The framing: HIPAA Security Rule, translated
The HIPAA Security Rule defines three categories of safeguards: administrative, physical, and technical. For an independent pharmacy with PrimeRx or QS/1, a small team, and a relationship with a wholesaler, the technical and administrative pieces are where IT lives. The pharmacist owns the clinical workflow and the physical safeguards (lock the medication area, secure the printers, keep the patient-facing counter clear). The IT side maps to a tight checklist of controls that an auditor — or your wholesaler's compliance team — can verify by asking for evidence.
This is not legal advice. It's a practical control list built from a decade of supporting independent pharmacies in Western Kentucky and the surrounding region. Always pair the IT controls with your pharmacy attorney's read of your specific environment.
The 12-control checklist
1. Identify a Security Official (and write it down)
HIPAA requires a designated Security Official. In a small pharmacy this is often the pharmacist-in-charge, or the office manager who handles compliance. The role doesn't have to be technical — the responsibility is being the named decision-maker. Write it into a one-page policy.
2. Sign Business Associate Agreements (BAAs) with every vendor handling PHI
The MSP, the cloud-backup vendor, the EHR / dispensing-system vendor, the email provider (Microsoft 365 requires the BAA in writing — it's not implied), the e-faxing vendor, the cloud-storage tool the pharmacy uses for scanned documents. A vendor that won't sign a BAA either doesn't handle PHI or shouldn't be in your environment.
3. Enforce MFA on every account that can access PHI
Microsoft 365 mailboxes, PrimeRx / QS/1 logins, the remote-desktop gateway, the wholesaler portal, the e-prescribing platform. SMS-based MFA is the floor; phishing-resistant (Microsoft Authenticator with number-matching, hardware key, passkey) for the pharmacist-in-charge and the office manager. See what MFA actually buys you.
4. Deploy endpoint detection and response (EDR) on every device
Every workstation in the pharmacy — counter, fill station, office — runs an EDR agent with 24/7 monitoring, not legacy antivirus. The EDR's job is to detect and contain the early stages of an attack before encryption or exfiltration. The 24/7 SOC's job is to triage the alerts so the pharmacist isn't getting paged at 9 PM about a false positive.
5. Patch the operating system and third-party apps on a documented schedule
Critical OS patches within 14 days. Browser and PDF reader patches on the same cadence. If you're still running Windows 10 endpoints in 2026, see Windows 10 end-of-life: your migration timeline — an unsupported OS in a HIPAA environment is an audit finding waiting to happen.
6. Segment the network: imaging / dispensing / guest
Flat networks are a HIPAA risk. The dispensing system, the imaging devices (if any), the POS, and the public-facing guest Wi-Fi all live on separate VLANs with documented access rules. The Wi-Fi for the waiting area never touches the network that PrimeRx runs on. This is a one-time configuration on a Ubiquiti UniFi or equivalent firewall; the maintenance is minimal.
7. Encrypt at rest, encrypt in transit
BitLocker on every Windows endpoint. TLS on every connection between the workstation and the dispensing system, the wholesaler portal, the bank. M365 encrypts in transit and at rest by default; verify the EHR vendor's documentation says the same.
8. Backups: immutable, off-site, restore-tested
Backups need three properties: they capture production data, at least one copy is offline or immutable (so ransomware can't encrypt the backup along with the primary), and the restore has actually been tested in the last 90 days. "We have backups" without a tested restore is hope, not a plan. See backup is the answer; restore is the test.
9. Audit logging on PHI access
PrimeRx, QS/1, and most dispensing systems log who accessed which patient record and when. Confirm logging is on (it usually is by default), and confirm logs are retained for the period your state board requires — commonly 6 years. Review the log for anomalies once a quarter as part of the security risk assessment.
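The quarterly anomaly review described in control 9, as an added example that is not code from the page or from the PrimeRx / QS/1 vendors. It assumes a generic "timestamp,user,patient_id,action" CSV export, a current staff list, Mon-Sat 08:00-19:00 pharmacy hours and a per-account distinct-patient threshold, all constructed here; map a real export's columns onto that shape before running it.

```python
"""Quarterly PHI-access log review: flags after-hours access, access by an
account that is not on the current staff list, and one account touching an
unusually large number of distinct patient records."""
from collections import defaultdict
from datetime import datetime

# Constructed sample in a generic "timestamp,user,patient_id,action" shape.
# PrimeRx / QS/1 exports use their own column names; map them to this shape.
SAMPLE_LOG = """\
2025-03-03T09:12:00,rph_smith,P1001,view
2025-03-03T09:15:00,tech_jones,P1002,fill
2025-03-03T21:40:00,tech_jones,P1003,view
2025-03-04T10:05:00,temp_user,P1004,view
2025-03-05T11:00:00,rph_smith,P1005,view
2025-03-05T11:02:00,rph_smith,P1006,view
2025-03-05T11:04:00,rph_smith,P1007,view
2025-03-09T12:00:00,tech_jones,P1008,view
"""

# Assumptions: current staff accounts and pharmacy hours (Mon-Sat 08:00-19:00).
STAFF = {"rph_smith", "tech_jones", "mgr_lee"}
OPEN_HOUR, CLOSE_HOUR, CLOSED_WEEKDAY = 8, 19, 6  # weekday() 6 is Sunday


def parse_log(text):
    """Return (timestamp, user, patient_id, action) tuples from CSV text."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, patient, action = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, patient, action))
    return rows


def review(rows, staff=STAFF, patient_threshold=200):
    """Return (finding_type, user, detail) tuples for the reviewer to check.
    patient_threshold: distinct patients one account may touch per period
    before it is flagged; tune it to the pharmacy's script volume."""
    findings = []
    patients_by_user = defaultdict(set)
    for ts, user, patient, _action in rows:
        if user not in staff:
            findings.append(("unknown_account", user, ts.isoformat()))
        in_hours = OPEN_HOUR <= ts.hour < CLOSE_HOUR
        if not in_hours or ts.weekday() == CLOSED_WEEKDAY:
            findings.append(("after_hours", user, ts.isoformat()))
        patients_by_user[user].add(patient)
    for user, patients in patients_by_user.items():
        if len(patients) > patient_threshold:
            findings.append(("high_volume", user, f"{len(patients)} patients"))
    return findings
```

Each finding is a lead for the reviewer to close out (a legitimate late fill, a contractor account that should have been disabled), and the closed-out list is the evidence that the quarterly review actually happened.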
10. Workforce training and phishing simulation
Annual HIPAA training for every employee (KnowBe4, Hook Security, Curricula, or a pharmacy-specific platform). Quarterly phishing simulations with click-rate tracking. The pharmacy that gets breached almost always traces it back to a phishing click; the pharmacy that catches the phish in the test moves the click-rate down where insurers and auditors want to see it.
11. Written security risk assessment (annually)
HIPAA explicitly requires it. A risk assessment looks at the environment, identifies the threats and vulnerabilities, and documents the controls in place plus the gaps. The HHS Office of the National Coordinator publishes a free SRA tool; an MSP working with healthcare clients runs the same exercise. The output is a one- or two-page document that becomes the evidence file on audit day.
12. Incident response plan and breach notification process
A written plan: who isolates the affected system, who calls the cyber-insurance carrier (within the breach notification window in your policy), who notifies patients if 500+ records are in scope (HHS and state attorney general have specific timelines), who handles media if it comes to that. The plan exists on paper before an incident, not as an improvisation during one.
What an auditor (or wholesaler compliance team) actually asks for
- The risk assessment from the last 12 months.
- The list of BAAs and the signed copies on file.
- The MFA enforcement report from Microsoft 365 (or equivalent).
- The EDR deployment report — coverage on every endpoint.
- The most recent restore-test log with date and time-to-restore.
- The patching log for the last 90 days.
- The training completion record for every employee.
- The written incident-response plan.
If those eight evidence files are current and organized in one folder, an audit is a one-meeting conversation. If they're not, it's a several-meeting project to gather them under pressure.
How a Micro-IT pharmacy plan covers the list
For independent pharmacies on a Micro-IT plan, the technical controls (3–8 above) are built into the standard environment we deliver. PrimeRx and QS/1 experience is in-house. BAAs get signed on contract day. The risk assessment and the incident-response plan are templated and customized for each pharmacy. Quarterly business reviews update the evidence files.
The pieces that stay on the pharmacy — designating the Security Official, completing training, signing BAAs with non-MSP vendors — we make as low-friction as possible (templates, calendar reminders, signature collection). See the pharmacy IT page for the full plan structure, or get a written quote scoped to your pharmacy.
