HIPAA Compliance Checklist for Louisiana Medical & Dental Practices

The specific HIPAA Security Rule requirements every Louisiana medical and dental practice must satisfy — administrative, physical, and technical safeguards. Plus the most-commonly-cited violations in OCR audits.

Why every Louisiana medical and dental practice needs this

HIPAA compliance isn't a checkbox exercise; it's an ongoing operational discipline. OCR (the federal Office for Civil Rights) audits practices ranging from small dental offices to large hospital systems. Fines per breach range from $50,000 to $1.5M+, depending on scope and the practice's compliance posture at the time of the breach.

This checklist covers the specific HIPAA Security Rule requirements that medical and dental practices must satisfy, organized by what auditors actually look for. Use it to assess your current state and identify gaps before a breach (or audit) forces the issue.

Administrative safeguards (§164.308)

  • Annual Security Risk Assessment (SRA). The single most important compliance document. Identifies risks to ePHI in your environment and documents mitigation strategies. Required annually; in reality, many practices don't have a current one.
  • Written information security policies. Privacy Policy, Security Policy, Breach Notification Policy. Must be specific to your practice — generic templates don't count.
  • Workforce security training. Annual training for all employees on HIPAA basics, breach prevention, incident reporting. Document completion.
  • Access management. Documented procedure for granting, modifying, and revoking access to ePHI based on role.
  • Information access management. Role-based access controls: front desk staff shouldn't see clinical notes; clinical staff shouldn't see billing accounts receivable (AR).
  • Security incident procedures. Written procedure for detecting, responding to, and reporting security incidents.
  • Contingency plan. Data backup plan, disaster recovery plan, emergency mode operation plan. Tested at least annually.
  • Periodic evaluations. Document that you've reviewed and updated your security posture in response to environmental or operational changes.
  • Business Associate Agreements (BAAs). Every vendor with access to PHI must have a signed BAA. EHR vendor, IT provider, cloud backup, secure messaging — anyone touching PHI.

Physical safeguards (§164.310)

  • Facility access controls. Locks, keys, badges, alarm systems. Documented procedures for granting and revoking facility access.
  • Workstation use and security. Workstations that access ePHI must be positioned so screens aren't visible to unauthorized people. Automatic screen lock after inactivity.
  • Device and media controls. Disposal procedures for old hardware (must wipe or destroy media), backup procedures for portable devices, accountability for who has what device.

Technical safeguards (§164.312)

  • Access controls. Unique user identification, automatic logoff, encryption and decryption of ePHI.
  • Audit controls. System logs showing who accessed what ePHI when. Reviewed periodically to detect suspicious activity.
  • Integrity controls. Mechanisms to ensure ePHI hasn't been improperly altered or destroyed.
  • Person or entity authentication. Verify identity of users — typically password + MFA for clinical accounts.
  • Transmission security. Encrypt ePHI in transit. Email containing PHI must be encrypted or sent through a secure portal.

The most-commonly-cited HIPAA violations in OCR audits

  1. No current Security Risk Assessment. Most frequently cited. Either not done, or done years ago and not updated.
  2. Missing Business Associate Agreements. Common with cloud vendors that the practice signed up for without realizing PHI access was involved.
  3. Inadequate access controls. Shared logins, no MFA on admin accounts, terminated employees still active in Active Directory.
  4. No documented incident response. When a breach happens, the practice has no procedure to follow — increasing both the damage and the regulatory exposure.
  5. Unencrypted devices and email. Laptops without encryption, email with PHI in the body rather than secure portal.
  6. Inadequate workforce training. Generic videos that don't address practice-specific risks.

Frequently asked questions

What's the typical fine for a HIPAA violation?

Tiered based on intent:

  • Did Not Know: $100-$50,000 per violation, $25,000-$1.5M annual cap.
  • Reasonable Cause: $1,000-$50,000 per violation.
  • Willful Neglect (Corrected): $10,000-$50,000 per violation.
  • Willful Neglect (Not Corrected): $50,000 per violation, $1.5M annual cap.

Plus state-level fines and civil litigation.

Do I need a Security Risk Assessment every year, or is once enough?

Required annually under the Security Rule (45 CFR §164.308(a)(1)(ii)(A)). In reality, many practices have outdated ones; OCR audits frequently find SRAs that are years old. Annual is the standard, and some larger practices do it more frequently when their environment is changing.

Can we do the HIPAA compliance work ourselves or do we need outside help?

Possible to do internally with significant time investment and HIPAA-specific knowledge. Most practices benefit from outside help because the documentation requirements are specific and the policies need expert review. Our healthcare engagements include the full HIPAA program — annual SRA, written policies, BAA management, training, ongoing controls.

What's the difference between Privacy Rule and Security Rule?

Privacy Rule (§164.500-534) covers WHEN PHI can be used or disclosed. Security Rule (§164.302-318) covers HOW electronic PHI must be protected technically. Both apply; this checklist focuses on the Security Rule (the technical controls). Practices need policies for both.

Got questions about your specific situation?

Schedule a free 15-minute discovery call. We'll walk through your specific environment, answer questions about what's covered in this guide, and tell you what (if anything) actually needs to change. No sales pitch.