Why HIPAA IT Compliance Matters More Than Ever
If you run a medical practice, dental office, physical therapy clinic, or any healthcare-related business in the Raleigh-Durham area, HIPAA compliance isn't optional — it's existential.
The HHS Office for Civil Rights (OCR) has dramatically increased enforcement. In 2025 alone, OCR settled or imposed penalties totaling over $12 million. And it's not just hospitals getting fined — **small practices with 10–50 employees are increasingly targeted** because they're more likely to have gaps.
The average healthcare data breach now costs **$10.9 million** (IBM Cost of a Data Breach Report). Even a small breach affecting 500 patients triggers mandatory OCR notification, state attorney general reporting, media disclosure, and costly remediation.
The good news: most HIPAA IT requirements are straightforward to implement with the right IT partner. This checklist covers everything your practice needs.
The HIPAA IT Compliance Checklist
Use this as a working checklist. If you can't check every box, those are the gaps your IT provider should be addressing.
Access Controls
Access controls ensure only authorized people can access protected health information (PHI). This is the most fundamental technical safeguard.
•[ ] **Unique user accounts** — Every employee has their own login. No shared accounts, ever. If three front-desk staff share one login, you can't track who accessed what.
•[ ] **Role-based access** — Staff only see the PHI they need for their job. The receptionist shouldn't have the same access as the physician.
•[ ] **Strong passwords** — Minimum 12 characters, complexity requirements, no reuse. Use a [password checker](/tools/password-checker) to verify strength.
•[ ] **Multi-factor authentication (MFA)** — Required on all systems that access PHI: EHR, email, cloud storage, VPN. This is the single most effective security control available.
•[ ] **Automatic session lockout** — Workstations lock after 5–10 minutes of inactivity. Adjust for clinical workflow — screen lock, not full logout.
•[ ] **Access termination** — Documented process to revoke all access immediately when an employee leaves. Within hours, not days.
•[ ] **Physical access controls** — Server rooms locked. Workstations in patient areas positioned so screens aren't visible to the waiting room. Clean desk policy enforced.
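The first five items above are all things you can check mechanically if you have two lists: who works here (from HR) and which logins exist on the systems that hold PHI. The script below is an added illustration, not a tool from Triangle Tech or from any EHR vendor; the roster, the account list, the system names and the `ROLE_ALLOWED` map of which roles each job title may hold are all constructed for the example. It reports shared logins, accounts still enabled after a termination date, enabled accounts without MFA, logins with no matching HR record, and roles granted beyond the job's allowed set.

```python
"""Account hygiene audit for PHI systems (added example, not the page's own tool)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Hypothetical least-privilege map: which roles each job title is allowed to hold.
ROLE_ALLOWED = {
    "physician": {"ehr_clinical", "email"},
    "front_desk": {"ehr_scheduling", "email"},
    "billing": {"ehr_billing", "email"},
}


@dataclass
class Employee:
    name: str
    title: str
    terminated: date | None = None  # None while still employed


@dataclass
class Account:
    login: str
    system: str              # constructed system name, e.g. "ehr" or "m365"
    owners: list[str]        # every person who knows this credential
    enabled: bool
    mfa: bool
    roles: set[str] = field(default_factory=set)


def audit(employees: list[Employee], accounts: list[Account], today: date):
    """Return (check, login, detail) findings; an empty list means a clean audit."""
    roster = {e.name: e for e in employees}
    findings = []
    for acct in accounts:
        # Unique user accounts: one person per login or the audit trail names nobody.
        if len(acct.owners) != 1:
            findings.append(("shared_account", acct.login,
                             f"{len(acct.owners)} people use this login"))
        # MFA on every enabled account that can reach PHI.
        if acct.enabled and not acct.mfa:
            findings.append(("missing_mfa", acct.login, acct.system))
        for owner in acct.owners:
            emp = roster.get(owner)
            if emp is None:
                findings.append(("orphaned_account", acct.login,
                                 f"no HR record for {owner}"))
                continue
            # Access termination: departed staff must not keep an enabled login.
            if emp.terminated and emp.terminated <= today and acct.enabled:
                days = (today - emp.terminated).days
                findings.append(("stale_account", acct.login,
                                 f"{owner} left {days} days ago, login still enabled"))
            # Role-based access: anything beyond what the job title allows.
            excess = acct.roles - ROLE_ALLOWED.get(emp.title, set())
            if excess:
                findings.append(("excess_role", acct.login,
                                 f"{owner} ({emp.title}) holds {sorted(excess)}"))
    return findings


# Constructed sample data: a four-person practice with one recent departure.
SAMPLE_EMPLOYEES = [
    Employee("Dr. Patel", "physician"),
    Employee("Maria", "front_desk"),
    Employee("Jo", "front_desk"),
    Employee("Sam", "billing", terminated=date(2025, 3, 1)),
]
SAMPLE_ACCOUNTS = [
    Account("frontdesk", "ehr", ["Maria", "Jo"], True, True, {"ehr_scheduling"}),
    Account("patel", "ehr", ["Dr. Patel"], True, False, {"ehr_clinical"}),
    Account("sam", "ehr", ["Sam"], True, True, {"ehr_billing"}),
    Account("maria", "m365", ["Maria"], True, True, {"email", "ehr_clinical"}),
]


def run_sample():
    return audit(SAMPLE_EMPLOYEES, SAMPLE_ACCOUNTS, today=date(2025, 3, 10))


if __name__ == "__main__":
    for check, login, detail in run_sample():
        print(f"{check:16} {login:12} {detail}")
```

Run it against a real export and the output is the list of items your IT provider has to close; a login that appears under `stale_account` days after a departure is exactly the "within hours, not days" failure the checklist describes.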
Encryption
Encryption makes data unreadable to anyone without the decryption key. HIPAA lists encryption as an "addressable" specification rather than a strictly "required" one, but the breach notification safe harbor means that losing properly encrypted PHI (where the key was not also compromised) is not a reportable breach, which makes encryption functionally mandatory.
•[ ] **Data at rest** — Full-disk encryption on all workstations and laptops (BitLocker for Windows, FileVault for Mac). Encrypted databases for EHR systems.
•[ ] **Data in transit** — TLS 1.2+ for all network communications. HTTPS for all web-based applications. Encrypted email for sending PHI (not regular Gmail/Outlook without encryption add-ons).
•[ ] **Mobile devices** — All phones and tablets that access PHI must be encrypted with remote wipe capability. This includes personal devices if you allow BYOD.
•[ ] **Removable media** — USB drives containing PHI must be encrypted. Better yet: block USB storage on workstations entirely. Data should move through encrypted, audited channels.
•[ ] **Backup encryption** — All backup data encrypted both in transit and at rest. [Backup systems](/services/backup) should use AES-256 encryption at minimum.
Audit Logging & Monitoring
HIPAA requires you to know who accessed PHI, when, and what they did with it. You can't just implement security controls — you must prove they're working.
•[ ] **EHR access logs** — Your electronic health record system should log every access with user ID, timestamp, patient record accessed, and action taken.
•[ ] **Email audit logging** — Enabled on Microsoft 365 or Google Workspace. Tracks who sent what to whom, including attachments.
•[ ] **File access logging** — Any shared drives or cloud storage containing PHI should log access events.
•[ ] **Network monitoring** — Firewall logs, intrusion detection, and anomaly alerting. Your IT provider should be reviewing these regularly, not just collecting them.
•[ ] **Log retention** — HIPAA requires maintaining audit logs for 6 years. Ensure your logging systems retain data for at least that long.
•[ ] **Regular log review** — Logs are useless if nobody reads them. Your IT provider should review logs for anomalies at least weekly.
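"Regular log review" is where most practices stall, because nobody wants to read thousands of EHR access lines by hand. The script below is an added example, not part of the original checklist and not an EHR vendor's feature; the log line format (`timestamp user=... patient=... action=...`), the business-hours window and the per-day patient threshold are all assumptions for the illustration, and the sample lines are constructed. It flags two of the most common anomalies a weekly review looks for: PHI access outside business hours or on weekends, and one user touching an unusual number of distinct patient records in a day. Lines it cannot parse are counted rather than silently dropped, since a logging gap is itself a finding.

```python
"""Weekly EHR access-log review (added example, not the page's own tool)."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed line format for the example; real EHR logs differ by vendor.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None if it cannot be parsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.fromisoformat(rec["ts"])
    except ValueError:
        return None
    return rec


def review(lines, business_hours=(7, 19), max_patients_per_day=25):
    """Scan log lines and return {"findings": [...], "unparsed": n}."""
    start, end = business_hours
    findings = []
    unparsed = 0
    per_user_day = defaultdict(set)  # (user, date) -> distinct patient ids
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        ts = rec["ts"]
        # After-hours check: weekend, or weekday outside the business-hours window.
        if ts.weekday() >= 5 or not (start <= ts.hour < end):
            findings.append({"check": "after_hours", "user": rec["user"],
                             "patient": rec["patient"], "action": rec["action"],
                             "when": ts.isoformat()})
        per_user_day[(rec["user"], ts.date())].add(rec["patient"])
    # Bulk-access check: too many distinct patients for one user in one day.
    for (user, day), patients in per_user_day.items():
        if len(patients) > max_patients_per_day:
            findings.append({"check": "bulk_access", "user": user,
                             "when": day.isoformat(), "count": len(patients)})
    return {"findings": findings, "unparsed": unparsed}


# Constructed sample: 2025-03-03 is a Monday, 2025-03-08 a Saturday.
SAMPLE_LOG = [
    "2025-03-03T09:15:02 user=dr.patel patient=10042 action=view",
    "2025-03-03T09:16:40 user=dr.patel patient=10042 action=update",
    "2025-03-03T22:47:10 user=maria patient=10077 action=view",   # late evening
    "2025-03-08T10:02:00 user=maria patient=10081 action=print",  # weekend
    "this line is garbage",                                        # logging gap
] + [  # a temp account paging through 30 different charts in half an hour
    f"2025-03-04T13:{m:02d}:00 user=temp1 patient={20000 + m} action=view"
    for m in range(30)
]


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for f in result["findings"]:
        print(f)
    print(f"unparsed lines: {result['unparsed']}")
```

The thresholds are deliberately parameters: a front-desk role legitimately opens many charts a day while a physician's after-hours access may be routine on-call work, so tune `business_hours` and `max_patients_per_day` per role before treating a hit as an incident, and keep the review output with your compliance documentation as evidence that logs are actually read.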
Network Security
Your network is the perimeter. Everything flows through it — patient data, billing info, insurance claims. If the network isn't secure, nothing is.
•[ ] **Business-grade firewall** — Not a consumer router. A properly configured firewall with intrusion detection/prevention (IDS/IPS). Ubiquiti, Fortinet, or similar enterprise-grade equipment.
•[ ] **Network segmentation** — Separate your patient data network from guest Wi-Fi and IoT devices. A compromised smart TV in the waiting room shouldn't provide a path to your EHR.
•[ ] **Secure Wi-Fi** — WPA3 encryption, unique SSIDs for staff and guests, hidden SSID for clinical network. No open networks.
•[ ] **VPN for remote access** — Any staff accessing systems remotely must use an encrypted VPN. No direct RDP (Remote Desktop Protocol) exposed to the internet — this is one of the most common attack vectors.
•[ ] **Patch management** — All network devices (firewalls, switches, access points) running current firmware. Automated patching for workstations and servers.
Employee Training
The majority of healthcare data breaches involve human error — usually phishing emails. Technical controls can only do so much; your staff is the last line of defense.
•[ ] **Annual HIPAA training** — All employees, including physicians, must complete HIPAA awareness training annually. Document completion with dates and signatures.
•[ ] **Phishing simulation** — Regular simulated phishing tests to identify vulnerable staff. Follow up with targeted training for anyone who clicks.
•[ ] **Security awareness** — Ongoing reminders about social engineering, physical security (tailgating, shoulder surfing), and proper PHI handling.
•[ ] **Incident response training** — Staff should know exactly what to do if they suspect a breach: who to contact, what to document, and what NOT to do (don't try to "fix" it yourself).
•[ ] **New hire orientation** — HIPAA training before new employees access any systems. Not "within 30 days" — before access is granted.
Backup & Disaster Recovery
If ransomware encrypts your EHR system, can you recover? How long will it take? These questions must have documented, tested answers.
•[ ] **Daily automated backups** — All systems containing PHI backed up at least daily. Critical systems (EHR, billing) backed up more frequently.
•[ ] **Offsite/cloud backup** — At least one backup copy stored offsite or in the cloud, physically separated from your primary systems. This protects against fire, flood, and ransomware.
•[ ] **Backup encryption** — All backup data encrypted with AES-256 at minimum. Your backup vendor must sign a BAA.
•[ ] **Regular test restores** — Test your backups quarterly at minimum. Actually restore data and verify it's complete and usable. An untested backup is not a backup.
•[ ] **Documented recovery plan** — Written disaster recovery plan with recovery time objectives (RTOs) and recovery point objectives (RPOs). Staff should know the plan.
•[ ] **Business continuity** — Can your practice operate (even at reduced capacity) during an IT outage? Paper-based fallback procedures should be documented and accessible.
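"Actually restore data and verify it's complete and usable" is a testable statement. The script below is an added example, not part of the original checklist and not a feature of any named backup product; the directory layout, file names and the 24-hour RPO are constructed for the illustration. It restores nothing itself (that is your backup tool's job); after a test restore it walks the live data set, hashes every file with SHA-256, and compares each hash with the restored copy so that missing and silently corrupted files are reported separately, and it checks whether the newest backup is young enough to meet the documented recovery point objective.

```python
"""Test-restore verification (added example, not the page's own tool)."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large EHR databases don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_restore(source: Path, restored: Path) -> dict:
    """Compare every file under `source` with its counterpart under `restored`."""
    report = {"ok": [], "missing": [], "corrupt": []}
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source)
        dst = restored / rel
        if not dst.is_file():
            report["missing"].append(str(rel))
        elif sha256_file(src) != sha256_file(dst):
            report["corrupt"].append(str(rel))
        else:
            report["ok"].append(str(rel))
    report["passed"] = not report["missing"] and not report["corrupt"]
    return report


def rpo_met(last_backup: datetime, now: datetime, rpo: timedelta) -> bool:
    """True if the newest backup is no older than the recovery point objective."""
    return now - last_backup <= rpo


def run_demo() -> dict:
    """Constructed scenario: three files backed up; the restore loses one and corrupts one."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "ehr_data"
        restored = Path(tmp) / "restored"
        (source / "db").mkdir(parents=True)
        (source / "db" / "patients.sqlite").write_bytes(os.urandom(4096))
        (source / "notes.txt").write_text("constructed clinical notes\n")
        (source / "billing.csv").write_text("claim,amount\n1,100\n")
        shutil.copytree(source, restored)             # the "restore"
        (restored / "billing.csv").unlink()            # file the restore job skipped
        (restored / "db" / "patients.sqlite").write_bytes(b"\x00" * 4096)  # bit rot
        report = verify_restore(source, restored)
    # Assumed RPO of 24 hours; last backup 9 hours before the check.
    report["rpo_met"] = rpo_met(datetime(2025, 3, 9, 23, 0),
                                datetime(2025, 3, 10, 8, 0), timedelta(hours=24))
    return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run the comparison against a restore into a scratch location, not over your live data, and file the report with the date of the test; a quarterly series of passing reports is the evidence an auditor asks for when you say your backups work.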
Business Associate Agreements (BAAs)
Any vendor who touches PHI needs a BAA. Period. This is one of the most commonly overlooked requirements and one of the easiest to fix.
•[ ] **IT provider (MSP)** — Your managed IT company has access to your systems and therefore to PHI. BAA required.
•[ ] **Cloud providers** — Microsoft (for Microsoft 365), Google (for Workspace), Amazon (for AWS). All offer BAAs for qualifying plans.
•[ ] **EHR vendor** — Your electronic health records provider. This should already be in place.
•[ ] **Backup/DR provider** — Whoever stores your backup data. BAA required.
•[ ] **Email service** — If using a third-party email service beyond Microsoft 365/Google Workspace.
•[ ] **Shredding/disposal** — Companies that destroy old hard drives, documents, or equipment containing PHI.
•[ ] **BAA inventory** — Maintain a master list of all business associates with signed BAAs, review dates, and contact information. Review annually.
Risk Assessment
The risk assessment is the foundation of HIPAA compliance. It's also the single most-cited deficiency in OCR investigations. **If you do nothing else on this list, do the risk assessment.**
•[ ] **Annual risk assessment** — Conducted at least annually and documented in writing. Identifies threats, vulnerabilities, and the likelihood and impact of potential breaches.
•[ ] **Risk management plan** — For every risk identified, document how you will address it: mitigate, accept, transfer, or avoid. "We'll deal with it later" is not acceptable.
•[ ] **Reassessment after changes** — New EHR system? Office move? Cloud migration? Each significant change requires a reassessment.
•[ ] **Documentation retention** — Keep risk assessment documentation for 6 years. OCR can and will ask for previous assessments during an investigation.
Incident Response
It's not if a security incident happens — it's when. Having a plan means the difference between a manageable situation and a catastrophe.
•[ ] **Written incident response plan** — Step-by-step procedures for identifying, containing, investigating, and reporting security incidents.
•[ ] **Breach notification procedures** — HIPAA requires notification within 60 days of discovering a breach affecting 500+ individuals. Have the process documented before you need it.
•[ ] **Incident response team** — Designated roles: who coordinates the response, who handles communications, who works with IT, who contacts legal.
•[ ] **Forensics capability** — Your IT provider should be able to investigate incidents and preserve evidence. This is critical for both OCR reporting and potential legal proceedings.
•[ ] **Annual tabletop exercise** — Walk through a simulated breach scenario annually. Identify gaps in your plan before a real incident exposes them.
Common HIPAA IT Mistakes We See in the Triangle
After working with healthcare practices across Raleigh, Durham, Cary, and the surrounding area, these are the most common compliance gaps we find:
1. No MFA on Email
This is the biggest one. Email is the primary attack vector for healthcare breaches, and practices without MFA are sitting ducks. Enabling MFA on Microsoft 365 or Google Workspace takes 15 minutes and is the single highest-impact security improvement you can make.
2. Shared User Accounts
"Everyone uses the same login" destroys your audit trail. If you can't prove which user accessed a patient record, you can't demonstrate compliance. Every staff member needs their own credentials.
3. Personal Devices Without Controls
Physicians checking email on personal phones. Staff accessing the EHR from home laptops. Without mobile device management (MDM) and encryption requirements, every personal device is a potential breach.
4. No Tested Backups
Practices tell us "we have backups" but have never tested a restore. When ransomware hits, they discover the backups are incomplete, corrupted, or months outdated. Test your restores quarterly.
5. Missing BAAs
The practice has three cloud services touching patient data, but only signed a BAA with one of them. This is a violation even if no breach occurs.
6. No Risk Assessment
Many small practices have never conducted a formal risk assessment. This is the first thing OCR asks for during an investigation, and its absence virtually guarantees a finding of noncompliance.
7. Wi-Fi Security
Guest Wi-Fi and clinical Wi-Fi on the same network. Open Wi-Fi in the waiting room that can reach internal systems. These are basic network segmentation failures that put PHI at risk.
What Your IT Provider Should Be Doing
If you have a managed IT provider, they should be handling most of the technical items on this checklist. Here's what to expect:
**Included in good managed IT for healthcare:**
• MFA deployment and management
• Endpoint encryption verification
• Patch management (OS, applications, firmware)
• 24/7 monitoring with HIPAA-aware alerting
• Encrypted email and data loss prevention configuration
• Backup management with regular test restores
• Annual risk assessment support
• BAA (signed with your practice)
**Red flags that your current IT provider isn't HIPAA-ready:**
• They haven't mentioned HIPAA or asked about your compliance needs
• They don't have a BAA signed with you
• They can't tell you specifically what security tools they've deployed on your systems
• They haven't conducted or assisted with a risk assessment
• They don't test backups regularly
• They set up your Microsoft 365 but never configured security or compliance features
HIPAA Compliance Is a Process, Not a Project
The most important thing to understand: HIPAA compliance isn't a one-time project you complete and forget. It's an ongoing process that requires:
• **Regular assessments** to identify new risks
• **Continuous monitoring** to catch threats and anomalies
• **Updated training** to keep staff vigilant
• **Documentation** to prove compliance during audits
• **A responsive IT partner** who understands healthcare requirements
Get a Free HIPAA IT Assessment
Triangle Tech specializes in IT support for healthcare practices across the Raleigh-Durham Triangle. We understand the unique challenges of healthcare IT — from EHR integration to HIPAA compliance to patient data security.
If you're not sure whether your practice meets HIPAA IT requirements, we'll help you find out. Our free IT assessment includes:
• Review of your current security controls against this checklist
• Identification of critical compliance gaps
• Prioritized remediation plan with timeline and costs
• No obligation, no pressure
Schedule your free HIPAA IT assessment →
Or call us directly at [(919) 446-5484](tel:9194465484). We're local, we answer the phone, and we speak healthcare IT.