HIPAA Technical Security

HIPAA Device and IT Audits

Every device that touches ePHI needs a record. It also needs encryption and the right settings. We review your devices, systems, and technical controls against 45 CFR §164.312.

What Is a HIPAA Device and IT Audit?

A device and IT audit reviews each system that stores, uses, or sends electronic protected health information. It checks your controls against the five HIPAA technical safeguard standards.

Those standards are Access Control (45 CFR §164.312(a)), Audit Controls (§164.312(b)), Integrity (§164.312(c)), Person or Entity Authentication (§164.312(d)), and Transmission Security (§164.312(e)).

Most breaches reported to HHS involve electronic records or device failures. An IT audit is a core part of your HIPAA security program.

Who Needs This

A device and IT audit fits any covered entity or business associate that cannot answer yes to the question "Do we know every device that touches ePHI?" These situations are signs you need a review.

  • 💻 Organizations without a formal HIPAA device inventory
  • 🔍 Practices that use personal devices, cloud services, and office systems
  • 📈 Growing teams that add devices or software without a clear approval process
  • 🔁 Groups that failed, or almost failed, technical safeguard reviews
  • 🔗 Business associates that handle ePHI across several systems

Device & IT Compliance Benchmarks

Typical findings from organizations before a structured IT audit. Your actual results will reflect your specific environment.

IT Audit Gap Distribution (chart): where most organizations have incomplete technical controls, grouped into five gap categories.

    Technical Control Maturity (chart): average maturity score by control area (0–100).

    Technical Safeguard Compliance: Before vs. After (chart): typical improvement after a structured IT audit and fixes, measured 90 days post-audit.

    Five-Step IT Audit Process

    This process turns your devices and systems into a clear compliance picture.

    1

    Device Inventory

    Catalog each device that stores, accesses, or sends ePHI. This includes workstations, laptops, phones, servers, and network equipment.

    2

    Encryption Assessment

    Check encryption on stored data and sent data. Review every device and channel that handles protected health information.

    3

    Access Control Review

    Review how users sign in. Check role-based access, automatic logoff, and emergency access.

    4

    Audit Log Analysis

    Check log settings, log retention, and whether your team reviews audit logs on a regular schedule.

    5

    Findings Report

    Provide a clear report with device findings, risk ratings, and technical fix steps.

    IT Audit Case Study

    Scenario

    A 15-person medical practice had grown from 5 to 15 staff in two years. New laptops, tablets, and cloud services were added as needed with no formal tracking. The practice had no device inventory and was unsure which devices had encryption enabled.

    Key Gaps Found

    Four laptops had no disk encryption. Three cloud services lacked MFA. Audit logs were enabled but never reviewed. Two former employee accounts were still active. Patient data was being transmitted over unencrypted email.

    Result

    Complete device inventory established with 23 devices cataloged. All devices encrypted within 30 days. MFA enabled on all cloud services. Former employee access revoked. Encrypted email solution implemented. Quarterly audit log reviews scheduled.

    Implementation Timeline

    Most IT audits take two to three weeks. Larger teams or groups with several cloud platforms may need more time for a full inventory.

    Phase 1
    Week 1
    • Device discovery and inventory
    • Network scan
    • Cloud service list
    Phase 2
    Week 2
    • Encryption and access control testing
    • Authentication review
    • Audit log settings check
    Phase 3
    Week 3
    • Findings summary
    • Risk ratings
    • Technical fix recommendations
    • Draft report review
    Phase 4
    Week 4
    • Final report delivery
    • Fix priority list
    • Quick-win implementation support

    IT Audit Patterns by Healthcare Specialty

    Audit findings differ by specialty. We tailor the review to match how your practice uses technology. These six practice types are the most common settings we audit. Each one has its own device, software, and access control risks.

    🏥

    Medical Practices

    EHR system access, multi-device workflows, lab system integrations, and referral platform security.

    🧠

    Behavioral Health

    Telehealth platform security, session recording controls, and heightened patient data sensitivity.

    🦷

    Dental Practices

    Imaging system encryption, practice management software access, and operatory workstation security.

    💊

    Pharmacies

    POS system security, medication management software, and controlled substance tracking system access.

    🔗

    Business Associates

    Multi-client data segregation, cloud infrastructure security, and remote access controls.

    📱

    Telehealth Providers

    Video platform encryption, mobile device management, and home network security verification.

    What Your IT Audit Includes

    Every engagement gives you a written record of your technical safeguard posture. These five deliverables create a clear evidence package. You can use it for internal fixes and during a HIPAA compliance review.

    Complete Device Inventory

    Each device is listed with its encryption status, OS version, access controls, and ePHI exposure level.

    Technical Safeguard Assessment

    Review of access controls, audit logs, integrity controls, authentication, and transmission security.

    Encryption Status Report

    Check encryption device by device. List fix steps for any unencrypted endpoint.

    Access Control Audit

    Review user accounts, MFA status, role-based access, and former employee access.

    Remediation Action Plan

    Rank technical fixes by risk. Include setup guidance and target dates.

    Why This Approach Delivers Better Outcomes

    Technology changes faster than policies. New devices, cloud services, and integrations get added often.

    An IT audit catches gaps that daily work can miss. It gives you a current view of your HIPAA technical safeguards.

    IT audits also find quick wins. Turning on encryption, enabling MFA, or removing old user accounts can often happen the same day.

    Teams that audit their technology each year find and fix gaps before they become breaches. The cost of an audit is much lower than the cost of one breach notice.

    Common Pitfalls We Help You Avoid

    • ⚠️ Incomplete inventory: You cannot secure devices you do not know about. Shadow IT is the leading technical audit gap.
    • ⚠️ Encryption assumptions: Many organizations assume encryption is enabled when it is not, especially on older devices.
    • ⚠️ Audit log neglect: Having logs enabled but never reviewing them does not satisfy the audit control requirement.
    • ⚠️ Stale access: Former employees and role changes create access rights that persist long after they should have been revoked.
    • ⚠️ Personal device blindspot: BYOD policies without technical controls create unmanaged ePHI exposure on personal phones and tablets.

    Tracking Progress After Your IT Audit

    Track a small set of technical metrics each month so findings turn into results.

    Measure the percent of devices inventoried, percent of devices encrypted, MFA adoption across cloud services, and stale accounts removed.

    % Devices inventoried
    % Encrypted
    % MFA enabled
    Stale accounts removed

    Keep a leadership view that shows the trend, not just one point in time.

    Technical controls drift quickly. New devices get added, employees change roles, and software updates change settings. Annual IT audits keep your inventory accurate and your controls current.
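    The case study, the device inventory deliverable, and the monthly metrics above all rest on the same check: compare what the network scan found with what the inventory says, then score each ePHI device, cloud service, and account against the gap categories the page names. The script below is an added example, not the audit firm's tool; every hostname, service, account, and date in it is constructed sample data, and the 90-day log review cadence is taken from the quarterly schedule in the case study. It generalizes the single case study into a reusable check and returns the four tracking percentages the page recommends.

```python
"""Evaluate a device and IT inventory against the gap categories named on
this page: devices missing from the inventory (shadow IT), ePHI devices
without disk encryption, cloud services without MFA or a BAA, audit logs
enabled but not reviewed on a quarterly schedule, and stale accounts of
former employees. All records below are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Device:
    hostname: str
    owner: str
    os_version: str
    disk_encrypted: bool
    handles_ephi: bool


@dataclass
class CloudService:
    name: str
    baa_signed: bool
    mfa_enforced: bool
    logs_enabled: bool
    last_log_review: Optional[date]  # None means the logs were never reviewed


@dataclass
class Account:
    username: str
    active: bool
    termination_date: Optional[date]  # set once the person has left


# Quarterly review cadence, as the page's case study schedules it.
LOG_REVIEW_CADENCE = timedelta(days=90)

# Constructed sample input. Hostnames, owners and services are made up and
# loosely mirror the case study on this page.
TODAY = date(2024, 6, 1)
DISCOVERED_HOSTS = ["ws-01", "ws-02", "lt-03", "lt-04", "tab-05", "srv-01", "lt-99"]
INVENTORY = [
    Device("ws-01", "front desk", "Windows 11 23H2", True, True),
    Device("ws-02", "billing", "Windows 10 22H2", False, True),
    Device("lt-03", "provider A", "macOS 14.4", True, True),
    Device("lt-04", "provider B", "Windows 11 23H2", False, True),
    Device("tab-05", "nursing", "iPadOS 17.4", True, True),
    Device("srv-01", "server room", "Ubuntu 22.04", True, True),
]
SERVICES = [
    CloudService("EHR-SaaS", True, True, True, date(2024, 4, 15)),
    CloudService("Email", True, False, True, None),
    CloudService("File share", False, False, True, date(2023, 9, 1)),
]
ACCOUNTS = [
    Account("jdoe", True, None),
    Account("former1", True, date(2024, 1, 10)),   # left, account still active
    Account("former2", False, date(2023, 12, 1)),  # left, account disabled
]


def assess(discovered, inventory, services, accounts, today) -> Dict[str, List[str]]:
    """Return each gap category with the identifiers that fall into it."""
    inventoried = {d.hostname for d in inventory}

    def log_review_overdue(s: CloudService) -> bool:
        if not s.logs_enabled:
            return False  # a different finding: there are no logs to review
        return s.last_log_review is None or today - s.last_log_review > LOG_REVIEW_CADENCE

    return {
        # Hosts seen on the network scan but absent from the inventory.
        "not_inventoried": sorted(set(discovered) - inventoried),
        "unencrypted": sorted(d.hostname for d in inventory
                              if d.handles_ephi and not d.disk_encrypted),
        "no_mfa": sorted(s.name for s in services if not s.mfa_enforced),
        "no_baa": sorted(s.name for s in services if not s.baa_signed),
        "logs_not_reviewed": sorted(s.name for s in services if log_review_overdue(s)),
        # Active accounts belonging to people who have already left.
        "stale_accounts": sorted(a.username for a in accounts
                                 if a.active and a.termination_date is not None),
    }


def metrics(discovered, inventory, services, findings) -> Dict[str, int]:
    """The monthly tracking numbers the page recommends, as whole percentages."""
    def pct(num: int, den: int) -> int:
        return round(100 * num / den) if den else 100

    ephi_devices = [d for d in inventory if d.handles_ephi]
    return {
        "pct_inventoried": pct(len(set(discovered) & {d.hostname for d in inventory}),
                               len(set(discovered))),
        "pct_encrypted": pct(sum(d.disk_encrypted for d in ephi_devices), len(ephi_devices)),
        "pct_mfa_enabled": pct(sum(s.mfa_enforced for s in services), len(services)),
        "stale_accounts_open": len(findings["stale_accounts"]),
    }


if __name__ == "__main__":
    found = assess(DISCOVERED_HOSTS, INVENTORY, SERVICES, ACCOUNTS, TODAY)
    for category, items in found.items():
        print(f"{category:18s} {', '.join(items) or 'none'}")
    print(metrics(DISCOVERED_HOSTS, INVENTORY, SERVICES, found))
```

    Run it each month against the current scan, inventory, and account export: the percentages feed the leadership trend view, and any non-empty finding list is a remediation item. Note that the percent-inventoried figure is computed against discovered hosts, not against the inventory itself, so a host the scan finds but the inventory lacks lowers the score rather than hiding.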

    Frequently Asked Questions

    Include every device that stores, accesses, or sends ePHI. This includes desktops, laptops, tablets, phones, servers, network equipment, storage devices, cloud services, and apps that handle patient data. The device and media controls standard at 45 CFR §164.310(d) requires policies for hardware and electronic media that contain ePHI. Your inventory should be current and complete, not estimated. After a gap analysis identifies which systems are in scope, the device inventory becomes the base for your audit.

    Encryption is an addressable implementation specification under the Security Rule. If you do not encrypt, you must document why another option is reasonable and appropriate. In practice, most reviewers expect encryption for stored data and sent data. Under 45 CFR §164.312(a)(2)(iv), encryption and decryption of ePHI is an addressable specification within the access control standard. Under 45 CFR §164.312(e)(2)(ii), encryption of ePHI in transit is also addressable. If you do not use encryption, your remediation plan must document the alternative and the reason. You must keep that documentation for at least six years.

    At least once a year. You should also review your systems after major changes, such as new software, cloud migrations, security incidents, or major updates. The HIPAA Security Rule does not set one fixed audit schedule, but 45 CFR §164.312(b) requires controls that record and examine activity in systems with ePHI. HHS guidance points to regular, documented review, not one-time setup. Quarterly reviews of access rights and audit logs are standard practice. If audit findings create open gaps, use a structured remediation plan with clear timelines.

    BYOD environments need clear rules and technical controls. When possible, use mobile device management. Confirm that personal devices have encryption, authentication, and remote wipe before they access ePHI. Under 45 CFR §164.312(a), access controls apply to any system that stores or uses ePHI. This includes personal phones and tablets used for work. The access control standard requires unique user identification, automatic logoff, and encryption where feasible. Physical safeguards under §164.310 also apply to mobile devices. A mobile device management (MDM) solution is the most practical way to enforce these rules in a BYOD environment.

    Yes. Any cloud service that stores or processes ePHI must be listed. It should have a BAA and meet HIPAA technical safeguard rules for access control, encryption, and audit logging. Cloud service providers that handle ePHI for a covered entity are business associates under HIPAA. A signed Business Associate Agreement is required before ePHI is shared. The access control (§164.312(a)), audit controls (§164.312(b)), and transmission security (§164.312(e)) standards all apply to cloud-hosted ePHI. During an IT audit, each cloud service is reviewed for MFA, data residency, encryption, and audit logging.

    Ready to Audit Your Devices and Systems?

    We will inventory your devices, test your technical controls, and give you a clear report. You will know where you stand and what needs to change.
