HIPAA Compliance Checklist for Los Angeles Businesses
This HIPAA compliance checklist turns the federal Security Rule into plain action items an LA medical or dental practice can verify with its IT provider without a law degree.
We built it from the HHS Security Rule text, not a vendor brochure. Every item below is mapped to its source at the U.S. Department of Health and Human Services (HHS) so you can check the wording yourself.
It matters more here than the federal baseline suggests. California layers its own medical-privacy law, the Confidentiality of Medical Information Act (CMIA), on top of HIPAA. A Los Angeles practice answers to two rulebooks at once, plus a state breach-notice law.
Who this is for: small LA health care businesses (solo physicians, dental groups, therapy and behavioral-health practices, clinics, and billing companies) and the outside vendors that handle their data.
First: get a risk analysis
The Security Rule starts with one thing. HHS calls a written risk analysis the foundation of the entire rule (45 CFR 164.308(a)(1)(ii)(A)).
Federal regulators cite a missing or shallow risk analysis in enforcement actions more than almost any other failure. If your practice has none, start there before anything else on this page.
HHS and the Office of the National Coordinator publish a free assessment tool for small practices. Get the Security Risk Assessment Tool from HealthIT.gov.
The Security Rule checklist
The Security Rule sorts safeguards into three groups: administrative, physical, and technical. Each row pairs the requirement with a question you can put to your IT provider today.
One note on wording: HHS marks some items "required" and others "addressable." Addressable does not mean optional. You either implement it or document why an equal alternative works (HHS Security Rule summary).
Administrative safeguards (45 CFR 164.308)
| Requirement | Ask your provider | HHS rule |
|---|---|---|
| Run a written risk analysis and fix what it finds | "Show me the last risk analysis, its date, and the fix list." | 164.308(a)(1) |
| Name one person accountable for security | "Who is our named Security Official?" | 164.308(a)(2) |
| Give each user only the access they need; cut it fast when staff leave | "How fast is access revoked after someone is terminated?" | 164.308(a)(3)–(4) |
| Train staff on phishing, passwords, and safe handling | "Show me training records and the last phishing-test result." | 164.308(a)(5) |
| Keep a written plan for security incidents | "Show me the incident-response plan." | 164.308(a)(6) |
| Back up health data and test that it restores | "What is the date of the last successful restore test?" | 164.308(a)(7) |
Physical safeguards (45 CFR 164.310)
| Requirement | Ask your provider | HHS rule |
|---|---|---|
| Control who can physically reach servers and network gear | "Who can get into the server room or wiring closet?" | 164.310(a) |
| Lock screens and place workstations so records are out of view | "Do workstations auto-lock and sit out of public sight?" | 164.310(b)–(c) |
| Track, wipe, and safely dispose of drives, laptops, and phones | "Show me the device inventory and the wipe/disposal log." | 164.310(d) |
Technical safeguards (45 CFR 164.312)
| Requirement | Ask your provider | HHS rule |
|---|---|---|
| Give every user a unique login and automatic logoff | "Does each person have a unique ID, and do sessions time out?" | 164.312(a) |
| Log who opens health records, and review the logs | "Is access to records logged and actually reviewed?" | 164.312(b) |
| Protect records from improper change or deletion | "How are records protected from tampering?" | 164.312(c) |
| Verify identity before granting access | "Is multi-factor sign-in on for email and remote access?" | 164.312(d) |
| Encrypt health data in transit and on devices | "Are laptops, phones, and email encrypted?" | 164.312(e) |
Your IT provider must sign a BAA
Any IT company that can see or touch electronic health information is a business associate under HIPAA. It must sign a Business Associate Agreement (BAA) before it works on your systems (45 CFR 164.308(b) and 164.314(a); HHS business associate guidance).
The test is simple. A provider that will not sign a BAA cannot lawfully manage a covered practice's IT. We treat a refusal as disqualifying.
What Los Angeles practices also owe
The Security Rule is one piece. Three more sit next to it for an LA business:
- The HIPAA Privacy Rule governs how you use and share health information, and patients' rights to their own records (HHS).
- The HIPAA Breach Notification Rule sets who you must notify, and how fast, after a breach (HHS).
- The California CMIA, the state's medical-privacy law, adds duties on top of HIPAA and carries its own penalties (California Civil Code § 56 et seq.). California's data-breach law can apply on top of the federal one.
For a covered practice in LA, HIPAA is the floor, not the ceiling.
How to check a provider against this list
Bring the checklist to any shortlist call and ask for evidence, not assurances: the date of the last risk analysis, the last restore test, training records, and a signed BAA.
See our guide on how to choose a managed IT provider for the full question set, and the IT guide for LA healthcare and clinics for the practice-specific version.
Frequently asked
Does HIPAA apply to small businesses?
Yes. HIPAA has no small-business exemption, so a solo practice follows the same Security Rule as a hospital. If you are a covered health care provider, a health plan, or a business associate that handles electronic health information, your size does not change the obligation (HHS).
What are the 5 basic rules of HIPAA?
The five core rules are the Privacy Rule, the Security Rule, the Breach Notification Rule, the Enforcement Rule, and the Omnibus Rule. This checklist covers the Security Rule, the safeguards that protect electronic health information (HHS).
Sources
- HHS: HIPAA Security Rule
- HHS: Summary of the Security Rule (required vs. addressable)
- HHS: Business associate contracts
- HHS: Breach Notification Rule
- HealthIT.gov: Security Risk Assessment Tool
- California Civil Code § 56 et seq.: Confidentiality of Medical Information Act
Related
- Up: IT compliance for LA businesses
- SOC 2 for LA businesses
- CMMC for LA defense and aerospace
- IT for LA healthcare and clinics
- Compare LA managed IT providers, and confirm each can show the safeguards this checklist requires