· ·

HIPAA IT Compliance Checklist for SMBs in Healthcare

TechKnowledgey, Inc. Reading Time: 4 minutes

HIPAA applies to doctors, dentists, orthodontists, and many other offices that handle patient data and protected health information (PHI). The bar is lower than most people think, which is why small practices often get caught off guard.

A common mistake is assuming your EHR “being in the cloud” makes you HIPAA compliant by default. Your data is still subject to HIPAA regulations no matter where it lives. If it’s cloud-based, you’re one stolen username and password away from exposure. If someone compromises one workstation, they can use that access to get into the cloud portal, too.

And as of the time of writing, HIPAA’s overhaul of their 2013 Omnibus Rule proposed several changes to what’s required of providers. The biggest structural change would see less flexibility and more requirements put onto providers of all sizes.

When security measures are weak, the bill can land on you, not the cloud provider. That can mean regulatory fines, mandated notifications, legal costs, and a reputation hit that lasts longer than the incident. That’s why prevention is almost always cheaper than cleanup.

With that in mind, here are our thoughts on a HIPAA IT compliance checklist.

  1. Start With A Cybersecurity Audit Mindset
  2. Edge Protection
  3. Endpoint Protection
  4. Identity Protection
  5. Data Protection
  6. Physical Safeguards
  7. Policies, Training, And Incident Response

The HIPAA IT Compliance Checklist

HIPAA updates like the Omnibus Rule increased expectations around business associate agreements (BAAs) and accountability, so vendor management is not optional. Remember, your IT provider, cloud backup vendor, and billing software all need BAAs.

1) Start With A Cybersecurity Audit Mindset

  • Schedule a yearly cybersecurity audit (or more often after major changes).
  • Document your risk assessments, then create a remediation plan with owners and due dates.
  • Keep evidence. Policies, screenshots, logs, and vendor reports prove due diligence.

2) Edge Protection (Firewall And Inbound Traffic)

This is a perimeter that supports network security best practices.

  • Use a business-grade firewall with intrusion prevention.
  • Block known bad regions if your practice does not need them.
  • Filter DNS to stop common malware domains.
  • Segment guest Wi-Fi from business systems.

Bonus tip: If you get hit with ransomware attacks, strong edge controls can keep one device’s weakness from turning into a company-wide event.

3) Endpoint Protection (Laptops, Desktops, Tablets)

Endpoints are where many compromises start. This is also where “cloud confidence” breaches happen. If someone hacks one computer, they can often reach your cloud-based systems.

  • Patch operating systems and key apps quickly.
  • Use EDR (Endpoint Detection & Response) with monitored alerting.
  • Encrypt drives on all devices that touch patient data.
  • Remove local admin rights for everyday users.

4) Identity Protection (Logins, MFA, Least Privilege)

  • Turn on MFA everywhere, especially for EHR, email, and remote access.
  • Enforce strong passwords and use a password manager.
  • Use role-based access so staff only see what they need.
  • Review access monthly and remove access the same day someone leaves.

5) Data Protection (PHI Handling, Backups, Safe Sharing)

  • Identify where protected health information (PHI) exists: EHR, email, scans, shared drives, backups.
  • Encrypt PHI at rest and in transit when you transmit PHI.
  • Use secure sharing tools, not personal email or consumer file links.
  • Back up critical systems and test restores, not just “backup jobs succeeded.”

6) Physical Safeguards (Office And Facility Controls)

  • Restrict access to facilities where servers, routers, or paper records live.
  • Lock screens automatically.
  • Use secure shredding for printed documents.
  • Set visitor policies for areas where PHI may be visible.

7) Policies, Training, And Incident Response

  • Train staff on phishing and safe handling of patient data.
  • Create clear procedures for onboarding, offboarding, and lost devices.
  • Maintain an incident response playbook so you can contain threats and recover quickly with less downtime.

What HIPAA Expects

At a high level, HIPAA requires you to protect electronic and paper records and to document what you did. The HIPAA Security Rule requires risk assessments (often called “risk analysis” in HIPAA guidance) and follow-through, where you address the gaps you find.

HIPAA also expects the right mix of administrative physical and technical safeguards. That includes policies and training, locked-down spaces, and technical controls that reduce real-world risk.

Specific to Indiana

HIPAA is federal, but Indiana adds a layer of breach notification rules (specifically IC 24-4.9) that affect many businesses handling personal information. Indiana’s Attorney General provides breach guidance and a reporting pathway for businesses. Indiana also hosts HIPAA information for providers through the state’s Medicaid program site.

Next Steps For Private Practices

Perform a cybersecurity assessment to confirm you have adequate controls and compliance mechanisms in place. Then correct deficiencies ASAP.If you want a faster path to HIPAA readiness, TechKnowledgey can help you tighten edge, endpoint, identity, and data protections, document your controls for audits, and reduce the chance of ransomware attacks and costly compliance fallout. Reach out and schedule your cybersecurity assessment to get a clear, prioritized plan to protect patient data and keep your practice running.

Share This Post:

Similar Posts