HIPAA Computer Compliance Checklist: Step-by-Step Guide to Securing Workstations, Laptops, and Servers

Use this HIPAA computer compliance checklist to harden workstations, laptops, and servers that handle electronic protected health information (ePHI). Each step maps to core Security Rule safeguards and turns policy into practical, verifiable actions.

Work through the sections in order. Apply role-based access control, create a complete audit trail, and enforce data-at-rest encryption alongside smart session timeout policies. The result is measurable risk reduction and defensible ePHI risk management.

Implement Access Control Measures

Restrict ePHI to only those who need it. Build access on least privilege with role-based access control (RBAC), unique user IDs, and multifactor authentication across endpoints, servers, and remote access paths.

Design access end-to-end: from user onboarding to periodic recertification and rapid revocation. Eliminate shared accounts, segregate admin from standard roles, and protect “break-glass” emergency access with strong oversight.

• Define roles and permissions for every system that stores or transmits ePHI; implement RBAC through directory groups and SSO.
• Issue unique user IDs; prohibit shared logins; bind service accounts to least-privilege scopes and vault their credentials.
• Require MFA for VPN, SSO, privileged actions, and remote administration.
• Standardize joiner–mover–leaver workflows with same-day provisioning and immediate deprovisioning.
• Use just-in-time privileged access and session recording for admin tasks; monitor and approve all break-glass use.
• Run access reviews quarterly for high-risk systems and at least semiannually for others; remediate excess rights promptly.

Establish Audit Controls

Implement mechanisms that record and examine activity in systems containing ePHI. Your audit trail must reliably answer who accessed what, when, from where, and what they did—including read, change, export, print, and administrative actions.

Centralize logs, protect them from tampering, and review them on a schedule. Use alerts for high-risk behaviors, and retain evidence according to policy (many organizations align with HIPAA’s 6-year documentation retention).

• Enable detailed logging on EHRs, file servers, databases, endpoints, email, VPN, RDP/SSH, VDI, and cloud services.
• Capture successful and failed authentications, privilege changes, configuration edits, data exports, and print events.
• Send logs to a SIEM; normalize, correlate, and baseline activity patterns to detect anomalies.
• Synchronize time across all systems (e.g., NTP) to preserve audit trail integrity.
• Protect logs with immutable or WORM storage; restrict access and maintain chain-of-custody.
• Review alerts daily, triage weekly, and perform management-level trend reviews monthly with documented outcomes.
• Retain logs per policy and legal counsel; ensure your retention plan supports investigations and regulatory inquiries.

Ensure Data Encryption

Encrypt ePHI in transit and at rest. Although encryption is an “addressable” HIPAA specification, it is expected when reasonable and appropriate. Prefer FIPS-validated modules and modern, peer-reviewed algorithms.

Plan for the full lifecycle: keys, certificates, rotation, backups, and media. Standardize data-at-rest encryption and enforce strong TLS for every network path that touches ePHI.

• Enable full-disk encryption on laptops and workstations (e.g., BitLocker, FileVault, LUKS) with pre-boot protection and escrowed recovery keys.
• Apply data-at-rest encryption on servers: database TDE, filesystem/volume encryption, encrypted VM disks, and storage-level encryption.
• Use TLS 1.2+ (prefer TLS 1.3) for all ePHI traffic; disable weak ciphers; consider mTLS for admin and service-to-service channels.
• Encrypt backups at rest and in transit; periodically test restores to verify decryptability and integrity.
• Prohibit unencrypted portable media; if permitted, enforce mobile device encryption and hardware-encrypted drives with strict custody controls.
• Manage keys in a KMS/HSM; rotate routinely, limit access by role, and log every administrative action.
• Standardize on strong suites (e.g., AES-256 for data-at-rest encryption, SHA-256+ for hashing) and document exceptions with compensating controls.

Configure Automatic Logoff

Prevent unattended sessions from exposing ePHI. Set session timeout thresholds appropriate to the environment, balancing clinical workflow with security. Require re-authentication for sensitive actions and after inactivity.

Apply automatic logoff at the OS, application, and remote-access layers. Where continuous presence is essential, deploy tap-to-unlock or proximity badges with short locks to maintain speed and safety.

• Enforce OS screen locks on workstations and laptops after 5–15 minutes of inactivity; require password, PIN, or biometric to resume.
• Set application/web session timeout (e.g., 15–30 minutes, risk-based) and force re-auth for ePHI exports, orders, or admin changes.
• Configure VPN, RDP, SSH, and VDI idle timeouts with automatic disconnect and session limit policies.
• For shared or kiosk workstations, use fast user switching, badge authentication, and immediate screen lock on badge removal.
• Document any exceptions with compensating controls (e.g., privacy screens, staffed areas) and review them at least annually.

