Healthcare data breaches are not slowing down – and neither are the penalties. In 2026, HIPAA enforcement has only intensified, with fines starting at $137 per violation and scaling into the millions for willful neglect. For medical practices, dental offices, and healthcare organizations across Central Florida, the question is no longer whether you need compliant IT – it is whether your current setup can survive an audit.
This checklist covers every IT safeguard the Department of Health and Human Services (HHS) expects you to have in place. Use it to evaluate your own infrastructure, identify gaps, and take action before a breach forces your hand.
Administrative Safeguards Checklist
Administrative safeguards are the policies and procedures that govern how your organization handles protected health information (PHI). These are the foundation of HIPAA compliance and the first area auditors examine.
Risk Assessment
- Conduct a thorough Security Risk Assessment (SRA) at least annually
- Document all systems that store, process, or transmit ePHI
- Identify vulnerabilities in your network, applications, and physical environment
- Assign risk levels and create a remediation plan with deadlines
- Retain all assessment documentation for a minimum of six years
Workforce Training
- Provide HIPAA security awareness training to all employees upon hire
- Conduct refresher training at least annually
- Train staff on phishing recognition, password hygiene, and social engineering tactics
- Document all training sessions with attendance records and content covered
- Include role-specific training for employees with elevated access to ePHI
Access Management
- Implement role-based access controls – staff should only access the minimum PHI required for their job
- Maintain a current list of all users with access to ePHI systems
- Revoke access immediately upon termination or role change
- Review access privileges quarterly
- Enforce unique user IDs for every individual – no shared logins
Incident Response Plan
- Maintain a written incident response plan that covers data breaches, ransomware, and system failures
- Define clear roles and responsibilities for your response team
- Establish notification procedures that meet the 60-day breach reporting requirement
- Test your incident response plan with tabletop exercises at least once per year
- Document every security incident, regardless of size, and the corrective actions taken
Technical Safeguards Checklist
Technical safeguards are the technology-based protections that secure ePHI across your network. These controls must work together to prevent unauthorized access, detect anomalies, and ensure data integrity.
Access Controls
- Require multi-factor authentication (MFA) on all systems containing ePHI
- Enforce strong password policies – minimum 12 characters with complexity requirements
- Implement automatic session timeouts after periods of inactivity
- Deploy emergency access procedures for critical situations
- Use single sign-on (SSO) where possible to reduce credential sprawl
Audit Controls
- Enable logging on all systems that store or process ePHI
- Monitor and review audit logs regularly for unauthorized access attempts
- Retain audit logs for a minimum of six years
- Deploy a Security Information and Event Management (SIEM) solution or managed detection service
- Set up automated alerts for suspicious activity patterns
Integrity Controls
- Implement mechanisms to verify that ePHI has not been altered or destroyed improperly
- Use checksums or digital signatures for data integrity verification
- Protect against malware with managed endpoint protection across all devices
- Validate data integrity during electronic transmission
Encryption – At Rest and In Transit
- Encrypt all ePHI at rest using AES-256 or equivalent standard
- Encrypt all ePHI in transit using TLS 1.2 or higher
- Secure email communications with encryption – unencrypted email containing PHI is one of the most common violations (learn more about email security)
- Encrypt all portable devices including laptops, tablets, and USB drives
- Maintain and document your encryption key management procedures
Physical Safeguards Checklist
Physical safeguards protect the actual hardware, facilities, and media that house ePHI. These controls are frequently overlooked in IT assessments but remain a core HIPAA requirement.
Facility Access Controls
- Restrict physical access to server rooms, network closets, and data centers
- Implement badge access, key card systems, or biometric controls for sensitive areas
- Maintain visitor logs for all restricted areas
- Install security cameras in areas where ePHI is stored or processed
- Review physical access logs on a regular schedule
Workstation Security
- Position monitors so PHI is not visible to unauthorized individuals
- Enable automatic screen locks on all workstations
- Prohibit the use of personal devices for accessing ePHI unless managed under a BYOD policy
- Secure all workstations with cable locks or within locked offices
Device and Media Disposal
- Wipe or destroy all hard drives, SSDs, and removable media before disposal
- Use NIST SP 800-88 compliant data sanitization methods
- Maintain a documented chain of custody for all disposed media
- Obtain certificates of destruction from disposal vendors
The 3 Most Common HIPAA IT Failures
After working with healthcare practices across Central Florida, we see the same three failures come up repeatedly. These are the gaps most likely to trigger a violation or enable a breach.
1. No Verified Backup and Disaster Recovery Plan
Many practices assume their backups are working but have never tested a full restoration. When ransomware hits or a server fails, they discover their backups are incomplete, corrupted, or months out of date. A compliant backup and disaster recovery strategy includes automated backups, offsite replication, and regular restore testing.
2. Unencrypted Email Containing PHI
Sending patient information over standard email remains one of the most common – and most preventable – HIPAA violations. Every email system handling PHI must enforce encryption in transit and at rest. If your staff can send a patient record as a plain-text email, your practice is exposed.
3. No Access Logging or Audit Trail
Without proper audit controls, you cannot prove who accessed what data and when. In the event of a breach investigation, HHS will ask for access logs. If you cannot produce them, the assumption is that unauthorized access went undetected – and the penalties reflect that.
How iTech Plus Helps You Stay Compliant
HIPAA compliance is not a one-time project – it is an ongoing process that requires the right technology, the right policies, and a team that understands healthcare IT from the inside out. At iTech Plus, we provide HIPAA-compliant IT services built specifically for medical practices, dental offices, and healthcare organizations in Central Florida.
Our approach includes:
- Annual Security Risk Assessments that satisfy HHS requirements and give you a clear remediation roadmap
- Managed endpoint protection and email security to close the most common attack vectors
- Encrypted backup and disaster recovery with documented restore testing
- Access control management including MFA deployment, role-based permissions, and audit logging
- Ongoing compliance monitoring so you are never caught off guard by an audit or a breach
We handle the technology so your team can focus on patient care – without worrying about whether your IT will hold up under scrutiny.
Get a Free IT Assessment
Not sure where your practice stands? Our free IT assessment evaluates your current infrastructure against HIPAA requirements and identifies the gaps that put you at risk. There is no obligation – just a clear picture of what needs attention and a plan to address it.
Request your free IT assessment today and take the first step toward full HIPAA compliance in 2026.
