HIPAA compliance isn't optional for healthcare IT teams, but the requirements are scattered across hundreds of pages of federal regulations. Most IT administrators at clinics, practices, and small health systems know they need to be compliant — they just need a clear checklist of what that actually means for their day-to-day technology operations.
This checklist distills the HIPAA Security Rule's technical requirements into actionable items your IT team can verify, implement, and document. Each section maps directly to a HIPAA safeguard category, with specific steps you can take today.
Understanding HIPAA's IT Requirements
The HIPAA Security Rule (45 CFR Part 164) establishes three categories of safeguards for electronic protected health information (ePHI): administrative, physical, and technical. While all three matter, the technical safeguards are where IT teams spend most of their time.
The key distinction in HIPAA is between required and addressable specifications. Required means you must implement it, period. Addressable means you must assess whether it's reasonable and appropriate — and if you decide not to implement it, you must document why and what alternative you're using instead.
In practice, most addressable specifications should be implemented. "Addressable" does not mean "optional" — the HHS Office for Civil Rights (OCR) has made this clear in multiple enforcement actions.
1. Access Controls (Required)
Access controls are the foundation of HIPAA technical compliance. Every system that stores, processes, or transmits ePHI must restrict access to authorized users only.
- Unique user identification — Every person who accesses ePHI must have a unique identifier. No shared accounts, no generic logins. This applies to EHR systems, file servers, email, and any system that touches patient data.
- Emergency access procedures — Document how authorized users access ePHI during emergencies (system outages, disasters). This includes break-glass procedures for EHR systems and backup access methods.
- Automatic logoff — Workstations and applications must automatically lock or log off after a period of inactivity. Industry standard is 15 minutes for workstations, shorter for clinical terminals in shared spaces.
- Encryption and decryption — Implement a mechanism to encrypt and decrypt ePHI. This is addressable, but given the current threat landscape and available technology, it's effectively required.
- Role-based access — Users should only access the minimum ePHI necessary for their job function. A billing clerk doesn't need access to clinical notes. A nurse doesn't need access to billing records.
IT action item: Audit every system that contains ePHI. Verify that each has unique user IDs, automatic logoff configured, and role-based access controls. Document emergency access procedures for each system. Tools like governed execution can enforce these controls automatically, logging every access decision for audit purposes.
2. Audit Controls (Required)
HIPAA requires mechanisms to record and examine activity in systems that contain or use ePHI. This is one of the most commonly failed areas during OCR audits.
- System activity logging — Enable audit logs on every system that handles ePHI. This includes EHR systems, file servers, email servers, VPN concentrators, Active Directory, and cloud services.
- Log retention — HIPAA requires documentation retention for 6 years. Your audit logs should be retained for at least this long, though many organizations choose longer periods.
- Log review — Logs are useless if nobody reads them. Establish a regular schedule for reviewing audit logs, for example weekly reviews of access logs and immediate review of security events.
- Login attempt tracking — Record successful and failed login attempts. Multiple failed attempts should trigger alerts. This helps detect unauthorized access attempts and compromised credentials.
- ePHI access tracking — Track who accessed what patient records and when. Most EHR systems have this built in, but verify it's enabled and that logs are being retained.
IT action item: Inventory every system handling ePHI and verify audit logging is enabled. Configure centralized log collection (SIEM or log aggregator). Set up automated alerts for suspicious activity. Document your log review procedures and schedule. A compliance dashboard can centralize this monitoring and flag gaps before an auditor finds them.
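As an added example (not from the original checklist or from TechManager AI), a small Python review pass over constructed ePHI audit-log lines that flags generic shared accounts (the unique user identification item in section 1) and failed-login bursts (the login attempt tracking item above); the log layout, account names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (timestamp|event|account|source); the
# pipe-delimited layout is an assumption, not any real EHR log format.
SAMPLE_LOG = """\
2024-03-04T08:00:12|LOGIN_FAIL|jdoe|WS-117
2024-03-04T08:00:20|LOGIN_FAIL|jdoe|WS-117
2024-03-04T08:00:31|LOGIN_FAIL|jdoe|WS-117
2024-03-04T08:00:44|LOGIN_FAIL|jdoe|WS-117
2024-03-04T08:00:58|LOGIN_FAIL|jdoe|WS-117
2024-03-04T08:01:10|LOGIN_OK|jdoe|WS-117
2024-03-04T08:05:00|LOGIN_OK|frontdesk|WS-002
2024-03-04T08:06:30|PHI_VIEW|frontdesk|MRN-REDACTED
2024-03-04T09:15:00|LOGIN_FAIL|asmith|WS-045
"""

# Assumed names that signal a shared or generic login rather than a person.
SHARED_ACCOUNT_NAMES = {"admin", "frontdesk", "nurse", "reception", "guest"}
FAIL_THRESHOLD = 5                    # this many failed logins ...
FAIL_WINDOW = timedelta(minutes=10)   # ... inside this window raises an alert

def parse(log_text):
    # Each line becomes (datetime, event, account, source).
    return [(datetime.fromisoformat(ts), ev, acct, src)
            for ts, ev, acct, src in (l.split("|") for l in log_text.splitlines())]

def find_shared_accounts(events):
    """Unique user identification: any activity under a generic account name."""
    return sorted({a for _, _, a, _ in events if a.lower() in SHARED_ACCOUNT_NAMES})

def find_failed_login_bursts(events):
    """Login attempt tracking: {account: start of first burst} over FAIL_WINDOW."""
    fails = defaultdict(list)
    for ts, event, account, _ in events:
        if event == "LOGIN_FAIL":
            fails[account].append(ts)
    alerts = {}
    for account, times in fails.items():
        times.sort()
        for i in range(len(times) - FAIL_THRESHOLD + 1):
            if times[i + FAIL_THRESHOLD - 1] - times[i] <= FAIL_WINDOW:
                alerts[account] = times[i]
                break
    return alerts

def review(log_text):
    events = parse(log_text)
    return {"shared_accounts": find_shared_accounts(events),
            "failed_login_bursts": find_failed_login_bursts(events)}
```

Running `review(SAMPLE_LOG)` reports the shared `frontdesk` account and the five-failure burst by `jdoe`, while the single failure by `asmith` stays below the threshold.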
3. Integrity Controls (Addressable)
You must protect ePHI from improper alteration or destruction. This means ensuring that data hasn't been changed or deleted without authorization.
- Data integrity mechanisms — Implement checksums, digital signatures, or other mechanisms to verify that ePHI hasn't been altered in transit or at rest.
- Error correction procedures — Document procedures for identifying and correcting data integrity errors. This includes backup verification and data validation processes.
- Database integrity — EHR databases should have referential integrity constraints. Regular integrity checks should be part of your maintenance schedule.
IT action item: Enable integrity checking on file systems and databases storing ePHI. Verify that your backup system performs integrity checks during backup and restore operations. Test restore procedures quarterly.
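An added example, not from the original checklist or the product described, of the "checksums, digital signatures, or other mechanisms" item: a keyed SHA-256 manifest over a constructed in-memory backup set, verified again after tampering. The file set and key are constructed; the assumption is that the key is stored apart from the backup media.

```python
import hashlib
import hmac

# Constructed backup set: path -> contents (stands in for files on backup media).
BACKUP_SET = {
    "ehr/patients.db": b"record-1;record-2;record-3",
    "ehr/audit.log": b"2024-03-04 jdoe PHI_VIEW",
    "config/app.ini": b"[db]\nencryption=tde\n",
}
# Assumed: the key is kept with the verifier, not on the backup media, so an
# actor who can alter the backup cannot also recompute a matching manifest.
MANIFEST_KEY = b"example-key-kept-outside-backup"

def build_manifest(files, key):
    """Keyed SHA-256 digest per file. A plain checksum catches corruption;
    the key is what makes a recomputed-checksum edit detectable too."""
    return {path: hmac.new(key, data, hashlib.sha256).hexdigest()
            for path, data in files.items()}

def verify_manifest(files, manifest, key):
    """Per-path status: ok, altered, missing (in manifest, not in files)
    or unexpected (in files, not in manifest)."""
    status = {}
    for path, expected in manifest.items():
        if path not in files:
            status[path] = "missing"
            continue
        actual = hmac.new(key, files[path], hashlib.sha256).hexdigest()
        status[path] = "ok" if hmac.compare_digest(actual, expected) else "altered"
    for path in files:
        if path not in manifest:
            status[path] = "unexpected"
    return status

def demo():
    """Build a manifest, then verify a copy with three kinds of tampering."""
    manifest = build_manifest(BACKUP_SET, MANIFEST_KEY)
    tampered = dict(BACKUP_SET)
    tampered["ehr/patients.db"] = b"record-1;record-2"   # a record deleted
    del tampered["ehr/audit.log"]                         # a log file removed
    tampered["tmp/extra.bin"] = b"\x00"                   # file not in manifest
    return verify_manifest(tampered, manifest, MANIFEST_KEY)

if __name__ == "__main__":
    for path, state in demo().items():
        print(f"{state:10} {path}")
```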
4. Transmission Security (Required)
Any ePHI transmitted over a network must be protected against unauthorized access. This applies to internal networks, internet connections, VPNs, and wireless networks.
- Encryption in transit — All ePHI transmitted over any network should be encrypted. Use TLS 1.2 or higher for web traffic, encrypted email for patient communications, and VPN for remote access.
- Integrity controls for transmission — Verify that ePHI is not modified during transmission. TLS handles this automatically, but verify it's properly configured on all endpoints.
- Wireless security — If your practice uses WiFi, ensure WPA3 (or WPA2 Enterprise at minimum) is configured. Separate guest WiFi from clinical networks. Disable WEP entirely.
- Fax and eFax — Traditional fax over phone lines is generally considered secure. eFax services that transmit via email or internet must use encryption. Verify your eFax provider is HIPAA compliant and has a BAA in place.
- Email encryption — Any email containing ePHI must be encrypted. Options include TLS between mail servers, S/MIME, or encrypted email gateways.
IT action item: Audit all network connections that carry ePHI. Verify TLS configuration on web servers and email servers. Test VPN encryption. Review wireless security settings. Ensure eFax services have signed BAAs.
5. Encryption at Rest (Addressable)
While technically addressable, encrypting ePHI at rest is considered a best practice and is effectively required by modern standards. The OCR has consistently emphasized encryption in enforcement guidance.
- Full disk encryption — All workstations, laptops, and servers that store ePHI should have full disk encryption enabled. BitLocker for Windows, FileVault for macOS.
- Database encryption — Enable transparent data encryption (TDE) on databases storing ePHI.
- Backup encryption — Backup media must be encrypted. This includes local backup drives, tape backups, and cloud backup destinations.
- Mobile device encryption — Any mobile device that accesses ePHI must have full device encryption enabled. This includes phones, tablets, and laptops used by providers.
- Removable media — USB drives, external hard drives, and other removable media containing ePHI must be encrypted. Better yet, implement a policy restricting use of removable media for ePHI.
IT action item: Enable full disk encryption on all endpoints. Verify database encryption on EHR systems. Test backup encryption. Implement mobile device management (MDM) to enforce encryption on personal devices that access ePHI.
6. Business Associate Agreements (Required)
Every vendor, contractor, or service provider that accesses, stores, or transmits ePHI on your behalf must have a signed Business Associate Agreement. This is an administrative requirement with major IT implications.
- Cloud service providers — AWS, Google Cloud, Microsoft Azure, and any SaaS application that handles ePHI needs a BAA.
- IT service providers — Your MSP, IT support vendor, or any technician who might access systems containing ePHI needs a BAA.
- Communication platforms — Email providers, messaging platforms, telehealth systems, and fax services need BAAs.
- Backup and disaster recovery — Cloud backup providers, disaster recovery services, and data center colocation providers need BAAs.
- IT management platforms — Help desk systems, remote monitoring tools, and IT asset management platforms that might encounter ePHI need BAAs. TechManager AI offers a HIPAA BAA as part of its healthcare compliance package.
IT action item: Create a complete inventory of every vendor and service that touches ePHI. Verify that each has a current, signed BAA. Review BAAs annually for adequacy. Track BAA expiration dates and renewal requirements.
7. Workforce Security (Administrative + Technical)
The administrative safeguards for workforce security have significant IT implementation requirements.
- Access provisioning — New employees should receive the minimum access necessary for their role. Document the access provisioning process for each job function.
- Access termination — When employees leave, their access must be revoked immediately. This includes EHR access, email, VPN, building access, and any other system that contains ePHI. Same-day termination is the standard.
- Access reviews — Conduct periodic reviews (quarterly recommended) of all user access to ensure permissions are still appropriate. Remove access that's no longer needed.
- Security awareness training — All workforce members must receive HIPAA security training. Document training completion. Conduct phishing simulations to test awareness.
- Sanctions policy — Document and enforce consequences for workforce members who violate security policies.
IT action item: Automate access provisioning and deprovisioning as much as possible. Implement a checklist for onboarding and offboarding that covers every ePHI-containing system. Schedule quarterly access reviews. Track training completion. AI-powered ticket resolution can help automate these workflows while maintaining full audit trails.
8. Incident Response (Required)
HIPAA requires procedures to identify, respond to, and mitigate security incidents. Healthcare IT teams need documented, tested incident response plans.
- Incident identification — Define what constitutes a security incident. Establish monitoring and alerting to detect incidents quickly.
- Response procedures — Document step-by-step response procedures for common incident types: ransomware, unauthorized access, lost/stolen devices, phishing compromise.
- Breach notification — If a breach of unsecured ePHI occurs, you must notify affected individuals within 60 days. Breaches affecting 500+ individuals must also be reported to HHS and media.
- Documentation — Document every incident: what happened, when it was discovered, what was done, and the outcome. Retain documentation for 6 years.
- Post-incident review — After each incident, conduct a lessons-learned review. Update procedures based on findings.
IT action item: Create or update your incident response plan. Test it with tabletop exercises at least annually. Ensure all IT staff know their roles during an incident. Pre-identify legal counsel and forensics resources. Read our guide on building an IT incident response plan for regulated industries.
Quick Reference: HIPAA IT Compliance Checklist
The checklist items above fall into five groups: Access Controls; Audit & Logging; Encryption; Vendor Management; Workforce & Incident Response.
Common HIPAA IT Audit Findings
Based on OCR enforcement actions and industry audits, these are the most common IT-related findings:
- Missing or incomplete risk analysis — The single most cited violation. You must conduct a thorough risk analysis that identifies all ePHI, threats, and vulnerabilities.
- Lack of audit controls — Systems with ePHI that have no logging enabled, or logs that aren't reviewed.
- Insufficient access controls — Shared accounts, overly broad permissions, no automatic logoff.
- Missing BAAs — Using cloud services or vendors without signed agreements.
- No encryption on portable devices — Lost or stolen unencrypted laptops and drives account for a significant percentage of reported breaches.
- Inadequate incident response — No documented plan, or a plan that hasn't been tested.
How TechManager AI Supports HIPAA Compliance
TechManager AI is built for healthcare IT environments. Every IT action runs through governed execution — meaning each change is policy-checked against your compliance rules before it executes. The full audit trail documents every action, who initiated it, what was changed, and the outcome, giving you audit-ready documentation without manual logging.
For healthcare practices, the compliance package includes a signed HIPAA BAA, pre-configured audit controls, access provisioning workflows that enforce minimum necessary access, and a compliance dashboard that shows your HIPAA posture in real time.
Next Steps
Start by completing the checklist above. Identify gaps, prioritize them by risk, and create a remediation plan with deadlines. If you're managing IT for a healthcare practice and want automated compliance monitoring, book a demo to see how TechManager AI's governed execution and audit logging can simplify your HIPAA compliance posture.
For a deeper dive into healthcare IT compliance auditing, read our IT Compliance Audit Checklist for Healthcare.