HIPAA Compliance Checklist for Medical Practices

HIPAA compliance is not a one-time project. It is an ongoing operational requirement that affects every system, process, and employee that touches Protected Health Information (PHI). Yet many medical practices treat it as a paperwork exercise, leaving significant gaps in their actual security posture. This checklist covers the requirements that matter most and the violations that cost practices the most money.

Understanding the Three Safeguard Categories

HIPAA's Security Rule organizes requirements into three categories: administrative, physical, and technical safeguards. All three are mandatory, and OCR (Office for Civil Rights) investigators evaluate compliance across all of them during audits and breach investigations. Focusing on only one category while neglecting the others is one of the most common mistakes practices make.

Technical Safeguards Checklist

Technical safeguards are the IT controls that protect electronic PHI (ePHI). These tend to be the areas where practices have the most gaps.

• Access controls: Implement unique user IDs for every employee who accesses ePHI. Use role-based access so that staff members can only see the data they need for their job function. Emergency access procedures should be documented and tested.
• Encryption: Encrypt ePHI both at rest and in transit. This means full-disk encryption on workstations and laptops, TLS for email containing PHI, and encrypted database storage. Encryption is an addressable specification under HIPAA, but failing to implement it without a documented alternative makes you liable for breach notification even for lost devices.
• Audit controls: Maintain logs of who accessed what ePHI and when. Your EHR system likely has audit logging built in, but you need to verify it is enabled, that logs are retained for at least six years, and that someone actually reviews them periodically.
• Integrity controls: Implement mechanisms to ensure ePHI has not been improperly altered or destroyed. This includes database integrity checks, backup verification, and version control on critical records.
• Transmission security: All ePHI sent over networks must be protected. This covers not just email but also fax-to-email services, patient portal communications, telehealth platforms, and any API integrations between systems.

Administrative Safeguards Checklist

Administrative safeguards are the policies, procedures, and training programs that govern how your practice handles PHI.

1. Risk analysis: Conduct a thorough, documented risk analysis at least annually. This is the single most-cited deficiency in OCR enforcement actions. Your risk analysis must identify every location where ePHI is created, received, maintained, or transmitted and evaluate threats and vulnerabilities for each.
2. Risk management plan: A risk analysis without a remediation plan is incomplete. Document how you will address each identified risk, assign responsible parties, set deadlines, and track progress.
3. Workforce training: Every employee must receive HIPAA training at hire and annually thereafter. Training should cover PHI handling procedures, social engineering awareness, incident reporting, and the specific policies of your practice.
4. Business Associate Agreements (BAAs): Every vendor that handles PHI on your behalf must have a signed BAA. This includes your EHR provider, cloud storage services, billing companies, IT support vendors, shredding services, and even your email provider if PHI is transmitted via email.
5. Incident response plan: Document your procedures for identifying, containing, and reporting security incidents and breaches. Include specific roles, contact information, and timelines that align with the 60-day breach notification requirement.

Physical Safeguards Checklist

Physical safeguards protect the facilities and equipment that house ePHI.

• Facility access controls: Restrict physical access to areas where ePHI is accessible. Server rooms should be locked. Workstations in patient areas should be positioned so screens are not visible to unauthorized individuals.
• Workstation security: Implement automatic screen locks, prohibit the storage of PHI on local drives when possible, and establish clean desk policies for areas where paper records are handled.
• Device disposal: Hard drives, USB drives, copier hard drives, and any media containing ePHI must be properly sanitized or destroyed before disposal. Document the destruction with certificates of destruction from your vendor.

"HIPAA violations are not theoretical risks. In 2024, OCR settled enforcement actions ranging from $50,000 for a small practice that failed to conduct a risk analysis to $4.75 million for a health system with systemic compliance failures."

The Most Common Violations

Based on OCR enforcement data, these are the violations that most frequently result in penalties for medical practices:

• Failure to conduct an adequate risk analysis (cited in nearly every enforcement action)
• Lack of encryption on portable devices
• Missing or incomplete Business Associate Agreements
• Insufficient access controls allowing employees to view records outside their job scope
• Failure to provide timely breach notification (the 60-day window starts when the breach is discovered, not when the investigation is complete)

Conclusion

HIPAA compliance is ultimately about building a culture of data protection into every aspect of your practice's operations. The checklist above covers the essential requirements, but compliance is only meaningful when these controls are implemented, maintained, and regularly tested. An annual risk analysis is the foundation. Everything else builds from there.

If your practice has not conducted a comprehensive risk analysis in the past 12 months, or if you are unsure whether your technical safeguards meet current requirements, a compliance assessment can identify your gaps and prioritize remediation before a breach or audit forces the issue.