Healthcare IT Compliance

Medical Practice IT Compliance Checklist for Medical Practices in 2026

This checklist covers the 22 IT compliance controls that medical practices, dental offices, and small healthcare clinics need in 2026 โ€” organized into six categories: Governance & Policies, Risk Assessment, Workforce Training, PHI Handling, Vendor & BAA Management, and Audit & Monitoring. Each item includes a one-line description and the specific regulatory reason it matters for healthcare. Run through it with your compliance lead, check off what you've done, and flag what you haven't.

๐Ÿ“‹
Governance & Policies
4 items ยท HIPAA Administrative Safeguards foundation
Maintain an active BAA inventory policy for every PHI vendor
Why it matters: 45 CFR 164.308(b)(1) requires Business Associate Agreements with every vendor that touches PHI. A documented inventory policy โ€” with renewal dates and primary owner assignments โ€” is what OCR asks for first when investigating a breach that started with a vendor.
Have a written information security program policy (not just a Word doc)
Why it matters: 45 CFR 164.316(b)(1) requires policies and procedures in writing. "We follow NIST" isn't a program โ€” you need a HIPAA-specific info sec policy with named approver, version date, scope statement, and distribution list. Most practices that get fined have policies that exist but never get reviewed.
Review and update all compliance policies at least annually
Why it matters: HIPAA expects policies to be reviewed as the environment changes โ€” new EHR modules, new state breach laws, new workforce realities. An annual review with a documented sign-off demonstrates active governance. Stale policies with 2019 dates are an OCR red flag.
Designate a HIPAA Security Officer and Privacy Officer (named, accountable)
Why it matters: 45 CFR 164.308(a)(2) requires designation of a security official and 164.530(a)(1) a privacy official. In small practices these are often the same person โ€” that's fine โ€” but the role has to be named and accountable. OCR enforcement actions repeatedly cite "no designated responsible party" as a finding.
๐Ÿ›ก๏ธ
Risk Assessment
3 items ยท The single most-cited HIPAA Security Rule requirement
Complete a documented risk analysis per 45 CFR 164.308(a)(1)(ii)(A)
Why it matters: Risk analysis is the most-cited deficiency in OCR enforcement actions โ€” by a wide margin. Your risk analysis must be specific to your practice's actual systems, threats, and vulnerabilities. A template with 2018 dates and no PHI asset detail won't survive an audit. NIST 800-30 is the standard framework.
Maintain an active PHI asset inventory (systems, locations, flows)
Why it matters: You cannot perform a risk analysis without knowing what PHI lives where. Document every system that stores, processes, or transmits PHI โ€” including shadow IT like a Dropbox account a departing clinician forgot about. Update the inventory any time a system is added or retired.
Run a refreshed threat model after any major change (new EHR module, M&A, breach)
Why it matters: 45 CFR 164.308(a)(1)(ii)(B) requires risk management in response to environmental changes. A new telehealth platform, a second office, or โ€” especially โ€” a near-miss phishing incident all reset your threat profile. Practices that re-baseline only on an annual cadence miss these trigger events.
๐ŸŽ“
Workforce Training
3 items ยท Required training under 45 CFR 164.530(b)
Run HIPAA onboarding training before any new hire accesses PHI
Why it matters: 45 CFR 164.530(b)(1) requires training "within a reasonable time" of workforce members accessing PHI. Practices that grant EHR access on day one and train "next week" are non-compliant the moment access begins. Keep training records with date, trainer, materials covered, and individual sign-off.
Conduct annual HIPAA refresher training for all staff
Why it matters: 45 CFR 164.530(b)(2) explicitly requires periodic refresher training. "We trained them once in 2022" is not periodic. Documented annual training โ€” with attestation that each staff member completed it โ€” is what closes this finding. Pair it with policy updates so the training reflects current procedures.
Run phishing simulations at least quarterly with documented results
Why it matters: Phishing is the top initial attack vector in healthcare breaches. Simulations do two things: surface who needs more training, and create a paper trail demonstrating active awareness effort. "We trained annually" plus quarterly simulations is exactly the pattern OCR wants to see when reviewing awareness programs.
๐Ÿ”
PHI Handling
4 items ยท HIPAA Technical Safeguards for the data itself
Enforce the minimum necessary standard across all PHI access
