← ALL POSTS
CYBERSECURITY EXPLAINER

HIPAA IT compliance: the checklist without the lawyer bill

If your business touches patient health information (you're a clinic, a dental office, a therapy practice, a billing company, or you provide services to any of those), HIPAA applies to you. The frustrating part is that HIPAA's Security Rule doesn't hand you a checklist. It hands you legal language like "implement reasonable and appropriate safeguards," and then a lawyer offers to interpret it at $400 an hour. The lawyer has a place, especially for policies and contracts. But the technical side of HIPAA is concrete IT work, and you can understand it without a retainer.

One disclaimer up front: we're an IT shop, not a law firm, and this covers the technical safeguards, not your full compliance program. Here's the work itself.

Start with the risk assessment, because everything hangs off it

The Security Rule's first real requirement is a risk analysis: a documented inventory of where electronic protected health information (ePHI) lives, how it moves, and what could go wrong. This is also the first thing an auditor or investigator asks for, and "we don't have one" is the most common finding in enforcement actions.

Practically, it means answering on paper: What systems hold ePHI? Our EHR, the practice management system, email, that shared drive, the front-desk scanner's memory, someone's laptop? Who can access each one? What happens if each one is stolen, encrypted by ransomware, or emailed to the wrong person? The federal government publishes a free Security Risk Assessment tool through HealthIT.gov that walks small practices through this. It's tedious and it works.

Access controls: unique logins and the minimum necessary

Every person gets their own account, on every system that touches ePHI. The shared "frontdesk" login that four people use is one of the most common problems we find in medical offices, and it fails HIPAA on its face because you can't tell who did what.

Encryption at rest and in transit

Encryption is technically "addressable" under the rule, which people misread as optional. It isn't, in practice. If an unencrypted laptop with patient data is stolen, that's a reportable breach with notification duties and potential fines. If the same laptop was encrypted, it's generally not a reportable breach at all. Encryption is the cheapest breach you'll never have to report.

Audit logs: someone has to be able to answer "who looked at this?"

The rule requires mechanisms that record activity in systems containing ePHI. Your EHR almost certainly has audit logging built in; the requirement is that it's turned on, retained, and that access is reviewed occasionally, not just collected. Same for Microsoft 365 or Google Workspace audit logs. When a patient complains that a staff member snooped their chart, the log is how you answer, and reviewing logs periodically is how you catch it before the complaint.

Business associate agreements

Any vendor that touches ePHI on your behalf (your EHR vendor, your IT provider, your cloud email, your billing service, your online backup, sometimes your shredding company) needs a signed business associate agreement, a BAA. Microsoft and Google will sign one for their business plans; consumer plans, no. This is the item that catches people using free Gmail or personal Dropbox for anything patient-related. Make a list of every vendor with ePHI access and confirm a BAA exists for each. Missing BAAs have driven six-figure settlements on their own.

The rest of the technical list

How to know it's done right

You have a written risk assessment less than a year old. Every account is individual, MFA is on, and offboarding is same-day. Every laptop would be a shrug, not a breach, if stolen tonight. You can produce a signed BAA for every vendor on your list. And your backups restored successfully the last time someone tested them, on a date you can name. That's the technical core. Get those in writing and the lawyer conversation gets a lot shorter and cheaper.

Stuck on this, or want it done for you? That's the job.

Email us →
RELATED READING
Do you still need a VPN? Explainer
Set up a company password manager the right way Step-By-Step Guide
PCI DSS for small business: what taking cards commits you to Explainer
The employee IT onboarding and offboarding checklist we use Step-By-Step Guide
The server room checklist: cooling, power, access Explainer
NO FORMS. JUST EMAIL.
mason@hurbs.io
or (832) 457-4317, LA and Houston