsoft Purview audit logs enabled (or equivalent in Google Workspace)
  • EHR audit logging turned on (your vendor's documentation will show how)
  • Logs retained for at least 6 years per the HIPAA documentation requirement

Common gap: Most practices have audit logging enabled but never review it. Schedule a quarterly review with documented sign-off.
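An added example of that quarterly review, not code from this article or from any provider's toolkit: it confirms unified audit log ingestion is on in Microsoft 365, pages through the last 90 days of directory and mailbox administration events, flags the operations a reviewer should read line by line, and writes a dated sign-off sheet. The output folder and the high-risk operation list are assumptions to tune for your practice.

```powershell
# Added example, not from the article. Assumes the ExchangeOnlineManagement module
# and a role that can read the unified audit log (e.g. View-Only Audit Logs).
# The output folder and the high-risk operation list are assumptions to tune.
param([string]$OutDir = 'C:\HIPAA\audit-reviews', [int]$Days = 90)
Connect-ExchangeOnline -ShowBanner:$false

# Control evidence first: if ingestion is off, searches return nothing and that is a finding.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is OFF; enabling it. Record this as a finding.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Pull the period's directory and mailbox admin events, paging past the 5,000-row
# limit with a session id (ReturnLargeSet keeps returning pages until it is exhausted).
$end = Get-Date; $start = $end.AddDays(-$Days)
$records = foreach ($type in 'AzureActiveDirectory', 'ExchangeAdmin') {
    $session = "hipaa-$type-$($end.ToString('yyyyMMddHHmm'))"
    do {
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType $type `
                    -SessionId $session -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) { $page }
    } while ($page)
}

# Flatten the JSON payload into reviewable rows; mark role grants, password resets
# and mailbox rule/permission changes for line-by-line review.
$highRisk = 'Add member to role\.|Reset user password\.|Add-MailboxPermission|New-InboxRule|Set-Mailbox'
$rows = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $r.CreationDate
        Actor     = $r.UserIds
        Operation = $r.Operations
        Target    = $d.ObjectId
        Result    = $d.ResultStatus
        ClientIP  = $d.ClientIP
        HighRisk  = [bool]($r.Operations -match $highRisk)
    }
}
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = $end.ToString('yyyy-MM-dd')
$rows | Sort-Object When | Export-Csv "$OutDir\audit-review-$stamp.csv" -NoTypeInformation
# Sign-off record: what was reviewed, by whom, and when. The reviewer fills in the blanks.
@"
HIPAA audit log review  $stamp
Period: $($start.ToString('yyyy-MM-dd')) to $stamp   Events: $($rows.Count)   High-risk: $(($rows | Where-Object HighRisk).Count)
Reviewer: ____________________   Signature / date: ____________________
Findings and follow-up actions:
"@ | Set-Content "$OutDir\audit-review-$stamp-signoff.txt"
```

Your EHR's audit log needs the same treatment through the vendor's own export; this script covers only the Microsoft 365 side.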

3. Integrity controls

  • ePHI must not be improperly altered or destroyed.
  • Backups with verified restoration. Untested backups don't count.
  • Tamper-evident logs (immutable, write-once-read-many).

We require monthly restore tests with documented sign-off for every healthcare client.

4. Transmission security

  • TLS 1.2 or higher on every connection touching ePHI.
  • Encrypted email when sending ePHI externally (Microsoft 365 Message Encryption, Google Workspace S/MIME, or a dedicated tool like Virtru / Paubox).
  • VPN with strong authentication for any remote access to ePHI systems.

5. Authentication (yes, really MFA)

This isn't optional anymore, regardless of HHS's official position. Every HIPAA settlement in the past three years has called out missing MFA as a contributing factor.

  • MFA on every account that touches ePHI. Email, EHR, billing system, fileshare — everything.
  • Hardware security keys (YubiKey) for admin accounts.
  • Phishing-resistant MFA (FIDO2 / WebAuthn) on high-privilege roles.

If your EHR vendor doesn't support MFA in 2026, that's an EHR problem you need to escalate to them with a written timeline.

Encryption: the non-negotiable

The HIPAA Security Rule's "addressable" language has been interpreted by OCR enforcement as effectively mandatory for encryption.

  • At rest: Full-disk encryption on every device that stores ePHI. BitLocker on Windows, FileVault on macOS — both free, both fine. Enrolled and enforced through your management tool, not "we asked everyone to turn it on."
  • In transit: TLS 1.2+ everywhere, including internal network traffic where feasible.
  • Email: Encrypt ePHI before it leaves your network. The portal-link model (recipient logs in to read) is the most defensible.
  • Backups: Encrypted at rest and in transit, with keys stored separately.

Workstation and mobile device management

Lost laptops cause more HIPAA breaches than hackers do. Every device that touches ePHI needs:

  • Full-disk encryption (enforced, not optional)
  • Remote wipe capability
  • Screen lock after 10 minutes
  • Enterprise antivirus or EDR
  • Inventory record (model, owner, encryption status)

For mobile devices: enroll in Intune / Workspace MDM. Personal devices accessing ePHI require BYOD policies in writing, with the user's consent on file.
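An added example of collecting that inventory record on a Windows workstation, not code from this article or from any provider's toolkit: it reads the model and serial, the BitLocker state of the system drive, the effective inactivity lock timeout, and Defender real-time status, then writes one pass/fail row per machine. This is the "encryption configuration evidence" the documentation section below asks for. The output share path, the Owner value and the 10-minute lock limit (the figure used above) are assumptions.

```powershell
# Added example, not from the article. Run elevated on each Windows workstation
# (the BitLocker module ships with Windows 10/11 Pro and up). The output path,
# Owner value and 600-second lock limit are assumptions taken from this checklist.
param(
    [string]$Owner  = 'unassigned',
    [string]$OutCsv = '\\fileserver\HIPAA\inventory\workstations.csv',
    [int]$MaxLockSeconds = 600
)
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$bios = Get-CimInstance -ClassName Win32_BIOS
$vol  = Get-BitLockerVolume -MountPoint $env:SystemDrive

# Inactivity lock: the machine policy (Interactive logon: Machine inactivity limit)
# wins; otherwise fall back to the user's screen-saver timeout, which only counts if
# it resumes to the logon screen (ScreenSaverIsSecure = 1).
$sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
$usr = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$lockSeconds = $null
if ($sys.InactivityTimeoutSecs) {
    $lockSeconds = [int]$sys.InactivityTimeoutSecs
} elseif ($usr.ScreenSaveActive -eq '1' -and $usr.ScreenSaverIsSecure -eq '1') {
    $lockSeconds = [int]$usr.ScreenSaveTimeOut
}

# Antivirus/EDR: Defender status if present; a third-party EDR needs its own check.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

$record = [pscustomobject]@{
    Collected            = (Get-Date).ToString('s')
    Hostname             = $env:COMPUTERNAME
    Model                = "$($cs.Manufacturer) $($cs.Model)"
    SerialNumber         = $bios.SerialNumber
    Owner                = $Owner
    EncryptionStatus     = "$($vol.VolumeStatus) / protection $($vol.ProtectionStatus) / $($vol.EncryptionMethod)"
    RecoveryKeyProtector = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    LockTimeoutSeconds   = $lockSeconds
    RealTimeAV           = [bool]$mp.RealTimeProtectionEnabled
}
# Pass/fail against the controls above, so the CSV doubles as audit evidence.
$fail = @()
if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') { $fail += 'disk-not-encrypted' }
if (-not $lockSeconds -or $lockSeconds -gt $MaxLockSeconds) { $fail += 'lock-timeout' }
if (-not $record.RealTimeAV) { $fail += 'no-realtime-av' }
$record | Add-Member -NotePropertyName Compliant -NotePropertyValue ($fail.Count -eq 0)
$record | Add-Member -NotePropertyName Failures  -NotePropertyValue ($fail -join ';')

$record | Export-Csv -Path $OutCsv -NoTypeInformation -Append
$record | Format-List
```

Deploy it as an Intune or scheduled-task script so the row is refreshed without relying on staff to run it; a missing recovery key protector means the drive is encrypted but not recoverable, which is its own finding.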

Business Associate Agreements (BAAs)

Every vendor that processes ePHI on your behalf must have a signed BAA before they touch any data. This includes:

  • Cloud email (Microsoft 365, Google Workspace — both will sign BAAs for healthcare customers)
  • Backup providers
  • EHR / practice management vendor
  • Billing services and clearinghouses
  • IT support provider (yes, including us — we sign a BAA before onboarding any healthcare client)

The BAA must be specific to HIPAA and explicitly cover the use of ePHI. A generic vendor agreement doesn't count.

Incident response plan

You must have a written plan for security incidents. At minimum:

  • Who is the designated security incident coordinator?
  • Who do you call first (your IT provider, your insurance, an attorney)?
  • How do you assess whether a breach notification is required (60-day rule)?
  • What's your communication template for patients and HHS?
  • Where do off-site copies of the plan live? (Because the network may be down.)

We deliver a one-page incident response cheat sheet to every healthcare client during onboarding, with the phone numbers pre-filled.

Documentation: the OCR test

When OCR audits you (and they do audit), they'll ask for documentation of:

  • Risk assessment (annual, written, dated, signed)
  • Policies and procedures
  • Workforce training records
  • Encryption configuration evidence
  • Backup test logs
  • Audit log review records
  • Access control reviews
  • BAAs for every vendor
  • Incident response plan

If you can't produce these on demand, you fail — even if your technology is fine.

How to actually get this done

For a 1–50 person practice, the technical work usually takes 30–60 days with a competent IT partner. The documentation and policy work takes another 30–60 days, often in parallel.

Budget reality check: expect to spend $129–$179 per user per month for managed IT services that include the HIPAA-grade controls above, plus a one-time $3,000–$8,000 for the initial assessment, encryption roll-out, and policy templates.

That's a fraction of the cost of a single breach. The 2023 HHS-reported small-practice settlement averaged $147,000, plus legal fees, patient notification cost, and reputation damage.

If you want a free 30-minute review of where your practice stands today, book a call — we'll walk through the checklist live and you'll leave with a prioritized fix list, whether or not you ever work with us.

Disclaimer: This article is educational and not legal advice. HIPAA compliance also requires administrative and physical safeguards, written policies, workforce training, and a formal risk assessment. Consult a HIPAA-qualified attorney and a healthcare-experienced IT provider for your specific situation.
