Whether you're a single-chair office in Ellicott City or a four-operatory practice off Columbia Gateway, the HIPAA expectations for your technology are the same. Here are the ten things you should be able to answer "yes" to today. If you can't, none of them are hard to fix — but all of them are expensive to ignore.

The ten-point check

  1. You have a current, documented Security Risk Analysis. Performed or reviewed in the last year, not filed away in 2019. It's the foundation everything else sits on.
  2. Every workstation and laptop is encrypted. BitLocker on Windows, FileVault on Mac. If a front-desk PC or a doctor's laptop walks out the door, encryption is the difference between "a lost device" and "a reportable breach."
  3. Multi-factor authentication is on everything that matters. Email, your practice-management cloud login, remote access, your Microsoft 365 or Google Workspace. A stolen password alone shouldn't open your patient data.
  4. Backups are offsite, encrypted, and actually tested. A backup you've never restored from is a guess. Ransomware's whole business model is betting your backup doesn't work.
  5. Workstations and servers are patched on a schedule. Not "when someone gets around to it." Most breaches exploit vulnerabilities that were patched months earlier.
  6. You're running real endpoint protection, monitored centrally. Built-in antivirus that nobody watches isn't a security program. Someone should see the alert.
  7. Staff have had HIPAA security-awareness training in the last 12 months. Your team is the most-targeted part of your network. One click on a convincing invoice is all it takes.
  8. You have a signed Business Associate Agreement with every vendor that touches patient data — including your IT provider. (More on that here.)
  9. Old patient data and old devices are disposed of properly. The hard drive in a retired computer or copier can still hold ePHI. "Threw it in the dumpster" has triggered six-figure settlements.
  10. You have a written incident-response and breach-notification plan. When something goes wrong at 8:55 a.m. with a full schedule, you want a plan, not a panic.
  11. Access is role-based, and it's removed the day someone leaves. The hygienist who quit in March should not still have a login in June.
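As an added example, not part of the article or any vendor's toolkit: a short PowerShell self-audit a practice can run on a Windows workstation to get a quick read on items 2, 5 and 11 of the list above. It assumes an elevated session with the built-in BitLocker and LocalAccounts modules available; the 30-day patch and 90-day logon thresholds are my own illustrative choices, not figures HIPAA prescribes.

```powershell
# Added example (not from the original article). Run as Administrator on a
# Windows workstation. Thresholds below are assumptions for illustration.
$PatchAgeLimitDays = 30   # assumed: a machine with no update in 30+ days is overdue
$StaleLogonDays    = 90   # assumed: an enabled account unused for 90+ days is stale
$findings = New-Object System.Collections.Generic.List[string]

# Item 2: every OS and data volume should be fully encrypted with protection on.
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeType -in 'OperatingSystem', 'Data') {
        if ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings.Add("Drive $($vol.MountPoint): BitLocker $($vol.VolumeStatus), protection $($vol.ProtectionStatus)")
        }
    }
}

# Item 5: when was the most recent Windows update actually installed?
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest) {
    $findings.Add("Patching: no installed updates recorded on this machine")
} elseif (((Get-Date) - $latest.InstalledOn).Days -gt $PatchAgeLimitDays) {
    $findings.Add("Patching: last update $($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString())")
}

# Item 11: enabled local accounts that nobody has used recently (or ever).
$cutoff = (Get-Date).AddDays(-$StaleLogonDays)
foreach ($user in Get-LocalUser | Where-Object { $_.Enabled }) {
    if (-not $user.LastLogon -or $user.LastLogon -lt $cutoff) {
        $last = if ($user.LastLogon) { $user.LastLogon.ToShortDateString() } else { 'never' }
        $findings.Add("Account '$($user.Name)' is enabled; last logon: $last")
    }
}

# Report: one line per finding, non-zero exit code so a scheduled task can flag it.
if ($findings.Count -eq 0) {
    Write-Output "No findings for items 2, 5 and 11 on $env:COMPUTERNAME."
    exit 0
}
Write-Output "Findings on $env:COMPUTERNAME ($($findings.Count)):"
$findings | ForEach-Object { Write-Output " - $_" }
exit 1
```

This only checks the one machine it runs on; for a practice with several workstations the same script can be run by a scheduled task on each and the exit code or output collected centrally, which is the "someone should see the alert" point of item 6.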

Why "my nephew handles the computers" doesn't clear the bar

None of the items above are exotic. The problem is that they're nobody's explicit job in most small practices — so they drift. The antivirus license lapses. The backup quietly fails for three months. The former employee's account lingers. A generalist who fixes printers when you call isn't watching any of this between calls.

HIPAA doesn't expect a five-person practice to run like a hospital. It expects you to know your risks and manage them — continuously, and on paper.

The local angle

Being in Howard County matters more than it sounds. When a server needs hands on it, a provider in Columbia can drive over — not dial a national help desk in another time zone and schedule a callback. Proximity is part of your continuity plan.

Want this as a one-pager? Our free 10-point HIPAA quick-check PDF is the same list in printable form — bring it to your next team meeting.