Most dental and medical practices believe they're HIPAA compliant because they have the binder — the policies, the training sign-off sheets, the privacy notices at the front desk. Then you look at the IT side: shared logins at every operatory, a Windows machine that stopped getting updates two years ago, backups that have never been test-restored, and a practice-management vendor nobody has a signed BAA with.
The paperwork side of HIPAA gets the attention. The Security Rule — the part that governs your actual technology — is where enforcement actions and breach settlements consistently land. Here's the practical checklist, organized the way the rule itself is: administrative, physical, and technical safeguards.
One disclaimer up front: this is practical IT guidance, not legal advice. Your compliance obligations depend on your specific situation — involve a healthcare attorney or compliance consultant for the full picture.
Start here: the risk analysis
A written, current security risk analysis is the foundation the entire Security Rule builds on — and its absence is among the most-cited findings in OCR enforcement actions. It's exactly what it sounds like: a documented inventory of where electronic protected health information (ePHI) lives in your practice, what threatens it, and what you're doing about each threat.
If you've never done one, or yours predates your last major system change, this is item one. Everything below feeds it.
Technical safeguards: the IT checklist
- Unique logins for every user. No shared “frontdesk” account, no generic operatory login. HIPAA requires the ability to trace access to an individual — shared credentials make that impossible and are the single most common gap we find in practices.
- Role-based access. The hygienist, the biller, and the office manager need different slices of the record. Everyone-sees-everything is a finding waiting to be written.
- Automatic logoff. Screens in operatories and at the front desk lock after a short idle period. Simple, required, and routinely missing.
- Encryption at rest. Every device that touches ePHI — servers, workstations, laptops, phones — encrypted. This one has a superpower: under the Breach Notification Rule, properly encrypted data that's lost or stolen generally isn't a reportable breach. A stolen unencrypted laptop is a reportable event with your practice's name on it; a stolen encrypted one is a hardware loss.
- Encryption in transit. ePHI moves encrypted or it doesn't move: secure email or portal for patient communication (regular email doesn't qualify), VPN or equivalent for remote access, TLS on anything web-facing.
- Multi-factor authentication on email, remote access, and cloud systems. Not explicitly named in a rule written in 2003, but expected by every auditor, insurer, and breach investigator in 2026 — and cyber insurance applications now ask about it directly.
- Audit logging. Your practice-management and imaging systems should log who accessed what, and someone should be able to produce those logs on request.
- Supported, patched systems. An operating system past end-of-support (Windows 10 joined that list in October 2025) cannot be defended and is an automatic finding. Patching everything else needs to be systematic, not seasonal.
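As an added example (not from this post or from any practice-management product), here is a small Python check run over a constructed audit-log sample: it flags an account signed in on two operatories at once, the footprint of a shared login like the “frontdesk” account above, and produces the per-record access report an auditor asks for. The log format, account names, workstation names and record ids are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of a practice-management audit log (not from any real system):
# timestamp, user account, workstation, action, patient record id ("-" if none)
SAMPLE_LOG = """\
2026-02-02T08:01:10 frontdesk OP-1 LOGIN -
2026-02-02T08:02:30 frontdesk OP-1 VIEW PT-1042
2026-02-02T08:03:05 frontdesk OP-3 LOGIN -
2026-02-02T08:04:40 frontdesk OP-3 VIEW PT-2210
2026-02-02T08:10:15 jsmith OP-2 LOGIN -
2026-02-02T08:11:00 jsmith OP-2 VIEW PT-1042
2026-02-02T08:40:00 jsmith OP-2 LOGOUT -
2026-02-02T08:45:00 frontdesk OP-1 LOGOUT -
"""

def parse_log(text):
    """Parse the constructed log into (timestamp, user, workstation, action, record) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, host, action, record = line.split()
        events.append((datetime.fromisoformat(ts), user, host, action, record))
    return events

def concurrent_sessions(events):
    """Return {user: workstations} for accounts signed in on more than one
    workstation at the same time, an indicator that the credential is shared."""
    active = defaultdict(set)   # user -> workstations with an open session
    flagged = defaultdict(set)
    for _, user, host, action, _ in sorted(events):
        if action == "LOGIN":
            active[user].add(host)
            if len(active[user]) > 1:
                flagged[user] |= set(active[user])
        elif action == "LOGOUT":
            active[user].discard(host)
    return dict(flagged)

def record_access_report(events, record_id):
    """Who viewed a given chart, when, and from where: the question an auditor or
    a patient complaint investigation asks. A shared account can only answer
    'which login', never 'which person'."""
    return [(ts.isoformat(), user, host)
            for ts, user, host, action, rec in sorted(events)
            if action == "VIEW" and rec == record_id]
```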
Backups and disaster recovery
The Security Rule explicitly requires a data backup plan, a disaster recovery plan, and an emergency-mode operation plan. In practice that means: encrypted backups following the 3-2-1 pattern (three copies, on two different media, one of them offsite) with the offsite copy immutable, documented test restores on a schedule, and a written answer to “how do we see schedules and charts if the server is down at 8 a.m. Monday?”
Ransomware turns this from compliance box-checking into survival: OCR treats a ransomware event involving ePHI as a presumptive breach, and your ability to demonstrate intact backups and a clean recovery materially changes both the clinical and regulatory outcome.
Physical safeguards
- Server and network equipment behind a locked door — not the supply closet everyone's key opens. (Electronic access control gives you the entry log that makes auditors smile.)
- Monitors positioned or filtered so patients at the desk can't read other patients' information.
- A documented process for disposing of old drives and devices — wiped or destroyed, with certificates. The used copier you returned off-lease has a hard drive full of scans.
- An inventory of every device that touches ePHI, including the laptops that go home.
Business associate agreements (BAAs)
Every vendor that touches your ePHI needs a signed BAA: practice management, imaging, cloud storage, email provider, billing service, answering service — and your IT provider. An MSP with admin access to systems holding patient data is a business associate, full stop. If your current IT company hasn't signed one (or doesn't know what one is), that tells you something important about their fit for healthcare clients.
The five gaps we find most often in practices
Shared logins, no current risk analysis, unencrypted devices, untested backups, and missing BAAs. If you fix only five things this quarter, fix those — they cover the majority of real-world exposure.
Training and the human layer
Most healthcare breaches start with a person, not a firewall: a phished password, a misdirected email, a lost laptop. Security awareness training is required by the rule, but the practices that fare best treat it as a habit — short quarterly sessions plus phishing simulations — rather than an annual video everyone clicks through.
Making it manageable
None of this requires enterprise budgets — it requires somebody owning it continuously: patching verified, logs kept, restores tested, documentation current, new hires onboarded with the right access and departing staff removed the same day. That's precisely what a healthcare-literate IT partner does, and it's how we run compliance & risk services for practices across Metro Detroit: HIPAA-aligned policies, the technical safeguards above, and audit-ready documentation — so the next time someone asks for your risk analysis, it's a PDF away, not a scramble.