AEAsk Erik
Computer Services
541-359-3111Book Assessment
Resources
ChecklistJune 10, 20254 min read

HIPAA IT Compliance Checklist for Dental and Medical Practices

A practical HIPAA Security Rule IT checklist for dental and medical practices. Covers technical safeguards, access controls, audit logs, backup, Business Associate Agreements, and risk assessment.

The HIPAA Security Rule requires covered entities to implement administrative, physical, and technical safeguards to protect electronic Protected Health Information (ePHI). This checklist focuses on the IT and technology requirements most relevant to dental and medical practices.

This is a practical implementation guide, not legal advice. Consult your healthcare attorney for complete HIPAA compliance guidance.


Risk Analysis (Required)

  • ★ Formal Security Risk Analysis completed and documented
  • Risk analysis identifies all systems that create, receive, maintain, or transmit ePHI
  • Risk analysis updated when significant environment changes occur (new software, new location, staff changes)
  • Risk management plan documented with assigned owners and timelines

Note: The Security Risk Analysis is the foundation of HIPAA compliance. HHS has found that nearly every investigated breach involved a failure to conduct an adequate risk analysis.


Access Controls (Required)

  • ★ Unique user accounts for every staff member — no shared logins
  • Automatic logoff after 10–15 minutes of inactivity on clinical workstations
  • Strong password policy enforced (minimum 12 characters)
  • Multi-factor authentication (MFA) for any remote access to clinical systems
  • Role-based access — staff access only the ePHI required for their job function
  • Terminated employee access removed on last day of employment
  • Emergency access procedure documented (how to access ePHI if primary systems are down)

Audit Controls (Required)

  • ★ Audit logging enabled on practice management software (Dentrix, Eaglesoft, Carestream, etc.)
  • Operating system audit logs enabled and retained
  • Logs reviewed periodically for unauthorized access attempts
  • Log retention policy documented (minimum 6 years recommended)
  • Audit log access restricted — logs cannot be modified by regular users

Integrity Controls (Addressable)

  • Anti-malware / Endpoint Detection & Response (EDR) on all clinical workstations
  • File integrity monitoring for systems storing ePHI
  • Controls in place to verify ePHI has not been improperly altered or destroyed

Transmission Security (Addressable)

  • ★ TLS/SSL encryption for all ePHI transmitted over networks
  • Patient-facing portals use HTTPS
  • Encrypted email for any ePHI sent via email (or documented patient authorization for unencrypted)
  • No ePHI sent via unencrypted SMS text message
  • Remote access via encrypted VPN or Zero Trust — not open RDP

Device and Workstation Security

  • ★ Full-disk encryption on all laptops and portable devices storing ePHI
  • All operating systems current and patched (no Windows 10 after Oct 2025)
  • Practice management software and third-party software current
  • Screen locks on unattended workstations
  • Workstations positioned so patients cannot view other patients' records

Backup and Contingency (Required)

  • ★ Data backup plan documented and implemented
  • Backups run daily at minimum
  • Backup copies stored offsite or in HIPAA-compliant cloud storage
  • Backup encryption enabled
  • Backup restoration tested — can you actually recover from a backup?
  • Disaster recovery plan documented
  • Emergency mode operation plan — how does the practice operate if primary systems fail?

Business Associate Agreements (Required)

BAAs must be in place with all technology vendors who access or store ePHI:

  • ★ Practice management software vendor
  • ★ IT service provider (Ask Erik Computer Services — we maintain a BAA with all healthcare clients)
  • Cloud backup provider
  • EHR/imaging software vendor
  • Email platform (Microsoft 365 or Google Workspace for Healthcare)
  • Billing service or clearinghouse
  • Any other vendor with ePHI access

Review your BAA list annually. Verify each BAA contains the required provisions.


Staff Training (Required)

  • ★ Security awareness training for all staff at hire and annually thereafter
  • Training documented with completion records retained (6 years)
  • Phishing simulation training included
  • Training covers: password security, phishing recognition, physical security, incident reporting

Incident Response (Required)

  • Security incident response procedures documented
  • Staff know how and to whom to report a potential security incident
  • Breach notification procedures documented (60-day reporting window to HHS)
  • Incident log maintained

Documentation Retention (Required — 6 Years)

  • All policies and procedures retained
  • Risk analysis documentation retained
  • Training records retained
  • Audit log documentation retained
  • BAA copies retained
  • Incident response documentation retained

Working with Your IT Provider

Your IT provider should be executing the technical safeguards above as part of your managed IT service. Ask Erik Computer Services maintains a signed BAA with all healthcare clients, implements and documents the required technical controls, and supports your Security Risk Analysis process.

If you're not sure whether your practice's IT environment is HIPAA-compliant, book a free IT Assessment or call 541-359-3111. We serve dental and medical practices throughout Lane County.

Not sure how your environment measures up?

We review small business IT environments throughout Lane County — no cost, no pressure.

Book a Free Assessment 541-359-3111