The HIPAA Compliance Checklist Every LA Medical Practice Needs in 2024
By CompBrix Team · April 3, 2024 · 7 min read
HIPAA compliance isn't optional for any healthcare provider handling Protected Health Information (PHI). But it's often treated as a paperwork exercise — policies documented, boxes checked, and then largely forgotten until an audit or a breach forces the issue.
In 2023, HHS OCR settled 22 HIPAA cases for a combined $7.2 million in penalties. The majority involved relatively straightforward failures that a properly managed IT setup would have prevented. Here's what Los Angeles medical practices need to have in place.
Administrative safeguards
- Designated Security Officer responsible for HIPAA compliance
- Written policies and procedures for data access, breach response, and workforce training
- Annual security risk analysis and risk management plan
- Business Associate Agreements (BAAs) with every vendor that touches PHI — your EHR vendor, billing company, IT provider, cloud storage, email provider
- Documented workforce training — date, content, and who attended
- Sanctions policy for workforce members who violate policies
Technical safeguards
- Unique user IDs for every person accessing systems with PHI — no shared passwords
- Automatic logoff after a period of inactivity on all workstations
- Encryption of PHI at rest on all devices — laptops, tablets, phones, servers
- Encryption of PHI in transit — encrypted email, encrypted connections to EHR
- Audit logs showing who accessed what PHI and when
- Emergency access procedures for critical systems
- Multi-Factor Authentication on email and remote access tools
Physical safeguards
- Facility access controls — who can enter areas where PHI is stored or accessed
- Workstation use policies — screens positioned away from patient view
- Device and media controls — policy for disposing of old devices (wiped, not just deleted)
The items most practices miss
Based on common audit findings, the gaps we see most often are:
- Missing BAAs with cloud vendors: Google Workspace, Dropbox, and DocuSign all require a signed BAA before they can be used with PHI.
- Unencrypted devices: a lost laptop holding unencrypted PHI is an automatic reportable breach.
- Outdated risk assessments: the Security Rule requires a current, accurate assessment, not one from 2019.
If your practice hasn't had a formal HIPAA risk analysis in the past 12 months, that's where to start.