HIPAA compliance is one of those topics that every medical practice knows is important but few have fully addressed from a technology standpoint. After conducting technology assessments for medical and dental practices across Ocala, The Villages, and Gainesville, we consistently find the same gaps. This checklist covers the technology requirements every North Central Florida medical practice should have in place.
Understanding HIPAA's Technical Safeguards
HIPAA's Security Rule requires covered entities to implement technical safeguards that protect electronic protected health information — ePHI. These aren't suggestions. They're federal requirements with penalties ranging from $100 to $50,000 per violation.
Access Controls Checklist
Every workstation and device that accesses patient data should require a unique username and password — no shared logins. Multi-factor authentication should be enabled on all cloud systems including your EHR, email, and Microsoft 365. Automatic screen lock should activate after no more than 15 minutes of inactivity on any workstation in your practice. User access should be reviewed and updated whenever an employee joins, changes roles, or leaves your practice.
Audit Controls Checklist
Your EHR system should log who accessed which patient records and when. Your network should log authentication events and access to systems containing ePHI. These logs should be retained for a minimum of six years and reviewed periodically. You should be able to produce these logs if requested during an OCR audit.
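As an added illustration of the periodic review that the access-control and audit-control checklists call for (example code written for this page, not a tool from Simply IT or any EHR vendor), the script below parses constructed EHR access-log lines, builds the who-accessed-which-record-and-when trail, flags accounts that appear on two workstations at once (the usual sign of a shared login), and checks whether the retained log reaches back six years. The log field layout and the five-minute window are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample EHR access-log lines (invented for this example, not
# from any real system). Fields: timestamp,user,workstation,patient_id,action
SAMPLE_LOG = """\
2024-03-04T09:02:11,jdoe,FRONTDESK-1,P10023,view
2024-03-04T09:03:40,jdoe,EXAMROOM-2,P10023,view
2024-03-04T09:15:05,mlee,EXAMROOM-1,P10077,update
2024-03-04T13:48:20,jdoe,FRONTDESK-1,P10150,view
2024-03-04T13:49:02,jdoe,FRONTDESK-1,P10150,print
"""

def parse_log(text):
    """Parse the CSV-style lines into dicts with a datetime timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, user, host, patient, action = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "host": host, "patient": patient, "action": action})
    return records

def access_by_patient(records):
    """Who touched which record and when: the trail an OCR auditor asks for."""
    trail = defaultdict(list)
    for r in records:
        trail[r["patient"]].append((r["ts"], r["user"], r["action"]))
    return dict(trail)

def find_shared_logins(records, window=timedelta(minutes=5)):
    """Users whose account appears on two different workstations within
    `window`. One account active on two machines at once is the typical
    footprint of a shared login, which the access-control checklist forbids."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    flagged = set()
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r["ts"])
        for a, b in zip(rows, rows[1:]):
            if a["host"] != b["host"] and b["ts"] - a["ts"] <= window:
                flagged.add(user)
    return sorted(flagged)

def retention_satisfied(records, now, years=6):
    """True only if the oldest retained entry reaches back `years` years."""
    oldest_required = now - timedelta(days=365 * years)
    return min(r["ts"] for r in records) <= oldest_required

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("shared-login suspects:", find_shared_logins(recs))
    print("six-year retention met:", retention_satisfied(recs, datetime.now()))
```

On the sample data the script flags jdoe, whose account was used at the front desk and in an exam room 89 seconds apart, and reports that a log starting in 2024 cannot yet satisfy a six-year retention requirement.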
Device and Workstation Security Checklist
Every computer, laptop, and tablet that accesses patient data should have full disk encryption enabled. Advanced endpoint protection should be installed and actively monitored on all devices. Any portable device that contains or accesses ePHI should be tracked and managed with the ability to remotely wipe it if lost or stolen.
Email and Communication Checklist
Standard email is not HIPAA compliant for transmitting ePHI without additional encryption. If your practice sends patient information via email, you need either a HIPAA-compliant email encryption solution or a secure patient portal. Email should also have anti-phishing and malware scanning enabled, since healthcare is one of the most targeted industries for phishing attacks.
Backup and Recovery Checklist
Patient data must be backed up regularly with tested recovery procedures. Backups should be stored in a secure location separate from your primary systems. You should have a documented disaster recovery plan that specifies how you would restore patient data and resume operations after a ransomware attack or hardware failure.
Business Associate Agreements
Every vendor that handles ePHI on your behalf — including your IT company — must sign a Business Associate Agreement. If your current IT provider has never asked you to sign a BAA, that is a compliance gap that needs to be addressed immediately. Simply IT signs a BAA with every medical practice client.
Staff Training Checklist
All employees who handle patient data must receive regular security awareness training. This should include recognizing phishing emails, proper password hygiene, device security, and what to do if they suspect a breach. Training should be documented with completion records retained for audit purposes.
If you're not certain your practice is fully compliant, Simply IT conducts HIPAA security risk assessments for medical practices across North Central Florida. Contact us for a free technology assessment.