HIPAA compliance isn't optional for healthcare organizations, and the technical safeguard requirements are more precise than most practices realize. OCR audits and enforcement actions consistently find the same gaps. Here's what to prioritize.

Encryption (Addressable, but treat it as Required)

Encryption is technically an addressable implementation specification under the Security Rule (45 CFR 164.312(a)(2)(iv) for data at rest, 164.312(e)(2)(ii) for data in transit). Addressable does not mean optional: you must either implement it or document why an equivalent alternative is reasonable and appropriate for your environment, and OCR has not accepted "we never got around to it" as that justification. In practice, every device that stores electronic PHI, including workstations, laptops, servers, mobile devices, removable media and backups, should be encrypted at rest. It is the single most effective control against disclosure when hardware is lost or stolen: PHI encrypted in line with HHS guidance (which points to NIST SP 800-111 for data at rest) is not "unsecured PHI", so its loss is not a reportable breach, while lost unencrypted laptops have driven multi-million dollar settlements. Two checks matter more than the written policy: confirm from your management console that encryption is actually enabled on each device rather than assumed, and escrow recovery keys somewhere other than the device itself.

Unique User Identification (Required)

This is a required implementation specification of the Access Control standard (45 CFR 164.312(a)(2)(i)): every person who accesses systems containing PHI must have their own login. The usual failure is a shared account tied to a role or a location, such as a "frontdesk" or "nursestation" login, or a generic account handed to a vendor. Shared credentials make audit logs meaningless, because an entry then tells you which workstation did something, not who did it, and you cannot revoke one departing employee's access without disrupting everyone else. This applies to the EHR, email, and any clinical or billing application.

Audit Controls (Required)

The Audit Controls standard (45 CFR 164.312(b)) requires mechanisms that record and examine activity in systems containing ePHI. At minimum, logs should capture who (the unique user ID), which record, what action, when, and from where. The Security Rule sets no retention period for the logs themselves, so define one in policy, and keep the records of your log reviews, since those are documentation subject to the six-year retention requirement in 164.316(b). Logging that nobody examines satisfies neither the standard nor your own interests: these logs are your early-warning system for insider snooping, and the patterns worth reviewing for are concrete, such as one user ID active from several machines at once, a user opening far more patient charts than their peers, and access outside normal hours.
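As an added example (not code from the original article), the script below runs the kind of review the Unique User Identification and Audit Controls sections call for over an EHR access-log export: it flags a login used from two machines within minutes (the signature of a shared credential), a user who opened far more distinct patient records than peers, and after-hours access. The export format, user names, addresses and record IDs are hypothetical, constructed sample data; map the field names to whatever your EHR actually exports.

```python
"""Audit-log review over a constructed EHR access export.

Added example for the Unique User Identification and Audit Controls
sections; it is not code from the original article. The export format
(timestamp, user id, source IP, action, patient record) and every user,
address and record id below are hypothetical sample data.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one access event per line.
SAMPLE_LOG = """\
2024-03-04T08:02:11 jsmith    10.1.4.22 VIEW   P-1001
2024-03-04T08:15:40 jsmith    10.1.4.22 UPDATE P-1002
2024-03-04T08:47:03 rlee      10.1.4.31 VIEW   P-1003
2024-03-04T09:00:05 frontdesk 10.1.4.40 VIEW   P-1004
2024-03-04T09:03:12 frontdesk 10.1.4.41 VIEW   P-1005
2024-03-04T11:05:30 rlee      10.1.4.31 PRINT  P-1003
2024-03-04T14:30:12 jsmith    10.1.4.23 VIEW   P-1007
2024-03-04T22:10:01 mchen     10.1.4.55 VIEW   P-2001
2024-03-04T22:10:29 mchen     10.1.4.55 VIEW   P-2002
2024-03-04T22:10:58 mchen     10.1.4.55 VIEW   P-2003
2024-03-04T22:11:20 mchen     10.1.4.55 VIEW   P-2004
2024-03-04T22:11:47 mchen     10.1.4.55 VIEW   P-2005
2024-03-04T22:12:15 mchen     10.1.4.55 VIEW   P-2006
2024-03-04T22:12:44 mchen     10.1.4.55 VIEW   P-2007
2024-03-04T22:13:09 mchen     10.1.4.55 VIEW   P-2008
"""


def parse(log_text):
    """Return one dict per event; blank lines and '#' comments are skipped."""
    events = []
    for line in log_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, user, ip, action, patient = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "action": action, "patient": patient})
    return events


def shared_credential_use(events, window=timedelta(minutes=10)):
    """Users seen from two or more source IPs within `window` of each other.
    A clinician moving between rooms shows up hours apart; a shared login shows
    up from different machines minutes apart. Returns {user: set_of_ips}."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # sorted, so every later event is further away
                if b["ip"] != a["ip"]:
                    flagged.setdefault(user, set()).update({a["ip"], b["ip"]})
    return flagged


def record_volume_outliers(events, factor=3.0, minimum=5):
    """Users who opened far more *distinct* patient records than their peers.
    Counts distinct charts, not raw events, so repeated work on one patient is
    not penalised. Flags users above `factor` times the median who also hit at
    least `minimum` records. Returns {user: distinct_record_count}."""
    distinct = defaultdict(set)
    for e in events:
        distinct[e["user"]].add(e["patient"])
    median = statistics.median([len(s) for s in distinct.values()])
    return {u: len(s) for u, s in distinct.items()
            if len(s) >= minimum and len(s) > factor * median}


def after_hours(events, start_hour=7, end_hour=19):
    """Events outside the practice's normal hours, [start_hour, end_hour)."""
    return [e for e in events if not (start_hour <= e["ts"].hour < end_hour)]


def review(log_text):
    """Run every check and return the findings as one dict."""
    events = parse(log_text)
    return {
        "shared_credentials": shared_credential_use(events),
        "volume_outliers": record_volume_outliers(events),
        "after_hours_users": sorted({e["user"] for e in after_hours(events)}),
    }


if __name__ == "__main__":
    for check, finding in review(SAMPLE_LOG).items():
        print(f"{check}: {finding}")
```

On the sample data the review flags the "frontdesk" login (seen from 10.1.4.40 and 10.1.4.41 three minutes apart) while leaving jsmith alone, whose move from one workstation to another is hours apart; it flags mchen for opening eight distinct charts against a median of 2.5 and for doing so at 22:00. Thresholds like the ten-minute window and the 3x-median factor are starting points to tune against your own baseline, and a flagged user is a question to ask, not a conclusion.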

Email Security (Addressable)

Transmission security, including encryption in transit, is an addressable specification (45 CFR 164.312(e)), so PHI in ordinary email is not automatically a violation, but it is a risk you must either mitigate or document a reasonable justification for, and "we had no policy" is not one. The Privacy Rule also allows a patient to choose unencrypted email after being told of the risk; record that choice. The workable options are an encrypted email solution, a patient portal, or a policy that prohibits PHI in standard email and is actually enforced, for example by a data loss prevention rule that blocks or encrypts messages containing PHI. Microsoft 365 can meet this, but only with Microsoft's BAA in place and message encryption and DLP configured and enforced for PHI; a default tenant does none of that for you.

Multi-Factor Authentication (Addressable)

The Security Rule never names MFA; what it requires is the Person or Entity Authentication standard (45 CFR 164.312(d)), which says you must verify that the person seeking access is who they claim to be and leaves the method to your risk analysis. A password alone no longer survives that analysis for anything reachable from the internet, which is why compliance counsel now treat MFA as effectively expected and why the HHS Cybersecurity Performance Goals list it as an essential goal. Enable it on every system that touches PHI: the EHR, email, VPN and other remote access, and the administrative consoles behind them. Where the system supports it, prefer phishing-resistant methods (FIDO2 security keys or passkeys) over SMS codes.

Business Associate Agreements

Any vendor that creates, receives, maintains or transmits PHI on your behalf is a business associate, which includes your IT provider or MSP, cloud backup and hosting services, email and EHR vendors, transcription services, and billing companies. A Business Associate Agreement (BAA) must be signed before any PHI is shared; disclosing PHI to a vendor without one is itself a violation, regardless of how carefully the vendor handles the data. A BAA is a contract, not a control: it allocates obligations and liability but does not make the vendor secure, so ask for evidence (a SOC 2 report, a HITRUST certification, or your own assessment) and keep a current inventory of every business associate and what data each one holds.

Annual Risk Assessment

The Security Rule requires an accurate and thorough, documented risk analysis of the risks to ePHI (45 CFR 164.308(a)(1)(ii)(A)) and a risk management process that reduces them to a reasonable and appropriate level. It does not fix an interval: HHS describes the analysis as ongoing and expects it to be updated when the environment changes (new systems, new vendors, a move, an incident), and annual review has become the accepted baseline. A missing or superficial risk analysis is among the findings OCR cites most often in its settlements, because without one you cannot show that your decisions on the addressable specifications above were reasoned rather than accidental. Document the scope (every system that holds ePHI), the threats and vulnerabilities considered, their likelihood and impact, the controls in place, and a remediation plan with owners and dates. The free HHS Security Risk Assessment (SRA) Tool is a reasonable starting point for a small practice.

If you're unsure how your practice stands on any of these, a third-party security assessment is the fastest way to find out — before an auditor does it for you.