Back to Insights

HIPAA Compliance Checklist for Custom EHR Systems (2026 Update)

Author

Fornex Health Team

Published

June 30, 2026

HIPAA Compliance Checklist for Custom EHR Systems (2026 Update)

Quick answer: A HIPAA-compliant custom EHR needs three things in place before go-live: documented administrative safeguards (risk analysis, training, a named Security Officer), enforced technical safeguards (encryption at rest and in transit, mandatory MFA, audit logging), and signed Business Associate Agreements with every vendor that touches patient data. As of the 2026 HIPAA Security Rule update, several of these, encryption and MFA in particular, are no longer optional "addressable" items. They're mandatory.

If you're building or commissioning a custom EHR this year, this checklist walks through what "compliant" actually means in practice, not just on paper.

Why 2026 Changes the Compliance Bar

For over a decade, HIPAA let organizations treat certain security measures as "addressable", meaning you could implement a reasonable alternative or document why a control didn't apply to you. That flexibility is going away. Under the updated HIPAA Security Rule, encryption of electronic protected health information (ePHI) is required, not addressable, for data both at rest and in transit. Multi-factor authentication is now mandatory for any system that touches ePHI, with no exceptions carved out for smaller practices.

For custom-built EHR systems, this matters more than it does for off-the-shelf software, because there's no vendor already handling these controls for you. Whoever builds your system is responsible for architecting compliance in from day one, not bolting it on after a security review flags a gap. This is especially important if you're migrating patient data from a legacy system into a new custom build, since compliance gaps are easiest to introduce during that transition.

Administrative Safeguards: The Paperwork That Isn't Just Paperwork

Administrative safeguards make up roughly half of the HIPAA Security Rule's requirements, and they're where most audits actually start. Before OCR (the HHS Office for Civil Rights) looks at your encryption settings, they look at whether you can produce documentation proving you knew about your risks and did something about them.

At minimum, your custom EHR project needs:

  • A named Security Officer and Privacy Officer. In smaller organizations, this can be the same person, often a practice manager or administrator, not necessarily a dedicated compliance hire.
  • A documented Security Risk Analysis (SRA), reviewed at least annually and after any significant system change. Under the 2026 rule, risk ratings should be quantitative and aligned to NIST standards, not a subjective "high/medium/low" guess.
  • Written policies covering access control, data backup, incident response, and device management, reviewed and updated at least annually.
  • Workforce training at hire and annually thereafter, with individual completion records (name, date, content covered).
  • Six years of retained documentation for every SRA, policy, and training record. If it isn't written down and dated, it doesn't count as evidence during an audit.

Technical Safeguards: What Your Custom EHR Must Enforce by Default

This is the layer a development team controls directly, and it's where custom builds have an advantage, you can bake these in architecturally instead of hoping a third-party platform got it right.

  • Encryption everywhere. ePHI must be encrypted at rest (database and backup encryption) and in transit (TLS 1.2 or higher). This is now a hard requirement, not a recommendation.
  • Mandatory multi-factor authentication on every account with ePHI access, clinicians, admins, and any integrated third-party tool.
  • Role-based access control with unique user IDs. No shared logins, ever, even for small practices where "everyone just uses the front-desk account" feels convenient.
  • Automatic session timeout, typically after no more than 15 minutes of inactivity.
  • Audit logging with six-year retention, covering who accessed what record, when, and what changed.
  • Secure device disposal procedures, documented data wiping before any hardware is retired.

Business Associate Agreements: The Part People Forget Until It's Too Late

If your custom EHR integrates with a billing service, a cloud host, a lab interface, or an AI documentation tool, every one of those vendors is a Business Associate under HIPAA, and every one of them needs a signed Business Associate Agreement (BAA) before they touch PHI. A signed BAA alone isn't enough anymore, either: covered entities are now expected to obtain written verification, at least annually, that each business associate has actually implemented the technical safeguards they agreed to.

Practically, this means your EHR vendor selection process should include:

  • A complete inventory of every system or vendor with any access to ePHI.
  • Signed BAAs on file for all of them, with zero gaps.
  • A recurring (at minimum annual) verification process, not a one-time signature.

A Working Compliance Checklist

Use this as a starting audit for your development and compliance teams, not a substitute for a formal legal review.

Security Officer and Privacy Officer designated in writing
Current Security Risk Analysis on file, reviewed within the last 12 months
Written policies for access control, backup, incident response, and device management
Annual workforce training completed and documented for all staff with ePHI access
Encryption enforced at rest and in transit across all systems storing ePHI
MFA enforced on every account with ePHI access, no exceptions
Unique user IDs for all staff; no shared credentials
Audit logging enabled with 6-year retention
Session timeout configured (15 minutes or less)
Signed BAAs on file for every vendor touching ePHI
Annual written verification of vendor technical safeguards
Breach notification procedure documented and tested

What Happens If You Don't Meet This Bar

OCR enforcement penalties currently range from roughly $141 per violation up to over $2.1 million per violation category per year, and regulators have signaled that enforcement is shifting toward "willful neglect", meaning known, undocumented gaps are treated far more seriously than a good-faith mistake that was already being remediated. A documented plan to fix a known gap holds up in a review. An undocumented gap does not.

Frequently Asked Questions

Does a custom EHR need to be "HIPAA-certified" before launch?

There's no formal HIPAA certification body. HIPAA compliance is self-attested and enforced through audits and complaints, not a pass/fail certificate. What matters is whether you can demonstrate documented safeguards and technical controls when asked.

Is HIPAA compliance a one-time project or ongoing?

Ongoing. Risk analyses need annual review, policies need annual updates, and vendor safeguards need annual re-verification. Treat compliance as an operating rhythm, not a launch checklist you complete once.

Do small practices get more time to comply with the 2026 changes?

Some phasing exists for smaller organizations under the proposed rule, but the direction is clear: previously "addressable" controls like encryption and MFA are becoming mandatory across the board, regardless of practice size.