HIPAA IT Checklist for Dental & Medical Offices in California
A practical HIPAA-aligned IT checklist for California dental and medical practices — the exact controls auditors look for.
HIPAA is enforced — and California adds CMIA on top
California dental and medical practices have to satisfy HIPAA and the Confidentiality of Medical Information Act (CMIA). Fines are per-record, and OCR audits are up in 2025–2026.
The 15-point IT checklist
- Signed BAAs with every vendor that touches PHI (M365, Google, backup, MSP, imaging)
- Full-disk encryption on every workstation and laptop
- MFA on every clinical system and email account
- Automatic screen lock ≤ 10 minutes
- Unique named user accounts (no shared logins)
- Immediate offboarding checklist (24 hrs from termination)
- Encrypted email option (Virtru, M365 Message Encryption)
- Backups with quarterly restore tests
- Audit logs retained ≥ 6 years
- Network segmentation (clinical VLAN separate from guest / IoT)
- Patched practice-management software (Dentrix, Eaglesoft, Open Dental, Athena)
- EDR / endpoint security on every device
- Wi-Fi with WPA3 or WPA2-Enterprise
- Written Security Risk Analysis (SRA) updated annually
- Documented incident response plan
Common findings in California audits
- Shared login for the front-desk PC
- Unencrypted USB drives used for X-rays
- BAAs missing with the cloud imaging vendor
- No documented SRA in the past 12 months
- Text messages containing patient names
Free HIPAA IT gap assessment
The Network Guy 209 supports dental and medical offices across Manteca, Stockton, Tracy, Modesto and Sacramento. We'll run a free HIPAA IT gap assessment against the OCR audit protocol.
Frequently Asked Questions
Do we need a BAA with our MSP?
Yes — any vendor that could access PHI needs a signed Business Associate Agreement, including your IT provider, cloud backup vendor, email host, and imaging software vendor.
How often is a Security Risk Analysis required?
HIPAA requires an SRA at least annually and after any major change to systems or workflows. California OCR audits routinely ask for the last three years.
Need reliable IT support for your business?
The Network Guy 209 provides Managed IT Services, Cybersecurity, Cloud Solutions, Microsoft 365, Network Installation, Server Management, Data Backup, Disaster Recovery, and Website Development for businesses throughout Manteca, Stockton, Tracy, Lathrop, Ripon, Modesto, Lodi, Sacramento, the Bay Area, and across California.
Managed IT & cybersecurity experts serving Manteca, Stockton, Modesto, Tracy and the Central Valley.
Related Articles
Ransomware Protection for Small Businesses: A 2026 Playbook
A practical, non-hype guide to stopping ransomware before it encrypts your files — controls, backup strategy, and what to do in the first 60 minutes of an attack.
Phishing Attacks: 8 Signs Every Employee Should Recognize
A one-page phishing awareness guide you can share with your whole team — with real 2026 examples.
Get more IT insights like this
Monthly tips on cybersecurity, Microsoft 365, and small-business IT — written for Central Valley owners.
