Make sure your healthcare office is protecting patient data the right way — even if you're not tech-savvy.

Published by Noman on Apr 7th 2025

This checklist is for everyone who works in a healthcare setting, even those who do not work with patients directly.


Healthcare organizations must comply with the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA is an act that outlines the compliance expectations for the protection of health information, including transmission and management.

Healthcare organizations must comply with the Health Information Technology for Economic and Clinical Health (HITECH) Act.

HITECH builds on HIPAA: it adds updated legislation that broadens the scope of health information security and protection requirements.

Asset & Data Management

Do you maintain a complete list of all devices and systems that store, process, or send electronic protected health information (ePHI)?

Do you train all employees, even non-clinical staff, on how to properly use systems that handle ePHI?

Is your data encrypted when stored and when sent between systems or apps?

Are you using secure communication tools to send health data (email, apps, messages)?

Network & Cybersecurity Measures

Do you have an IT person or vendor securing your network devices (e.g. routers, computers) with proper firewalls, antivirus, and encryption?

Are access controls in place so only the right people can view or change patient information?

Are regular security assessments performed to check for weaknesses?

Do you follow the HIPAA Security Rule for securing electronic protected health information (ePHI)?

Data Disposal & Media Handling

Are you following NIST SP 800-88 guidelines for wiping and disposing of old computers, hard drives, USBs, and other storage devices?

Is all patient data removed securely before equipment is recycled or thrown away?

Do you track where electronic devices go, and who is responsible for them?

Audit Trails & Monitoring

Do you keep logs of who accesses patient data and what they do with it?

Are those audit records retained for the time required by your organization's policy and applicable laws?

Can you detect if ePHI has been changed or tampered with during transmission?

Incident Response & Breach Readiness

Do you know where to find your data breach notification procedures?

Is there a process for identifying, reporting, and responding to security incidents?

Are team members supervised or authorized to access patient data based on their job roles?

Access Control & User Management

Does every user have a unique username or ID for logging in to systems with patient information?

Are policies in place to manage user access, and remove it when staff leave or change roles?

Are software systems set up to limit access only to people who need it for their job?

Removable Media & Device Movement

Do you have rules in place for USB drives, CDs, or external hard drives used to store or move patient data?

Do you document the movement of any devices or hardware that contains patient information inside and outside the office?

Why This Checklist Matters

This isn’t just about following rules — it’s about protecting your patients and your practice. HIPAA and HITECH are serious laws, and violations can lead to fines, lawsuits, and loss of trust.

Use this as a quarterly self-check, and consider printing it for your compliance binder or sharing it with your office manager and IT provider.

We know how hard it can be in the current landscape, with an increasing audit burden on small offices.

If you're in need of some help in the NY/NJ area, please click here to see how SnoLabs can help.
