Start here: HIPAA is about a process, not a product
No software makes you "HIPAA compliant." HIPAA's Security Rule asks you to run a process: assess your risks to protected health information (PHI), put reasonable safeguards in place, document what you did, and keep it current. An auditor doesn't want a logo on a box — they want to see that process. The checklist below is the IT half of it, organized the way the Security Rule is: administrative, physical, and technical safeguards, plus the paperwork that ties them together.
Administrative safeguards
- A written security risk analysis. This is the foundation and the most commonly missing document. It identifies where PHI lives, what could go wrong, and how likely and damaging each risk is. The Security Rule requires it, and OCR asks for it first. Refresh it annually and after any major change.
- A named security official. One person accountable for the program — even if the work is outsourced to an IT partner.
- Workforce training. Everyone who touches PHI needs regular, documented security and privacy training, including how to recognize phishing.
- Access management. Access to PHI granted by role, reviewed periodically, and revoked promptly when someone leaves. Each review should compare the account list (including vendor and service accounts) against the HR roster; turnover with stale accounts is a classic finding.
- A contingency plan. Documented data backup, disaster recovery, and an emergency-mode plan so care and operations continue if systems go down.
Technical safeguards
- Unique user IDs and MFA. Every user signs in as themselves — no shared logins — with multi-factor authentication on email, the EHR, and remote access. MFA is the highest-impact control you can turn on.
- Encryption, in transit and at rest. Encrypt laptops, phones, servers, and backups, and use TLS for anything carrying PHI over a network. Full-disk encryption is the reasonable safeguard for portable devices, and a lost or stolen device whose PHI was encrypted to HHS guidance (with the key not also lost) is not a reportable breach. Note the limits: it protects a powered-off or locked device, not a logged-in session, so pair it with automatic logoff.
- Audit controls. Logging that records who accessed PHI and when, stored where users cannot alter it, reviewed on a regular schedule (the Security Rule calls this information system activity review), and retained long enough to investigate an incident.
- Automatic logoff and EDR. Sessions that lock when unattended, and endpoint detection and response — modern protection in place of legacy antivirus — on every device.
- Patching. Centrally managed updates for operating systems and applications, with evidence of coverage. Unpatched software is a leading breach entry point.
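To make the access-management and MFA items above concrete, here is an added example (not code from this page or from any IT provider) of a quarterly access review: it compares an identity-provider account export against the HR roster and flags the findings an OCR reviewer would look for. All data is constructed, and the field names (role, last_login, mfa_enrolled, shared) are assumptions about what your directory export contains.

```python
"""Quarterly access review with constructed sample data (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    user: str
    role: str                    # role assigned in the identity provider
    last_login: Optional[date]   # None means the account has never signed in
    mfa_enrolled: bool
    shared: bool = False         # a generic login used by more than one person


# Constructed HR roster (hypothetical): user -> (role, still employed)
ROSTER: Dict[str, Tuple[str, bool]] = {
    "jsmith": ("nurse", True),
    "mlee": ("biller", True),
    "rpatel": ("physician", True),
    "tgarcia": ("nurse", False),      # left the practice last month
}

# Constructed identity-provider export (hypothetical)
ACCOUNTS: List[Account] = [
    Account("jsmith", "admin", date(2024, 6, 3), True),            # role drift
    Account("mlee", "biller", date(2024, 1, 10), True),            # dormant
    Account("rpatel", "physician", date(2024, 6, 5), False),       # no MFA
    Account("tgarcia", "nurse", date(2024, 5, 30), True),          # departed, still enabled
    Account("frontdesk", "registration", date(2024, 6, 5), False, shared=True),
    Account("vendor-svc", "it-partner", None, False),              # never used, no owner
]

REVIEW_DATE = date(2024, 6, 10)


def review_accounts(accounts: List[Account], roster: Dict[str, Tuple[str, bool]],
                    today: date, stale_days: int = 90) -> Dict[str, List[str]]:
    """Return the usernames behind each finding category.

    departed      enabled account for someone HR says has left
    unknown       account with no roster owner (vendor/service logins need a named owner)
    role_mismatch directory role differs from the role HR assigned
    stale         no sign-in within stale_days, or never signed in
    no_mfa        account without MFA enrolled
    shared        generic login that breaks the unique-user-ID requirement
    """
    findings: Dict[str, List[str]] = {k: [] for k in
        ("departed", "unknown", "role_mismatch", "stale", "no_mfa", "shared")}
    cutoff = today - timedelta(days=stale_days)
    for a in accounts:
        if a.shared:
            findings["shared"].append(a.user)
        if not a.mfa_enrolled:
            findings["no_mfa"].append(a.user)
        if a.last_login is None or a.last_login < cutoff:
            findings["stale"].append(a.user)
        entry = roster.get(a.user)
        if entry is None:
            findings["unknown"].append(a.user)
            continue
        role, active = entry
        if not active:
            findings["departed"].append(a.user)
        elif role != a.role:
            findings["role_mismatch"].append(a.user)
    return findings


def has_findings(findings: Dict[str, List[str]]) -> bool:
    """True when any category is non-empty, i.e. the review needs follow-up."""
    return any(findings.values())


if __name__ == "__main__":
    # Print the review so the output can be filed as the evidence artifact.
    for category, users in review_accounts(ACCOUNTS, ROSTER, REVIEW_DATE).items():
        print(f"{category:14s} {', '.join(users) or '-'}")
```

Run it on each review date and keep the output with the access-review evidence; an empty report is also evidence, because it shows the review happened. The roster join is the step most practices skip: a directory alone cannot tell you that tgarcia left last month.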
Physical safeguards
- Facility and workstation controls. PHI screens not visible to the waiting room, server and network gear in locked space, and a record of who has physical access.
- Device and media disposal. A documented process for wiping or destroying drives, copiers, and old computers before they leave the building.
The paperwork that ties it together
- Business Associate Agreements (BAAs) with every vendor that can touch PHI — your IT provider, cloud backup, email host, EHR, and billing service. No BAA, no PHI.
- Written policies and procedures that match what you actually do (not a template you've never read).
- An incident-response and breach-notification plan, so if something happens you act on a plan instead of improvising under pressure.
- Evidence files. Keep the artifacts — the risk analysis, training logs, BAAs, backup test results, access reviews. In an OCR investigation, undocumented is treated as undone.
What your IT provider should own — and what stays on you
A good managed IT partner owns most of the technical and a chunk of the administrative safeguards: MFA and identity, encryption, EDR, patching, audit logging, backup and tested recovery, and the technical evidence files. They should also sign a BAA without hesitation and help you keep the risk analysis current.
What stays on you: the clinical and front-desk privacy practices, workforce behavior, who gets access to what, and the decision-making a risk analysis surfaces. HIPAA is a shared responsibility — the failures usually happen in the seam between "I thought IT had that" and "I thought you did." The fix is a partner who makes that line explicit and puts it in writing.
