HIPAA IT compliance means protecting electronic protected health information (ePHI) with administrative, physical, and technical safeguards under the HIPAA Security Rule. The foundation is a documented risk analysis, followed by access controls, encryption, audit logging, backups, and a tested breach-response plan.
What does HIPAA require from IT?
The HIPAA Security Rule requires covered entities and their business associates to protect ePHI through three categories of safeguards: administrative, physical, and technical. It is deliberately flexible — it tells you what to achieve, not which product to buy — which is why a documented risk analysis is the starting point for everything else.
The HIPAA IT compliance checklist
Administrative safeguards
- Security risk analysis — a documented assessment of risks to ePHI. This is explicitly required (45 CFR 164.308) and is the most common audit finding when missing.
- Risk management plan — remediation for the risks you identified, with owners and dates.
- Workforce training — regular security-awareness and phishing training for everyone who touches ePHI.
- Business Associate Agreements (BAAs) — signed with every vendor that handles ePHI, including your IT provider and cloud services.
Technical safeguards
- Access controls — unique user IDs, role-based access, and multifactor authentication.
- Encryption — ePHI encrypted in transit and at rest. Encryption is an addressable specification, but for most providers it is the reasonable choice — and encrypted data may qualify for breach safe harbor.
- Audit logging — records of who accessed ePHI and when, reviewed regularly.
- Automatic logoff and endpoint protection on devices that access ePHI.
Physical safeguards and resilience
- Facility and device controls — physical access limits, plus media disposal that sanitizes data (consistent with NIST SP 800-88).
- Backups and disaster recovery — tested, recoverable backups of ePHI with a documented recovery plan.
- Breach-response plan — procedures aligned to the Breach Notification Rule so you can detect, contain, and report an incident on time.
What happens if you are not compliant?
Beyond the risk of a breach itself, HIPAA violations carry tiered civil penalties and can trigger corrective-action plans. More practically, a missing or stale risk analysis is the issue regulators cite most often — and it is one of the easiest to fix with a partner.
How Splashwire helps healthcare organizations
Splashwire is versed in the regulations that impact healthcare IT. We deliver risk assessments, access control and encryption, monitoring, and disaster recovery, and we sign a BAA as your partner. See our healthcare IT services and cybersecurity program.
This checklist is general guidance, not legal advice. Consult qualified counsel for your specific obligations.
Frequently asked questions
A documented security risk analysis. It is explicitly required by the HIPAA Security Rule (45 CFR 164.308) and is the most common audit finding when it is missing or out of date.
Encryption is an "addressable" specification, meaning you must implement it or document a reasonable alternative. For most providers, encrypting ePHI in transit and at rest is the reasonable choice and can support breach safe harbor.
Yes. Any vendor that creates, receives, maintains, or transmits ePHI on your behalf — including your IT and cloud providers — must sign a Business Associate Agreement.