Skip to content

Blog/July 9, 2026

HIPAA IT compliance for small clinics: the 12-item checklist

A plain-English HIPAA IT checklist for small medical and dental practices, focused on the technical controls auditors actually ask about.

By William Galvin

Founder, Green Desert IT

HIPAA compliance for small clinics is not as scary as vendors make it sound. The Security Rule specifies a handful of “administrative, physical, and technical safeguards” — most of them common sense. The problem is that small clinics often skip the boring technical ones because nobody’s forcing them to check the box, and then something bad happens and OCR knocks.

Here’s the practical, technical-controls checklist we walk through with dental and medical practices during onboarding. It’s not the whole HIPAA rule — it’s the IT-side items an auditor will ask about first.

1. Signed Business Associate Agreements (BAAs) with every vendor touching PHI

Includes: your MSP, your EMR/EHR vendor, your cloud email provider (M365 or Google), your backup vendor, your telephony/fax vendor, your billing system, and anyone else. If they touch PHI, you need a BAA on file. This one gets missed most often.

2. Access controls with unique user IDs

Every person who touches the system has their own login. No shared “reception” or “front-desk” accounts. Same rule for the EMR, for M365/Google, for the file server, for anything else. Ex-employees get disabled the day they leave.

3. Multi-factor authentication (MFA) on everything

Email, EMR, VPN, remote access, cloud services. Not just for admins — everyone. Text/SMS MFA is fine as a baseline; app-based (Authenticator, Duo, hardware key) is better.

4. Encrypted endpoints and backups

BitLocker on Windows, FileVault on Mac. Automatic, verified, and enforced by policy — not “we told everyone to turn it on.” Backups encrypted at rest and in transit. If you can’t produce evidence of encryption on a specific laptop, it’s not in compliance.

5. EDR on every device

Endpoint Detection and Response, not legacy antivirus. Auditors have started asking about this specifically because ransomware attacks on clinics have exploded. If your provider is still selling you “antivirus,” you’re two years behind.

6. Managed backup with restore testing

Backup runs daily, retention is at least 30 days, off-site copy exists, restores are actually tested monthly. If your provider can’t produce a restore-test log, you effectively have no backups.

7. Documented incident response plan

Written procedure for what happens when there’s a suspected breach: who’s called, containment timeline, notification obligations under the HIPAA Breach Notification Rule (60 days for individual notification), and whom you notify externally. This lives in a folder, not somebody’s head.

8. Audit logging enabled — and reviewed

M365, Google Workspace, and your EMR should all be logging access events. Somebody looks at the logs periodically — quarterly at minimum — for anomalies (a user accessing records they shouldn’t, an unusual number of downloads, off-hours activity). If logs exist but nobody reads them, that’s a finding.

9. Physical security at the office

Workstation screens face away from patient areas. Screens auto-lock after a few minutes of inactivity. Server closet is locked. Portable drives with PHI stay in the building (or don’t exist). Basic — but auditors will ask about all of it.

10. Phishing awareness training

Real training, not a video played once a year. Simulated phishing tests with measurement — you should be able to see click-through rates trend down over time. Attackers get into clinics via email 8 times out of 10.

11. Third-party risk documented

You have a list of every vendor with PHI access, their BAAs on file, and a periodic review (annual is fine) that they’re still worth trusting. This is one of the boring administrative items that turns into a finding when it’s missing.

12. HIPAA Risk Analysis on file, updated annually

The Security Rule requires a formal risk analysis, and the analysis needs to be updated as your environment changes. This is a written document. Most clinics either don’t have one or have one from 2019 that doesn’t reflect the M365 migration and remote work reality.

What to do this month

Pick the three items above that you’re least sure about. Get them documented — not just done, but documented so you could show them to an auditor. If you can only pick three:

  1. BAAs on file for every vendor — often a 20-minute audit that reveals two missing agreements.
  2. MFA enabled everywhere — often the highest-impact single control.
  3. Backup restore testing — the one that matters most when things go wrong.

If you want a HIPAA-focused readiness review that gives you a written gap analysis and a prioritized fix list, book a call. We work with clinics in Tucson and Minneapolis and know what the state boards, insurance carriers, and OCR actually ask.

#cybersecurity#hipaa#healthcare#compliance

Ready to make IT boring again?

Book a 20-minute intro call. We'll tell you within that call whether we're a fit.