If your business touches protected health information (PHI), HIPAA’s Security Rule expects you to protect it with real technical safeguards. This isn’t legal advice — but it is a practical IT checklist we use with healthcare clients in and around Orlando’s healthcare community.
Access & identity
- Multi-factor authentication (MFA) on every account that can reach PHI.
- Unique logins per user — no shared accounts.
- Least-privilege access, reviewed when people join, move or leave.
- Automatic screen lock and device timeouts.
Encryption
- Full-disk encryption on laptops, desktops and mobile devices.
- Encryption of PHI in transit (email, file transfer) and at rest.
Backup & recovery
- Automated, encrypted backups of clinical and business systems.
- Tested recovery — a backup you’ve never restored is a guess.
- A documented recovery objective for critical systems.
Threat protection & monitoring
- Endpoint detection & response (EDR), not just basic antivirus.
- Advanced email security against phishing and business email compromise.
- Patch management to close known vulnerabilities quickly.
- Audit logging and monitoring of access to PHI.
Process & documentation
- A Business Associate Agreement (BAA) with vendors that handle PHI.
- Security awareness training for staff.
- Written policies and an incident-response plan.
- Documentation that evidences each safeguard for audits.
How we help: our managed plans implement these safeguards by default — MFA, encryption, Acronis backup and recovery, EDR, email security and the documentation to back them up — and we’ll sign a BAA where appropriate. See healthcare IT support.
Healthcare practice in Orlando or beyond? Book a free security review and we’ll map these controls to where you are today.