HIPAA Compliance Technology Checklist for Healthcare Organizations
HIPAA compliance is not optional, but the way most healthcare organizations approach it is surprisingly ad hoc. The regulation itself provides a framework (administrative safeguards, physical safeguards, technical safeguards), but translating that framework into specific technology requirements is where organizations struggle.
This checklist focuses on the technical safeguards that healthcare organizations most commonly get wrong. It’s not exhaustive; HIPAA compliance requires a comprehensive program that includes policies, training, physical security, and business associate agreements. But the technical controls are where the gap between what organizations think they have and what they actually have is widest.
This checklist comes from direct experience building HIPAA-compliant systems for healthcare billing companies, senior care operators, and an AI platform that handles protected health information for government agencies.
Access Controls
HIPAA requires that access to electronic protected health information (ePHI) be limited to authorized individuals. In practice, this means several specific technical controls.
Unique user identification. Every person who accesses systems containing ePHI must have a unique login. Shared accounts (“front desk login,” “nursing station account”) are a compliance violation. This sounds obvious, but shared credentials remain one of the most common findings in HIPAA audits.
Role-based access control. Users should only access the minimum ePHI necessary for their job function. A billing clerk doesn’t need access to clinical notes. A nurse doesn’t need access to financial records. Map each role in your organization to the specific data elements they need, and configure your systems to enforce those boundaries.
Emergency access procedures. You need a documented and tested procedure for accessing ePHI in emergency situations when normal access controls might prevent timely care delivery. This procedure should include who can authorize emergency access, how it’s logged, and how it’s reviewed after the fact.
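The role-to-data mapping and the logged break-glass path described above, as an added example (not code from the original article); the roles, data elements and user names are constructed for illustration:

```python
"""Minimum-necessary access check with a logged, reviewable emergency (break-glass) path.

The roles, ePHI data elements and users below are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Each role maps to the ePHI data elements it needs for its job function.
ROLE_PERMISSIONS = {
    "billing_clerk": {"demographics", "insurance", "charges"},
    "nurse": {"demographics", "clinical_notes", "medications", "vitals"},
    "physician": {"demographics", "clinical_notes", "medications", "vitals", "lab_results"},
}


@dataclass
class AccessDecision:
    allowed: bool
    reason: str


@dataclass
class AccessControl:
    # Every decision is recorded; emergency grants are flagged for after-the-fact review.
    audit_log: list = field(default_factory=list)

    def check(self, user_id, role, element, patient_id, emergency_reason=None, approver=None):
        """Allow only elements in the role's set, or an emergency grant with a named approver."""
        allowed_elements = ROLE_PERMISSIONS.get(role, set())
        if element in allowed_elements:
            decision = AccessDecision(True, "role permits element")
        elif emergency_reason and approver:
            decision = AccessDecision(True, "emergency access")
        else:
            decision = AccessDecision(False, "element not in role's minimum necessary set")
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user_id, "role": role, "element": element, "patient": patient_id,
            "allowed": decision.allowed, "reason": decision.reason,
            "emergency_reason": emergency_reason, "approver": approver,
            "needs_review": decision.reason == "emergency access",
        })
        return decision

    def pending_emergency_reviews(self):
        """Entries a privacy officer must review because normal controls were bypassed."""
        return [e for e in self.audit_log if e["needs_review"]]
```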
Automatic session termination. Workstations and applications that access ePHI must lock or log out after a defined period of inactivity. The specific timeout depends on the clinical context (an OR workstation might have different requirements than a registration desk), but the default should be aggressive (5-10 minutes) with justified exceptions.
Audit Controls
HIPAA requires the ability to record and examine activity in systems containing ePHI. This means comprehensive logging that captures who accessed what data, when, and what they did with it.
System-level audit logs. Every system that stores or processes ePHI must maintain audit logs. These logs must capture login attempts (successful and failed), data access events, data modification events, and administrative actions (user creation, permission changes).
Log retention. HIPAA doesn’t specify a retention period, but six years is the generally accepted standard (matching the HIPAA document retention requirement). Ensure your logging infrastructure can store and retrieve six years of audit data.
Regular log review. Collecting logs is necessary but insufficient. Someone must actually review them. Automated alerting for suspicious patterns (unusual access times, bulk data exports, repeated failed logins) should supplement periodic manual review.
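The three alert patterns named above (repeated failed logins, bulk exports, after-hours access) run over constructed audit lines, as an added example that is not from the original article; the key=value log format and the thresholds are assumptions, not a real product's format:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit lines in a simple key=value format (not a real product's format).
SAMPLE_LOG = """\
2024-03-04T09:01:10Z user=bclark action=login result=success src=10.0.4.12
2024-03-04T09:02:30Z user=bclark action=view patient=P1001 records=1
2024-03-04T12:15:00Z user=tnguyen action=login result=failure src=10.0.9.7
2024-03-04T12:15:05Z user=tnguyen action=login result=failure src=10.0.9.7
2024-03-04T12:15:09Z user=tnguyen action=login result=failure src=10.0.9.7
2024-03-04T12:15:14Z user=tnguyen action=login result=failure src=10.0.9.7
2024-03-04T12:15:20Z user=tnguyen action=login result=failure src=10.0.9.7
2024-03-04T23:40:00Z user=rlee action=export patient=* records=4800
2024-03-05T02:10:00Z user=bclark action=view patient=P2044 records=1
"""

def parse(line):
    """Parse '<ISO timestamp> k=v k=v ...' into a dict; return None for blank/garbled lines."""
    ts, _, rest = line.strip().partition(" ")
    try:
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    except ValueError:
        return None
    for tok in rest.split():
        key, _, value = tok.partition("=")
        ev[key] = value
    return ev

def detect(text, failed_threshold=5, failed_window=timedelta(minutes=10),
           export_threshold=500, business_hours=(6, 20)):
    """Return (alert_type, user, timestamp) tuples for the three high-risk patterns."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of failed logins
    for line in text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        user, action, hour = ev.get("user"), ev.get("action"), ev["ts"].hour
        if action == "login" and ev.get("result") == "failure":
            failures[user].append(ev["ts"])
            recent = [t for t in failures[user] if ev["ts"] - t <= failed_window]
            if len(recent) == failed_threshold:  # fire once, when the threshold is reached
                alerts.append(("repeated_failed_logins", user, ev["ts"]))
        if action == "export" and int(ev.get("records", 0)) >= export_threshold:
            alerts.append(("bulk_export", user, ev["ts"]))
        if action in ("view", "export") and not business_hours[0] <= hour < business_hours[1]:
            alerts.append(("after_hours_access", user, ev["ts"]))
    return alerts
```

Tune the window, thresholds and business hours per system; an OR system's "unusual hours" differ from a billing office's.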
Audit log integrity. Audit logs must be protected from tampering. A bad actor who can delete or modify audit logs can cover their tracks. Store logs in a separate system from the one generating them, with restricted write access.
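One way to make tampering detectable before the logs even reach the separate system: a hash chain where each record commits to its predecessor. This is an added example, not code from the original article; the sample events are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record

def record_digest(prev_hash, entry):
    """SHA-256 over the previous record's hash plus a canonical encoding of this entry."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + canonical).hexdigest()

class ChainedAuditLog:
    """Append-only log where each record commits to its predecessor.

    Edits or deletions inside the chain break verification. Truncating the tail
    is only caught by comparing head() against a copy kept on the separate log
    system, which is why the head hash should be shipped off-box regularly.
    """
    def __init__(self):
        self.records = []

    def append(self, entry):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        self.records.append({"entry": dict(entry), "prev": prev,
                             "hash": record_digest(prev, entry)})

    def head(self):
        """Latest hash; store this on the separate log system as the anchor."""
        return self.records[-1]["hash"] if self.records else GENESIS

    def verify(self):
        """Return the index of the first bad record, or None if the chain is intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or rec["hash"] != record_digest(prev, rec["entry"]):
                return i
            prev = rec["hash"]
        return None

def build_sample_log(n=3):
    """Constructed sample: n 'view' events by one user (no timestamps, so it is deterministic)."""
    log = ChainedAuditLog()
    for seq in range(n):
        log.append({"seq": seq, "user": "bclark", "action": "view", "patient": f"P{1000 + seq}"})
    return log
```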
Transmission Security
ePHI in transit must be protected against interception.
Encryption in transit. All network communications involving ePHI must use TLS 1.2 or higher. This applies to web applications, email, API communications, VPN connections, and any other network transmission. TLS 1.0 and 1.1 are deprecated and should be disabled.
Email encryption. Standard email is not secure for transmitting ePHI. If your organization communicates ePHI via email, you need a compliant email encryption solution. Options include portal-based encryption (recipient accesses message through a secure web portal) or direct encryption (S/MIME or similar).
Wireless network security. If ePHI is accessible over wireless networks, those networks must use WPA3 (or at minimum WPA2 Enterprise with 802.1X authentication). Guest networks must be segregated from networks that carry ePHI traffic.
Data Integrity and Encryption at Rest
Encryption at rest. All storage media containing ePHI (servers, workstations, laptops, mobile devices, backup tapes) must be encrypted. Full-disk encryption with AES-256 is the standard. This is non-negotiable for any portable device.
Data integrity verification. You need mechanisms to detect unauthorized modification of ePHI. This typically means database-level checksums, file integrity monitoring for systems that store ePHI in files, and change detection for configuration files on systems that process ePHI.
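The file integrity monitoring control above, as an added example that is not from the original article: a SHA-256 baseline of a directory and a comparison that reports modified, added and removed files. The directory and file contents are constructed in a temporary folder.

```python
import hashlib
import os
import tempfile

def hash_file(path):
    """Stream SHA-256 so large ePHI files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map relative path -> digest and size for every file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            baseline[rel] = {"sha256": hash_file(path), "size": os.path.getsize(path)}
    return baseline

def compare(baseline, root):
    """Diff the current state of root against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current
                           and current[p]["sha256"] != baseline[p]["sha256"]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed scenario: baseline three files, then change one, delete one, add one."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("notes.txt", "labs.txt", "meds.txt"):
            with open(os.path.join(root, name), "w") as f:
                f.write("constructed ePHI record in " + name)
        baseline = build_baseline(root)
        with open(os.path.join(root, "notes.txt"), "a") as f:
            f.write(" unauthorized edit")
        os.remove(os.path.join(root, "meds.txt"))
        with open(os.path.join(root, "dropped.txt"), "w") as f:
            f.write("unexpected new file")
        return compare(baseline, root)
```

In production the baseline itself must live on a system the monitored host cannot write to, for the same reason given for audit logs.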
Backup and recovery. Retrievable copies of ePHI must be maintained. Your backup strategy must address recovery time objectives (how quickly you can restore), recovery point objectives (how much data you can afford to lose), and backup integrity verification (confirming backups are actually restorable).
The Common Gaps
In my experience auditing healthcare technology environments, the five most common gaps are:
Shared credentials on clinical workstations. The fix is individual logins with proximity badge or biometric authentication for fast switching.
No encryption on portable devices. The fix is mandatory full-disk encryption managed through a mobile device management platform.
Audit logs that exist but are never reviewed. The fix is automated alerting for high-risk events combined with monthly manual review of access patterns.
Business associate agreements that don’t cover all vendors with ePHI access. The fix is a comprehensive vendor inventory with BAA status tracking.
Inconsistent patch management. The fix is automated patch deployment for all systems in the ePHI environment, with a defined SLA for critical security patches (24-48 hours).
Building a Compliance Program
A compliance checklist is a starting point, not a program. A sustainable HIPAA compliance program requires regular risk assessments (annually at minimum), ongoing staff training, incident response planning and testing, and continuous monitoring of the technical controls listed above.
If your organization needs help assessing its current HIPAA compliance posture or building a technology compliance program, JS Technology Solutions provides focused healthcare technology assessments that identify gaps and produce actionable remediation plans.
Jonathan Serle
Jonathan Serle is the founder of JS Technology Solutions and a senior technology consultant with 17 years of experience building software for healthcare, senior care, and mid-market organizations. He previously served as VP of Engineering at Wondersign and currently provides technical leadership for an AI operational intelligence platform serving government agencies.