HIPAA Compliance Checklist for St. Louis Medical Practices

by Jon Lober | NOC Technology

Getting ready for a HIPAA Audit?

Your practice manager just got an email from HHS. There's a compliance audit scheduled for 90 days from now. Do you know where your Business Associate Agreements are? When was your last risk assessment? Who's your official Privacy Officer?


If those questions made your stomach drop, you're not alone. Most St. Louis medical practices we work with have the same reaction. HIPAA compliance feels overwhelming because it touches everything (technology, training, policies, vendors), and the civil penalties for getting it wrong start at $100 per violation and can reach $1.5 million per calendar year for repeated violations of the same provision (HHS adjusts these figures upward for inflation).


Here's the good news: HIPAA compliance is predictable. The core requirements have been stable for years, so you can work through them systematically.


The HIPAA Compliance Checklist

Our checklist breaks HIPAA into five sections. Work through each one, check off what you have, and flag what you're missing. For a comprehensive checklist (and for more satisfying check-offs!) download the free PDF version here.


Privacy Rule Compliance Checklist

The Privacy Rule controls how you use and share protected health information (PHI). It's about policies, patient rights, and who can access what.


Business Associate Agreements on File

  • IT provider
  • Billing company
  • EHR/EMR vendor
  • Transcription service
  • Answering service
  • Shredding company
  • Cloud storage providers


Patient Rights Documentation

  • Notice of Privacy Practices posted and available online
  • Written process for patients to request or amend records
  • Written process for accounting of disclosures
  • Authorization forms available for non-standard disclosures


Access Controls

Not everyone in your practice needs access to everything.

  • Role-based access defined
  • EHR access levels match job responsibilities
  • Terminated employee access revoked within 24 hours


Security Rule Compliance Checklist

The Security Rule focuses on electronic PHI (ePHI). This is where technology and IT practices matter most. Encryption deserves particular attention: ePHI encrypted in line with HHS guidance is not "unsecured PHI" under the Breach Notification Rule, so losing an encrypted laptop is generally not a reportable breach, while losing an unencrypted one is.


Technical Safeguards

  • All ePHI encrypted at rest
  • All ePHI encrypted in transit
  • Automatic logoff enabled on all workstations
  • Unique user IDs for every employee
  • Strong password policy enforced
  • Multi-factor authentication (MFA) enabled
  • Antivirus/endpoint protection on all devices
  • Firewall configured and monitored
  • Audit logs enabled for ePHI access, and reviewed on a documented schedule (the Security Rule requires information system activity review, not just log collection)


Backup and Recovery

  • Daily, encrypted backups of all ePHI systems, with periodic restore tests documented (an untested backup is an assumption, not a control)
  • Backups stored offsite or with a cloud provider that has signed a BAA (there is no "HIPAA-certified" cloud; the BAA and the provider's safeguards are what count)
  • Recovery time objective (RTO) documented
  • Recovery point objective (RPO) documented


Physical Security

  • Server room locked with restricted key/badge access
  • Workstations positioned to prevent screen visibility from public areas
  • Paper PHI secured in locked cabinets after hours
  • Visitor sign-in required for non-patient visitors
  • Security cameras covering entry points (with appropriate retention policies)
  • Mobile devices (laptops, tablets) encrypted and password-protected
  • Mobile device remote wipe capability enabled


Breach Notification Readiness Checklist

When (not if) something goes wrong, you need to respond fast. HHS requires that affected patients be notified without unreasonable delay and no later than 60 days after the breach is discovered. Breaches affecting 500 or more individuals must also be reported to HHS within that same window and announced to major media in the affected state; smaller breaches are logged and reported to HHS annually.


Incident Response Plan

  • Written incident response plan
  • Plan reviewed and updated annually
  • Incident response team identified
  • After-hours contact procedures documented


Notification Procedures

  • Patient notification letter template
  • HHS notification process
  • Media notification process
  • State Attorney General notification requirements (Missouri's breach statute applies alongside HIPAA and has its own thresholds and timelines)


Detection Capabilities

  • Network monitoring
  • Failed login attempt alerts
  • After-hours access alerts
  • Email security monitoring
  • Endpoint detection and response (EDR)
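The two alert items above ("failed login attempt alerts" and "after-hours access alerts") and the "audit logs enabled for ePHI access" item in the Technical Safeguards list only mean something if someone actually runs logic over the logs. The script below is an added example written for this article, not code from the page's author or from any EHR vendor: it triages a constructed, tab-separated audit log (the format, event names, practice hours and thresholds are all assumptions) and flags three things an auditor would expect a practice to catch: a burst of failed logins, a successful login right after such a burst, and chart access outside practice hours.

```python
"""Triage constructed EHR audit-log lines for alert conditions from the
checklist: failed-login bursts, a success following a burst, and
after-hours access to patient charts. Log format, event names, practice
hours and thresholds are assumptions for this example, not any particular
EHR vendor's format."""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample log (assumed tab-separated format):
# timestamp  user  event  result  patient_id ("-" when no patient is involved)
SAMPLE_LOG = """\
2026-03-02T08:15:10\tjsmith\tLOGIN\tOK\t-
2026-03-02T08:16:03\tjsmith\tVIEW_CHART\tOK\tP1001
2026-03-02T22:41:17\tjsmith\tVIEW_CHART\tOK\tP2044
2026-03-02T22:42:30\tjsmith\tVIEW_CHART\tOK\tP2045
2026-03-03T03:10:01\tbilling1\tLOGIN\tFAIL\t-
2026-03-03T03:10:05\tbilling1\tLOGIN\tFAIL\t-
2026-03-03T03:10:09\tbilling1\tLOGIN\tFAIL\t-
2026-03-03T03:10:14\tbilling1\tLOGIN\tFAIL\t-
2026-03-03T03:10:20\tbilling1\tLOGIN\tFAIL\t-
2026-03-03T03:10:31\tbilling1\tLOGIN\tOK\t-
2026-03-03T09:05:00\tdrlee\tLOGIN\tOK\t-
2026-03-03T09:05:40\tdrlee\tVIEW_CHART\tOK\tP1001
"""

# Assumed tuning values; a real practice sets these from its own hours and risk assessment.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
FAIL_THRESHOLD = 5                    # failures within FAIL_WINDOW that count as a burst
FAIL_WINDOW = timedelta(minutes=10)
PHI_EVENTS = {"VIEW_CHART", "PRINT_CHART", "EXPORT_CHART"}


def parse_log(text):
    """Parse tab-separated lines into dicts, sorted by timestamp; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result, patient = line.split("\t")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "result": result, "patient": patient})
    return sorted(events, key=lambda e: e["ts"])


def failed_login_bursts(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Return {user: peak_failures} for users with >= threshold LOGIN failures
    inside any sliding window of the given length."""
    failures = defaultdict(list)
    for e in events:                       # events are already time-ordered
        if e["event"] == "LOGIN" and e["result"] == "FAIL":
            failures[e["user"]].append(e["ts"])
    bursts = {}
    for user, stamps in failures.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1             # slide the window forward
            count = end - start + 1
            if count >= threshold:
                bursts[user] = max(bursts.get(user, 0), count)
    return bursts


def success_after_burst(events, bursts, window=FAIL_WINDOW):
    """Users whose burst of failures was followed by a successful login within
    the window: the pattern that most needs a human to confirm it was the real user."""
    flagged = []
    for user in bursts:
        last_fail = max(e["ts"] for e in events
                        if e["user"] == user and e["event"] == "LOGIN" and e["result"] == "FAIL")
        if any(e["user"] == user and e["event"] == "LOGIN" and e["result"] == "OK"
               and last_fail < e["ts"] <= last_fail + window for e in events):
            flagged.append(user)
    return flagged


def after_hours_phi_access(events, hours=BUSINESS_HOURS):
    """Chart accesses outside practice hours; each one should map to an on-call
    clinician or a documented reason."""
    start, end = hours
    return [e for e in events
            if e["event"] in PHI_EVENTS and not (start <= e["ts"].time() < end)]


def triage(text):
    """Run all checks over raw log text and return a summary dict."""
    events = parse_log(text)
    bursts = failed_login_bursts(events)
    return {
        "login_bursts": bursts,
        "suspicious_logins": success_after_burst(events, bursts),
        "after_hours": [(e["user"], e["ts"].isoformat(), e["patient"])
                        for e in after_hours_phi_access(events)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the constructed log, the script reports billing1 for five failures in under a minute followed by a success, and two late-night chart views by jsmith. The point for an audit is not the script itself but the record it produces: keep the flagged events, who reviewed them and what was concluded, because that review trail is the evidence that the "audit logs enabled" checkbox is real.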


Administrative Safeguards Checklist

Administrative safeguards are the policies, procedures, and people that hold everything together.


Risk Assessment

  • Formal risk assessment completed within past 12 months covering all ePHI
  • Identified risks documented with severity ratings
  • Remediation plan created for high-priority risks; progress tracked


Policies and Procedures

  • Written HIPAA policies exist and are accessible to staff, covering all requirements
  • Policies reviewed and updated annually
  • Policy changes communicated to all staff
  • Policy acknowledgment signed by all employees


Designated Roles

  • Privacy Officer designated by name
  • Security Officer designated (can be same person in small practices)
  • Backup contacts identified if primary officers are unavailable
  • Officers have completed HIPAA training specific to their role


Workforce Training

  • All employees complete HIPAA training (including email and physical security and practice-specific scenarios) at hire with annual refresher
  • Training completion documented and retained
  • Sanctions policy documented for HIPAA violations


Ongoing Compliance Checklist

Compliance isn't a one-time project. These items keep you current.


Annual Reviews

  • Risk assessments, BAA inventory, policies, training, etc. scheduled and updated annually


Staying Current

  • Monitor HHS guidance for updates
  • Track Missouri-specific requirements


Documentation Retention

  • HIPAA-related documents (including training records, incident reports, BAAs, policies and risk assessments) retained for at least 6 years from the date created or the date last in effect, whichever is later


What to Do Next

You now have a complete HIPAA compliance roadmap. Some items on this list are quick wins (posting your Notice of Privacy Practices, for example). Others take time and investment (implementing MFA across all systems, conducting a formal risk assessment).


Start with the Administrative Safeguards section this week. Make sure you have a designated Privacy Officer and Security Officer. Confirm your risk assessment is current. Those two items are what HHS auditors check first.


If you find gaps (and most practices do), prioritize based on risk. Missing encryption on a laptop that leaves the building is more urgent than updating your visitor log.


Need help identifying where your practice stands? NOC Technology works with medical practices across the St. Louis metro area.

Frequently Asked Questions

How often should we review this HIPAA compliance checklist?
Review the full checklist annually at minimum. The Security Rule requires the risk analysis to be reviewed and updated periodically rather than on a fixed calendar; annual is the accepted benchmark, and practices reporting under Medicare's Promoting Interoperability program attest to a security risk analysis every performance year. Most items on this list should be verified at least once a year. For high-risk areas (access controls, backup testing, training), quarterly reviews are better. Many St. Louis practices tie their HIPAA review to their fiscal year or their malpractice insurance renewal.
Which checklist items are most critical if we're starting from scratch?
Start with three things: designate a Privacy Officer and Security Officer, complete a formal risk assessment, and inventory your Business Associate Agreements. These are the first items HHS auditors request. After that, focus on encryption (laptops, email, backups) and workforce training. Everything else builds on this foundation.
Who should own HIPAA compliance - IT or administration?
Administration owns HIPAA compliance, not IT. The Privacy Officer and Security Officer should be practice leadership or a designated compliance manager. IT implements the technical controls, but the policies, training, and oversight belong to administration. In small practices, the office manager often serves as both Privacy and Security Officer with IT support.
What if we find gaps when we go through the checklist?
Finding gaps is the point. Document what you find, prioritize by risk level, and create a remediation timeline. HHS doesn't expect perfection, but it does expect documented efforts to identify and fix problems. A practice with known gaps and a remediation plan is in better shape than one that never looked. Address high-risk items (missing encryption, no risk assessment) first.
Does this checklist cover everything HHS requires?
This checklist covers the core requirements most medical practices need. It addresses Privacy Rule, Security Rule, and Breach Notification requirements. Specialty practices (behavioral health, research-involved, multi-state operations) may have additional requirements. Use this as your foundation and consult with a HIPAA compliance specialist if your practice has unique circumstances.
Should we hire external help to complete this checklist?
It depends on your internal resources. Many practices can work through administrative items internally but need IT support for technical controls and risk assessments. External help is valuable for the formal risk assessment, penetration testing, and implementing security controls. A managed IT provider with healthcare experience can handle most technical requirements while you focus on policies and training.
Is there a downloadable version of this checklist?
Download a PDF version of this checklist that you can print and use during your compliance review.
By Jon Lober March 18, 2026