HIPAA has been federal law since 1996. Every medical practice in Queens — and across the country — has had nearly three decades to get compliant. Yet HHS's Office for Civil Rights consistently finds that the majority of practices they audit have significant gaps, particularly in technical safeguards.

The reason isn't ignorance of HIPAA's existence. It's that most practices have implemented compliance theater — they've signed a business associate agreement with their EHR vendor and called it done. That's not compliance. That's one checkbox out of roughly sixty.

This checklist focuses specifically on the technical safeguard requirements where OCR audits find the most violations — and where breaches actually occur.

1. Risk Analysis: The Foundation Everything Else Rests On

The single most cited HIPAA violation in OCR enforcement actions is failure to conduct a thorough, accurate, and up-to-date risk analysis. This is not an annual checkbox — it's an ongoing, documented process that must be updated whenever your technology environment changes.

A HIPAA risk analysis must identify every location where ePHI exists in your environment (including places you might not think of — backup tapes, old laptops, staff personal phones used for patient communication), assess the threats and vulnerabilities to that ePHI, and document the controls in place and their effectiveness.

โš ๏ธ Common mistake: Many practices have their EHR vendor perform a "HIPAA assessment" that only covers the EHR system. This does not satisfy the risk analysis requirement โ€” it must cover your entire ePHI environment, including email, cloud storage, workstations, mobile devices, and any third-party tools your staff uses.

2. The 12 Technical Safeguards HHS Checks First

HIPAA Technical Safeguards Checklist

  • Unique user IDs — every staff member has their own login; no shared accounts on any system containing ePHI
  • Automatic logoff — workstations lock after a defined period of inactivity (typically 10–15 minutes)
  • Encryption of ePHI at rest — on workstations, servers, laptops, and portable storage devices
  • Encryption of ePHI in transit — all transmission of patient data uses TLS 1.2 or higher
  • Audit logs — all access to ePHI systems is logged and logs are reviewed regularly
  • Multi-factor authentication — enforced on all systems containing ePHI, including email and EHR remote access
  • Emergency access procedures — documented process for obtaining ePHI during a system outage
  • Backup and recovery — encrypted, tested backups with a documented and tested recovery procedure
  • Device and media controls — formal procedure for sanitizing or destroying hardware containing ePHI before disposal
  • Business Associate Agreements — written BAAs with every vendor who accesses, stores, or transmits ePHI on your behalf
  • Mobile device management — formal policy and technical controls for any mobile device used to access ePHI
  • Workforce training — documented security awareness training for all staff at hire and at least annually
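"Logs are reviewed regularly" is the checklist item most practices satisfy on paper only. As an added example (not part of the original checklist, and not tooling from any EHR vendor), the script below reviews a constructed audit log for three of the safeguards above: use of a shared account, one user ID active on two workstations inside the 15-minute automatic-logoff window (a sign of a shared password or a session left open), and patient-record access after hours. The log line format, the account names in SHARED_ACCOUNTS, the workstation names and the business-hours window are assumptions made for the illustration; a real review would read the export your EHR or domain controller actually produces.

```python
from datetime import datetime, timedelta

# Constructed sample audit log (not from any real EHR product): one event per line,
# in the assumed format "timestamp action key=value ...".
SAMPLE_LOG = """\
2024-03-04T08:55:12 login user=jsmith workstation=WS-01
2024-03-04T09:02:40 view  user=jsmith workstation=WS-01 patient=P1001
2024-03-04T09:03:10 login user=frontdesk workstation=WS-03
2024-03-04T09:04:05 view  user=frontdesk workstation=WS-03 patient=P1002
2024-03-04T09:05:00 login user=jsmith workstation=WS-07
2024-03-04T09:30:00 view  user=jsmith workstation=WS-01 patient=P1003
2024-03-04T22:15:00 view  user=rlee workstation=WS-02 patient=P1004
"""

SHARED_ACCOUNTS = {"frontdesk", "admin", "nurse"}  # assumed generic logins (unique-user-ID violation)
IDLE_LIMIT = timedelta(minutes=15)                 # automatic-logoff window from the checklist
BUSINESS_HOURS = range(7, 19)                      # assumed 07:00-18:59 local; anything else is after-hours


def parse_line(line):
    """Turn one 'timestamp action key=value ...' line into a dict."""
    ts, action, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "action": action}
    rec.update(p.split("=", 1) for p in pairs)
    return rec


def review(log_text):
    """Return a list of finding dicts for the three checks described above."""
    records = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    findings = []

    # Check 1: any event from a shared/generic account, reported once per account.
    for user in sorted({r["user"] for r in records if r["user"] in SHARED_ACCOUNTS}):
        findings.append({"check": "shared-account", "user": user})

    # Check 2: the same user ID seen on a different workstation less than
    # IDLE_LIMIT after its previous event, i.e. two sessions that could not
    # both have been auto-logged-off.
    last_seen = {}  # user -> (workstation, timestamp of the most recent event)
    for r in records:
        prev = last_seen.get(r["user"])
        if prev and prev[0] != r["workstation"] and r["ts"] - prev[1] < IDLE_LIMIT:
            findings.append({"check": "concurrent-workstations", "user": r["user"],
                             "workstations": (prev[0], r["workstation"]),
                             "at": r["ts"].isoformat()})
        last_seen[r["user"]] = (r["workstation"], r["ts"])

    # Check 3: patient-record access outside business hours, which the
    # reviewer should match against a documented reason (on-call, emergency access).
    for r in records:
        if "patient" in r and r["ts"].hour not in BUSINESS_HOURS:
            findings.append({"check": "after-hours-access", "user": r["user"],
                             "patient": r["patient"], "at": r["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

On the sample log this produces three findings: the "frontdesk" shared account, "jsmith" appearing on WS-07 three minutes after activity on WS-01, and "rlee" opening patient P1004 at 22:15. The 09:30 event for jsmith back on WS-01 is not flagged because 25 minutes have passed since the WS-07 event, longer than the logoff window. Each finding is what the reviewer signs off on or escalates; keeping that written record is what turns "logs are reviewed regularly" from a claim into evidence an auditor can check.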

3. Business Associate Agreements: You Probably Have Gaps

A Business Associate Agreement is required with any vendor or contractor who creates, receives, maintains, or transmits ePHI on your behalf. Most practices have a BAA with their EHR vendor. Many have significant gaps elsewhere.

Think through your full vendor list carefully. Your IT support company? Needs a BAA. Your billing service? Needs a BAA. Your answering service that takes patient messages? Needs a BAA. Your cloud backup provider? Needs a BAA. Your transcription service? Needs a BAA. Your email provider if you send patient information by email? Potentially needs a BAA.

The BAA requirement extends to any subcontractors those vendors use who may access ePHI. This is known as the subcontractor BAA requirement, and it's frequently overlooked.

4. Breach Notification: What You're Required to Do

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases media outlets following a breach of unsecured ePHI. The timelines are specific and non-negotiable: affected individuals must be notified within 60 days of discovery, and HHS must be notified within 60 days. Breaches affecting 500 or more individuals in a state must also be reported to prominent media.

The critical phrase is "unsecured ePHI." ePHI that was encrypted at the time of the breach using NIST-approved encryption standards is not considered "unsecured" under the rule — meaning properly encrypted data that is stolen or lost does not trigger the full breach notification requirement. This is one of the most compelling practical arguments for encryption beyond just compliance: it changes the legal calculus of a breach event significantly.