HIPAA Device and IT Audits
Every device that touches ePHI needs a record. It also needs encryption and the right settings. We review your devices, systems, and technical controls against 45 CFR §164.312.
What Is a HIPAA Device and IT Audit?
A device and IT audit reviews each system that stores, uses, or sends electronic protected health information. It checks your controls against the five HIPAA technical safeguard standards.
Those standards are Access Control (45 CFR §164.312(a)), Audit Controls (§164.312(b)), Integrity (§164.312(c)), Person or Entity Authentication (§164.312(d)), and Transmission Security (§164.312(e)).
Most breaches reported to HHS involve electronic records or device failures. An IT audit is a core part of your HIPAA security program.
Who Needs This
A device and IT audit fits any covered entity or business associate that cannot answer yes to: Do we know every device that touches ePHI? These situations are signs you need a review.
- Organizations without a formal HIPAA device inventory
- Practices that use personal devices, cloud services, and office systems
- Growing teams that add devices or software without a clear approval process
- Groups that failed, or almost failed, technical safeguard reviews
- Business associates that handle ePHI across several systems
Device & IT Compliance Benchmarks
Typical findings from organizations before a structured IT audit. Your actual results will reflect your specific environment.
[Chart: IT Audit Gap Distribution. Where most organizations have incomplete technical controls, by category.]
[Chart: Technical Control Maturity. Average maturity score by control area (0–100).]
[Chart: Technical Safeguard Compliance, Before vs. After. Typical 90-day improvement after a structured IT audit and fixes.]
Five-Step IT Audit Process
This process turns your devices and systems into a clear compliance picture.
Device Inventory
Catalog each device that stores, accesses, or sends ePHI. This includes workstations, laptops, phones, servers, and network equipment.
Encryption Assessment
Check encryption on stored data and sent data. Review every device and channel that handles protected health information.
Access Control Review
Review how users sign in. Check role-based access, automatic logoff, and emergency access.
Audit Log Analysis
Check log settings, log retention, and whether your team reviews audit logs on a regular schedule.
Findings Report
Provide a clear report with device findings, risk ratings, and technical fix steps.
IT Audit Case Study
Scenario
A 15-person medical practice had grown from 5 to 15 staff in two years. New laptops, tablets, and cloud services were added as needed with no formal tracking. The practice had no device inventory and was unsure which devices had encryption enabled.
Key Gaps Found
Four laptops had no disk encryption. Three cloud services lacked MFA. Audit logs were enabled but never reviewed. Two former employee accounts were still active. Patient data was being transmitted over unencrypted email.
Result
Complete device inventory established with 23 devices cataloged. All devices encrypted within 30 days. MFA enabled on all cloud services. Former employee access revoked. Encrypted email solution implemented. Quarterly audit log reviews scheduled.
Implementation Timeline
Most IT audits take two to three weeks. Larger teams or groups with several cloud platforms may need more time for a full inventory.
- Device discovery and inventory
- Network scan
- Cloud service list
- Encryption and access control testing
- Authentication review
- Audit log settings check
- Findings summary
- Risk ratings
- Technical fix recommendations
- Draft report review
- Final report delivery
- Fix priority list
- Quick-win implementation support
IT Audit Patterns by Healthcare Specialty
Audit findings differ by specialty. We tailor the review to match how your practice uses technology. These six practice types are the most common settings we audit. Each one has its own device, software, and access control risks.
Medical Practices
EHR system access, multi-device workflows, lab system integrations, and referral platform security.
Behavioral Health
Telehealth platform security, session recording controls, and heightened patient data sensitivity.
Dental Practices
Imaging system encryption, practice management software access, and operatory workstation security.
Pharmacies
POS system security, medication management software, and controlled substance tracking system access.
Business Associates
Multi-client data segregation, cloud infrastructure security, and remote access controls.
Telehealth Providers
Video platform encryption, mobile device management, and home network security verification.
What Your IT Audit Includes
Every engagement gives you a written record of your technical safeguard posture. These five deliverables create a clear evidence package. You can use it for internal fixes and during a HIPAA compliance review.
Complete Device Inventory
Each device is listed with its encryption status, OS version, access controls, and ePHI exposure level.
Technical Safeguard Assessment
Review of access controls, audit logs, integrity controls, authentication, and transmission security.
Encryption Status Report
Check encryption device by device. List fix steps for any unencrypted endpoint.
Access Control Audit
Review user accounts, MFA status, role-based access, and former employee access.
Remediation Action Plan
Rank technical fixes by risk. Include setup guidance and target dates.
Why This Approach Delivers Better Outcomes
Technology changes faster than policies. New devices, cloud services, and integrations get added often.
An IT audit catches gaps that daily work can miss. It gives you a current view of your HIPAA technical safeguards.
IT audits also find quick wins. Turning on encryption, enabling MFA, or removing old user accounts can often happen the same day.
Teams that audit their technology each year find and fix gaps before they become breaches. The cost of an audit is much lower than the cost of one breach notice.
Common Pitfalls We Help You Avoid
- Incomplete inventory: You cannot secure devices you do not know about. Shadow IT is the leading technical audit gap.
- Encryption assumptions: Many organizations assume encryption is enabled when it is not, especially on older devices.
- Audit log neglect: Having logs enabled but never reviewing them does not satisfy the audit control requirement.
- Stale access: Former employees and role changes create access rights that persist long after they should have been revoked.
- Personal device blind spot: BYOD policies without technical controls create unmanaged ePHI exposure on personal phones and tablets.
Tracking Progress After Your IT Audit
Track a small set of technical metrics each month so findings turn into results.
Measure the percent of devices inventoried, percent of devices encrypted, MFA adoption across cloud services, and stale accounts removed.
Keep a leadership view that shows the trend, not just one point in time.
Technical controls drift quickly. New devices get added, employees change roles, and software updates change settings. Annual IT audits keep your inventory accurate and your controls current.
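The five-step process and the monthly metrics above can be scripted against an inventory so the same check runs every month. The example below is added here and is not code from the page or from the audit service; the device, account and service records are constructed to mirror the case-study gaps, and the 90-day inactivity threshold for a stale account is an assumption the page does not state.

```python
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)  # assumed inactivity threshold; the page sets no number

# Constructed sample data modelled on the case-study gaps; not real records.
TODAY = date(2024, 6, 1)
DISCOVERED = {"lt-01", "lt-02", "tab-01", "srv-01", "lt-09"}  # lt-09 seen only on the network scan
INVENTORY = {"lt-01": {"ephi": True, "encrypted": True}, "lt-02": {"ephi": True, "encrypted": False},
             "tab-01": {"ephi": True, "encrypted": False}, "srv-01": {"ephi": True, "encrypted": True}}
ACCOUNTS = [{"user": "alice", "active": True, "employed": True, "last_login": date(2024, 5, 20)},
            {"user": "bob", "active": True, "employed": False, "last_login": date(2024, 1, 3)},
            {"user": "dana", "active": True, "employed": True, "last_login": date(2024, 1, 3)}]
SERVICES = [{"name": "ehr", "mfa": True, "tls": True, "logs": True, "last_log_review": date(2024, 3, 1)},
            {"name": "email", "mfa": False, "tls": False, "logs": True, "last_log_review": None}]

def audit(discovered, inventory, accounts, services, today):
    """Return the monthly tracking metrics and findings tagged with the §164.312 standard they fall under."""
    findings = []  # (standard, detail, risk)
    # Step 1, inventory: a device seen on the scan but absent from the record is shadow IT.
    for dev in sorted(discovered - set(inventory)):
        findings.append(("Access Control (a)", f"{dev} on network scan but not in inventory", "high"))
    # Step 2, encryption at rest on every device that stores ePHI.
    ephi = {n: d for n, d in inventory.items() if d["ephi"]}
    for name, dev in ephi.items():
        if not dev["encrypted"]:
            findings.append(("Access Control (a)", f"{name} stores ePHI without disk encryption", "high"))
    # Step 3, access control: former-employee and inactive accounts that are still enabled.
    for acct in accounts:
        if acct["active"] and (not acct["employed"] or today - acct["last_login"] > STALE_AFTER):
            findings.append(("Access Control (a)", f"account {acct['user']} should be disabled", "high"))
    for svc in services:
        if not svc["mfa"]:
            findings.append(("Person or Entity Authentication (d)", f"{svc['name']} has no MFA", "medium"))
        if not svc["tls"]:
            findings.append(("Transmission Security (e)", f"{svc['name']} sends ePHI unencrypted", "high"))
        # Step 4, audit controls: logs that are enabled but never reviewed do not meet the standard.
        if svc["logs"] and svc["last_log_review"] is None:
            findings.append(("Audit Controls (b)", f"{svc['name']} logs enabled but never reviewed", "medium"))
    metrics = {"pct_inventoried": round(100 * len(discovered & set(inventory)) / len(discovered)),
               "pct_encrypted": round(100 * sum(d["encrypted"] for d in ephi.values()) / len(ephi)),
               "pct_services_mfa": round(100 * sum(s["mfa"] for s in services) / len(services)),
               "stale_accounts": sum("should be disabled" in f[1] for f in findings)}
    # Step 5, findings report: highest risk first.
    findings.sort(key=lambda f: {"high": 0, "medium": 1}[f[2]])
    return metrics, findings

if __name__ == "__main__":
    metrics, findings = audit(DISCOVERED, INVENTORY, ACCOUNTS, SERVICES, TODAY)
    print(metrics, *[f"[{r}] {s}: {d}" for s, d, r in findings], sep="\n")
```

Running it monthly and keeping each metrics line gives the trend view described above; a falling pct_encrypted or rising stale_accounts is the drift signal.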
Ready to Audit Your Devices and Systems?
We will inventory your devices, test your technical controls, and give you a clear report. You will know where you stand and what needs to change.
Book a 30-Minute Intro