
HIPAA Security Checklist for Sonoma County Healthcare Practices

7 min read · May 2026

HIPAA is not just a compliance checkbox — it's a minimum baseline for protecting your patients and your practice. Most small healthcare practices in Sonoma County have significant gaps, usually not from negligence but from never having had someone audit the technical side.

Disclaimer: This checklist covers technical safeguards under the HIPAA Security Rule. It is not legal advice. For full compliance assessment including administrative and physical safeguards, consult a qualified HIPAA consultant or attorney.

Required = required under the Security Rule; a critical gap if missing
Unmarked = best practice

Access Controls

  • Unique login credentials for every staff member — no shared passwords (Required)
  • Multi-factor authentication (MFA) on email and practice management software (Required)
  • Automatic screen lock after 5–10 minutes of inactivity
  • Documented process to revoke access when staff leave (Required)
  • Role-based access — staff only see data they need for their role

Data Protection

  • Encrypted hard drives on all computers that hold patient data (Required)
  • Encrypted email for transmitting protected health information (PHI) (Required)
  • Automated backups that run daily, stored offsite or in the cloud (Required)
  • Backup restoration tested at least once in the past 12 months (Required)
  • Business Associate Agreements (BAAs) signed with all cloud vendors

Network Security

  • Router firmware updated in the last 12 months (Required)
  • Separate guest Wi-Fi network — patients and visitors not on your business network
  • Firewall enabled and configured (not just the factory default) (Required)
  • No remote desktop access without VPN or equivalent security (Required)

Devices & Software

  • Windows/macOS automatic updates enabled on all workstations
  • Antivirus/endpoint protection on all devices
  • Inventory of all devices that access patient data
  • Policy for what happens if a device is lost or stolen (Required)

Documentation

  • Written Security Risk Analysis on file (required by HIPAA) (Required)
  • Security policies distributed to all staff
  • Staff training on phishing and security basics in the last year
  • Incident response plan — what to do if you suspect a breach (Required)
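Several of the workstation items above (screen lock, disk encryption, firewall, endpoint protection, updates, remote desktop) can be spot-checked from the machine itself. The following read-only PowerShell script is an added example, not part of the original checklist or any vendor tool; it assumes a Windows 10/11 Pro workstation with the BitLocker, NetSecurity and Defender modules available, and it checks the machine-wide inactivity policy value (a practice that enforces screen lock via a per-user screen saver setting would need a different check).

```powershell
# Added example: read-only spot-check of several checklist items on one Windows workstation.
# Run from an elevated PowerShell session. Each result is $true when the item looks satisfied.
function Test-HipaaWorkstation {
    $results = [ordered]@{}

    # Access Controls: automatic screen lock after 5-10 minutes.
    # Assumption: lock is enforced via the "Machine inactivity limit" policy (value in seconds).
    $sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $timeout = (Get-ItemProperty -Path $sysPol -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    $results['ScreenLock5to10Min'] = ($timeout -gt 0 -and $timeout -le 600)

    # Data Protection: every OS and data volume fully protected by BitLocker.
    $vols = Get-BitLockerVolume | Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' }
    $unprotected = $vols | Where-Object { $_.ProtectionStatus -ne 'On' }
    $results['DiskEncryption'] = ($vols.Count -gt 0) -and -not $unprotected

    # Network Security: Windows Firewall enabled on all three profiles (Domain, Private, Public).
    $results['FirewallAllProfiles'] = -not (Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' })

    # Network Security: Remote Desktop not listening at all is the simplest way to satisfy
    # "no remote desktop without VPN". fDenyTSConnections = 1 means RDP is disabled.
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $results['RdpDisabled'] = ($rdp -eq 1)

    # Devices & Software: endpoint protection running with recent signatures (7 days assumed).
    $mp = Get-MpComputerStatus
    $results['RealtimeProtection'] = ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)
    $results['SignaturesFresh']    = ($mp.AntivirusSignatureAge -le 7)

    # Devices & Software: Windows Update service not disabled.
    $results['UpdateServiceEnabled'] = ((Get-Service -Name wuauserv).StartType -ne 'Disabled')

    [pscustomobject]$results
}

$report = Test-HipaaWorkstation
$report | Format-List
# Exit non-zero if anything failed, so the script can be scheduled and alerted on.
if ($report.PSObject.Properties.Value -contains $false) { exit 1 }
```

A $false for any item is a lead, not a verdict: a practice using a third-party disk encryption or EDR product will fail the BitLocker or Defender checks while still meeting the underlying requirement.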

The most common gaps we find

When we run security assessments for healthcare practices in Sonoma County, these four issues come up almost every time:

  • No MFA on email

    A compromised email account is the most common vector for healthcare data breaches. MFA takes 10 minutes to set up and blocks the vast majority of credential-based attacks.

  • Shared login credentials

    Multiple staff logging in with the same username and password makes it impossible to audit who accessed what — which is itself a HIPAA violation.

  • Untested backups

    Many practices have backups running — they just haven't tested whether those backups can actually be restored. A backup you've never tested is a backup you can't count on.

  • No written Security Risk Analysis

    HIPAA requires a documented risk analysis. If you've never done one, you're out of compliance regardless of how good your technical controls are.

Want a hands-on security assessment for your practice?

We run practical HIPAA-aligned security audits for small healthcare practices in Sonoma County. Most critical issues are fixed same day.
