Administrative Safeguards Checklist
Administrative safeguards are the policies, procedures, and management controls that govern how your practice handles ePHI. They're often overlooked in favor of technical controls, but they're the foundation the Security Rule is built on.
- Risk analysis completed and documented within the last 12 months
- Security officer designated and documented in writing
- Workforce training on HIPAA Security Rule completed and logged
- Written security policies and procedures in place and reviewed annually
- Access management procedures for granting, modifying, and revoking system access
- Sanctions policy for workforce violations documented and communicated
- Contingency plan in place (backup, disaster recovery, emergency mode)
Physical Safeguards Checklist
Physical safeguards control who can physically reach the systems that store or process ePHI. In a small office they are easy to neglect because the "server" is often a PC under a desk.
- Workstation use and security policies define who can use which devices and under what conditions
- Automatic screen lock (15 minutes or less) enabled on all workstations
- Workstation screens positioned so they cannot be read by patients in waiting areas or at reception
- Server and network equipment in a locked room or cabinet with access log
- Device and media controls: formal procedure for hardware disposal and reuse
- Record kept of the movement of hardware that contains ePHI (laptops, external drives), including who has it and where
Technical Safeguards Checklist
Technical safeguards are the IT controls that directly protect ePHI in your systems. This is where small practices typically have the most gaps.
- Unique user IDs assigned — no shared login credentials for any system
- Multi-factor authentication (MFA) enforced on EHR, email, and remote access
- Automatic session logoff configured in EHR and workstations
- Email encryption for any ePHI transmitted outside the practice network
- Encryption at rest on all devices containing ePHI (laptops, workstations, backup drives)
- Audit logs enabled and reviewed in your EHR system
- Network firewall in place with access controls documented
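Several of the items above (screen lock, encryption at rest, no shared logins, audit logging) can be spot-checked per workstation rather than taken on faith. The script below is an added example, not part of the original checklist and not a tool from the practice or vendor described here. It assumes a Windows 10/11 workstation with BitLocker, an elevated PowerShell prompt, the standard registry locations for the inactivity and screensaver lock settings, and English-language auditpol output; the 900-second threshold is the checklist's own 15-minute limit. It only reports; it changes nothing.

```powershell
# Added example: per-workstation spot-check of the technical safeguard items.
# Assumptions: Windows 10/11, BitLocker available, run elevated, English auditpol output.
# Threshold of 900 seconds comes from the checklist's "15 minutes or less" item.
$MaxLockSeconds = 900
$findings = @()

# 1. Machine-wide inactivity lock (policy "Interactive logon: Machine inactivity limit").
#    Absent or 0 means no enforced lock at the machine level.
$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$inactivity = (Get-ItemProperty -Path $policyPath -Name 'InactivityTimeoutSecs' -ErrorAction SilentlyContinue).InactivityTimeoutSecs
if (-not $inactivity -or $inactivity -gt $MaxLockSeconds) {
    $findings += "Screen lock: machine inactivity limit is '$inactivity' (needs 1-$MaxLockSeconds seconds)"
}

# 2. Per-user screensaver lock for the current user, as a fallback when no machine policy is set.
$ss = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
if ($ss.ScreenSaveActive -ne '1' -or $ss.ScreenSaverIsSecure -ne '1' -or [int]$ss.ScreenSaveTimeOut -gt $MaxLockSeconds) {
    $findings += "Screen lock: user screensaver not active/secure/<=15 min (Active=$($ss.ScreenSaveActive) Secure=$($ss.ScreenSaverIsSecure) Timeout=$($ss.ScreenSaveTimeOut))"
}

# 3. Encryption at rest: every OS and data volume should be fully encrypted with protection on.
Get-BitLockerVolume | Where-Object { $_.VolumeType -in @('OperatingSystem', 'Data') } | ForEach-Object {
    if ($_.ProtectionStatus -ne 'On' -or $_.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "Encryption: volume $($_.MountPoint) is $($_.VolumeStatus), protection $($_.ProtectionStatus)"
    }
}

# 4. Unique user IDs: any enabled local account beyond the Windows built-ins is a candidate
#    shared login ("frontdesk", "nurse") and should map to exactly one named person.
$builtIns = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')
Get-LocalUser | Where-Object { $_.Enabled -and $_.Name -notin $builtIns } | ForEach-Object {
    $findings += "Accounts: enabled local account '$($_.Name)' (confirm it belongs to one named person)"
}

# 5. Audit logging: the Security log is only useful if logon success AND failure are audited.
$logonLine = auditpol /get /subcategory:"Logon" 2>$null | Select-String '^\s+Logon\s+(.+)$'
if (-not $logonLine -or $logonLine.Matches[0].Groups[1].Value.Trim() -ne 'Success and Failure') {
    $findings += "Audit logs: Logon subcategory is not set to 'Success and Failure'"
}

if ($findings.Count -eq 0) {
    Write-Output "PASS: $env:COMPUTERNAME meets the spot-checked items"
} else {
    $findings | ForEach-Object { Write-Output "FAIL ($env:COMPUTERNAME): $_" }
}
```

Run it on each workstation and keep the output with the risk analysis; a FAIL line is a documented gap with a date attached, which is exactly what an auditor asks for. Settings pushed by Group Policy or an MDM can live in other registry locations, so treat a clean PASS as a starting point, not proof.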
Business Associate Agreements Checklist
A Business Associate Agreement (BAA) is required with any vendor that creates, receives, maintains, or transmits ePHI on your behalf — including IT vendors. Missing BAAs are one of the most commonly cited HIPAA violations in small practice audits.
- IT managed services provider: BAA signed and on file
- EHR/practice management software vendor: BAA signed and on file
- Cloud backup or storage provider: BAA signed and on file
- Email hosting provider (if transmitting ePHI): BAA signed and on file
- Billing company or clearinghouse: BAA signed and on file
- Any transcription or remote services vendor: BAA signed and on file
- BAA inventory maintained and reviewed annually
Need Help Getting Your Ohio Practice Into Compliance?
We provide HIPAA Security Rule assessments, signed Business Associate Agreements, and ongoing HIPAA-aligned IT support for medical and dental offices throughout Canton and Northeast Ohio.