HIPAA Security Rule Checklist for Ohio Healthcare Organizations
The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic Protected Health Information (ePHI). For Ohio medical practices, dental offices, behavioral health providers, and their vendors, HIPAA compliance is not a point-in-time audit — it is a continuous program. This checklist covers the key requirements OCR auditors examine and the technical controls your IT partner must maintain.
Administrative Safeguards Checklist
- Security Officer designated — named individual responsible for HIPAA security program
- Risk analysis completed — documented assessment of threats to ePHI confidentiality, integrity, and availability
- Risk management plan — documented program to reduce risks identified in the analysis
- Workforce training — documented HIPAA security training for all staff with access to ePHI
- Access management policy — written procedures for granting, modifying, and revoking access to ePHI systems
- Incident response procedures — written plan for identifying, responding to, and reporting security incidents
- Business Associate Agreements (BAAs) — executed with all vendors who access ePHI on your behalf
Technical Safeguards Checklist
- Unique user identification — every user who accesses ePHI systems has a unique identifier (no shared accounts)
- Automatic logoff — sessions terminate after defined periods of inactivity
- Encryption in transit and at rest — ePHI encrypted using AES-256 in storage and TLS 1.2+ in transmission
- Audit controls — all access to ePHI systems logged and reviewable
- Multi-factor authentication — required for all remote access and recommended for all ePHI system access
- Backup and disaster recovery — tested, documented, and capable of restoring ePHI within defined recovery time objectives
- Patch management — all systems with access to ePHI on a documented, enforced patching schedule
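Two of the technical safeguards above, unique user identification and automatic logoff, can be verified from the access logs that the audit-controls item requires you to keep. The script below is an added example, not part of this checklist or any vendor's tooling: it reviews constructed ePHI access-log lines, flags one account logged in on two workstations at once (the signature of a shared login), and flags sessions that stayed open past the inactivity limit without a logoff. The log format, the 15-minute limit, and the user and workstation names are all assumptions made for the example.

```python
"""Review ePHI access logs against two HIPAA technical safeguards:
unique user identification (no shared accounts) and automatic logoff.

Assumptions (not taken from the checklist): the log format below is constructed
for this example, the inactivity limit is 15 minutes, every interaction with
the ePHI system is logged, and a session runs from a user's login to logout on
one workstation.
"""
from collections import defaultdict
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)  # assumed automatic-logoff policy value

# Constructed sample log: timestamp (UTC), event, user, workstation.
SAMPLE_LOG = """\
2024-03-04T08:00:00Z,login,jsmith,WS-RECEP-01
2024-03-04T08:05:00Z,access,jsmith,WS-RECEP-01
2024-03-04T08:06:00Z,logout,jsmith,WS-RECEP-01
2024-03-04T09:00:00Z,login,frontdesk,WS-RECEP-02
2024-03-04T09:02:00Z,access,frontdesk,WS-RECEP-02
2024-03-04T09:10:00Z,login,frontdesk,WS-EXAM-03
2024-03-04T09:11:00Z,access,frontdesk,WS-EXAM-03
2024-03-04T09:12:00Z,logout,frontdesk,WS-EXAM-03
2024-03-04T10:30:00Z,logout,frontdesk,WS-RECEP-02
2024-03-04T11:00:00Z,login,dlee,WS-EXAM-01
2024-03-04T11:01:00Z,access,dlee,WS-EXAM-01
2024-03-04T11:10:00Z,access,dlee,WS-EXAM-01
2024-03-04T11:11:00Z,logout,dlee,WS-EXAM-01
"""


def parse_log(text):
    """Parse CSV log lines into (timestamp, event, user, workstation) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ws = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, user, ws))
    events.sort(key=lambda e: e[0])
    return events


def build_sessions(events):
    """Group events into (user, workstation, [events]) sessions, login to logout."""
    open_sessions = {}  # (user, workstation) -> events seen so far
    sessions = []
    for ev in events:
        _, kind, user, ws = ev
        key = (user, ws)
        if kind == "login":
            open_sessions[key] = [ev]
        elif key in open_sessions:
            open_sessions[key].append(ev)
            if kind == "logout":
                sessions.append((user, ws, open_sessions.pop(key)))
    # A session that never logged out is still a session and still gets checked.
    for (user, ws), evs in open_sessions.items():
        sessions.append((user, ws, evs))
    return sessions


def find_concurrent_logins(sessions):
    """Unique user identification: one account active on two workstations at the
    same time is a strong indicator that the login is shared between staff."""
    findings = []
    by_user = defaultdict(list)
    for user, ws, evs in sessions:
        start = evs[0][0]
        end = evs[-1][0] if evs[-1][1] == "logout" else None  # None = still open
        by_user[user].append((start, end, ws))
    for user, spans in by_user.items():
        spans.sort(key=lambda s: s[0])
        for i in range(len(spans)):
            for j in range(i + 1, len(spans)):
                s1, e1, w1 = spans[i]
                s2, _, w2 = spans[j]
                if w1 != w2 and (e1 is None or s2 < e1):
                    findings.append((user, w1, w2, s2))
    return findings


def find_idle_timeout_violations(sessions, timeout=IDLE_TIMEOUT):
    """Automatic logoff: a gap between consecutive events in one session longer
    than the timeout means the session outlived the inactivity limit."""
    findings = []
    for user, ws, evs in sessions:
        for prev, cur in zip(evs, evs[1:]):
            gap = cur[0] - prev[0]
            if gap > timeout:
                findings.append((user, ws, prev[0], gap))
    return findings


def review(log_text, timeout=IDLE_TIMEOUT):
    """Run both checks and return readable findings for the compliance file."""
    sessions = build_sessions(parse_log(log_text))
    report = {"shared_account": [], "auto_logoff": []}
    for user, w1, w2, at in find_concurrent_logins(sessions):
        report["shared_account"].append(
            f"{user} logged in on {w1} and {w2} at the same time ({at:%H:%M}Z)")
    for user, ws, since, gap in find_idle_timeout_violations(sessions, timeout):
        minutes = int(gap.total_seconds() // 60)
        report["auto_logoff"].append(
            f"{user} on {ws} idle {minutes} min after {since:%H:%M}Z without logoff")
    return report


if __name__ == "__main__":
    for check, lines in review(SAMPLE_LOG).items():
        print(check, "->", lines or "no findings")
```

In the constructed log, `frontdesk` is the generic account a reviewer should catch on both counts: it is logged in on two workstations at 09:10, and its reception session sits idle for 88 minutes before the logout, so the inactivity timer either was not set or was not enforced on that workstation. The idle-gap check assumes the access log is the activity record; if the application only logs some interactions, raise the threshold or corroborate with workstation lock events before writing a finding.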
Physical Safeguards Checklist
- Facility access controls — documented procedures for authorizing physical access to systems containing ePHI
- Workstation security — all workstations with ePHI access in physically secure locations with clear-screen policies
- Device and media controls — documented procedures for handling portable devices and media containing ePHI, including remote wipe capability
What OCR Auditors Look For in Ohio Healthcare Organizations
OCR investigations following a breach typically focus first on whether a formal, documented risk analysis was completed — and whether your security controls reflected its findings. The most common finding in Ohio healthcare breach investigations is absence of a documented risk analysis, or a risk analysis that is years old and does not reflect the current environment.
Key fact: A HIPAA fine of $100,000–$1.9 million per violation category can result from a single breach. Ohio Safe Harbor provides an affirmative legal defense, but only if you maintained a recognized security framework before the incident.
Frequently Asked Questions
- What is the difference between HIPAA Privacy Rule and Security Rule?
- The HIPAA Privacy Rule governs the use and disclosure of all Protected Health Information (PHI) in any form. The HIPAA Security Rule specifically governs electronic PHI (ePHI) and requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect it.
- Does a dental practice need to comply with HIPAA?
- Yes. Dental practices are covered entities under HIPAA because they create, receive, and transmit PHI. All administrative, physical, and technical safeguards of the HIPAA Security Rule apply, including risk analysis, encryption, access controls, audit logging, and Business Associate Agreements with vendors.
- How often must a HIPAA risk analysis be updated?
- HIPAA requires risk analyses to be conducted and updated regularly — at a minimum, annually, and whenever significant operational or environmental changes occur. OCR investigators have cited outdated risk analyses (those more than 12–18 months old) as evidence of non-compliance.
- What is a Business Associate Agreement and when is it required?
- A Business Associate Agreement (BAA) is a written contract required when a covered entity shares ePHI with a vendor or contractor (business associate) who creates, receives, maintains, or transmits ePHI on the covered entity's behalf. This includes IT providers, cloud storage vendors, billing services, and any other company that touches ePHI.
Ready to Protect Your Business?
Start with a free 47-point security and network assessment — no obligation, no upsell.
Book a Free Strategy Call → 📞 (330) 906-8888