Map PHI and ePHI
Identify where patient information lives across EHR systems, dental software, email, shared folders, backups, scanners, billing platforms, and vendor portals.
Free HIPAA compliance checklist
Use this practical checklist to review administrative safeguards, technical safeguards, physical safeguards, evidence, vendors, backups, access control, and recurring HIPAA security readiness for healthcare and dental practices.
A HIPAA checklist is useful only when it becomes assigned work, evidence, remediation, and recurring review. Use this sequence to move from PHI discovery to defensible security controls.
Identify where patient information lives across EHR systems, dental software, email, shared folders, backups, scanners, billing platforms, and vendor portals.
Name accountable owners for administrative, technical, and physical safeguards so access, training, evidence, and remediation have clear responsibility.
Review MFA, role-based access, audit logs, encryption, endpoint protection, backups, secure disposal, workstation controls, and facility access.
Organize policies, risk analysis notes, training records, BAAs, screenshots, access reviews, incident procedures, and remediation decisions.
Prioritize exposed remote access, shared accounts, missing MFA, unmanaged devices, weak backup recovery, and unclear breach response steps.
Repeat the checklist after staff changes, software changes, vendor changes, security incidents, audit requests, and major Microsoft 365 or endpoint updates.
This checklist is for initial guidance only and does not replace a professional cybersecurity audit, HIPAA compliance assessment, penetration test, or legal/compliance review.
The checklist should connect HIPAA Security Rule concepts to the systems and workflows that actually touch PHI in the practice.
Confirm risk analysis, security management, assigned responsibilities, workforce training, access authorization, sanctions, vendor oversight, incident response, and contingency planning.
Review unique user IDs, MFA where available, access control, audit logs, encryption decisions, secure transmission, endpoint protection, and remote access controls.
Check facility access, workstation placement, screen privacy, device inventory, equipment disposal, backup media protection, and server/network equipment access.
Validate Business Associate Agreements, vendor access paths, support accounts, backup vendors, cloud services, billing partners, shredding providers, and incident notice expectations.
HIPAA readiness improves when the practice can show what was reviewed, who owns each safeguard, what risks were found, and what was fixed.
Ali Hassani brings 25+ years of IT, cybersecurity, compliance, infrastructure, Microsoft 365, Azure, network security, and audit-readiness experience to help healthcare and dental organizations turn HIPAA checklist findings into practical security improvements.
After using the checklist, continue with a more complete HIPAA security review, safeguards matrix, or guided readiness conversation.
Use the HIPAA Security Readiness Assessment to turn checklist answers into a practical readiness score and priority list.
Use the HIPAA Security Rule Safeguards Matrix when you need a more detailed administrative, physical, and technical control view.
For cloud and identity risk, review Microsoft 365 Security Audit Services and Azure Cloud Security Audit Services.
For a guided review, use Request a HIPAA Readiness Review.
No. A checklist is a useful starting point, but HIPAA readiness also requires risk analysis, evidence, assigned ownership, remediation, training, vendor review, and recurring validation.
Start with PHI/ePHI locations, user access, MFA, backups, audit logs, endpoint protection, vendor access, Business Associate Agreements, and incident response procedures.
No private consultant can remove a covered entity's legal responsibility. OC Security Audit can help assess readiness, document risks, improve safeguards, and prepare evidence for a stronger compliance posture.