Need HIPAA-Compliant Security in Colorado?
Start With This 2026 Checklist.
Whether you’re preparing for an audit, renewing cyber insurance, or comparing MSPs — this checklist helps Colorado healthcare teams identify gaps, prioritize safeguards, and document progress. Backed by ABT Managed IT + Todyl.
Why Colorado healthcare organizations are prioritizing this in 2026
If you manage IT for a medical practice, behavioral health clinic, dental office, home health agency, or any organization that handles protected health information — 2026 is not the year to let cybersecurity slide.
HHS OCR enforcement activity is up. Cyber insurance carriers are tightening requirements. And attackers have gotten significantly better at targeting healthcare specifically — because patient data is worth more on the dark web than almost any other record type. A single breach at a small practice can cost $200,000 or more in fines, breach notification costs, and operational disruption.
What we hear most from Colorado healthcare teams: “We know we have gaps — we just don’t know where to start.” That’s exactly what this checklist is for. It’s not a 200-page HIPAA manual. It’s a working document your team can actually use — to identify where you’re exposed, prioritize what to fix first, and track progress over time.
ABT has supported healthcare organizations across the Front Range since 2000. We put this checklist together because we kept seeing the same gaps — and wanted to give your team a head start before an auditor, insurer, or breach does it for you.
What’s inside the 2026 HIPAA Cybersecurity Checklist
The checklist is organized around the three pillars of the HIPAA Security Rule. Each section includes clear controls, documentation prompts, and notes on what auditors and insurers look for. You can hand this to your IT team, walk through it in a leadership meeting, or use it to evaluate your current MSP against what they should be doing.
Administrative Safeguards — Make It Provable
Administrative safeguards are where most practices get caught. Having the right technology isn’t enough — you need documentation that proves your policies are current, understood, and actually followed. Auditors and insurers both want to see evidence, not assurances.
Risk analysis: define scope, score risks by likelihood and impact, and track fixes with assigned owners and due dates. HIPAA requires the risk analysis to be updated regularly — “we did one in 2019” is not acceptable.
Workforce training records: document who was trained, when, on what, and their acknowledgment. Phishing simulation results count — if you’re using ABT’s security awareness training, that reporting is built in.
Business associate agreements: a current, signed BAA with every vendor that touches PHI — your EHR vendor, billing service, MSP, cloud storage provider, transcription service. Missing BAAs are one of the most common OCR findings.
Incident response plan: documented escalation paths, containment steps, breach notification workflow, and tabletop exercise records. Your team should know what to do before an incident — not be reading the policy for the first time during one.
Technical Safeguards — Reduce Your Actual Breach Risk
Technical safeguards are what most people think of when they hear “cybersecurity” — but there’s a gap between having security tools and having them configured correctly. This section helps you verify your controls are actually working, not just present.
Multi-factor authentication (MFA) on email, EHR admin accounts, remote access, cloud portals, vendor logins, and billing systems. If MFA is off on any of these, your cyber insurance policy may not cover a resulting breach. This is now a baseline requirement — not optional.
Every device that accesses PHI needs endpoint detection and response (EDR) — not just traditional antivirus. Legacy AV misses modern ransomware variants. ABT’s endpoint security uses behavior-based detection to catch what signature-based tools miss.
PHI transmitted over the network or stored on devices must be encrypted. This includes laptops, USB drives, email, and any cloud storage. A lost encrypted laptop is not a reportable breach — a lost unencrypted one is.
Staff should only have access to the PHI they need for their role. Verify that terminated employee access is revoked immediately, shared credentials are eliminated, and admin privileges are limited to those who genuinely need them.
HIPAA requires that access to PHI is logged and those logs are reviewed. ABT’s managed IT services include 24/7 monitoring and log aggregation so unusual access patterns trigger alerts automatically.
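The two items above (minimum-necessary access with prompt revocation, and logged, reviewed PHI access) come down to a review that can be automated. The following is an added example, not ABT's or Todyl's tooling: it runs a constructed set of PHI access log lines against a constructed user roster and flags access by an account that should have been disabled, access by an account that is not on the roster at all, and unusual after-hours volume. The pipe-delimited log format, the roster fields, the business-hours window and the bulk threshold are all assumptions for illustration.

```python
"""Review constructed PHI access log lines against a user roster (added example).

Flags three findings a HIPAA log review looks for: access by a terminated user,
access by an account not on the roster, and bulk after-hours activity.
Log format, roster fields, hours window and thresholds are assumptions.
"""
from collections import Counter
from datetime import datetime

# Constructed roster: username -> (role, termination date or None). Assumed format.
ROSTER = {
    "jdoe":   ("nurse",   None),
    "mlee":   ("billing", None),
    "rsmith": ("nurse",   "2026-01-15"),  # terminated; access should already be revoked
}

BUSINESS_HOURS = range(7, 19)  # 07:00-18:59, assumed clinic hours
BULK_THRESHOLD = 20            # after-hours records per user per day, assumed


def build_sample_log():
    """Constructed log: timestamp|user|action|patient_id, one event per line."""
    lines = [
        "2026-02-03T09:12:44|jdoe|VIEW|P1001",
        "2026-02-03T09:15:02|jdoe|VIEW|P1002",
        "2026-02-04T08:05:00|rsmith|VIEW|P3001",        # terminated user still active
        "2026-02-04T10:30:00|unknown_svc|VIEW|P3002",   # account not on the roster
    ]
    # 25 EXPORT events by a billing user between 22:00 and 22:24 on one night
    lines += [f"2026-02-03T22:{i:02d}:00|mlee|EXPORT|P20{i:02d}" for i in range(25)]
    return "\n".join(lines) + "\n"


def parse_line(line):
    """Split one log line into (datetime, user, action, patient_id)."""
    ts, user, action, patient = line.strip().split("|")
    return datetime.fromisoformat(ts), user, action, patient


def review(log_text, roster):
    """Return a list of (finding, user, detail) tuples for a reviewer to act on."""
    findings = []
    after_hours = Counter()  # (user, day) -> number of after-hours events
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = parse_line(line)
        role, term = roster.get(user, ("unknown", None))
        if role == "unknown":
            findings.append(("UNKNOWN_ACCOUNT", user, ts.isoformat()))
        elif term and ts.date() >= datetime.fromisoformat(term).date():
            # Access after the termination date means revocation was missed.
            findings.append(("TERMINATED_USER_ACCESS", user, ts.isoformat()))
        if ts.hour not in BUSINESS_HOURS:
            after_hours[(user, ts.date())] += 1
    for (user, day), n in after_hours.items():
        if n >= BULK_THRESHOLD:
            findings.append(("AFTER_HOURS_BULK", user, f"{day}:{n}"))
    return findings


if __name__ == "__main__":
    for finding in review(build_sample_log(), ROSTER):
        print(finding)
```

Each finding carries the username and a timestamp or count so it can be pasted into the review record the checklist asks you to keep; the point of the roster lookup is that the log review and the HR offboarding list are checked against each other rather than maintained separately.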
Backups that have never been tested are not backups — they’re guesses. This section covers RPO/RTO definitions, tested restore procedures, air-gapped or immutable backup copies, and documentation your insurer can review.
Physical Safeguards — Often Overlooked, Often Cited
Physical safeguards are the most frequently overlooked HIPAA requirement — and one of the most commonly cited in audits. Access to workstations, servers, and physical records needs to be controlled, monitored, and documented.
Who can enter server rooms, records storage, and areas where PHI is accessible? Cloud-managed access control systems let you log and audit every entry event — and revoke access remotely the moment an employee leaves.
Workstation security: screen locks, clean desk policies, and rules about using workstations in view of patients or the public. Simple to implement, often missing in busy clinical environments.
Old computers, hard drives, printers, and copiers all retain data. ABT offers device recycling and secure disposal for Colorado healthcare organizations — with documentation for your compliance records.
Cloud-managed cameras that document who accessed your facility and when. Pairs directly with access control for a complete physical security record. ABT’s Verkada-powered systems are cloud-managed with no on-site DVR required.
Cyber Insurance Alignment — What Carriers Now Require
Cyber insurance underwriting has changed dramatically since 2020. Many Colorado healthcare organizations are shocked at renewal to find that controls they assumed were covered are now explicitly required — and missing them voids coverage or triggers premium increases of 30–50%.
MFA: a near-universal requirement. If you’re using Microsoft 365 or Google Workspace without MFA enforced for all users, most carriers will either deny coverage or require remediation before binding.
Carriers increasingly require endpoint detection and response — not just antivirus. If your current IT provider is running legacy AV, that may no longer satisfy your policy terms.
Carriers want documented proof that your backups work and that your team has practiced a recovery scenario. An untested backup strategy is a significant coverage risk.
Incident response plan: a documented plan — not just a general awareness that you’d “call your IT guy.” Carriers want to see a real escalation path, containment procedure, and notification workflow.
Who uses this checklist
The checklist is designed to be useful whether you’re in IT, compliance, operations, or leadership. Here’s how different roles typically use it:
Use it to get a plain-language overview of where you’re exposed before your next audit, insurance renewal, or IT review. Bring it to your MSP and ask them to walk through each item with you.
Use it as a working document to track gap remediation over time. Each section includes documentation prompts so you can maintain an audit trail of what was reviewed, what was found, and what was fixed.
Use it as a technical benchmark. If your current provider can’t check every box — or can’t explain clearly why something doesn’t apply to your environment — that’s important information going into a renewal or vendor review.
Not a healthcare organization?
HIPAA applies specifically to covered entities and business associates. But the security controls in this checklist — MFA, EDR, encrypted backups, incident response planning, access controls — apply to every Colorado business handling sensitive data.
ABT provides cybersecurity services for businesses across all industries, including financial services, legal firms, manufacturing, energy and oil & gas, and churches and nonprofits throughout Colorado.
View ABT Cybersecurity Services →
How ABT supports Colorado healthcare organizations
ABT isn’t a national vendor with a 1-800 number. We’re a Colorado company — with offices in Centennial/Denver, Colorado Springs, and Westminster — and we’ve been supporting healthcare practices, clinics, and health systems across the Front Range since 2000.
When you work with ABT, you get a local team that knows your environment and can show up onsite when it matters. Here’s what that looks like in practice:
Before you download the checklist, you can also request an onsite or remote ABT security assessment. We’ll identify gaps in your current posture and walk you through findings — no obligation to engage further.
ABT Managed IT Services include cybersecurity as a core component — endpoint monitoring, patch management, 24/7 alerting, backup, and help desk. One contract, one local team, one monthly invoice.
HIPAA’s physical safeguards require documented facility access controls. ABT’s Verkada-powered access control systems are cloud-managed, audit-ready, and deployed across Colorado healthcare facilities — with video surveillance that integrates directly.
Printers and copiers store data too — and improperly disposed devices are a common HIPAA breach source. ABT handles secure device recycling with documentation, and manages print security as part of a complete healthcare IT program.
Local Colorado support — Front Range and beyond
ABT supports healthcare organizations across Colorado from three Front Range offices. When you need an onsite assessment, emergency response, or security review, you get a local technician — not a remote contractor on a 3-day response window.
Serving Denver · Boulder · Colorado Springs · Westminster · Fort Collins · Pueblo · and healthcare organizations statewide
Related ABT Solutions
Proactive monitoring, help desk, endpoint management, backup, and vCIO strategy — with cybersecurity included.
Managed IT Services →
Endpoint security, MDR, ransomware protection, email security, compliance support, and security awareness training.
Cybersecurity Services →
Cloud-managed door access and video surveillance for HIPAA physical safeguard compliance.
Access Control →
IT, print, and security solutions built around the specific needs of Colorado healthcare organizations.
Healthcare Solutions →
Secure print environment management — including device-level data security and HIPAA-aligned disposal.
Managed Print →
Not ready for the checklist? Start with a no-obligation ABT environment assessment.
Request Assessment →
Request the 2026 HIPAA Cybersecurity Checklist — Free
Get the PDF + a quick “next steps” guide. No sales call required — we’ll follow up only if you want us to.
No legal advice — this checklist is operational guidance only. For legal or compliance counsel, please consult a qualified HIPAA attorney.
Prefer to talk first? Call us at 303-778-0600 or request a full ABT security assessment →