Enforce Workstation Security

Harden endpoint configurations to reduce attack surface and prevent local ePHI exposure. Standardize builds, patch aggressively, and apply layered defenses on every workstation and laptop.

Combine technical and physical safeguards: device control, secure printing, and privacy protections in clinical and front-desk areas.

Workstations & Laptops: Checklist

• Deploy a standard image with CIS-aligned hardening; remove unnecessary software and services.
• Patch OS and applications within defined SLAs; enable automatic updates where feasible.
• Activate host firewalls and EDR/anti-malware; restrict or audit USB and peripheral access.
• Remove local admin rights; enforce application allowlisting and macro/script controls.
• Minimize local ePHI storage; redirect data to encrypted network shares or approved apps.
• Use privacy screens, cable locks, and secure locations; adopt clean-desk practices.
• Implement secure print release (badge/PIN) and purge print queues; avoid unattended output.
• Sanitize or destroy drives before reuse or disposal; verify wipe results and maintain records.

Servers: Checklist

• Harden OS and services; disable unused components; isolate management interfaces.
• Segment networks; restrict inbound/outbound traffic to approved flows; secure RDP/SSH via bastions and MFA.
• Apply timely patches and kernel/security updates; deploy EDR suitable for servers.
• Protect secrets (keys, tokens) with a vault; prohibit plaintext credentials in code or configs.
• Implement immutable or versioned backups; test restores; maintain offsite copies to counter ransomware.
• Continuously monitor configuration drift, resource anomalies, and integrity of critical files.

Manage Mobile Device Policies

Mobile devices are frequent ePHI endpoints. Enforce mobile device encryption, strong screen locks, and central management before granting access to clinical apps, email, or files.

Use MDM to verify compliance in real time, containerize corporate data, and support remote wipe. Define clear BYOD and corporate-owned standards with rapid lost/stolen reporting.

• Require MDM enrollment for any device accessing ePHI; block noncompliant devices automatically.
• Enforce mobile device encryption, screen lock with PIN/biometric, auto-lock after 2–5 minutes, and device wipe after repeated failures.
• Detect and quarantine rooted/jailbroken devices; restrict sideloading and unapproved app stores.
• Containerize data and restrict copy/paste, screenshots, and personal cloud backups for managed apps.
• Mandate timely OS and app updates; require per-app VPN or device VPN with certificate-based auth.
• Enable remote wipe of the corporate container (BYOD) or full device (COPE); require reporting of loss/theft within 24 hours.
• Maintain an asset inventory for laptops, tablets, and phones; track custody and return at separation.

Conduct Regular Risk Assessments

Make ePHI risk management a continuous process. Identify where ePHI resides and flows, analyze threats and vulnerabilities, and prioritize remediation based on likelihood and impact.

Repeat assessments at least annually and whenever systems, vendors, or workflows change. Validate that controls (access, audit trail, encryption, session timeout, and device protections) perform as intended.

• Inventory assets that store, process, or transmit electronic protected health information; map data flows.
• Evaluate administrative, physical, and technical controls; document gaps and their business impact.
• Record risks in a register with owners, due dates, and status; track mitigation to completion.
• Run vulnerability scans routinely and penetration tests periodically; fix findings within SLAs.
• Exercise incident response and backup/restore; validate RTO/RPO and evidence retention.
• Assess third parties; maintain Business Associate Agreements; review vendor security attestations.
• Deliver role-based training; reinforce phishing and data handling practices.
• Keep policies, procedures, assessments, and remediation records for at least six years.

By implementing these steps—tight access control, comprehensive audit logging, strong data-at-rest encryption, disciplined session timeout, hardened endpoints, governed mobility, and recurring assessments—you create a defensible HIPAA computer compliance posture and materially lower ePHI risk.

FAQs.

What are the key access control requirements for HIPAA?

Core requirements include unique user identification, emergency access procedures, automatic logoff, and encryption/decryption mechanisms as appropriate. Apply least privilege via role-based access control, enforce MFA for sensitive access, and review permissions on a defined schedule.

How should workstations be secured under HIPAA?

Harden and standardize builds, keep systems patched, run host firewalls and EDR, enable full-disk encryption, enforce screen locks and session timeout, restrict admin rights and USB devices, minimize local ePHI, secure printing, use privacy screens and physical locks, and sanitize drives before disposal.

What encryption standards are recommended for ePHI?

Use strong, modern cryptography with FIPS-validated modules where feasible: AES-256 for data-at-rest encryption, TLS 1.2+ (prefer TLS 1.3) with secure cipher suites for data in transit, SHA-256 or stronger for hashing, and centralized key management with routine rotation and strict access controls.

How often should risk assessments be conducted for HIPAA compliance?

Perform a comprehensive risk assessment at least annually and whenever significant changes occur—new systems, major upgrades, new vendors, mergers, or security incidents. Treat risk analysis as an ongoing program with continuous monitoring, remediation tracking, and executive review.