HIPAA Compliance Checklist for NC Healthcare Practices 2026
Posted: March 27, 2026 to Compliance.
HIPAA Compliance for North Carolina Healthcare Practices in 2026
North Carolina healthcare practices face a layered compliance landscape. In addition to federal HIPAA requirements, NC practices must navigate state-specific data protection laws, the NC Identity Theft Protection Act (N.C.G.S. 75-60 et seq., with the breach notification duties at 75-65), NC medical records confidentiality statutes, and evolving standards from the NC Department of Health and Human Services. This checklist provides a practical, actionable framework for NC practices to assess and maintain HIPAA compliance in 2026.
Whether you are a solo practitioner, a multi-physician group practice, a dental office, a behavioral health provider, or an urgent care facility, the HIPAA requirements are the same. OCR does not scale the standards down for small practices. Practice size and financial condition are among the factors OCR may weigh when setting a penalty amount (45 CFR 160.408), but they do not excuse a missing risk analysis or an unsigned BAA, and OCR has repeatedly settled with solo and small practices over exactly those gaps.
Administrative Safeguards Checklist
Risk Analysis (45 CFR 164.308(a)(1)(ii)(A))
- Completed a comprehensive, organization-wide risk analysis within the past 12 months
- Risk analysis covers all systems, applications, and workflows that create, receive, maintain, or transmit ePHI
- Risk analysis identifies specific threats and vulnerabilities (not just a generic checklist)
- Risk levels are calculated using a consistent, documented methodology
- Risk analysis is documented and retained for a minimum of 6 years
- Risk management plan addresses identified risks with specific remediation actions, timelines, and responsible parties
Security Management Process (45 CFR 164.308(a)(1))
- Written security policies and procedures exist for every HIPAA standard
- Policies are reviewed and updated at least annually
- Sanctions policy documents consequences for workforce members who violate security policies
- Information system activity review process is documented and performed regularly
Assigned Security Responsibility (45 CFR 164.308(a)(2))
- A specific individual is designated as the HIPAA Security Officer
- A specific individual is designated as the HIPAA Privacy Officer (can be the same person)
- Roles and responsibilities are documented in writing
Workforce Security (45 CFR 164.308(a)(3))
- Workforce clearance procedures determine whether access to ePHI is appropriate before granting it
- Termination procedures include immediate revocation of all system access
- Access authorization process documents who approved access, what level, and when
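The termination and access-authorization items above, and the quarterly access reviews scheduled in the compliance calendar later on this page, come down to one recurring task: reconcile what HR says about the workforce against what the EHR actually has enabled. The script below is an added example written for this page, not a vendor tool. It reconciles a constructed HR roster against a constructed EHR account export; the field names, the 90-day dormancy threshold and the sample data are all assumptions.

```python
"""Access-review example (added here; not a vendor tool). Reconciles a
constructed HR roster against a constructed EHR account export and reports
what a quarterly access review must act on: accounts with no workforce
record, enabled accounts for terminated staff (including logins after the
termination date), role drift, and dormant accounts."""
from datetime import date

# Constructed HR roster export (assumed fields).
HR_ROSTER = {
    "jsmith": {"status": "active", "role": "nurse", "terminated": None},
    "rlee": {"status": "terminated", "role": "billing", "terminated": date(2026, 2, 14)},
    "tperez": {"status": "active", "role": "front_desk", "terminated": None},
    "drpatel": {"status": "active", "role": "provider", "terminated": None},
}

# Constructed EHR account export (assumed fields).
EHR_ACCOUNTS = {
    "jsmith": {"enabled": True, "role": "nurse", "last_login": date(2026, 3, 30)},
    "rlee": {"enabled": True, "role": "billing", "last_login": date(2026, 3, 1)},
    "tperez": {"enabled": True, "role": "provider", "last_login": date(2026, 3, 29)},
    "drpatel": {"enabled": True, "role": "provider", "last_login": date(2025, 11, 2)},
    "vendor_tmp": {"enabled": True, "role": "admin", "last_login": date(2026, 1, 5)},
}

DORMANT_DAYS = 90  # assumed threshold for disabling unused accounts


def reconcile(roster, accounts, as_of):
    """Return (finding_type, login, detail) tuples for the review record."""
    findings = []
    for login, acct in accounts.items():
        hr = roster.get(login)
        if hr is None:
            # Service, vendor or orphaned accounts: nobody in HR owns them.
            findings.append(("no_hr_record", login, "account not tied to a workforce member"))
            continue
        if hr["status"] == "terminated":
            if acct["enabled"]:
                days = (as_of - hr["terminated"]).days
                findings.append(("terminated_still_enabled", login, f"{days} days after termination"))
            if acct["last_login"] and acct["last_login"] > hr["terminated"]:
                # Activity after termination is an incident, not just a cleanup item.
                findings.append(("login_after_termination", login, acct["last_login"].isoformat()))
            continue
        if hr["role"] != acct["role"]:
            # Role drift usually means a temporary elevation that was never reverted.
            findings.append(("role_mismatch", login, f"HR={hr['role']} EHR={acct['role']}"))
        if acct["enabled"] and (as_of - acct["last_login"]).days > DORMANT_DAYS:
            findings.append(("dormant", login, f"last login {acct['last_login'].isoformat()}"))
    return findings


def review_sample(as_of=date(2026, 3, 31)):
    """Run the reconciliation over the constructed data as of quarter end."""
    return reconcile(HR_ROSTER, EHR_ACCOUNTS, as_of)


if __name__ == "__main__":
    for kind, login, detail in review_sample():
        print(f"{kind:26} {login:12} {detail}")
```

The output of each run is itself the access-review record the documentation section of this page asks for: keep it with the reviewer's name, the date, and the ticket or change reference for each remediation.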
Security Awareness and Training (45 CFR 164.308(a)(5))
- All workforce members receive HIPAA security training at onboarding
- Annual refresher training is provided to all workforce members
- Training covers current threats including phishing, ransomware, and social engineering
- Training completion is documented with dates and attendee records
- Security reminders are distributed periodically (email tips, posters, newsletters)
- Procedures for reporting security incidents are covered in training
Security Incident Procedures (45 CFR 164.308(a)(6))
- Written incident response plan documents identification, containment, investigation, and notification steps
- Incident response team members and contact information are current
- Breach notification procedures comply with the Breach Notification Rule
- Security incidents are documented, tracked, and reviewed for patterns
Contingency Plan (45 CFR 164.308(a)(7))
- Data backup plan documents backup frequency, location, encryption, and testing procedures
- Disaster recovery plan documents procedures for restoring access to ePHI after an emergency
- Emergency mode operation plan documents how critical ePHI operations continue during emergencies
- Contingency plans are tested at least annually
- Applications and data are prioritized in a criticality analysis
Business Associate Management (45 CFR 164.308(b)(1))
- Complete inventory of all business associates is maintained
- Signed BAAs are on file for every business associate
- BAAs include required provisions: permitted uses, safeguard requirements, breach notification obligations, termination provisions
- BAAs are reviewed and updated when regulations change or when the business relationship changes
- Cloud service providers (Microsoft 365, Google Workspace, EHR vendors) have executed BAAs
Physical Safeguards Checklist
Facility Access Controls (45 CFR 164.310(a))
- Server room or IT closet is locked and access is restricted to authorized personnel
- Visitor access to areas containing ePHI is controlled and logged
- Workstations displaying PHI are positioned to prevent unauthorized viewing (privacy screens where needed)
- Facility security plan documents physical access controls for all locations
Workstation Use (45 CFR 164.310(b))
- Policies specify appropriate use of workstations that access ePHI
- Automatic screen lock activates after a short period of inactivity (HIPAA sets no number; 15 minutes is a common ceiling, with shorter timeouts in patient-facing areas)
- Workstations in patient areas log off when unattended
Device and Media Controls (45 CFR 164.310(d))
- Procedures for disposal of hardware and electronic media containing ePHI (certified data destruction)
- Procedures for reuse of media including data wiping before redeployment
- Inventory of all devices that store ePHI including mobile devices and removable media
Technical Safeguards Checklist
Access Control (45 CFR 164.312(a))
- Each user has a unique identifier (no shared logins)
- Emergency access procedures are documented for critical ePHI systems
- Automatic logoff is configured for EHR and other ePHI systems
- ePHI is encrypted at rest on all systems (full-disk encryption on all computers)
- Multi-factor authentication is enabled for remote access and all cloud-based ePHI systems
- Role-based access controls limit ePHI access to minimum necessary for job functions
Audit Controls (45 CFR 164.312(b))
- Audit logging is enabled on all systems containing ePHI
- Logs record who accessed what PHI, when, and from where
- Logs are reviewed regularly for suspicious activity
- Log retention period is defined in policy and justified by the risk analysis (HIPAA's six-year rule in 45 CFR 164.316 applies to policies, procedures and documented reviews, not to raw audit logs; keep logs long enough to investigate incidents and to satisfy any state, payer or contractual requirement)
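"Reviewed regularly for suspicious activity" is the item most practices skip, as the violations section of this page notes: logging is switched on, nobody reads it. The script below is an added example, not part of the original checklist and not any EHR vendor's tooling. It runs over constructed access-log lines (the pipe-delimited layout, the business hours, the role list and the threshold are all assumptions) and flags the three patterns a periodic review should surface first: after-hours access by roles with no after-hours need, one user opening an unusual number of charts in a day, and a user viewing a chart whose patient shares their surname.

```python
"""Audit-log review example (added here; not from any EHR vendor).
Parses constructed access-log lines and flags three patterns a periodic
review should surface: after-hours access by non-clinical roles, one user
opening many distinct charts in a day, and a user viewing a chart whose
patient shares their surname (possible family snooping)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log. The pipe-delimited layout is an assumption for this
# example; real EHR audit exports differ and must be mapped to these fields.
SAMPLE_LOG = """\
timestamp|user|role|action|mrn|patient_surname|src_ip
2026-03-02T09:14:05|jsmith|nurse|VIEW|100231|Alvarez|10.0.5.21
2026-03-02T09:20:41|jsmith|nurse|VIEW|100987|Nguyen|10.0.5.21
2026-03-02T23:48:12|rlee|billing|VIEW|100231|Alvarez|10.0.5.40
2026-03-03T10:02:00|tperez|front_desk|VIEW|100555|Perez|10.0.5.12
2026-03-03T10:05:13|kjones|billing|VIEW|100001|Okafor|10.0.5.33
2026-03-03T10:05:20|kjones|billing|VIEW|100002|Brown|10.0.5.33
2026-03-03T10:05:27|kjones|billing|VIEW|100003|Singh|10.0.5.33
2026-03-03T10:05:34|kjones|billing|VIEW|100004|Walker|10.0.5.33
2026-03-03T10:05:41|kjones|billing|VIEW|100005|Kim|10.0.5.33
2026-03-03T10:05:48|kjones|billing|VIEW|100006|Diaz|10.0.5.33
2026-03-03T14:30:00|drpatel|provider|UPDATE|100987|Nguyen|10.0.5.77
"""

# Assumed workforce directory (login -> surname) for the snooping check.
USER_SURNAMES = {"jsmith": "Smith", "rlee": "Lee", "tperez": "Perez",
                 "kjones": "Jones", "drpatel": "Patel"}

BUSINESS_HOURS = (time(7, 0), time(19, 0))     # assumed clinic hours
NON_CLINICAL_ROLES = {"billing", "front_desk"}  # roles with no after-hours need
MAX_DISTINCT_PATIENTS_PER_DAY = 5               # assumed threshold; tune per role


def parse_log(text):
    """Parse the pipe-delimited log into dicts with a parsed 'ts' datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), delimiter="|"):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review(rows):
    """Return a list of findings; each is a dict with a 'type' and context."""
    findings = []
    charts_per_user_day = defaultdict(set)
    for row in rows:
        when = row["ts"]
        in_hours = BUSINESS_HOURS[0] <= when.time() < BUSINESS_HOURS[1]
        if row["role"] in NON_CLINICAL_ROLES and not in_hours:
            findings.append({"type": "after_hours", "user": row["user"],
                             "mrn": row["mrn"], "when": row["timestamp"]})
        if USER_SURNAMES.get(row["user"], "").lower() == row["patient_surname"].lower():
            # Same surname is only a lead; the reviewer confirms the relationship.
            findings.append({"type": "surname_match", "user": row["user"],
                             "mrn": row["mrn"], "when": row["timestamp"]})
        charts_per_user_day[(row["user"], when.date())].add(row["mrn"])
    for (user, day), mrns in charts_per_user_day.items():
        if len(mrns) > MAX_DISTINCT_PATIENTS_PER_DAY:
            findings.append({"type": "bulk_access", "user": user,
                             "when": day.isoformat(), "distinct_charts": len(mrns)})
    return findings


def review_sample():
    """Run the review over the constructed log."""
    return review(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in review_sample():
        print(finding)
```

Each finding should be closed out in writing (who reviewed it, what was concluded) so the review itself leaves the documentation trail the Security Rule expects; a finding that turns out to be a legitimate after-hours claim follow-up is still worth recording as reviewed.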
Integrity (45 CFR 164.312(c))
- Mechanisms protect ePHI from improper alteration or destruction
- Data integrity verification is performed during electronic transmission
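A concrete form of the integrity mechanism above, for records that leave the EHR (exports, backups, files handed to a business associate), is a keyed-hash manifest: compute an HMAC over each file when the set is created, and verify it before the set is trusted again. The block below is an added example written for this page, not the page's own or any vendor's mechanism. The key is a placeholder for one held in the practice's secret store, and the sample export is constructed.

```python
"""Integrity-control example (added here; not the page's or any vendor's
mechanism). Builds a keyed-hash manifest over a constructed set of exported
record files and verifies it later, so silent modification, deletion, or
insertion of a file is detected. The key would live in the practice's
secret store; here it is a placeholder. Names are bound into the MAC so a
file cannot be swapped under another name."""
import hashlib
import hmac

MANIFEST_KEY = b"replace-with-key-from-secret-store"  # placeholder, assumption


def _tag(key, name, data):
    # Bind name and content; the length prefix prevents ambiguous concatenation.
    msg = len(name).to_bytes(4, "big") + name.encode() + data
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_manifest(records, key=MANIFEST_KEY):
    """records: {filename: bytes} -> {filename: hex tag}."""
    return {name: _tag(key, name, data) for name, data in sorted(records.items())}


def verify(records, manifest, key=MANIFEST_KEY):
    """Return a sorted list of (problem, filename); an empty list means intact."""
    problems = []
    for name, expected in manifest.items():
        if name not in records:
            problems.append(("missing", name))
        elif not hmac.compare_digest(_tag(key, name, records[name]), expected):
            problems.append(("modified", name))
    for name in records:
        if name not in manifest:
            problems.append(("unexpected", name))
    return sorted(problems)


# Constructed sample export.
EXPORT = {
    "100231.json": b'{"mrn":"100231","allergies":["penicillin"]}',
    "100987.json": b'{"mrn":"100987","allergies":[]}',
}


def demo():
    """Verify a clean copy, then a tampered copy; return both result lists."""
    manifest = build_manifest(EXPORT)
    clean = verify(EXPORT, manifest)
    tampered = dict(EXPORT)
    tampered["100231.json"] = b'{"mrn":"100231","allergies":[]}'  # allergy silently dropped
    del tampered["100987.json"]
    tampered["999999.json"] = b"{}"
    return clean, verify(tampered, manifest)


if __name__ == "__main__":
    clean, bad = demo()
    print("clean copy:", clean or "intact")
    print("tampered copy:", bad)
```

The manifest is only as trustworthy as its key and its own storage: keep the key out of the export, and store the manifest separately from the files it covers (or sign it) so an attacker who can rewrite the export cannot simply rewrite the manifest to match.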
Transmission Security (45 CFR 164.312(e))
- ePHI transmitted over networks is encrypted (TLS 1.2 or higher)
- Email containing PHI uses encryption (TLS, S/MIME, or portal-based)
- VPN or encrypted connections are required for remote access to ePHI systems
- Wireless networks are encrypted (WPA3 or WPA2-Enterprise)
NC-Specific Considerations
NC Identity Theft Protection Act
North Carolina law (N.C.G.S. 75-65) requires businesses to notify affected NC residents of security breaches involving personal information "without unreasonable delay." NC does not set a day-count ceiling the way HIPAA's Breach Notification Rule does (60 days), so in practice the stricter of the two governs the timing. Whenever consumer notice is required under the state statute, the business must also notify the Consumer Protection Division of the NC Attorney General's Office; if more than 1,000 persons are notified at one time, all consumer reporting agencies must be notified as well. Note that the statute defines "personal information" by identifier (Social Security number, driver's license number, financial account numbers and similar), so a breach of clinical data alone may not trigger it, but practice records routinely contain those identifiers.
NC Medical Records Confidentiality
NC General Statutes Chapter 122C (mental health, developmental disabilities and substance abuse services), Chapter 130A (public health, including communicable disease and HIV/AIDS reporting) and Chapter 90 (medical practice) contain additional confidentiality protections for mental health records, substance abuse treatment records, HIV/AIDS information, and genetic information, and federal 42 CFR Part 2 adds its own rules for substance use disorder treatment records. Where a state protection is more stringent than HIPAA's Privacy Rule, the more protective standard applies (45 CFR 160.203).
NC Telehealth Regulations
NC expanded telehealth provisions significantly during and after the COVID-19 pandemic. Practices offering telehealth services must ensure their platform vendor has signed a BAA, sessions are encrypted in transit (end-to-end where the platform supports it), patient consent is documented, and recordings or transcripts (if any) are stored with the same protections as other ePHI.
2026 Regulatory Updates Affecting NC Practices
- HIPAA Security Rule NPRM: The proposed rule would remove the "addressable" category and make its specifications required, including mandatory encryption, MFA, network segmentation, and 72-hour system restoration capability. It is still a proposal: confirm the final text and compliance dates before treating its provisions as binding, but NC practices should begin preparing now.
- HIPAA Privacy Rule changes: The 2024 reproductive health care privacy rule was largely vacated by a federal district court in June 2025 (Purl v. HHS). Check OCR's current guidance before building policies or training on it, and keep the NC-specific confidentiality statutes above in view regardless.
- Information Blocking Rule: ONC's information blocking provisions continue to evolve, affecting how practices share patient health information with other providers and patients.
Common HIPAA Violations in NC Healthcare Practices
Based on OCR enforcement data and our experience working with NC healthcare practices, these are the most frequently encountered compliance deficiencies in the Research Triangle and broader NC market:
- No formal risk analysis: The single most common deficiency. Many small practices rely on their EHR vendor's security certifications rather than conducting their own organization-wide risk analysis. Your vendor's SOC 2 or HITRUST certification does not satisfy your risk analysis obligation.
- Insufficient BAA coverage: Practices frequently use cloud services, IT support companies, billing services, or communication platforms without BAAs. Every vendor that accesses PHI requires a signed BAA before any PHI is shared.
- Outdated or missing policies: Practices with policies purchased as a template packet years ago that have never been customized or updated. Policies must reflect your actual operations and be updated when your environment changes.
- No regular training: Providing training only at onboarding without annual refresher training. HIPAA requires periodic training, and the OCR expects at minimum annual training for all workforce members.
- Inadequate access controls: Shared login credentials, lack of automatic logoff, no MFA for remote access, and excessive access permissions that violate the minimum necessary standard.
- Missing audit log review: HIPAA requires regular review of information system activity. Most practices enable audit logging but never review the logs, defeating the purpose of the control.
Technology Requirements for NC Healthcare Practices in 2026
Beyond the checklist items above, NC healthcare practices need to address several technology-specific HIPAA requirements that have become critical in 2026.
EHR Security Configuration
Your Electronic Health Record system is the primary repository for ePHI and must be configured securely. Key EHR security requirements include enabling audit logging for all user access and record modifications, configuring role-based access that limits each user to the minimum records and fields necessary for their job function, setting automatic logoff timers appropriate for each workstation type (shorter in patient areas, longer in private offices), enabling multi-factor authentication for remote EHR access, and implementing break-the-glass procedures for emergency access that generate alerts and require documented justification.
Email Security
Email remains one of the most common vectors for both PHI breaches and phishing attacks. NC practices should implement email encryption for all messages containing PHI (using TLS, portal-based encryption, or S/MIME), advanced threat protection that filters phishing emails and malicious attachments, data loss prevention rules that detect and block PHI in outbound emails to non-approved recipients, email retention policies that comply with both HIPAA and NC medical records retention requirements, and regular phishing simulation exercises that test staff awareness and provide targeted training for those who fail.
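The data loss prevention item above is the one most often left at "enabled" without anyone understanding what the rule actually matches or what happens when it fires. The block below is an added example, not any mail platform's rule syntax: it scans a constructed outbound message for common PHI identifiers and decides allow, force-encrypt or block depending on whether every recipient's domain is one the practice has a BAA with. The identifier patterns, the approved-domain list and the sample messages are assumptions for this example.

```python
"""Outbound-email DLP example (added here; not any mail platform's rule
syntax). Scans a constructed message for common PHI identifiers and decides
allow / force-encrypt / block based on whether every recipient domain is
covered by a BAA. Patterns and the approved-domain list are assumptions."""
import re

# Assumed: the practice's own domain plus domains of BAA-covered partners.
APPROVED_DOMAINS = {"examplepractice.org", "lab-partner.example"}

# Identifier patterns. The SSN pattern excludes invalid area/group/serial
# ranges; the MRN and DOB shapes are assumptions for this example.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}


def find_identifiers(text):
    """Return the set of identifier types present in the text."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}


def unapproved_recipients(addresses):
    """Return recipients whose domain is not on the BAA-covered list."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in APPROVED_DOMAINS]


def classify(message):
    """Return (action, identifiers_found, unapproved_recipients)."""
    text = message["subject"] + "\n" + message["body"]
    ids = find_identifiers(text)
    outside = unapproved_recipients(message["to"] + message.get("cc", []))
    if not ids:
        return "allow", ids, outside
    if outside:
        return "block", ids, outside      # PHI addressed to a non-BAA recipient
    return "encrypt", ids, outside        # PHI to covered recipients only: force encryption


# Constructed sample messages.
SAMPLES = [
    {"to": ["billing@examplepractice.org"], "subject": "Claim 4471",
     "body": "Patient MRN 100231, DOB 04/12/1980, SSN 123-45-6789 for today's visit."},
    {"to": ["friend@gmail.example"], "subject": "Fwd: lab result",
     "body": "Here is the result for MRN: 100987, thought you'd want to see it."},
    {"to": ["vendor@lab-partner.example"], "cc": ["drpatel@examplepractice.org"],
     "subject": "Order 2026-03-12", "body": "Please confirm the pickup window for tomorrow."},
]


def classify_samples():
    """Classify each constructed message; returns the list of actions."""
    return [classify(m)[0] for m in SAMPLES]


if __name__ == "__main__":
    for message in SAMPLES:
        action, ids, outside = classify(message)
        print(f"{action:8} ids={sorted(ids)} unapproved={outside}  {message['subject']}")
```

Pattern matching of this kind produces false negatives (a chart note pasted without any of these identifiers still contains PHI) and false positives (an order number that looks like a date), so the block action should route to a reviewable quarantine rather than silently dropping mail, and every fired rule is a training data point for the phishing and awareness program mentioned above.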
Mobile Device Management
Healthcare workers increasingly use smartphones and tablets to access EHR, secure messaging, and other ePHI systems. Every mobile device that accesses ePHI must be enrolled in a Mobile Device Management (MDM) solution that enforces device encryption, screen lock requirements, remote wipe capability, and app management. The MDM solution must be covered by a BAA. Personal devices (BYOD) accessing ePHI require MDM enrollment with at minimum containerized access that separates work data from personal data.
Cloud and SaaS Security
Most NC practices now use cloud services including Microsoft 365 or Google Workspace for email, cloud-based practice management and scheduling, telehealth platforms, patient portal systems, and cloud-based backup. Each cloud service that processes ePHI requires a BAA, proper access configuration, and inclusion in your risk analysis. Do not assume that the cloud provider's security certifications satisfy your HIPAA obligations. You remain responsible for configuring the services securely, managing user access, and monitoring for unauthorized use.
HIPAA Documentation Requirements
HIPAA requires that compliance documentation be maintained for a minimum of six years from the date of creation or the date when it was last in effect, whichever is later. This documentation requirement is one of the most frequently violated and most easily preventable HIPAA provisions.
Required Documentation Inventory
Every NC healthcare practice should maintain the following documentation:
- Risk analysis and risk management plan: Updated annually and after significant changes. Include the methodology used, all identified risks, risk ratings, and remediation plans with status tracking.
- Policies and procedures: Written policies covering every HIPAA standard applicable to your practice. Each policy should include a version number, effective date, approval signature, and review history.
- Training records: Documentation of all security awareness training including dates, content covered, trainer identification, and signed attendance sheets or completion records from your LMS.
- Business Associate inventory and BAAs: A list of all business associates with signed BAAs on file. Include the date executed, services provided, and next review date.
- Incident reports: Documentation of all security incidents, whether or not they constitute reportable breaches. Include the four-factor risk assessment for each incident.
- Access authorization records: Documentation of who approved access for each workforce member, what systems and access levels were granted, and the date of authorization.
- Contingency plan test results: Records of backup verification tests, disaster recovery tests, and emergency mode operation drills.
- System activity reviews: Records showing that audit logs were reviewed, who reviewed them, when, and any findings or actions taken.
Documentation Storage and Organization
Store compliance documentation in a secure, organized system that allows quick retrieval. Many practices use a combination of encrypted cloud storage (with a BAA) for digital documents and locked filing cabinets for physical records. Organize documentation by HIPAA standard (Administrative Safeguards, Physical Safeguards, Technical Safeguards) or by category (policies, training, risk analysis, incidents, BAAs) and maintain a master index that allows you or an auditor to locate any document quickly.
Annual HIPAA Compliance Calendar for NC Practices
Use this calendar to schedule recurring compliance activities throughout the year:
- January: Begin annual risk analysis process. Conduct quarterly access review. Review and update the business associate inventory. Prepare the prior calendar year's small breach report to HHS (breaches affecting fewer than 500 individuals), which is due within 60 days after the end of the calendar year, i.e. by March 1.
- February-March: Complete risk analysis. Update risk management plan based on findings. Review and update all policies and procedures.
- April: Conduct annual workforce security awareness training. Conduct quarterly access review. Test backup restoration procedures.
- May-June: Conduct physical security walkthrough of all locations. Review and test disaster recovery plan. Update contingency plan based on any environmental changes.
- July: Conduct quarterly access review (revoke terminated employee access, verify role-based access alignment). Review BAAs for any needed updates based on regulatory changes.
- August-September: Conduct simulated phishing exercise. Review and update incident response plan. Verify that new equipment and systems added during the year are covered by the risk analysis.
- October: Conduct quarterly access review. Review audit logs for the past quarter. Update system inventory and network diagrams.
- November-December: Plan security awareness training content for the next year. Budget for compliance activities. Review any pending remediation items from the risk management plan.
NC Healthcare Practice Resources
North Carolina healthcare practices have access to several resources for HIPAA compliance support:
- NC HIPAA Administrative Simplification Coalition: Industry group providing education and resources for NC healthcare organizations
- NC Department of Health and Human Services: State-level guidance on healthcare regulations that interact with HIPAA
- HHS Office for Civil Rights: Federal enforcement agency that provides free guidance documents and FAQs at hhs.gov/hipaa; the Security Risk Assessment (SRA) Tool, developed jointly with ONC, is published at healthit.gov
- NIST: Publications including SP 800-66 (HIPAA Security Rule guidance) and the Cybersecurity Framework that provides a structured approach to security implementation
Need Help with HIPAA Compliance for NC Practices?
Petronella Technology Group, based in the Raleigh-Durham area, provides HIPAA compliance services specifically tailored to North Carolina healthcare practices. We understand both federal and NC-specific requirements. Schedule a free consultation or call 919-348-4912.