Why it matters: 45 CFR 164.502(b) requires limiting PHI use, disclosure, and requests to the minimum necessary. Most practices meet this on paper but not in practice โ€” front-desk staff routinely see entire charts when they only need a scheduling field. Document role-based access boundaries and review them annually.
Encrypt PHI at rest (databases, backups, devices) AND in transit (TLS 1.2+)
Why it matters: 45 CFR 164.312(a)(2)(iv) and (e)(2)(ii) require encryption and decryption as addressable safeguards โ€” meaning you either implement them or document why they're not reasonable and appropriate. Encryption is the single safest answer to a breach investigation: encrypted data is "not a breach" under HHS guidance.
Define and enforce a secure PHI disposal procedure (paper + e-media)
Why it matters: 45 CFR 164.310(d)(2)(i) requires media disposal procedures. Paper PHI tossed unshredded into a recycling bin and hard drives leaving with old workstations are both common breach triggers. Use cross-cut shredding (DIN 66399 P-4 or higher) and NIST 800-88 sanitization for drives.
Use HIPAA-compliant messaging for any patient communication (no SMS PHI)
Why it matters: Standard SMS is not HIPAA-compliant โ€” carriers store messages indefinitely and don't sign BAAs. Patient appointment reminders with PHI details (test results, diagnosis codes) sent via SMS are a direct violation. Use a HIPAA-compliant messaging platform with a BAA in place; keep SMS for non-PHI reminders only.
๐Ÿค
Vendor & BAA Management
4 items ยท You are liable for every PHI-handling vendor
Maintain an active BAA register with renewal dates and primary contacts
Why it matters: "We have a BAA" is not the same as "BAA is current." BAAs expire, vendors get acquired, business relationships change. An expired BAA with an active data connection is an active compliance liability โ€” and OCR treats it the same as no BAA at all. Re-paper them before renewal dates.
Conduct annual vendor security reviews for top-tier PHI vendors
Why it matters: 45 CFR 164.308(b)(1) requires due diligence on business associates. SOC 2 Type II reviews, HITRUST certifications, and security questionnaires are all acceptable evidence โ€” but you need to actually collect and review them annually. Storing a self-attested PDF from 2022 is not a review.
Verify downstream BAA flow-down for sub-contractors that handle PHI
Why it matters: 45 CFR 164.308(b)(4) requires that business associates flow down BAA obligations to their subcontractors. Your hosting BAA is meaningless unless their managed-service subcontractors also have signed BAAs. Audit the chain โ€” especially for EHR vendors, cloud-hosting providers, and lab interfaces.
Document vendor breach notification timelines and direct security contacts
Why it matters: Your BAAs should specify breach notification timelines โ€” typically 24-72 hours from discovery. OCR requires you to account for all PHI, including vendor-held. If you don't have a direct contact for your EHR vendor's security team, that's a procedural gap that could cost days in an actual incident.
๐Ÿ“Š
Audit & Monitoring
4 items ยท Demonstrates active compliance, not annual checkbox
Review EHR access logs monthly for anomalous or after-hours activity
Why it matters: 45 CFR 164.312(b) requires audit controls. Many EHRs log everything but no one ever reads the logs. Monthly review โ€” with documented findings, even if "nothing to report" โ€” separates compliant monitoring from "we have logs." Sniff out snooping before it becomes a breach notification.
Alert on failed login patterns and brute-force attempts in real time
Why it matters: A burst of failed logins against your EHR or VPN is attack-stage reconnaissance. Real-time alerting โ€” with documented response procedure โ€” is what stops the attack from progressing to credential compromise. "We'll see it in the monthly report" is too late.
Schedule an annual third-party HIPAA Compliance assessment
Why it matters: Self-assessment carries inherent blind spots. An annual third-party review โ€” even a focused-scope one โ€” produces an independent verifier stance OCR respects. Document findings, remediation, and closure dates. StrataAudit-style assessment reports serve this need well for small practices.
Maintain a documented incident response procedure with named contacts
Why it matters: 45 CFR 164.308(a)(6) requires a written contingency plan including incident response. "We call our IT guy" isn't a plan. Your IR procedure should name who makes containment decisions, who to call in the first hour, and what you disconnect first โ€” plus your OCR breach notification timeline.

Want to see how your practice stands up?

Stratavise's free technology risk assessment maps your IT compliance posture across all 22 of these controls โ€” including HIPAA governance, BAA management, and workforce training โ€” and gives you a prioritized finding report. No IT team required.

Run the Free Compliance Check → Takes under 10 minutes  ·  Instant prioritized report  ·  No signup required