Skip to main content Skip to main content
(443) 741-0823 Free Quote
Compliance

HIPAA IT Compliance Checklist for Medical Practices in Maryland & Virginia

January 8, 2026 · 7 min read · Metro Point IT Services

HIPAA compliance starts with your IT infrastructure. For medical practices, dental offices, and clinics throughout Maryland and Virginia, ensuring your technology meets HIPAA Security Rule requirements is not optional — it's a legal obligation backed by fines of up to $1.9 million per violation category per year.

Technical Safeguards Checklist

  • Encryption at rest and in transit — All devices storing PHI must encrypt data. All data transmitted (email, file sharing, EHR access) must use TLS 1.2 or higher.
  • Access controls and unique user IDs — Every staff member must have a unique login. Shared passwords are a HIPAA violation. Role-based access limits who can view what records.
  • Automatic logoff — Workstations must lock automatically after a period of inactivity (typically 10-15 minutes).
  • Audit logs — Systems must log who accessed PHI, when, and what they did. Logs must be retained and reviewable.
  • Multi-factor authentication — Required for remote access and any cloud systems storing PHI, including Microsoft 365.
  • Backup and disaster recovery — Encrypted backups with tested restoration procedures. Backup media must also be encrypted.

Administrative Safeguards Checklist

  • Annual Security Risk Assessment documented and on file
  • Written security policies and procedures
  • Staff security awareness training (documented annually)
  • Business Associate Agreements with all technology vendors
  • Incident response plan for breach detection and notification

Need a HIPAA Security Risk Assessment?

Metro Point IT performs full HIPAA assessments for medical practices in Maryland and Virginia.

Schedule Free Assessment

Who Does HIPAA Apply To?

HIPAA applies to two categories of organizations: Covered Entities (healthcare providers that transmit health information electronically, health plans, and healthcare clearinghouses) and Business Associates (any vendor or service provider that creates, receives, maintains, or transmits Protected Health Information on behalf of a Covered Entity). For the purposes of this checklist, we're focused on medical practices, dental offices, physical therapy clinics, and other healthcare providers in Maryland and Virginia.

If your practice uses electronic health records (EHR), processes insurance claims electronically, uses cloud-based practice management software, communicates with patients via email or text, or stores any patient information digitally — HIPAA applies to your IT systems and the IT vendors you work with.

Business Associate Agreements (BAAs)

Every IT vendor who accesses, stores, or processes patient data on your behalf must sign a Business Associate Agreement. This includes your managed IT provider, EHR vendor, cloud backup provider, email provider (Microsoft or Google must sign a BAA for HIPAA use), and any other technology service that touches patient data. If a vendor refuses to sign a BAA, you cannot legally use their service for systems containing PHI.

$10.9M

average cost of a healthcare data breach (IBM, 2023)

$100–$50K

HIPAA penalty range per violation

60 days

notification deadline for breaches affecting 500+ patients

80%

of breaches involve external attackers — not just insider threats

Technical Safeguard Checklist

The HIPAA Security Rule requires covered entities to implement reasonable and appropriate technical safeguards to protect electronic PHI. Here's the practical checklist:

Physical Safeguard Checklist

Physical safeguards are often overlooked but are explicitly required by HIPAA:

Administrative Safeguard Checklist

Administrative safeguards are the policies, procedures, and training requirements:

Maryland and Virginia-Specific Considerations

In addition to federal HIPAA requirements, Maryland and Virginia have state-specific laws that interact with HIPAA:

Maryland: The Maryland Personal Information Protection Act (MPIPA) has breach notification requirements that in some cases are stricter than HIPAA's. Maryland also has specific protections for mental health records that go beyond HIPAA's requirements.

Virginia: Virginia's Consumer Data Protection Act (CDPA) creates additional rights for patients regarding their data and requires covered businesses to conduct data protection impact assessments for high-risk processing activities. Virginia also has specific regulations for mental health and substance abuse records.

Free HIPAA IT Assessment

Metro Point IT provides free HIPAA IT assessments for medical practices in Maryland and Virginia. We review your technical, physical, and administrative safeguards and provide a written report identifying gaps. There's no obligation — we give honest findings regardless of whether you become a client. Call (443) 741-0823 to schedule.

Related Articles

Industry

Healthcare IT Services — HIPAA Compliance for Maryland & Virginia

Security

5 Cybersecurity Habits Every DC-Area Business Needs

Services

Cybersecurity Services for DMV Businesses

Written by

Metro Point IT Editorial Team

CompTIA A+ & Network+ Certified  |  Microsoft 365 Solutions Expert  |  DMV IT Specialists

The Metro Point IT team consists of certified IT professionals with hands-on experience supporting businesses across Maryland, Virginia, and Washington DC. Our technicians hold CompTIA, Microsoft, and compliance-specific certifications.

Explore More

Our IT Services

Industries We Serve

Service Areas