Jasco Technology

HIPAA Compliance Checklist: What Your IT Provider Should Be Doing

Not sure if your IT provider is keeping you HIPAA compliant? Use this checklist to evaluate the technical safeguards, access controls, encryption, and audit logging your IT partner should have in place.

If your business handles protected health information (PHI), HIPAA compliance isn't optional — it's the law. But here's what many healthcare and dental practices in Las Vegas don't realize: your IT provider plays a critical role in whether you're actually compliant or just think you are.

A surprising number of IT companies will say they "support HIPAA" without implementing the specific technical safeguards the regulation requires. This checklist will help you evaluate whether your current IT provider — or one you're considering — is truly keeping your practice compliant.

Understanding HIPAA's Technical Safeguard Requirements

HIPAA's Security Rule requires covered entities and their business associates to implement three categories of safeguards: administrative, physical, and technical. Your IT provider is primarily responsible for the technical safeguards, though they should support all three.

The technical safeguards aren't suggestions. They're required controls that must be documented, implemented, and regularly reviewed. Here's what your IT provider should be doing across each major area.

Access Controls

Access controls ensure that only authorized individuals can access electronic PHI (ePHI). Your IT provider should implement:

  • Unique user identification — Every person who accesses systems containing ePHI must have a unique login. No shared accounts, no generic "front desk" logins.
  • Role-based access control (RBAC) — Staff should only have access to the data they need for their specific job function. A billing coordinator doesn't need access to clinical imaging systems.
  • Automatic logoff — Workstations must lock after a defined period of inactivity (typically 5–15 minutes). This is especially important in clinical settings where computers are in shared spaces.
  • Multi-factor authentication (MFA) — While not explicitly required by the original HIPAA text, MFA is now considered a best practice and is increasingly expected by auditors and cyber insurance providers.
  • Emergency access procedures — There must be a documented process for accessing ePHI during an emergency when normal access methods are unavailable.

Red Flag

If your IT provider hasn't set up individual accounts for every staff member or hasn't implemented automatic screen locks on clinical workstations, your access controls have serious gaps.

Encryption

Encryption is one of the most important — and most frequently mishandled — aspects of HIPAA compliance.

  • Data at rest — All devices that store ePHI (servers, workstations, laptops, external drives) must use full-disk encryption. BitLocker for Windows and FileVault for Mac are standard solutions.
  • Data in transit — ePHI transmitted over networks must be encrypted. This includes email (TLS encryption), file transfers (SFTP or encrypted cloud storage), and remote access (VPN with AES-256 encryption).
  • Email encryption — Standard email is not HIPAA compliant. Your provider should implement encrypted email solutions for any messages containing patient information.
  • Mobile devices — If staff access email or patient data from smartphones or tablets, those devices need encryption and mobile device management (MDM) policies.

Why This Matters

Under HIPAA's Breach Notification Rule, if an encrypted device is lost or stolen, it's not considered a reportable breach, provided the decryption key was not compromised along with it. If an unencrypted device is lost, you're required to notify every affected patient, HHS, and potentially the media. Encryption is your best protection against breach notification requirements.

Audit Logging and Monitoring

HIPAA requires that you maintain logs of who accessed ePHI, when, and what they did with it. Your IT provider should have:

  • System audit logs — Logs tracking login attempts (successful and failed), file access, and changes to permissions on all systems containing ePHI.
  • Log retention — HIPAA requires policies and documentation to be retained for six years. Your audit logs should be stored securely for at least this duration.
  • Regular log review — Logs are useless if nobody looks at them. Your IT provider should review audit logs regularly — ideally using automated tools that flag suspicious activity like after-hours access or bulk data downloads.
  • Security Information and Event Management (SIEM) — For larger practices, a SIEM solution aggregates logs from multiple systems and uses correlation rules to detect potential security incidents in real time.
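The log review described above is easiest to judge when you can see it as code. The following Python script is an added example (not code from Jasco Technology or from the original article): it reads a small constructed audit log, with an assumed one-line-per-event format of timestamp, user, event type, patient record id and result, and flags the patterns the checklist names: after-hours record access, bulk record retrieval, repeated failed logins, and activity under a shared "front desk" style login. The business hours, thresholds and list of generic account names are assumptions to be tuned for a real practice.

```python
"""Review ePHI audit records and flag the patterns a HIPAA log review looks for.
Added example; the log format, thresholds and account names are assumed."""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Tunable review parameters (assumed values, not taken from the checklist).
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # record access outside this window is "after hours"
BULK_THRESHOLD = 5                           # distinct patient records touched by one user...
BULK_WINDOW = timedelta(minutes=10)          # ...inside this window counts as bulk access
FAILED_LOGIN_THRESHOLD = 3                   # consecutive failures before we flag the account
SHARED_ACCOUNT_NAMES = {"frontdesk", "reception", "admin"}   # generic logins the checklist forbids

# Constructed sample audit log (no real PHI). Fields: timestamp user event record result
SAMPLE_LOG = """\
2024-03-04T08:55:12 jsmith LOGIN - success
2024-03-04T09:02:40 jsmith VIEW_RECORD P1001 success
2024-03-04T09:03:05 jsmith VIEW_RECORD P1002 success
2024-03-04T11:17:50 frontdesk LOGIN - success
2024-03-04T11:18:02 frontdesk VIEW_RECORD P1003 success
2024-03-04T14:20:11 mlee LOGIN - failure
2024-03-04T14:20:30 mlee LOGIN - failure
2024-03-04T14:20:48 mlee LOGIN - failure
2024-03-04T14:21:10 mlee LOGIN - success
2024-03-04T23:41:09 bcoord LOGIN - success
2024-03-04T23:42:00 bcoord EXPORT_RECORD P1001 success
2024-03-04T23:42:07 bcoord EXPORT_RECORD P1002 success
2024-03-04T23:42:15 bcoord EXPORT_RECORD P1003 success
2024-03-04T23:42:21 bcoord EXPORT_RECORD P1004 success
2024-03-04T23:42:30 bcoord EXPORT_RECORD P1005 success
2024-03-04T23:42:38 bcoord EXPORT_RECORD P1006 success
"""


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts; '-' means no record involved."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, record, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "event": event,
                       "record": None if record == "-" else record, "result": result})
    return events


def after_hours_access(events):
    """Successful record access outside BUSINESS_HOURS (logins alone are not counted)."""
    start, end = BUSINESS_HOURS
    return [e for e in events
            if e["record"] and e["result"] == "success" and not (start <= e["ts"].time() < end)]


def bulk_access(events):
    """Users who touch >= BULK_THRESHOLD distinct records inside any BULK_WINDOW."""
    by_user = defaultdict(list)
    for e in events:
        if e["record"] and e["result"] == "success":
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):          # slide a window starting at each event
            window = [e for e in evs[i:] if e["ts"] - first["ts"] <= BULK_WINDOW]
            records = {e["record"] for e in window}
            if len(records) >= BULK_THRESHOLD:
                findings.append({"user": user, "start": first["ts"], "records": len(records)})
                break                             # one finding per user is enough for review
    return findings


def failed_login_bursts(events):
    """Accounts with >= FAILED_LOGIN_THRESHOLD consecutive failed logins (streak resets on success)."""
    streak = defaultdict(int)
    findings = []
    for e in events:
        if e["event"] != "LOGIN":
            continue
        if e["result"] == "failure":
            streak[e["user"]] += 1
            if streak[e["user"]] == FAILED_LOGIN_THRESHOLD:
                findings.append({"user": e["user"], "at": e["ts"], "failures": streak[e["user"]]})
        else:
            streak[e["user"]] = 0
    return findings


def shared_account_use(events):
    """Any activity under a generic login defeats the unique user identification requirement."""
    return sorted({e["user"] for e in events if e["user"] in SHARED_ACCOUNT_NAMES})


def review(text):
    """Run every check over one log batch and return the findings grouped by category."""
    events = parse_log(text)
    return {
        "after_hours": after_hours_access(events),
        "bulk_access": bulk_access(events),
        "failed_logins": failed_login_bursts(events),
        "shared_accounts": shared_account_use(events),
    }


if __name__ == "__main__":
    for category, findings in review(SAMPLE_LOG).items():
        print(f"{category}: {len(findings)} finding(s)")
        for finding in findings:
            print("   ", finding)
```

On the sample data the script flags the billing coordinator's six record exports at 23:42 both as after-hours access and as bulk retrieval, the three consecutive failed logins for mlee, and the generic frontdesk login. In practice a SIEM applies the same kind of correlation rules continuously; the point of the script is that each rule is a few lines once the log format is known, so "we don't review logs" is a process gap, not a tooling limitation.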

Risk Assessments

This is the single most important HIPAA requirement — and the one most commonly neglected.

  • Annual risk assessment — HIPAA requires covered entities to conduct a thorough risk assessment at least annually. This should identify vulnerabilities in your systems, evaluate the likelihood and impact of threats, and document the measures in place to mitigate each risk.
  • Remediation plans — Identifying risks isn't enough. You need a documented plan to address each identified vulnerability, with timelines and responsible parties.
  • Risk assessment documentation — The assessment itself must be documented and retained. If HHS investigates your practice, the first thing they'll ask for is your most recent risk assessment.

What a Proper Risk Assessment Covers

Your IT provider should evaluate:

  • Network security (firewalls, segmentation, wireless security)
  • Endpoint security (antivirus, EDR, patching)
  • Physical security (server room access, workstation placement)
  • Backup and disaster recovery
  • Vendor and third-party risk
  • Staff training and awareness
  • Incident response procedures

If your IT provider has never conducted or assisted with a formal risk assessment, they are not providing HIPAA-compliant IT support — regardless of what else they've implemented.

Business Associate Agreements (BAAs)

Any vendor that accesses, stores, transmits, or could reasonably come into contact with ePHI is a business associate under HIPAA. This includes your IT provider.

  • Your IT provider must sign a BAA — This agreement establishes their obligations for protecting ePHI and their liability in the event of a breach. If your IT company hasn't signed a BAA with your practice, you have a compliance gap right now.
  • Cloud vendor BAAs — Your IT provider should also ensure that all cloud services used in your environment (Microsoft 365, cloud backup providers, cloud-hosted practice management software) have appropriate BAAs in place.
  • Subcontractor agreements — If your IT provider uses subcontractors who may access your systems, those subcontractors also need BAAs.

Backup and Disaster Recovery

HIPAA requires a contingency plan that includes:

  • Data backup plan — Regular, automated backups of all ePHI with encryption.
  • Disaster recovery plan — Documented procedures for restoring access to ePHI after an emergency (hardware failure, ransomware, natural disaster).
  • Testing — Backup and recovery procedures must be tested regularly. A backup that has never been tested is not a backup — it's a hope.
  • Offsite/cloud storage — Backups should be stored in a geographically separate location to protect against local disasters.

Security Awareness Training

Your IT provider should facilitate:

  • Regular staff training — HIPAA requires workforce training on security policies and procedures. Best practice is quarterly training with annual refreshers.
  • Phishing simulations — Regular simulated phishing campaigns to test and reinforce email security awareness.
  • New hire training — Security training should be part of every new employee's onboarding process.
  • Documentation — Training completion must be documented and retained.

Questions to Ask Your IT Provider

Use these questions to evaluate whether your current IT provider is truly HIPAA-capable:

  1. Have you signed a Business Associate Agreement with our practice?
  2. When was our last formal risk assessment, and can I see the report?
  3. Are all workstations and laptops encrypted?
  4. How long do you retain our audit logs?
  5. How often do you test our backup and disaster recovery procedures?
  6. What happens if we experience a breach — do you have an incident response plan for our practice?
  7. Do you provide security awareness training for our staff?
  8. Are you using enterprise-grade security tools (EDR, email filtering, SIEM) or consumer-grade antivirus?

If your provider can't answer these questions clearly and confidently, it may be time to find a provider who specializes in HIPAA-compliant IT.

How Jasco Technology Handles HIPAA Compliance

At Jasco Technology, we've supported healthcare and dental practices across Las Vegas for over 11 years. HIPAA compliance isn't an add-on for us — it's built into our standard managed IT service for covered entities.

We conduct annual risk assessments, implement and manage encryption across all endpoints, maintain audit logs with proper retention, provide security awareness training, and sign BAAs with every healthcare client. Our partnerships with Microsoft, Dell, and Cisco ensure we're using enterprise-grade tools — not consumer shortcuts.

Ready to find out if your practice is truly HIPAA compliant? Contact Jasco Technology today for a free HIPAA readiness assessment. Call us at 702-850-4357 or email letstalk@jasconv.com — we'll identify gaps before an auditor does.
