Minimum HIPAA IT Compliance Checklist
for Businesses in Northern Virginia, DC & Maryland
The HIPAA IT Compliance Checklist
Risk Analysis (Your First and Most Critical Step)
- Document all systems handling ePHI
- Map data flows across your environment
- Identify threats, vulnerabilities, and controls
- Assign likelihood and impact ratings
- Update whenever your environment changes
Key Insight: HIPAA is risk-based — if you skip this step, nothing else matters.
Access Controls
- Unique user accounts (no shared logins)
- Role-based access to limit exposure
- Automatic session timeouts
- Multi-Factor Authentication (MFA) everywhere
- Immediate offboarding when employees leave
In DMV-based healthcare environments, poor access control is one of the leading causes of breaches.
Encryption Requirements
- Data in transit: TLS 1.2+ (HTTPS, secure email)
- Data at rest: AES-256 encryption
- Devices: Full disk encryption + MDM
- USB/Media: Encrypt or prohibit
- Email: Encrypted email solutions only
Unencrypted email is still one of the most common HIPAA violations in Virginia and DC.
Audit Logging
- Track who accessed what and when
- Log failed login attempts
- Monitor privilege changes
- Retain logs for at least 6 years
- Ensure logs cannot be altered or deleted
Endpoint Security
- Install antivirus / EDR on all systems
- Keep OS and applications patched
- Enable full disk encryption
- Enforce screen lock within 15 minutes
- Restrict personal device usage without MDM
Network Security
- Business-grade firewall with documented rules
- Network segmentation (separate ePHI systems)
- Secure Wi-Fi (no public access to ePHI)
- VPN required for remote access
- Disable unused ports/services
This is where many small businesses in Maryland and Northern Virginia fall short.
Backup & Disaster Recovery
- Automated encrypted backups
- Offsite or cloud storage
- Annual restore testing
- Defined RTO and RPO
- Business continuity plan
Vendor & Third-Party Management
- Business Associate Agreements (BAAs) required
- Applies to cloud, email, backup, IT providers
- Verify vendor security practices
- Review contracts regularly
Incident Response Plan
- Define what counts as a breach vs. a security incident
- 60-day notification rule starts at discovery
- Preserve forensic evidence
- Assign response roles (legal, reporting)
IT Staff Responsibilities
- Annual HIPAA training (documented)
- Background checks for sensitive roles
- Written sanctions policy
- Designated Security Officer
Priority Order for Businesses Starting from Scratch
- Risk Analysis
- MFA Everywhere
- Encryption
- Access Control & Offboarding
- Audit Logging
- Backups
- Vendor BAAs
- Policies & Training
Final Thoughts
HIPAA does not mandate specific technologies — it requires you to identify risks and implement reasonable safeguards. Your Risk Analysis is what proves compliance.
For businesses across Herndon, Reston, Fairfax, Arlington, Washington DC, and Maryland, implementing these controls correctly requires both technical expertise and regulatory understanding.
Need Help with HIPAA Compliance in the DMV?
DistrictConnects delivers cybersecurity-first HIPAA IT environments — from risk assessments to full implementation.
Connect. Secure. Empower.
Frequently Asked Questions
What Is the First Step in HIPAA IT Compliance?
The first step is a documented risk analysis identifying systems, threats, and vulnerabilities.
Is MFA Required for HIPAA?
While not explicitly mandated, MFA is considered a critical safeguard and strongly recommended.
Do All Vendors Need a BAA?
Yes, any vendor that accesses or processes ePHI must sign a Business Associate Agreement.