Know exactly what HIPAA asks of your IT
A free, print-friendly checklist that turns the HIPAA Security Rule into a plain-English list of IT controls, and shows who owns each one: you or your IT provider.
A free, plain-English HIPAA IT compliance checklist for small medical and dental practices. Map the Security Rule to real IT controls and see who owns each one.
What you'll get
A practical, ready-to-use resource you fill in for your own practice and keep. No expiring trial, no strings.
What the HIPAA IT Checklist does
If you run a small practice, HIPAA can feel like a wall of legal language that never quite tells you what to actually do. The Security Rule talks about safeguards and standards, but it never names multi-factor authentication, and where it does ask you to test your contingency plan it does not say what a useful test looks like. That gap is where most small practices get stuck.
This checklist closes the gap. It takes the parts of the HIPAA Security Rule that touch your technology and translates them into a clear list of controls you can check off. For each one, it tells you in plain English what it means, why it matters for protected health information, and whether the work usually sits with your office or with your IT provider.
The Security Rule in plain words
Access control, audit logs, encryption, MFA, backup, and contingency planning, written so an office manager can follow them without a compliance degree.
Built for small practices
Made for the dental and medical offices that do not have a full IT team. Every item is something a 5- to 50-person practice can actually act on.
See who owns each control
A simple you-versus-your-IT-provider column so nothing falls through the cracks, and you know what to ask your vendor for.
Covers the often-missed pieces
Business associate agreements, risk assessment cadence, workforce training, and device and media controls all get their own line, not a footnote.
What is inside the checklist
- Access control: unique logins, role-based access, and automatic log-off
- Audit logs and monitoring: who touched what, and when
- Encryption at rest and in transit for devices, email, and backups
- Multi-factor authentication on email, remote access, and your practice management system
- Backup and a tested contingency plan so you can keep seeing patients during an outage
- Business associate agreements with every vendor that touches PHI
- A documented risk assessment and how often to revisit it
- Workforce training and sanction policies
- Device and media controls, including how you wipe or dispose of old hardware
- A “who owns this” column for every item, so you and your IT provider stay aligned
A checklist is a starting point, not a verdict
Want to understand whether HIPAA even applies to you?
Before you work through the controls, it helps to know what you are actually on the hook for. Our guide on whether HIPAA applies to your small practice walks through the basics in plain English, and our compliance hub covers HIPAA alongside the other rules small businesses run into.
How it works
Tell us where to send it
Fill in the short form. It asks just enough for us to know who we are helping and to tailor any follow-up, if you want one.
Check your inbox
We email your copy right away, and the download is yours to keep. No expiring trial, no login.
Put it to work
Use it on your own, or ask us for a second set of eyes. No pressure either way.
We do not sell your information
You get the file and an email copy for later. That is it. No third-party sharing, ever.
Real local humans built this
Vicinity is a genuinely local IT provider with people in Alaska and Hawaii who support real healthcare practices.
A working tool, not legal advice
The checklist helps you organize the conversation with your team and counsel. It is a starting point, not a substitute for professional advice.