Securafy Knowledge Base

HIPAA Security Rule Checklist for Ohio Healthcare Organizations

The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic Protected Health Information (ePHI). For Ohio medical practices, dental offices, behavioral health providers, and their vendors, HIPAA compliance is not a point-in-time audit — it is a continuous program. This checklist covers the key requirements OCR auditors examine and the technical controls your IT partner must maintain.

Administrative Safeguards Checklist

Security Officer designated — named individual responsible for HIPAA security program
Risk analysis completed — documented assessment of threats to ePHI confidentiality, integrity, and availability
Risk management plan — documented program to reduce risks identified in the analysis
Workforce training — documented HIPAA security training for all staff with access to ePHI
Access management policy — written procedures for granting, modifying, and revoking access to ePHI systems
Incident response procedures — written plan for identifying, responding to, and reporting security incidents
Business Associate Agreements (BAAs) — executed with all vendors who access ePHI on your behalf

Technical Safeguards Checklist

Unique user identification — every user who accesses ePHI systems has a unique identifier (no shared accounts)
Automatic logoff — sessions terminate after defined periods of inactivity
Encryption in transit and at rest — ePHI encrypted using AES-256 in storage and TLS 1.2+ in transmission
Audit controls — all access to ePHI systems logged and reviewable
Multi-factor authentication — required for all remote access and recommended for all ePHI system access
Backup and disaster recovery — tested, documented, and capable of restoring ePHI within defined recovery time objectives
Patch management — all systems with access to ePHI on a documented, enforced patching schedule

Physical Safeguards Checklist

Facility access controls — documented procedures for authorizing physical access to systems containing ePHI
Workstation security — all workstations with ePHI access in physically secure locations with clear-screen policies
Device and media controls — documented procedures for handling portable devices and media containing ePHI, including remote wipe capability

What Ohio OCR Auditors Look For

OCR investigations following a breach typically focus first on whether a formal, documented risk analysis was completed — and whether your security controls reflected its findings. The most common finding in Ohio healthcare breach investigations is absence of a documented risk analysis, or a risk analysis that is years old and does not reflect the current environment.

Key fact: A HIPAA fine of $100,000–$1.9 million per violation category can result from a single breach. Ohio Safe Harbor provides an affirmative legal defense, but only if you maintained a recognized security framework before the incident.

Frequently Asked Questions

What is the difference between HIPAA Privacy Rule and Security Rule?

The HIPAA Privacy Rule governs the use and disclosure of all Protected Health Information (PHI) in any form. The HIPAA Security Rule specifically governs electronic PHI (ePHI) and requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect it.

Does a dental practice need to comply with HIPAA?

Yes. Dental practices are covered entities under HIPAA because they create, receive, and transmit PHI. All administrative, physical, and technical safeguards of the HIPAA Security Rule apply, including risk analysis, encryption, access controls, audit logging, and Business Associate Agreements with vendors.

How often must a HIPAA risk analysis be updated?

HIPAA requires risk analyses to be conducted and updated regularly — at a minimum, annually, and whenever significant operational or environmental changes occur. OCR investigators have cited outdated risk analyses (those more than 12–18 months old) as evidence of non-compliance.

What is a Business Associate Agreement and when is it required?

A Business Associate Agreement (BAA) is a written contract required when a covered entity shares ePHI with a vendor or contractor (business associate) who creates, receives, maintains, or transmits ePHI on the covered entity's behalf. This includes IT providers, cloud storage vendors, billing services, and any other company that touches ePHI.

HIPAA Security Rule Checklist for Ohio Healthcare Organizations

Administrative Safeguards Checklist

Technical Safeguards Checklist

Physical Safeguards Checklist

What Ohio OCR Auditors Look For

Frequently Asked Questions

What is the difference between HIPAA Privacy Rule and Security Rule?

Does a dental practice need to comply with HIPAA?

How often must a HIPAA risk analysis be updated?

What is a Business Associate Agreement and when is it required?

Ready to Protect Your Business?