HIPAA IT Compliance Checklist for Houston Businesses
A practical IT compliance checklist for Houston healthcare providers and business associates — covering the HIPAA Security Rule’s key technical requirements.
Access Controls — Who Can Access Patient Data?
The HIPAA Security Rule requires covered entities to implement technical policies ensuring only authorized persons access electronic protected health information (ePHI). Your IT checklist should confirm:
- Every user has a unique login — no shared accounts.
- Access to ePHI is limited to the minimum necessary for each role (role-based access controls).
- Privileged administrative access is separate from day-to-day user accounts.
- Automatic logoff is configured on workstations that access ePHI (typically after 15 minutes of inactivity).
- Multi-factor authentication is implemented for systems containing ePHI, particularly for remote access.
- Access is promptly terminated when employees leave or change roles.
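The first three items and the last one can be checked mechanically against an export of your user directory. The script below is an added example written for this checklist; it is not code from SpaceTown IT or from any EHR vendor. The account record layout, the role-to-permission map (ROLE_PERMISSIONS) and the sample accounts are all constructed assumptions: substitute your own directory export and your own minimum-necessary matrix.

```python
"""Added example: check a constructed user-directory export against the
access-control checklist (unique logins, minimum-necessary access per role,
separation of admin and daily-use accounts, timely termination)."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

# Assumed minimum-necessary matrix: the ePHI resources each role may touch.
ROLE_PERMISSIONS = {
    "physician": {"clinical_record", "lab_results", "medication_list"},
    "nurse": {"clinical_record", "medication_list"},
    "billing": {"billing_record"},
    "front_desk": {"scheduling"},
    "it_admin": set(),  # admins manage systems; they do not read charts
}


@dataclass
class Account:
    login: str
    owners: List[str]            # people who hold this credential (constructed field)
    role: str
    ephi_access: Set[str]
    is_admin: bool
    enabled: bool = True
    employment_end: Optional[date] = None   # None means still employed


def audit_accounts(accounts, today):
    """Return (login, finding) tuples for every checklist violation found."""
    findings = []
    for a in accounts:
        # Unique login: exactly one person may hold the credential.
        if len(a.owners) != 1:
            findings.append((a.login, "shared account used by %d people" % len(a.owners)))
        # Minimum necessary: access must not exceed what the role allows.
        excess = a.ephi_access - ROLE_PERMISSIONS.get(a.role, set())
        if excess:
            findings.append((a.login, "access beyond role '%s': %s" % (a.role, sorted(excess))))
        # Separation of duties: a privileged account should not double as a chart-reading account.
        if a.is_admin and a.ephi_access:
            findings.append((a.login, "privileged account also holds ePHI access; use a separate daily account"))
        # Termination: departed staff must not keep an enabled account.
        if a.enabled and a.employment_end is not None and a.employment_end <= today:
            findings.append((a.login, "owner left on %s but account is still enabled" % a.employment_end))
    return findings


# Constructed sample export; names and logins are invented.
SAMPLE_ACCOUNTS = [
    Account("dr.lee", ["Dr. Lee"], "physician", {"clinical_record", "lab_results"}, False),
    Account("frontdesk", ["A. Ortiz", "B. Nguyen"], "front_desk", {"scheduling"}, False),
    Account("jsmith", ["J. Smith"], "billing", {"billing_record", "clinical_record"}, False),
    Account("admin.jsmith", ["J. Smith"], "it_admin", {"clinical_record"}, True),
    Account("kpatel", ["K. Patel"], "nurse", {"clinical_record"}, False,
            employment_end=date(2025, 3, 31)),
]


def run_sample():
    """Audit the constructed export as of an assumed review date."""
    return audit_accounts(SAMPLE_ACCOUNTS, today=date(2025, 6, 1))


if __name__ == "__main__":
    for login, finding in run_sample():
        print("%-14s %s" % (login, finding))
```

Run it against the sample and it reports the shared front-desk login, the billing clerk holding clinical access outside the billing role, the admin account that also reads charts (two findings), and the nurse whose account outlived her employment; the physician account is clean. The point is that each checklist line maps to one concrete test you can rerun every month, not a one-time attestation.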
Encryption — Protecting ePHI at Rest and in Transit
Encryption is an addressable HIPAA implementation specification — which means you must implement it or document why you’ve determined it’s not reasonable and appropriate for your situation. In practice, the case for not encrypting is hard to make in 2025. Your checklist:
- Full-disk encryption is enabled on all laptops and workstations (BitLocker for Windows, FileVault for Mac).
- Portable storage devices (USB drives, external hard drives) are encrypted if used with ePHI.
- Email containing ePHI is sent using encrypted email — not standard unencrypted email.
- Data transmitted over your network is encrypted (TLS for web applications, VPN for remote access).
- Backup media is encrypted.
Audit Logging — Tracking Who Accessed What
HIPAA requires audit controls — hardware, software, or procedural mechanisms that record and examine activity in systems that contain ePHI. Your checklist:
- Audit logging is enabled in your EHR/practice management system, capturing user access to patient records.
- Access logs for your network and systems are collected and retained (minimum 6 years per HIPAA).
- Your IT provider or internal team reviews audit logs for anomalous access patterns.
- A process exists for investigating suspicious access to patient records.
- Audit log integrity is protected — logs should not be modifiable by the users being audited.
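Two of these items, the review for anomalous access patterns and the protection of log integrity, are worth seeing in working code. The script below is an added example for this checklist, not code from the page or from SpaceTown IT. The log line format (timestamp,user,patient_id,action), the business-hours window, the per-user daily chart threshold and the sample log lines are constructed assumptions; a real EHR audit export will have its own schema and your own baseline should set the thresholds.

```python
"""Added example: review a constructed EHR access log for anomalous access
patterns, and detect tampering with a hash chain over the log lines."""
import hashlib
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp,user,patient_id,action. Users and patient
# identifiers are invented.
SAMPLE_LOG = """\
2025-06-02T08:15:00,dr.lee,P1001,view
2025-06-02T08:40:00,dr.lee,P1002,view
2025-06-02T09:05:00,kpatel,P1001,view
2025-06-02T23:10:00,kpatel,P1003,view
2025-06-02T10:00:00,jsmith,P1001,view
2025-06-02T10:01:00,jsmith,P1002,view
2025-06-02T10:02:00,jsmith,P1003,view
2025-06-02T10:03:00,jsmith,P1004,view
2025-06-02T10:04:00,jsmith,P1005,view
2025-06-02T10:05:00,jsmith,P1006,view
"""

BUSINESS_HOURS = range(7, 19)   # assumed clinic hours: 07:00 through 18:59
MAX_PATIENTS_PER_DAY = 5        # assumed threshold; derive yours from a baseline


def parse_log(text):
    """Parse the constructed CSV-style log into dicts with a datetime timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "action": action})
    return records


def find_anomalies(records):
    """Flag after-hours access and users who open unusually many charts in a day."""
    findings = []
    per_user_day = defaultdict(set)
    for r in records:
        if r["ts"].hour not in BUSINESS_HOURS:
            findings.append((r["user"], "after-hours access to %s at %s"
                             % (r["patient"], r["ts"].isoformat())))
        per_user_day[(r["user"], r["ts"].date())].add(r["patient"])
    for (user, day), patients in sorted(per_user_day.items()):
        if len(patients) > MAX_PATIENTS_PER_DAY:
            findings.append((user, "%d distinct patients on %s (threshold %d)"
                             % (len(patients), day, MAX_PATIENTS_PER_DAY)))
    return findings


def hash_chain(lines, seed="genesis"):
    """Digest each line together with the previous digest, so any edit or
    deletion changes every digest from that point on."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    digests = []
    for line in lines:
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        digests.append(prev)
    return digests


def verify_chain(lines, digests, seed="genesis"):
    """Return the index of the first line whose digest no longer matches, or None."""
    recomputed = hash_chain(lines, seed)
    for i, (a, b) in enumerate(zip(recomputed, digests)):
        if a != b:
            return i
    if len(recomputed) != len(digests):
        return min(len(recomputed), len(digests))
    return None


def demo_tamper():
    """Show the chain passing on the original log and failing after a line is removed."""
    lines = [l for l in SAMPLE_LOG.splitlines() if l.strip()]
    digests = hash_chain(lines)     # would be computed as the log is written
    tampered = list(lines)
    del tampered[3]                 # the after-hours entry disappears
    return verify_chain(lines, digests), verify_chain(tampered, digests)


if __name__ == "__main__":
    for user, finding in find_anomalies(parse_log(SAMPLE_LOG)):
        print("%-8s %s" % (user, finding))
    print("chain check (original, tampered):", demo_tamper())
```

On the sample, the review flags the 23:10 chart view and the user who opened six distinct charts in one morning; both are leads for the investigation process the checklist calls for, not verdicts. The hash chain only proves something if the digests are kept where the audited users cannot rewrite them, for example forwarded to a separate log server with the latest digest recorded out of band; a chain stored next to the log it protects can be recomputed by whoever edits the log.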
Business Associate Agreements — Covering Your Vendors
Every vendor who creates, receives, maintains, or transmits ePHI on your behalf is a Business Associate and requires a signed BAA before you share ePHI with them. Your checklist:
- You have signed BAAs with your EHR vendor, cloud storage provider, IT support company (this should be SpaceTown IT!), billing service, transcription service, IT helpdesk, cloud backup provider, and any other vendor who touches ePHI.
- BAAs are current — not expired or unsigned.
- You have a process for ensuring new vendors are evaluated for BA status before ePHI is shared.
Risk Assessment — The Foundation of HIPAA Compliance
The HIPAA Security Rule requires a current, documented risk analysis — and OCR specifically looks for this during audits and breach investigations. Your checklist:
- A formal risk analysis has been completed within the past 12 months, identifying threats and vulnerabilities to ePHI, assessing current controls, and quantifying residual risk.
- A risk management plan addresses identified risks with prioritized remediation actions.
- The risk analysis is documented and stored appropriately.
- Your IT provider and compliance team are working together to address identified gaps.
Need a HIPAA IT Assessment for Your Houston Practice?
SpaceTown IT conducts formal HIPAA risk assessments and implements HIPAA-compliant IT environments for Houston healthcare organizations. We sign BAAs and serve as your technical compliance partner. Call us today.