HIPAA Compliance Checklist for Custom EHR Systems (2026 Update)
Author
Fornex Health Team
Published
June 30, 2026

Quick answer: A HIPAA-compliant custom EHR needs three things in place before go-live: documented administrative safeguards (risk analysis, training, a named Security Officer), enforced technical safeguards (encryption at rest and in transit, mandatory MFA, audit logging), and signed Business Associate Agreements with every vendor that touches patient data. As of the 2026 HIPAA Security Rule update, several of these, encryption and MFA in particular, are no longer optional "addressable" items. They're mandatory.
If you're building or commissioning a custom EHR this year, this checklist walks through what "compliant" actually means in practice, not just on paper.
Why 2026 Changes the Compliance Bar
For over a decade, HIPAA let organizations treat certain security measures as "addressable", meaning you could implement a reasonable alternative or document why a control didn't apply to you. That flexibility is going away. Under the updated HIPAA Security Rule, encryption of electronic protected health information (ePHI) is required, not addressable, for data both at rest and in transit. Multi-factor authentication is now mandatory for any system that touches ePHI, with no exceptions carved out for smaller practices.
For custom-built EHR systems, this matters more than it does for off-the-shelf software, because there's no vendor already handling these controls for you. Whoever builds your system is responsible for architecting compliance in from day one, not bolting it on after a security review flags a gap. This is especially important if you're migrating patient data from a legacy system into a new custom build, since compliance gaps are easiest to introduce during that transition.
Administrative Safeguards: The Paperwork That Isn't Just Paperwork
Administrative safeguards make up roughly half of the HIPAA Security Rule's requirements, and they're where most audits actually start. Before OCR (the HHS Office for Civil Rights) looks at your encryption settings, they look at whether you can produce documentation proving you knew about your risks and did something about them.
At minimum, your custom EHR project needs:
- A named Security Officer and Privacy Officer. In smaller organizations, this can be the same person, often a practice manager or administrator, not necessarily a dedicated compliance hire.
- A documented Security Risk Analysis (SRA), reviewed at least annually and after any significant system change. Under the 2026 rule, risk ratings should be quantitative and aligned to NIST standards, not a subjective "high/medium/low" guess.
- Written policies covering access control, data backup, incident response, and device management, reviewed and updated at least annually.
- Workforce training at hire and annually thereafter, with individual completion records (name, date, content covered).
- Six years of retained documentation for every SRA, policy, and training record. If it isn't written down and dated, it doesn't count as evidence during an audit.
Technical Safeguards: What Your Custom EHR Must Enforce by Default
This is the layer a development team controls directly, and it's where custom builds have an advantage, you can bake these in architecturally instead of hoping a third-party platform got it right.
- Encryption everywhere. ePHI must be encrypted at rest (database and backup encryption) and in transit (TLS 1.2 or higher). This is now a hard requirement, not a recommendation.
- Mandatory multi-factor authentication on every account with ePHI access, clinicians, admins, and any integrated third-party tool.
- Role-based access control with unique user IDs. No shared logins, ever, even for small practices where "everyone just uses the front-desk account" feels convenient.
- Automatic session timeout, typically after no more than 15 minutes of inactivity.
- Audit logging with six-year retention, covering who accessed what record, when, and what changed.
- Secure device disposal procedures, documented data wiping before any hardware is retired.
Business Associate Agreements: The Part People Forget Until It's Too Late
If your custom EHR integrates with a billing service, a cloud host, a lab interface, or an AI documentation tool, every one of those vendors is a Business Associate under HIPAA, and every one of them needs a signed Business Associate Agreement (BAA) before they touch PHI. A signed BAA alone isn't enough anymore, either: covered entities are now expected to obtain written verification, at least annually, that each business associate has actually implemented the technical safeguards they agreed to.
Practically, this means your EHR vendor selection process should include:
- A complete inventory of every system or vendor with any access to ePHI.
- Signed BAAs on file for all of them, with zero gaps.
- A recurring (at minimum annual) verification process, not a one-time signature.
A Working Compliance Checklist
Use this as a starting audit for your development and compliance teams, not a substitute for a formal legal review.
What Happens If You Don't Meet This Bar
OCR enforcement penalties currently range from roughly $141 per violation up to over $2.1 million per violation category per year, and regulators have signaled that enforcement is shifting toward "willful neglect", meaning known, undocumented gaps are treated far more seriously than a good-faith mistake that was already being remediated. A documented plan to fix a known gap holds up in a review. An undocumented gap does not.
Frequently Asked Questions
Does a custom EHR need to be "HIPAA-certified" before launch?
There's no formal HIPAA certification body. HIPAA compliance is self-attested and enforced through audits and complaints, not a pass/fail certificate. What matters is whether you can demonstrate documented safeguards and technical controls when asked.
Is HIPAA compliance a one-time project or ongoing?
Ongoing. Risk analyses need annual review, policies need annual updates, and vendor safeguards need annual re-verification. Treat compliance as an operating rhythm, not a launch checklist you complete once.
Do small practices get more time to comply with the 2026 changes?
Some phasing exists for smaller organizations under the proposed rule, but the direction is clear: previously "addressable" controls like encryption and MFA are becoming mandatory across the board, regardless of practice size.
References
- OmniMD - HIPAA Compliance Checklist 2026: Is Your EHR Secure?
- Medcurity - 2026 HIPAA Compliance Checklist: Free Step-by-Step Guide
- ShieldForce - HIPAA Security Rule 2026: Checklist for Home Health Agencies
- DBL Lawyers - HIPAA Compliance Checklist (2026 Update)
- Medcurity - 2026 HIPAA Security Rule Changes: What Every Hospital Must Do
- HHS.gov - Summary of the HIPAA Security Rule
- HIPAA Journal - HIPAA Compliance Checklist
Ready to Build for the Future?
Don't let legacy architecture limit your potential. Connect with us to build a flexible, AI-ready healthcare application.
Talk to Our ExpertsRelated Insights
FHIR Trust Layer
FAST Security: The New FHIR Trust Layer Every Health IT Leader Needs to Understand
Interoperability
Healthcare Interoperability in 2026: The Rules Changed. Most Hospitals Have Not Caught Up.
AI Governance