TheNetworkGuy209 logo
Cybersecurity

HIPAA IT Checklist for Dental & Medical Offices in California

A practical HIPAA-aligned IT checklist for California dental and medical practices — the exact controls auditors look for.

The Network Guy 209
7 min read
July 6, 2026
Share

HIPAA is enforced — and California adds CMIA on top

California dental and medical practices have to satisfy HIPAA and the Confidentiality of Medical Information Act (CMIA). Fines are per-record, and OCR audits are up in 2025–2026.

The 15-point IT checklist

  1. Signed BAAs with every vendor that touches PHI (M365, Google, backup, MSP, imaging)
  2. Full-disk encryption on every workstation and laptop
  3. MFA on every clinical system and email account
  4. Automatic screen lock ≤ 10 minutes
  5. Unique named user accounts (no shared logins)
  6. Immediate offboarding checklist (24 hrs from termination)
  7. Encrypted email option (Virtru, M365 Message Encryption)
  8. Backups with quarterly restore tests
  9. Audit logs retained ≥ 6 years
  10. Network segmentation (clinical VLAN separate from guest / IoT)
  11. Patched practice-management software (Dentrix, Eaglesoft, Open Dental, Athena)
  12. EDR / endpoint security on every device
  13. Wi-Fi with WPA3 or WPA2-Enterprise
  14. Written Security Risk Analysis (SRA) updated annually
  15. Documented incident response plan

Common findings in California audits

  • Shared login for the front-desk PC
  • Unencrypted USB drives used for X-rays
  • BAAs missing with the cloud imaging vendor
  • No documented SRA in the past 12 months
  • Text messages containing patient names

Free HIPAA IT gap assessment

The Network Guy 209 supports dental and medical offices across Manteca, Stockton, Tracy, Modesto and Sacramento. We'll run a free HIPAA IT gap assessment against the OCR audit protocol.

Frequently Asked Questions

Do we need a BAA with our MSP?

Yes — any vendor that could access PHI needs a signed Business Associate Agreement, including your IT provider, cloud backup vendor, email host, and imaging software vendor.

How often is a Security Risk Analysis required?

HIPAA requires an SRA at least annually and after any major change to systems or workflows. California OCR audits routinely ask for the last three years.

Free IT Assessment

Need reliable IT support for your business?

The Network Guy 209 provides Managed IT Services, Cybersecurity, Cloud Solutions, Microsoft 365, Network Installation, Server Management, Data Backup, Disaster Recovery, and Website Development for businesses throughout Manteca, Stockton, Tracy, Lathrop, Ripon, Modesto, Lodi, Sacramento, the Bay Area, and across California.

TN9
Written by
The Network Guy 209

Managed IT & cybersecurity experts serving Manteca, Stockton, Modesto, Tracy and the Central Valley.

Related Articles

Get more IT insights like this

Monthly tips on cybersecurity, Microsoft 365, and small-business IT — written for Central Valley owners.