HIPAA Compliance Checklist: A Practical Guide for North Carolina Healthcare Practices
Posted: March 6, 2026 to Compliance.
Healthcare practices across North Carolina face an increasingly hostile cybersecurity landscape. Ransomware attacks against hospitals and clinics have surged, and the Department of Health and Human Services Office for Civil Rights (HHS OCR) continues to ramp up enforcement actions. In 2025 alone, OCR settled or imposed penalties exceeding $20 million for HIPAA violations, and the trend shows no sign of slowing down.
As a published author on HIPAA compliance and a cybersecurity consultant who has worked with healthcare organizations in the Triangle and across North Carolina for more than 23 years, I wrote this checklist to give practice administrators, office managers, and IT directors a clear roadmap for achieving and maintaining HIPAA compliance in 2026.
Who Must Comply with HIPAA
HIPAA applies to two categories of organizations. Covered Entities include healthcare providers who transmit health information electronically in connection with a transaction for which HHS has adopted a standard (claims, eligibility inquiries, referral authorizations, and the like), health plans, and healthcare clearinghouses. Business Associates are organizations that create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of a Covered Entity. If your organization falls into either category, the Security Rule and Breach Notification Rule apply to you directly, and Business Associates are additionally bound by the Privacy Rule obligations written into their BAAs.
Common Business Associates that NC healthcare practices overlook include IT service providers, cloud hosting companies, electronic health record vendors, billing services, shredding companies, and even answering services that take patient messages. Every Business Associate must have a signed Business Associate Agreement (BAA) on file.
The Three HIPAA Rules
HIPAA compliance rests on three foundational rules. Each one must be fully addressed in your compliance program.
The Privacy Rule (45 CFR Part 164, Subpart E)
The Privacy Rule establishes standards for how PHI can be used and disclosed. It gives patients rights over their health information, including the right to obtain copies, request amendments, and receive an accounting of disclosures. Your Notice of Privacy Practices must be current, posted in your facility and on your website, and provided to every new patient no later than the first date of service, with a good-faith effort to obtain written acknowledgment of receipt.
The Security Rule (45 CFR Part 164, Subpart C)
The Security Rule focuses specifically on electronic PHI (ePHI). It requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of all ePHI you create, receive, maintain, or transmit. This is where most healthcare practices have the largest gaps.
The Breach Notification Rule (45 CFR Part 164, Subpart D)
The Breach Notification Rule requires you to notify affected individuals, HHS, and in some cases the media, following a breach of unsecured PHI. Individual notices must go out without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting 500 or more individuals must be reported to HHS within that same 60-day window and are posted on the HHS Breach Portal; if more than 500 residents of a single state are affected, prominent media outlets serving that state must also be notified. Breaches affecting fewer than 500 individuals must be logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.
Administrative Safeguards Checklist
Administrative safeguards account for more than half of all HIPAA Security Rule requirements. These are the policies, procedures, and management processes that govern your compliance program.
Security Management Process (Section 164.308(a)(1))
- Conduct a comprehensive risk analysis that identifies all ePHI, all threats and vulnerabilities, and the likelihood and impact of each risk
- Implement a risk management plan that reduces identified risks to a reasonable and appropriate level
- Apply sanctions against workforce members who violate security policies
- Review information system activity regularly through audit logs, access reports, and security incident tracking
The risk analysis is the cornerstone of HIPAA compliance and the most frequently cited deficiency in OCR investigations. It must be thorough and documented. The Security Rule does not fix a review interval, but updating it at least annually and whenever significant changes occur in your environment (a new EHR, a new location, a new cloud vendor) is the defensible practice.
Assigned Security Responsibility (Section 164.308(a)(2))
- Designate a Security Officer responsible for developing and implementing security policies and procedures
- Document the Security Officer appointment in writing
- Ensure the Security Officer has adequate authority, resources, and training
Workforce Security (Section 164.308(a)(3))
- Implement procedures for authorizing workforce member access to ePHI based on job role
- Establish workforce clearance procedures including background checks where appropriate
- Implement termination procedures that revoke access immediately upon separation
Information Access Management (Section 164.308(a)(4))
- Establish policies for granting access to ePHI through a workstation, program, or process
- Implement role-based access controls tied to job functions
- Review and modify user access rights periodically and when job roles change
Security Awareness and Training (Section 164.308(a)(5))
- Provide security awareness training to all workforce members upon hire and at regular intervals
- Conduct phishing simulation exercises at least quarterly
- Train staff on password management best practices
- Educate staff on recognizing and reporting security incidents
- Include malicious software protection awareness in training
Security Incident Procedures (Section 164.308(a)(6))
- Implement policies and procedures to identify, respond to, and mitigate security incidents
- Document all security incidents and their outcomes
- Establish clear escalation paths and reporting procedures
Contingency Plan (Section 164.308(a)(7))
- Establish a data backup plan with defined frequency and verification procedures
- Create a disaster recovery plan that ensures ePHI availability after a disruption
- Develop an emergency mode operations plan for critical business processes
- Test and revise contingency plans at least annually
- Assess the criticality of applications and data to prioritize recovery efforts
Business Associate Contracts (Section 164.308(b)(1))
- Identify all Business Associates who access, create, or store PHI on your behalf
- Execute signed BAAs with every Business Associate before sharing PHI
- Review and update BAAs when relationships or services change
- Monitor Business Associate compliance through periodic assessments
Physical Safeguards Checklist
Facility Access Controls (Section 164.310(a)(1))
- Implement physical access controls for facilities housing ePHI systems
- Establish procedures for validating a person's access to facilities based on their role
- Maintain records of physical access and repairs to security hardware
- Address facility security for remote and mobile workers
Workstation Use and Security (Sections 164.310(b) and (c))
- Establish policies specifying proper functions, manner of use, and physical environment for workstations
- Position screens to prevent unauthorized viewing of ePHI
- Implement automatic screen lock after a defined period of inactivity
- Restrict physical access to workstations that access ePHI
Device and Media Controls (Section 164.310(d)(1))
- Implement procedures for the receipt, removal, and disposal of hardware and electronic media containing ePHI
- Maintain records of hardware and media movements
- Ensure ePHI is properly sanitized before device reuse or disposal using NIST SP 800-88 Rev. 1 methods (clear, purge, or destroy, chosen by media type and sensitivity), and keep a certificate of destruction or sanitization record for each device
- Encrypt all portable devices and removable media containing ePHI
Technical Safeguards Checklist
Access Control (Section 164.312(a)(1))
- Assign unique user IDs to every workforce member who accesses ePHI systems
- Implement emergency access procedures for obtaining ePHI during an emergency
- Implement automatic logoff after a defined period of inactivity
- Encrypt all ePHI at rest and in transit. Encryption is an addressable specification under Section 164.312(a)(2)(iv), meaning you must implement it or document why an equivalent alternative is reasonable and appropriate; in practice, ePHI encrypted consistent with HHS guidance is not "unsecured PHI", so a lost encrypted laptop is not a reportable breach while a lost unencrypted one is
Audit Controls (Section 164.312(b))
- Implement hardware, software, and procedural mechanisms to record and examine activity in systems that contain ePHI
- Review audit logs regularly and investigate anomalies
- Retain audit logs long enough to support investigations and OCR reviews. HIPAA's six-year retention requirement in Section 164.316(b)(2) applies to policies, procedures, and required documentation; the rule sets no explicit log retention period, but many practices apply the same six-year figure to audit logs because OCR may request them when investigating a complaint or breach
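The review item in the list above is the one that actually catches problems, so here is an added example of what "review audit logs and investigate anomalies" looks like in code. It is not from the original post and not a feature of any product named here: a Python script that runs over constructed, pipe-delimited EHR access-log lines in a hypothetical format (timestamp, user ID, action, patient ID) and flags after-hours access, access by a user on or after the separation date in a hypothetical HR feed (a failed termination procedure under Section 164.308(a)(3)), chart exports, and any user opening an unusual number of distinct charts in one day. The field layout, business hours, threshold, and user names are assumptions; map them to your EHR's own audit export.

```python
"""Audit log review for an ePHI system.

Added example, not code from the original post. The log format, user roster,
business hours and thresholds are hypothetical; adapt them to your EHR's
audit export. Each constructed log line is: timestamp|user|action|patient.
"""
from collections import Counter, defaultdict
from datetime import date, datetime, time

BUSINESS_START = time(7, 0)     # assumed clinic hours
BUSINESS_END = time(19, 0)
BULK_THRESHOLD = 25             # distinct charts per user per day (assumed baseline)

# Hypothetical HR feed: user ID -> separation date. Any access on or after
# that date means the termination procedure in 164.308(a)(3) failed.
TERMINATED = {"tlee": date(2026, 2, 4)}

# Constructed sample log: six hand-written lines plus thirty chart views by
# one user in a single afternoon.
SAMPLE_LOG = "\n".join(
    [
        "2026-02-03T09:12:44|jdoe|VIEW|P10001",
        "2026-02-03T09:15:02|jdoe|VIEW|P10002",
        "2026-02-03T02:41:10|rsmith|VIEW|P10003",   # 2:41 AM
        "2026-02-03T10:05:31|tlee|VIEW|P10004",     # before separation: fine
        "2026-02-04T11:00:00|tlee|VIEW|P10005",     # after separation: flagged
        "2026-02-03T13:20:00|jdoe|EXPORT|P10006",   # export action
    ]
    + [f"2026-02-03T14:{m:02d}:00|mchen|VIEW|P2{m:04d}" for m in range(30)]
)


def parse_line(line):
    """Split one audit line into (datetime, user, action, patient)."""
    ts, user, action, patient = line.strip().split("|")
    return datetime.fromisoformat(ts), user, action, patient


def review(log_text, terminated=TERMINATED, bulk_threshold=BULK_THRESHOLD):
    """Return a list of (finding_type, user, detail) tuples for the log."""
    findings = []
    charts_per_user_day = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, action, patient = parse_line(raw)
        if not BUSINESS_START <= ts.time() <= BUSINESS_END:
            findings.append(("after_hours", user, raw))
        separation = terminated.get(user)
        if separation is not None and ts.date() >= separation:
            findings.append(("terminated_user_access", user, raw))
        if action == "EXPORT":
            findings.append(("export", user, raw))
        charts_per_user_day[(user, ts.date())].add(patient)
    # Volume check runs after the pass so each user/day pair is judged once.
    for (user, day), charts in charts_per_user_day.items():
        if len(charts) > bulk_threshold:
            findings.append(("bulk_access", user, f"{day}: {len(charts)} distinct charts"))
    return findings


def summarize(findings):
    """Count findings by type: the figure that goes into the written review record."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    for kind, user, detail in review(SAMPLE_LOG):
        print(f"{kind:24} {user:8} {detail}")
    print(summarize(review(SAMPLE_LOG)))
```

Each finding still needs a human to decide whether it was legitimate (an on-call clinician at 2 AM is normal; a front-desk login at 2 AM is not), and the disposition of every finding is what you document to show the "information system activity review" specification is actually being performed, not just configured.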
Integrity Controls (Section 164.312(c)(1))
- Implement mechanisms to authenticate ePHI and protect it from improper alteration or destruction
- Validate data integrity following transfer or storage
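The backup verification step in the Contingency Plan list (Section 164.308(a)(7)) and the "validate data integrity" item above come down to the same mechanism, so here is one added example that serves both. It is not from the original post and not part of any product: a Python script that builds a SHA-256 manifest over a backup directory, seals the manifest with an HMAC so that someone who can alter the backup cannot also rewrite the manifest to match, and verifies a restored or received copy, reporting modified, missing, and extra files. The key, the paths, and the small constructed files it hashes are all hypothetical.

```python
"""Integrity manifest for ePHI backups and transfers.

Added example, not code from the original post. Builds a SHA-256 manifest over
a directory, seals the manifest with an HMAC so that whoever can alter a backup
cannot also rewrite the manifest to match, and verifies a restored or received
copy against it. The key, paths and sample file contents are hypothetical.
"""
import hashlib
import hmac
import json
import os
import tempfile


def file_sha256(path, chunk_size=1 << 20):
    """Hash a file in chunks so large imaging or database dumps are not loaded into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def hash_tree(root):
    """Map each file's path relative to root (POSIX separators) to its SHA-256."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = file_sha256(full)
    return hashes


def _canonical(files):
    # Deterministic encoding: the HMAC must cover identical bytes on both ends.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root, key):
    """Create {"files": {...}, "hmac": ...} at backup time, before the data leaves the practice."""
    files = hash_tree(root)
    return {"files": files, "hmac": hmac.new(key, _canonical(files), hashlib.sha256).hexdigest()}


def verify_manifest(root, manifest, key):
    """Check a restored/received tree. A bad HMAC stops verification: the manifest itself is untrusted."""
    result = {"manifest_tampered": False, "modified": [], "missing": [], "extra": []}
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        result["manifest_tampered"] = True
        return result
    on_disk = hash_tree(root)
    for rel, digest in manifest["files"].items():
        if rel not in on_disk:
            result["missing"].append(rel)
        elif on_disk[rel] != digest:
            result["modified"].append(rel)
    result["extra"] = sorted(set(on_disk) - set(manifest["files"]))
    return result


def is_intact(result):
    """True only when the manifest is authentic and every file matches it exactly."""
    return not result["manifest_tampered"] and not (
        result["modified"] or result["missing"] or result["extra"]
    )


def demo(key=b"hypothetical-manifest-key-keep-it-in-a-vault"):
    """Backup -> verify -> corrupt -> verify -> forge manifest -> verify, on constructed files."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "charts"))
        chart = os.path.join(tmp, "charts", "P10001.json")
        with open(chart, "w") as fh:                      # constructed stand-in for an ePHI export
            fh.write('{"patient":"P10001","allergies":["penicillin"]}')
        with open(os.path.join(tmp, "index.csv"), "w") as fh:
            fh.write("P10001,charts/P10001.json\n")
        manifest = build_manifest(tmp, key)
        clean = verify_manifest(tmp, manifest, key)
        with open(chart, "w") as fh:                      # silent corruption of the restored copy
            fh.write('{"patient":"P10001","allergies":[]}')
        corrupted = verify_manifest(tmp, manifest, key)
        forged = {"files": dict(manifest["files"]), "hmac": manifest["hmac"]}
        forged["files"]["charts/P10001.json"] = file_sha256(chart)   # attacker "fixes" the hash
        forged_result = verify_manifest(tmp, forged, key)
        return clean, corrupted, forged_result


if __name__ == "__main__":
    for label, res in zip(("clean", "corrupted", "forged manifest"), demo()):
        print(f"{label:16} intact={is_intact(res)} {res}")
```

Keep the HMAC key off the backup media and out of the backup job's own service account: store manifests alongside the backup but the key in a secrets vault, so that ransomware or a rogue administrator with access to the backup target cannot re-seal an altered manifest. Run the verification as part of every restore test rather than only when something looks wrong, and file the result as evidence for the annual contingency plan test.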
Person or Entity Authentication (Section 164.312(d))
- Verify the identity of any person or entity seeking access to ePHI
- Implement multi-factor authentication for remote access to ePHI systems
Transmission Security (Section 164.312(e)(1))
- Implement security measures to guard against unauthorized access to ePHI being transmitted over electronic networks
- Encrypt all ePHI transmitted over public networks: TLS for email (or a secure messaging portal when the recipient's mail system cannot guarantee it) and for web-based EHR access, and a VPN or equivalent encrypted tunnel for remote connections to the practice network
North Carolina-Specific Considerations
North Carolina healthcare practices face additional requirements beyond federal HIPAA regulations.
NC Identity Theft Protection Act (N.C.G.S. 75-60 et seq.)
This state law (Article 2A of Chapter 75) requires businesses that own or license personal information of NC residents to implement and maintain reasonable security procedures, and N.C.G.S. 75-65 mandates notification of security breaches to affected individuals without unreasonable delay. When you notify affected residents, you must also notify the Consumer Protection Division of the NC Attorney General's Office. These state notification requirements are in addition to, not a substitute for, federal HIPAA breach notification obligations, so a single incident can trigger both sets of deadlines.
NC Medical Record Retention Requirements
North Carolina's hospital licensure rules (10A NCAC 13B .3903) require medical records to be retained for a minimum of 11 years after discharge; for minor patients, records must be retained until the patient's 30th birthday. The NC Medical Board's position statement on medical records applies comparable retention expectations to physician practices, so confirm the period that applies to your practice type. Note that HIPAA's six-year requirement in Section 164.316(b)(2) covers compliance documentation (policies, procedures, risk analyses), not medical records themselves, so these state retention periods, not HIPAA, determine how long ePHI must remain recoverable from your backup and archival systems.
Regional Threat Landscape
Healthcare organizations in the Research Triangle, Charlotte metro area, and Triad region are increasingly targeted by ransomware groups that specifically seek out medical practices. Small and mid-size practices are especially vulnerable because they often lack dedicated IT security staff. The NC Department of Health and Human Services has issued multiple advisories urging healthcare providers to strengthen their defenses.
Using ComplianceArmor for HIPAA Documentation
One of the biggest challenges healthcare practices face is generating and maintaining the extensive documentation HIPAA requires. Risk analyses, policies, procedures, training records, incident logs, BAA inventories, and contingency plans all need to be current, comprehensive, and readily accessible for OCR investigations.
Our ComplianceArmor platform was built specifically to solve this problem. It generates all required HIPAA documentation mapped to the specific sections and standards of the Security Rule, Privacy Rule, and Breach Notification Rule. It tracks your compliance status in real time and alerts you when policies need review or updates. For NC healthcare practices juggling patient care with regulatory obligations, it transforms HIPAA compliance from a dreaded annual project into a manageable ongoing process.
Learn more about our HIPAA compliance services or schedule a free HIPAA risk assessment to identify your compliance gaps before OCR does.
HIPAA Compliance Is Not Optional
OCR enforcement has never been more aggressive. The HITECH penalty tiers start at $100 per violation and rise to $50,000 per violation, with an annual cap of $1.5 million for identical violations of the same provision; HHS adjusts these base amounts upward for inflation each year, so the current figures are higher. State attorneys general can also bring civil actions under HITECH for violations affecting their residents. Beyond the financial penalties, a publicized HIPAA breach can devastate patient trust and your practice's reputation.
The good news is that compliance is achievable. Start with a thorough risk analysis, address the highest-priority gaps first, and build a sustainable compliance program that becomes part of your practice's daily operations. If you need help, Petronella Technology Group has been serving NC healthcare practices for more than 23 years and we understand the unique challenges you face.