The 2025 HIPAA Security Checklist: 12 Controls Every Medical Practice Must Have in Place
- Digital Harbor IT Solutions

- Jan 14
- 4 min read

HIPAA enforcement has shifted. The Office for Civil Rights is no longer waiting for breach reports—they're conducting proactive audits and issuing fines for security gaps that existed before any incident occurred. For medical practices operating with outdated IT infrastructure or incomplete security controls, the compliance deadline isn't theoretical. It's now.
This HIPAA security checklist covers the 12 technical and administrative safeguards your practice needs to demonstrate compliance. Not suggestions. Requirements.
HIPAA Security Checklist: Access Controls
1. Unique User Identification
Every person who accesses electronic protected health information must have a unique login credential. Shared accounts—even at the front desk—violate HIPAA and make audit trails meaningless.
Action Step: Audit your Microsoft 365 or Google Workspace admin console. If you see accounts like "FrontDesk@yourpractice.com" being used by multiple staff, create individual accounts immediately.
2. Automatic Session Timeout
Workstations must lock after a period of inactivity. OCR guidance suggests 2-5 minutes for clinical environments.
Action Step: Configure screen lock via Group Policy (Windows) or MDM profile (Mac). Set timeout to 3 minutes maximum for any device that displays patient information.
3. Multi-Factor Authentication
MFA is no longer optional. Any system containing PHI—EHR, email, cloud storage—must require a second authentication factor.
Action Step: Enable MFA for all users in Microsoft 365 via Security Defaults or Conditional Access. Require the Microsoft Authenticator app, not SMS codes.
Transmission Security
4. Email Encryption
Patient information sent via email must be encrypted both in transit (TLS) and at rest. Standard email fails this test.
Action Step: Verify TLS enforcement in your email provider's admin settings. For Microsoft 365, configure Outbound Connector policies to require TLS 1.2 or reject delivery. Consider Microsoft 365 Message Encryption for sensitive communications.
5. Secure File Sharing
Attachments containing PHI cannot be sent via standard email attachments. Use encrypted file sharing with access controls and audit logging.
Action Step: Implement SharePoint or OneDrive sharing links with expiration dates and "specific people" permissions rather than "anyone with the link."
Audit Controls
6. Access Logging
You must be able to demonstrate who accessed what patient records and when. This requires unified audit logging across all systems.
Action Step: Enable Unified Audit Log in Microsoft 365 Compliance Center. Set retention to minimum 180 days (365 days recommended). Configure alerts for unusual access patterns.
7. Regular Log Review
Logs are useless without review. Establish a documented process for weekly or monthly audit log review.
Action Step: Create a recurring calendar event for log review. Document findings—even "no anomalies detected"—in a compliance log. This documentation becomes evidence during audits.
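As an added example (not part of the original post, and not a Microsoft tool), the following script shows what the "unusual access patterns" alerting in item 6 and the documented review in item 7 can look like in practice: it scans constructed audit records shaped like a Unified Audit Log export, flags after-hours chart access and one account opening an unusually large number of distinct charts in a day, and writes a review entry even when nothing is found. The field names, clinic hours, and the 20-chart threshold are assumptions to adjust for your practice.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records in the shape of a Unified Audit Log export
# (field names are assumptions; users, paths and timestamps are made up).
SAMPLE_LOG = [
    {"CreationDate": "2025-01-13T09:12:00", "UserId": "nurse1@practice.example",
     "Operation": "FileAccessed", "ObjectId": "/PatientRecords/P1001.pdf"},
    {"CreationDate": "2025-01-13T14:40:00", "UserId": "nurse1@practice.example",
     "Operation": "FileAccessed", "ObjectId": "/PatientRecords/P1002.pdf"},
    {"CreationDate": "2025-01-13T23:05:00", "UserId": "frontdesk@practice.example",
     "Operation": "FileAccessed", "ObjectId": "/PatientRecords/P1003.pdf"},
    {"CreationDate": "2025-01-13T11:00:00", "UserId": "admin@practice.example",
     "Operation": "UserLoggedIn", "ObjectId": ""},
] + [  # one account opening 25 different charts within an hour: a bulk-access pattern
    {"CreationDate": f"2025-01-14T10:{i:02d}:00", "UserId": "temp@practice.example",
     "Operation": "FileAccessed", "ObjectId": f"/PatientRecords/P{2000 + i}.pdf"}
    for i in range(25)
]

BUSINESS_HOURS = (7, 19)  # assumed clinic hours: 07:00 to 18:59
BULK_THRESHOLD = 20       # assumed: distinct charts per user per day before alerting


def find_anomalies(records, hours=BUSINESS_HOURS, threshold=BULK_THRESHOLD):
    """Return (rule, user, detail) findings for after-hours and bulk chart access."""
    findings = []
    charts_per_user_day = defaultdict(set)
    for rec in records:
        if rec["Operation"] != "FileAccessed":
            continue  # only chart reads matter for these two rules
        ts = datetime.fromisoformat(rec["CreationDate"])
        if not hours[0] <= ts.hour < hours[1]:
            findings.append(("after_hours", rec["UserId"], f"{rec['ObjectId']} at {ts:%Y-%m-%d %H:%M}"))
        charts_per_user_day[(rec["UserId"], ts.date())].add(rec["ObjectId"])
    for (user, day), charts in charts_per_user_day.items():
        if len(charts) >= threshold:
            findings.append(("bulk_access", user, f"{len(charts)} distinct charts on {day}"))
    return findings


def compliance_log_entry(findings, reviewed_on, reviewer):
    """Produce the review record to retain, including the 'nothing found' case."""
    header = f"{reviewed_on} audit log review by {reviewer}: "
    if not findings:
        return header + "no anomalies detected"
    lines = [header + f"{len(findings)} finding(s) for follow-up"]
    lines += [f"  - {rule}: {user} ({detail})" for rule, user, detail in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(compliance_log_entry(find_anomalies(SAMPLE_LOG), "2025-01-20", "privacy.officer"))
```

Run it against a real export by loading the CSV into the same list-of-dicts shape; the "no anomalies detected" entry is the one to file in the compliance log when a weekly review turns up nothing.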
Integrity Controls
8. Malware Protection
All systems must have current anti-malware protection with automatic updates and real-time scanning.
Action Step: If using Microsoft 365 Business Premium, enable Microsoft Defender for Business across all endpoints. Configure automatic signature updates and weekly full scans.
9. Patch Management
Unpatched systems are the most common attack vector. You must have a documented patching process with defined timelines.
Action Step: Enable automatic Windows updates for security patches. For managed environments, deploy patches within 14 days of release for critical vulnerabilities, 30 days for others.
Physical and Administrative Safeguards
10. Workstation Security
Physical access to workstations displaying PHI must be restricted. Screens should not be visible to patients or unauthorized personnel.
Action Step: Audit workstation placement. Install privacy screens on monitors in reception areas. Ensure workstations are positioned so screens face away from patient areas.
11. Workforce Training
All staff must receive HIPAA security awareness training at hire and annually thereafter. Training must be documented.
Action Step: Implement a security awareness training platform (KnowBe4, Proofpoint, or similar). Schedule annual training with completion tracking and attestation.
12. Incident Response Plan
You must have a documented plan for responding to security incidents, including breach notification procedures.
Action Step: Create a written incident response plan that includes: who to contact, how to contain the incident, breach assessment criteria, notification timelines, and documentation requirements.
The Risk Assessment Requirement
Beyond these 12 controls, HIPAA requires a documented Security Risk Assessment—not once, but annually or whenever significant changes occur to your IT environment.
This assessment must identify threats, vulnerabilities, and the likelihood and impact of potential breaches. It must be documented and retained.
A checklist is not a risk assessment. If your IT provider handed you a checklist and called it compliant, you have a documentation problem.
Your Compliance Documentation Matters
During an OCR audit, you won't be asked "Are you secure?" You'll be asked "Prove it."
Every control in this checklist requires documentation: policies, configuration evidence, training records, and audit logs. The practice that can produce a binder of organized compliance evidence responds to audits with confidence. The practice that scrambles to reconstruct documentation responds with legal counsel.
Start with one section. Document what you have. Identify what you're missing. Build from there.
Need help identifying gaps in your HIPAA compliance posture? DigitalHarbor offers a HIPAA Security Assessment that documents your current state, identifies deficiencies, and provides a prioritized remediation roadmap. Contact us for a no-obligation consultation.