
HIPAA IT Compliance Checklist for Connecticut Dental and Medical Practices

By Sarthak Agarwal·Published February 11, 2026·Updated March 12, 2026

Why HIPAA Compliance Is an IT Problem First

For Connecticut dental offices, medical practices, and specialty clinics, HIPAA is often thought of as a paperwork exercise — signed forms, notice of privacy practices, staff training binders. But the most consequential and expensive HIPAA violations almost always have an IT root cause: an unencrypted laptop stolen from a parking lot, a ransomware attack on an unsecured server, a cloud storage bucket misconfigured to allow public access.


The HHS Office for Civil Rights (OCR) can assess civil penalties of up to $50,000 per violation, with an annual cap of $1.5 million per violation category (both figures are adjusted upward for inflation each year), and the majority of large settlements in recent years trace back to technical failures rather than administrative oversights. A 2024 HHS OCR report found that hacking and IT incidents now account for over 70% of all large HIPAA breaches reported to OCR annually. Connecticut practices are not immune — Hartford County healthcare providers have appeared in HHS breach notification data in recent years.

This checklist is designed for Connecticut dental practices, primary care offices, specialty clinics, and any HIPAA-covered entity with 5 to 50 employees. It translates HIPAA's technical, physical, and administrative safeguard requirements into concrete IT actions.

Sarthak's Take: The practices I see get into the most trouble with HIPAA are the ones that handled compliance once five years ago and never revisited it — the threat landscape changed, they added new software, and nobody updated the risk analysis. HIPAA compliance is a continuous process, not a one-time project.

Section 1: Administrative Safeguards

1. Conduct a Current HIPAA Security Risk Analysis

The Security Risk Analysis (SRA) is the single most-cited deficiency in OCR enforcement actions. It is not optional. Every covered entity must conduct a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI).

  • [ ] Identify all systems and applications that create, receive, maintain, or transmit ePHI (EHR, practice management software, email, billing, imaging systems)
  • [ ] Document threats, vulnerabilities, and likelihood of harm for each system
  • [ ] Document current safeguards and residual risk
  • [ ] Update the SRA whenever you add new technology, change workflows, or experience a breach

2. Designate a HIPAA Security Officer

  • [ ] Assign a specific person (can be the practice owner or office manager) as the HIPAA Security Officer
  • [ ] Document this designation in writing
  • [ ] Ensure this person has working knowledge of your IT environment or works closely with your IT provider

3. Employee Training Program

HIPAA requires workforce training on security policies and procedures. OCR expects documented, recurring training — not a one-time orientation packet.

  • [ ] Train all staff on HIPAA Security Rule requirements at hire and annually thereafter
  • [ ] Train staff to recognize phishing emails (the leading vector for healthcare breaches)
  • [ ] Document all training with dates, attendees, and content covered
  • [ ] Conduct simulated phishing tests to measure and improve staff awareness

4. Business Associate Agreements (BAAs)

Any vendor that handles ePHI on your behalf is a Business Associate and must sign a BAA before accessing your data. Common Connecticut practice vendors requiring BAAs include EHR vendors, cloud storage providers, IT support companies, billing services, and transcription services.

  • [ ] Inventory all vendors with access to ePHI
  • [ ] Confirm a signed BAA exists for each
  • [ ] Review BAAs annually for accuracy and update when vendor services change

Section 2: Technical Safeguards

5. Access Controls and Unique User IDs

  • [ ] Every staff member must have a unique login — no shared accounts
  • [ ] Implement role-based access: clinical staff access patient records; billing staff access billing; no blanket admin access
  • [ ] Use Active Directory or a comparable identity management system to centrally manage user accounts
  • [ ] Immediately revoke access when an employee leaves the practice
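The four access-control items above boil down to one recurring task: compare who has an account with who actually works here and what they do. The script below is an added example, not from the original post or any identity vendor. It reconciles a user export (the columns mirror what Get-ADUser or a Microsoft 365 user export gives you, but every account, name, date and group is constructed) against an HR roster, and flags enabled accounts for departed staff, generic shared logins, accounts idle past a threshold, and privileged group membership for non-IT roles. The roster, role names, hint words and 90-day threshold are assumptions to adjust for your practice.

```python
"""Reconcile an identity export against the HR roster for an access review.

Added example, not from the original post. The CSV mirrors the columns you
would pull from Get-ADUser or a Microsoft 365 user export, but every account,
name, date and group here is constructed, and the roster and thresholds are
assumptions.
"""
import csv
import io
from datetime import date

ACCOUNT_EXPORT = """username,display_name,enabled,last_logon,groups
jsmith,Jane Smith,True,2026-03-10,Clinical
rkhan,Rafi Khan,True,2026-03-11,Billing;Domain Admins
tlee,Tom Lee,True,2025-12-01,Clinical
frontdesk,Front Desk,True,2026-03-11,Clinical;Billing
mgarcia,Maria Garcia,False,2025-11-02,Billing
"""

# Who HR says is employed today, with their role (assumption). tlee has departed.
HR_ROSTER = {"jsmith": "Clinical", "rkhan": "Billing", "mgarcia": "Billing"}
SHARED_ACCOUNT_HINTS = ("frontdesk", "reception", "hygiene", "admin", "office", "scanner")
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
STALE_DAYS = 90
AS_OF = date(2026, 3, 12)   # review date (assumption)


def parse_accounts(text: str) -> list[dict]:
    """Turn the CSV export into rows with typed enabled/last_logon/groups fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        row["enabled"] = row["enabled"] == "True"
        row["last_logon"] = date.fromisoformat(row["last_logon"])
        row["groups"] = set(row["groups"].split(";"))
        accounts.append(row)
    return accounts


def review_accounts(accounts, roster=HR_ROSTER, as_of=AS_OF):
    """Return (rule, username, detail) tuples; disabled accounts are skipped."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        user = acct["username"]
        idle_days = (as_of - acct["last_logon"]).days
        # A generic login is not a person, so it is reported as shared rather than
        # checked against the roster.
        if any(hint in user.lower() for hint in SHARED_ACCOUNT_HINTS):
            findings.append(("shared_account", user, "generic login; HIPAA requires a unique ID per person"))
        elif user not in roster:
            findings.append(("departed_but_enabled", user, "enabled account with no active employee behind it"))
        if idle_days > STALE_DAYS:
            findings.append(("stale_account", user, f"no logon in {idle_days} days"))
        privileged = acct["groups"] & PRIVILEGED_GROUPS
        if privileged and roster.get(user) != "IT":
            findings.append(("excess_privilege", user,
                             f"{', '.join(sorted(privileged))} but role is {roster.get(user, 'unknown')}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review_accounts(parse_accounts(ACCOUNT_EXPORT)):
        print(f"{rule:21} {user:10} {detail}")
```

Run it against a real export monthly and file the output with the SRA: an empty result is the evidence OCR wants that access is reviewed, and a non-empty one is your offboarding to-do list.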

6. Multi-Factor Authentication (MFA)

MFA is now a de facto HIPAA expectation. OCR's recent guidance and enforcement actions make clear that single-factor authentication for systems containing ePHI is inadequate given current threat conditions.

  • [ ] Enable MFA on all email accounts (Microsoft 365 or Google Workspace)
  • [ ] Enable MFA on your EHR if the platform supports it (Epic, Dentrix, Eaglesoft, Athenahealth, etc.)
  • [ ] Enable MFA on VPN connections and remote desktop access
  • [ ] Enable MFA on any cloud storage used for ePHI

7. Encryption — Data at Rest and In Transit

  • [ ] Enable full-disk encryption (BitLocker for Windows, FileVault for Mac) on all workstations and laptops
  • [ ] Encrypt any portable media (USB drives, external hard drives) containing ePHI
  • [ ] Confirm your EHR and practice management software encrypt data at rest
  • [ ] Use encrypted email for sending any ePHI to patients, referring physicians, or insurers (Microsoft Purview Message Encryption or equivalent)
  • [ ] Ensure all data transmitted over networks uses TLS 1.2 or higher

8. Email Security

Email is the most common breach entry point for Connecticut healthcare practices. According to the Verizon 2024 Data Breach Investigations Report, 68% of breaches involve a human element, and phishing via email remains the top initial access method.

  • [ ] Implement email filtering (Microsoft Defender for Office 365 or equivalent) to block phishing and malware
  • [ ] Configure SPF, DKIM, and DMARC records for your domain to reduce spoofing
  • [ ] Enable encrypted email for outbound messages containing ePHI
  • [ ] Block automatic forwarding of email to external addresses
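Publishing SPF and DMARC is not the same as publishing records that actually stop spoofing: an SPF record ending in "?all" or a DMARC policy of "p=none" is a common leftover from an initial setup that was never tightened. The grader below is an added example, not from the original post or any vendor. It takes the TXT values you get back from a DNS lookup and reports what is weak about them; the two sample domains and their records are constructed. DKIM is not graded because its public keys live under per-selector names that have to be read out of message headers first.

```python
"""Grade a domain's SPF and DMARC records for spoofing resistance.

Added example, not from the original post. The TXT values are constructed
samples; in practice paste in the output of a lookup such as
`nslookup -type=TXT _dmarc.yourpractice.com`. DKIM is not graded here because
its keys live under per-selector names that have to be pulled from mail headers.
"""
import re

# Terms whose evaluation costs a DNS lookup. RFC 7208 allows at most 10 per
# evaluation; this static count ignores lookups hidden inside included records,
# so a real record can be worse than the number reported here.
_LOOKUP_TERM = re.compile(r"^(include:|exists:|redirect=|ptr|a(?=[:/]|$)|mx(?=[:/]|$))")


def grade_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means it passed every check."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    terminal = terms[-1].lower()
    if terminal in ("+all", "all"):
        findings.append("'+all' authorizes every sender on the internet: spoofing is not prevented")
    elif terminal == "?all":
        findings.append("'?all' is neutral, so receivers treat unlisted senders as unknown rather than failing them")
    elif terminal not in ("-all", "~all"):
        findings.append("record does not end in '-all' or '~all'")
    lookups = sum(1 for t in terms[1:] if _LOOKUP_TERM.match(t.lower().lstrip("+-~?")))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10; receivers return permerror and ignore the record")
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lowercased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record; an empty list means it passed every check."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail that fails SPF/DKIM is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid 'p' tag (must be none, quarantine or reject)")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only {pct}% of failing messages")
    if "rua" not in tags:
        findings.append("no 'rua' tag: you are not receiving aggregate reports, so you cannot see who is spoofing you")
    return findings


def grade_domain(spf: str, dmarc: str) -> dict[str, list[str]]:
    """Grade both records for one domain."""
    return {"spf": grade_spf(spf), "dmarc": grade_dmarc(dmarc)}


# Constructed records: a 'set it up once and forgot' state beside a hardened one.
SAMPLE_RECORDS = {
    "weak": {
        "spf": "v=spf1 include:spf.protection.outlook.com include:_spf.example-ehr.test ?all",
        "dmarc": "v=DMARC1; p=none; pct=50",
    },
    "hardened": {
        "spf": "v=spf1 include:spf.protection.outlook.com include:_spf.example-ehr.test -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example-dental.test; pct=100",
    },
}

if __name__ == "__main__":
    for label, recs in SAMPLE_RECORDS.items():
        print(f"== {label} ==")
        for kind, findings in grade_domain(recs["spf"], recs["dmarc"]).items():
            print(f"  {kind}: " + ("OK" if not findings else "; ".join(findings)))
```

The grader accepts "~all" as a pass because many practices need a softfail period while they discover every system that sends on their behalf (EHR reminders, billing, the scanner); the goal is to reach "-all" and "p=reject" once the aggregate reports show no legitimate senders failing.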

9. Endpoint Detection and Response (EDR)

  • [ ] Deploy enterprise-grade EDR on all workstations and servers (Microsoft Defender for Business, CrowdStrike, SentinelOne)
  • [ ] Ensure antivirus definitions update automatically at least daily
  • [ ] Enable real-time threat monitoring with alerting to your IT team or MSP
  • [ ] Run regular vulnerability scans across all endpoints

10. Patch Management

  • [ ] Apply critical security patches within 30 days of release (ideally within 14 days)
  • [ ] Maintain an inventory of all hardware and software versions in use
  • [ ] Eliminate or isolate end-of-life operating systems (Windows 10 reached end of support on October 14, 2025; any remaining Windows 10 machines need to be upgraded, enrolled in Extended Security Updates, or isolated from ePHI)
  • [ ] Include EHR and practice management software in your patch tracking

Section 3: Physical Safeguards

11. Workstation and Device Controls

  • [ ] Position screens so patient data is not visible to other patients (waiting room, front desk)
  • [ ] Enable automatic screen lock after 5–10 minutes of inactivity on all devices
  • [ ] Maintain a hardware inventory of all devices that access ePHI
  • [ ] Use cable locks or secure mounting for workstations in semi-public areas

12. Server Room and Network Equipment Security

  • [ ] Lock server rooms and network equipment closets — access should be restricted to IT staff
  • [ ] Document who has physical access to servers and network gear
  • [ ] Install a UPS (uninterruptible power supply) to protect servers from power events

Section 4: Backup and Disaster Recovery

13. HIPAA-Compliant Backup

HIPAA requires covered entities to have a contingency plan, which includes data backup and disaster recovery procedures. Healthcare practices in Connecticut have experienced ransomware attacks that encrypted patient records — backups are the critical recovery mechanism.

  • [ ] Follow the 3-2-1 backup rule: 3 copies of data, on 2 different media types, with 1 copy offsite (or in cloud storage from a provider that has signed a BAA)
  • [ ] Back up EHR data, practice management data, imaging data, and email daily at minimum
  • [ ] Ensure backup provider has signed a BAA
  • [ ] Test restore procedures quarterly — a backup you have never tested is not a real backup
  • [ ] Store at least one backup copy that is offline or immutable (cannot be encrypted by ransomware)
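"A backup you have never tested is not a real backup" has a concrete form: at backup time, record a SHA-256 digest of every file, and at restore-test time compare the restored tree against that manifest. The script below is an added example, not from the original post or any backup vendor's tooling. It builds the manifest, then verifies both a clean restore and a deliberately bad one (one imaging file truncated, one export missing, one stray file); the files, paths and contents are constructed in a temporary directory so it runs offline.

```python
"""Verify a test restore against a SHA-256 manifest recorded at backup time.

Added example, not from the original post or any backup vendor's tooling.
The source files, restored files and paths are constructed in a temporary
directory so the script runs offline; in a real restore test the manifest
comes from the backup job and `restored_root` is the folder you restored into.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large imaging files never load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict[str, list[str]]:
    """Report files the restore lost, corrupted, or added relative to the manifest."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(k for k in manifest if k not in restored),
        "modified": sorted(k for k in manifest if k in restored and restored[k] != manifest[k]),
        "unexpected": sorted(k for k in restored if k not in manifest),
    }


def _write(root: Path, files: dict[str, bytes]) -> None:
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


# Constructed sample data set: an EHR database, one radiograph, one schedule export.
SOURCE_FILES = {
    "ehr.db": b"constructed EHR database contents",
    "imaging/pano-2026-03.dcm": b"constructed DICOM bytes " * 1000,
    "pm/schedule.csv": b"date,patient,provider\n2026-03-12,P1001,Dr. A\n",
}


def demo() -> dict[str, dict[str, list[str]]]:
    """Back up, write the manifest, then verify a clean restore and a bad one."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "source")
        _write(source, SOURCE_FILES)
        manifest_path = Path(tmp, "manifest.json")
        manifest_path.write_text(json.dumps(build_manifest(source), indent=2))
        manifest = json.loads(manifest_path.read_text())   # what a restore test reads back

        # Clean restore: byte-identical copy of every file.
        clean = Path(tmp, "restore-clean")
        _write(clean, SOURCE_FILES)

        # Bad restore: the radiograph is truncated, the schedule never came back,
        # and a stray file appeared. The backup console can still report this job
        # as 'successful'.
        bad = Path(tmp, "restore-bad")
        _write(bad, {
            "ehr.db": SOURCE_FILES["ehr.db"],
            "imaging/pano-2026-03.dcm": SOURCE_FILES["imaging/pano-2026-03.dcm"][:512],
            "thumbs.db": b"stray",
        })
        return {"clean": verify_restore(manifest, clean), "bad": verify_restore(manifest, bad)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest with the offline or immutable copy, not only on the production server: if ransomware alters files before the next backup runs, a manifest that predates the infection is also how you tell which copy is still clean.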

Section 5: Audit Controls and Documentation

14. Audit Logging

  • [ ] Enable audit logging in your EHR to record who accessed, modified, or deleted patient records
  • [ ] Enable Windows Security Event Logging on servers and workstations
  • [ ] Retain audit logs for at least 6 years. HIPAA's 6-year retention rule formally covers policies, procedures, and other required documentation rather than the logs themselves, but OCR expects logs to be available to support an investigation, so applying the same period to logs is the safe default
  • [ ] Review audit logs periodically for anomalous access patterns
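"Review audit logs periodically for anomalous access patterns" is the item most practices leave undone because nobody says what anomalous means. The script below is an added example, not from the original post or any EHR vendor. It runs three checks a small practice can actually sustain over a constructed EHR audit export: access by an account that is no longer on the active staff list, access outside business hours or on weekends, and a user touching more distinct patient records in a day than their role should need. The CSV columns, business hours, staff list and volume threshold are assumptions to adapt to your EHR's export format and roles.

```python
"""Flag anomalous access in an EHR audit log export.

Added example, not from the original post or any EHR vendor. The log below is
a constructed CSV; the column names, business hours, active-staff list and
volume threshold are assumptions to adapt to your own EHR's export and roles.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, time

SAMPLE_LOG = """timestamp,user,action,patient_id
2026-03-02T08:15:00,jsmith,VIEW,P1001
2026-03-02T08:20:00,jsmith,VIEW,P1002
2026-03-02T23:40:00,jsmith,VIEW,P1003
2026-03-02T09:05:00,rkhan,VIEW,P1001
2026-03-02T09:06:00,rkhan,VIEW,P1004
2026-03-02T10:00:00,rkhan,VIEW,P1005
2026-03-02T10:01:00,rkhan,VIEW,P1006
2026-03-02T10:02:00,rkhan,VIEW,P1007
2026-03-02T11:30:00,tlee,EXPORT,P1001
2026-03-07T14:00:00,jsmith,VIEW,P1008
"""

ACTIVE_STAFF = {"jsmith", "rkhan"}            # tlee left the practice (assumption)
BUSINESS_HOURS = (time(7, 0), time(19, 0))    # Mon-Fri; any weekend access is flagged
MAX_DISTINCT_PATIENTS_PER_DAY = 4             # set low so the sample trips it; tune per role


def parse_log(text: str) -> list[dict]:
    """Parse the CSV export and attach a datetime to each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review(rows, active_staff=ACTIVE_STAFF, max_patients=MAX_DISTINCT_PATIENTS_PER_DAY):
    """Return (rule, user, detail) tuples for each anomaly found."""
    findings = []
    per_user_day = defaultdict(set)
    for r in rows:
        ts, user = r["ts"], r["user"]
        what = f"{r['action']} {r['patient_id']} at {r['timestamp']}"
        # Any activity from an account that should have been disabled is a finding,
        # regardless of what it touched.
        if user not in active_staff:
            findings.append(("inactive_account", user, what))
        off_hours = not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1])
        if ts.weekday() >= 5 or off_hours:
            findings.append(("after_hours", user, what))
        per_user_day[(user, ts.date())].add(r["patient_id"])
    # Volume is judged on distinct patients per user per day, not raw row count,
    # so repeated views of one chart during a visit do not trip it.
    for (user, day), patients in sorted(per_user_day.items()):
        if len(patients) > max_patients:
            findings.append(("high_volume", user, f"{len(patients)} distinct patients on {day}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{rule:17} {user:8} {detail}")
```

Every finding needs a documented disposition (a provider catching up on charts at night is legitimate; a front-desk login exporting records at night is not), and that written follow-up is what turns "we have logging enabled" into the audit-control evidence OCR asks for.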

15. Incident Response and Breach Notification

  • [ ] Document a written incident response plan covering breach detection, containment, investigation, and notification
  • [ ] Understand HHS OCR's breach notification timeline: individual notice without unreasonable delay and no later than 60 days after discovery; for breaches affecting fewer than 500 individuals, report to OCR within 60 days after the end of the calendar year in which the breach was discovered
  • [ ] For breaches affecting 500 or more individuals, notify OCR at the same time as the individuals; if more than 500 residents of Connecticut (or any single state) are affected, also notify prominent media serving that area
  • [ ] Test your incident response plan annually with a tabletop exercise

OCR Audit Readiness

OCR conducts both reactive investigations (in response to breach reports) and proactive audits. The most important thing you can do to prepare for an OCR audit is document everything. OCR expects to see written policies and procedures, completed risk analyses, training records, BAAs, and evidence that security controls are actually implemented and operating.

Keep a HIPAA compliance binder (physical or digital) that includes your current SRA, written security policies, BAAs with all vendors, training records with dates and attendees, and documentation of any past incidents and your response.

Frequently Asked Questions

Does HIPAA require us to use a specific EHR software?

No. HIPAA does not mandate specific products. It requires that whatever technology you use implements appropriate technical safeguards. Evaluate your EHR's encryption, access controls, audit logging, and BAA availability as part of your compliance program.

Are patient emails covered by HIPAA?

Yes. Any email containing Protected Health Information (PHI) — including appointment reminders with health context, lab results, or billing information — must be transmitted securely. Standard unencrypted email does not meet HIPAA requirements for transmitting ePHI.

What happens if we have a ransomware attack and patient data is encrypted but not confirmed stolen?

Under OCR guidance, ransomware attacks are presumed to constitute a breach of unsecured PHI unless you can demonstrate a low probability that PHI was compromised. You should engage your IT provider immediately, document your investigation, and consult legal counsel about notification obligations.

How often should we update our HIPAA risk analysis?

At minimum, annually and whenever you make significant changes to your environment — adding a new EHR module, moving to cloud storage, onboarding a new billing vendor, or expanding to a new location.

Sentium Tech provides HIPAA-aligned IT support for Connecticut dental and medical practices, including security risk analysis, encryption deployment, backup solutions with signed BAAs, and ongoing security monitoring. Schedule a free IT assessment to review your current HIPAA posture and identify gaps before they become OCR findings.


Sarthak Agarwal

President, Sentium Tech

Sarthak leads Sentium Tech, a West Hartford–based managed IT and cybersecurity provider serving Hartford County businesses since 1998. He specializes in IT strategy, proactive managed services, and cybersecurity for small and mid-sized businesses across Connecticut.