
HIPAA IT Compliance Checklist for NY Medical Practices (2026)

A working checklist for the IT side of HIPAA compliance — what the regulation actually requires, what auditors actually look for, and the issues we find most often in NY medical practices.

HIPAA is one of those regulations everyone in healthcare has heard of but few medical practices have actually mapped to their IT environment. The result: a lot of NY practices believe they're compliant because they have antivirus and a password policy, then discover during an audit or breach that they're missing the basics.

This is a working checklist of what HIPAA actually requires from the IT side, what we see auditors flag most often, and what to fix before your next risk assessment. It's based on the Security Rule (45 CFR § 164.302-318) and a decade of supporting medical practices across Manhattan, Long Island, and Northern NJ.

What HIPAA actually requires from IT

HIPAA's Security Rule defines three categories of safeguards: administrative, physical, and technical. The IT department owns most of the technical safeguards and contributes to the administrative ones. Here's the breakdown:

The non-negotiable requirements

  • Access controls — unique user IDs, automatic logoff, encryption and decryption procedures
  • Audit controls — hardware, software, and procedural mechanisms to record activity in systems handling ePHI
  • Integrity controls — protection against improper alteration or destruction of ePHI
  • Transmission security — encryption for ePHI in transit
  • Risk analysis — accurate and thorough assessment of vulnerabilities (this is the one most practices skip)
  • Risk management — measures sufficient to reduce risks to a reasonable level
  • Sanction policy — workforce members who don't comply face documented consequences
  • Information system activity review — regular review of audit logs, access reports, security incident tracking

Notice what's missing from this list: HIPAA does not require a specific antivirus product. It does not require a specific firewall brand. It does not require cloud vs. on-premises. What it requires is that your controls are reasonable and appropriate for your specific risk environment — and that you can document why you chose them.

The practical checklist

Run through these as a self-assessment. Items marked "common gap" are issues we find in most practices we onboard.

Access control (Section 164.312(a))

  • Unique user IDs: Every staff member has their own account. No shared "frontdesk@" or "doctor@" logins. Common gap: shared accounts in EHR systems are surprisingly persistent.
  • Automatic logoff: Workstations lock after 5-10 minutes of inactivity. Mobile devices encrypted and PIN-protected. Common gap: workstation timeout policies inconsistent across the practice.
  • Role-based access: Front desk can't access clinical notes; clinical staff can't access billing. Documented and enforced in the EHR.
  • Emergency access procedure: Documented way to grant access during emergencies (e.g., the lead physician is unreachable but a patient is in crisis).

Audit controls (Section 164.312(b))

  • Access logging enabled: Your EHR logs who accessed which patient record and when. Logs are retained for at least 6 years.
  • Log review process: Someone actually reviews logs periodically — monthly is typical. Common gap: logs are generated but never reviewed.
  • Workstation activity logging: Windows event logs collected centrally (SIEM or simpler log aggregator).
  • Network activity logging: Firewall logs, VPN access logs, and authentication logs are collected and retained.

Integrity (Section 164.312(c))

  • Backup verification: Backups are tested — not just configured. Common gap: backups run nightly but no one has done a test restore in two years.
  • Database integrity checks: Your EHR vendor verifies database integrity. You have a contact at the vendor for restore support.
  • Patch management: OS and EHR patches applied on a documented schedule (critical patches within 72 hours; routine within 30 days).
  • Anti-malware: Endpoint protection deployed on all workstations and servers, including the receptionist's computer running Windows.

Transmission security (Section 164.312(e))

  • Encryption in transit: All ePHI transmission uses TLS 1.2 or higher. This includes email containing PHI (which means secure messaging via the patient portal, not standard email).
  • VPN for remote access: Telehealth providers connecting from home use VPN with MFA, not just RDP to the office.
  • Encrypted email when needed: If you exchange PHI via email with referrals or labs, you have an encrypted email solution (e.g., Microsoft Purview Message Encryption, Proofpoint Encryption, Virtru). Common gap: gmail.com or yahoo.com personal accounts used for PHI exchange. This is a breach waiting to happen.
  • WiFi separation: Patient WiFi is on a separate VLAN from staff WiFi. Staff WiFi uses WPA2-Enterprise or WPA3.

Physical safeguards

  • Server room security: Server closet locked. Access logged. Visitors escorted. Common gap: server in unlocked closet near reception.
  • Workstation positioning: Front-desk monitors angled away from patients in waiting area. Privacy filters on monitors visible from hallways.
  • Device disposal: Drives wiped (DoD-grade) or physically destroyed when retired. Certificate of destruction retained. Common gap: old computers sit in storage for years; no disposal record.
  • Mobile device management: Practice-issued phones/tablets are MDM-enrolled and remotely wipeable. BYOD devices that touch ePHI are also managed.

Administrative (the IT-adjacent parts)

  • Risk analysis documented: Within the last 12 months. This is the single most commonly skipped item, and the first thing OCR (the HIPAA enforcement agency) asks for in an audit.
  • Risk management plan: Findings from risk analysis have documented remediation plans with timelines.
  • Business Associate Agreements (BAAs): Every vendor that touches ePHI has a signed BAA. Common gap: BAAs missing for IT vendors, EHR vendors, cloud backup vendors, even Microsoft (yes, you need one for M365).
  • Workforce training: Annual HIPAA training documented, signed by each employee. Records retained.
  • Incident response plan: Written procedure for handling potential breaches, who decides, who notifies, on what timeline.

What auditors actually look for

If OCR audits you (and they audit ~200 practices per year, randomly and post-breach), here's what they ask for first:

  1. Your most recent risk analysis document
  2. Your risk management plan and evidence of remediation
  3. BAA inventory with sample BAAs
  4. Workforce training records
  5. Incident response plan and evidence of testing
  6. Audit log review records
  7. Encryption documentation (what's encrypted, how, when)

Notice what's NOT first on the list: your firewall rules, your antivirus, your backup software. Auditors care about documentation and process more than tooling. A practice with average tools and excellent documentation passes; a practice with great tools and no documentation fails.

Common findings in NY medical practices

Issues we find most often when onboarding new medical clients in NYC, Long Island, and Northern NJ:

1. Risk analysis is stale or missing entirely

HIPAA requires a risk analysis. Most practices either never did one or did one in 2017 and haven't updated since. OCR has specifically called this out as the #1 violation across recent enforcement actions.

2. BAA gaps

The IT vendor before us had no BAA. The cloud backup vendor's BAA is from 2019 and references the wrong entities. The MSP signed a generic agreement that doesn't actually qualify as a BAA. We find BAA issues in roughly 70% of new medical clients.

3. Email is the elephant in the room

Front-desk staff regularly email PHI to specialists, insurance companies, and patients. Most practices have no encrypted email solution. Some use gmail.com personal accounts for "convenience." This is a violation that's easy to fix and rarely fixed.

4. Remote access is informal

Physicians log in from home via TeamViewer, AnyDesk, or RDP without MFA. Telehealth providers screen-share patient information over Zoom standard accounts (not Zoom for Healthcare). Remote access architecture needs to be documented and tightened.

5. Workstations aren't encrypted

BitLocker (Windows) or FileVault (Mac) should be enabled on every device that touches ePHI. We find practices where front-desk and exam-room workstations are unencrypted. If one is stolen, that's a reportable breach.

6. Audit logs exist but aren't reviewed

Your EHR has audit logs. Nobody looks at them. HIPAA requires "regular review" — typically monthly. We see practices that have generated 5+ years of logs that nobody has opened. If a former employee was viewing celebrity patient records, you wouldn't know.
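The periodic log review called for under "Audit controls" above and in this finding, as an added example that is not from the original post: a small script that runs over constructed EHR access-log lines and flags the things a reviewer would want surfaced (access by deactivated accounts, record types outside a user's role, after-hours access, and views of records under a privacy flag). The CSV layout, the staff roster, the role-to-record mapping and the patient IDs are all assumptions; a real EHR export will look different.

```python
# Added example: a minimal monthly review of EHR access audit logs.
# The log lines, roster and restricted-patient list below are constructed
# for illustration; real EHR audit exports differ in layout and field names.
import csv
from io import StringIO

# Constructed audit export: one row per record view
AUDIT_LOG = """timestamp,user,action,record_type,patient_id
2026-01-06T09:02:11,jsmith,view,clinical_note,P1001
2026-01-06T09:05:40,frontdesk01,view,clinical_note,P1002
2026-01-06T11:17:03,mlee,view,billing,P1003
2026-01-07T22:48:19,rgarcia,view,clinical_note,P1009
2026-01-08T10:30:00,jsmith,view,clinical_note,P1009
"""

# Constructed roster: (role, account status) per user ID
ROSTER = {"jsmith": ("clinician", "active"),
          "mlee": ("billing", "active"),
          "frontdesk01": ("frontdesk", "active"),
          "rgarcia": ("clinician", "terminated")}
# Constructed role-based access matrix: which record types each role may open
ALLOWED = {"clinician": {"clinical_note", "demographics"},
           "billing": {"billing", "demographics"},
           "frontdesk": {"demographics", "scheduling"}}
# Constructed list of records under a privacy flag (e.g. a high-profile patient)
RESTRICTED_PATIENTS = {"P1009"}
BUSINESS_HOURS = range(7, 19)  # assumption: 07:00 to 19:00 local time

def review(log_text, roster=ROSTER, allowed=ALLOWED, restricted=RESTRICTED_PATIENTS):
    """Return a list of (rule, user, patient_id) findings for a human reviewer."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        user, patient = row["user"], row["patient_id"]
        role, status = roster.get(user, ("unknown", "unknown"))
        if status != "active":            # former employee or unknown account
            findings.append(("inactive-account", user, patient))
        if row["record_type"] not in allowed.get(role, set()):
            findings.append(("outside-role", user, patient))
        if int(row["timestamp"][11:13]) not in BUSINESS_HOURS:
            findings.append(("after-hours", user, patient))
        if patient in restricted:         # every view of a flagged record is reviewed
            findings.append(("restricted-record", user, patient))
    return findings

if __name__ == "__main__":
    for rule, user, patient in review(AUDIT_LOG):
        print(f"{rule:18} user={user:12} patient={patient}")
```

The output is a short list for a person to read and sign off on each month, which is the documented "information system activity review" an auditor asks for.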

What to do this week

If you're a NY medical practice and you've never done a formal HIPAA IT assessment, here's a realistic 30-day plan:

  1. Week 1: Inventory every system that touches ePHI: EHR, PM (practice management), billing, scheduling, fax, email, backup. Make a list with the vendor name for each.
  2. Week 1: Pull BAAs for each vendor. Note which are missing or outdated.
  3. Week 2: Run a risk analysis. Either use NIST 800-66 as a framework or hire an MSP/consultant. Don't skip this.
  4. Week 3: Address the obvious gaps. BitLocker on workstations. MFA on email and EHR. Encrypted email solution. WiFi separation.
  5. Week 4: Document everything. Risk analysis, remediation plan, incident response plan, workforce training schedule.

This won't make you bulletproof. It will get you out of the worst-finding territory and give you a defensible position if you're audited or breached.

If you want help

We do HIPAA-focused IT for medical practices across the NY/NJ metro. That includes risk analysis, gap remediation, BAA review, audit log monitoring, and workforce training coordination. We're not auditors — for formal audit attestation, you'd work with a third-party audit firm — but we prepare you and document everything they'll ask for.

If you want to talk through your specific situation, call 866-252-1860 or use our contact page. Our cybersecurity services page has more on the broader security program; the IT security services page covers the network-engineering side.
