HIPAA IT Compliance Checklist for Medical Practices in Maryland & Virginia
January 8, 2026 · 7 min read · Metro Point IT Services
HIPAA compliance starts with your IT infrastructure. For medical practices, dental offices, and clinics throughout Maryland and Virginia, ensuring your technology meets HIPAA Security Rule requirements is not optional — it's a legal obligation backed by fines of up to $1.9 million per violation category per year.
Technical Safeguards Checklist
- Encryption at rest and in transit — All devices storing PHI must encrypt data. All data transmitted (email, file sharing, EHR access) must use TLS 1.2 or higher.
- Access controls and unique user IDs — Every staff member must have a unique login. Shared passwords are a HIPAA violation. Role-based access limits who can view what records.
- Automatic logoff — Workstations must lock automatically after a period of inactivity (typically 10-15 minutes).
- Audit logs — Systems must log who accessed PHI, when, and what they did. Logs must be retained and reviewable.
- Multi-factor authentication — Required for remote access and any cloud systems storing PHI, including Microsoft 365.
- Backup and disaster recovery — Encrypted backups with tested restoration procedures. Backup media must also be encrypted.
Administrative Safeguards Checklist
- Annual Security Risk Assessment documented and on file
- Written security policies and procedures
- Staff security awareness training (documented annually)
- Business Associate Agreements with all technology vendors
- Incident response plan for breach detection and notification
Need a HIPAA Security Risk Assessment?
Metro Point IT performs full HIPAA assessments for medical practices in Maryland and Virginia.
Schedule Free AssessmentWho Does HIPAA Apply To?
HIPAA applies to two categories of organizations: Covered Entities (healthcare providers that transmit health information electronically, health plans, and healthcare clearinghouses) and Business Associates (any vendor or service provider that creates, receives, maintains, or transmits Protected Health Information on behalf of a Covered Entity). For the purposes of this checklist, we're focused on medical practices, dental offices, physical therapy clinics, and other healthcare providers in Maryland and Virginia.
If your practice uses electronic health records (EHR), processes insurance claims electronically, uses cloud-based practice management software, communicates with patients via email or text, or stores any patient information digitally — HIPAA applies to your IT systems and the IT vendors you work with.
Business Associate Agreements (BAAs)
Every IT vendor who accesses, stores, or processes patient data on your behalf must sign a Business Associate Agreement. This includes your managed IT provider, EHR vendor, cloud backup provider, email provider (Microsoft or Google must sign a BAA for HIPAA use), and any other technology service that touches patient data. If a vendor refuses to sign a BAA, you cannot legally use their service for systems containing PHI.
Technical Safeguard Checklist
The HIPAA Security Rule requires covered entities to implement reasonable and appropriate technical safeguards to protect electronic PHI. Here's the practical checklist:
- ☐ Access Controls: Unique user IDs for every employee accessing PHI systems. Shared logins are a HIPAA violation. Password complexity requirements enforced technically (not just in policy)
- ☐ Automatic Logoff: Workstations and EHR sessions must automatically log off after a period of inactivity (typically 15-20 minutes)
- ☐ Encryption at Rest: Hard drive encryption (BitLocker for Windows, FileVault for Mac) on all workstations and laptops. A lost or stolen encrypted laptop does not constitute a HIPAA breach
- ☐ Encryption in Transit: TLS encryption for all email containing PHI, web-based systems must use HTTPS. Never email patient information from an unencrypted provider
- ☐ Audit Controls: System activity logs for all access to EHR and systems containing PHI. Logs must be retained and reviewed regularly
- ☐ Multi-Factor Authentication: MFA on all EHR systems, Microsoft 365/email, and remote access (VPN). Not strictly required by HIPAA text but considered a best practice and increasingly required by cyber insurers
- ☐ Endpoint Protection: Antivirus/EDR on all workstations and servers. Signatures current, alerts monitored
- ☐ Patch Management: All workstations, servers, and network equipment kept current with security patches
- ☐ Backup and Recovery: Daily encrypted backups of all systems containing PHI with tested restore procedures documented
Physical Safeguard Checklist
Physical safeguards are often overlooked but are explicitly required by HIPAA:
- ☐ Workstation Security: Workstations accessing PHI must be positioned to prevent unauthorized viewing (patient-facing screens turned away from waiting areas)
- ☐ Server/Networking Equipment: Servers and network equipment secured in locked rooms or cabinets with access limited to authorized personnel
- ☐ Visitor Control: Procedure for escorting visitors in areas where PHI may be visible
- ☐ Device Disposal: Documented procedure for secure disposal of hard drives and devices that contained PHI (DOD-standard wiping or physical destruction)
- ☐ Mobile Device Policy: Policy covering personal devices (BYOD) that access PHI — must include remote wipe capability and encryption requirements
Administrative Safeguard Checklist
Administrative safeguards are the policies, procedures, and training requirements:
- ☐ Security Officer: Designated HIPAA Security Officer responsible for security policy — required for all covered entities regardless of size
- ☐ Workforce Training: Annual HIPAA training for all staff with access to PHI, documented with employee sign-off
- ☐ Risk Analysis: Documented risk analysis identifying threats to PHI — required and frequently cited in enforcement actions as missing
- ☐ Risk Management Plan: Written policies addressing identified risks, reviewed and updated annually
- ☐ Sanctions Policy: Written policy on consequences for workforce members who violate HIPAA policies
- ☐ Incident Response Procedure: Written procedure for identifying, responding to, and documenting security incidents and potential breaches
Maryland and Virginia-Specific Considerations
In addition to federal HIPAA requirements, Maryland and Virginia have state-specific laws that interact with HIPAA:
Maryland: The Maryland Personal Information Protection Act (MPIPA) has breach notification requirements that in some cases are stricter than HIPAA's. Maryland also has specific protections for mental health records that go beyond HIPAA's requirements.
Virginia: Virginia's Consumer Data Protection Act (CDPA) creates additional rights for patients regarding their data and requires covered businesses to conduct data protection impact assessments for high-risk processing activities. Virginia also has specific regulations for mental health and substance abuse records.
Free HIPAA IT Assessment
Metro Point IT provides free HIPAA IT assessments for medical practices in Maryland and Virginia. We review your technical, physical, and administrative safeguards and provide a written report identifying gaps. There's no obligation — we give honest findings regardless of whether you become a client. Call (443) 741-0823 to schedule.
Related Articles
Written by
Metro Point IT Editorial Team
CompTIA A+ & Network+ Certified | Microsoft 365 Solutions Expert | DMV IT Specialists
The Metro Point IT team consists of certified IT professionals with hands-on experience supporting businesses across Maryland, Virginia, and Washington DC. Our technicians hold CompTIA, Microsoft, and compliance-specific certifications.