The Ultimate IT HIPAA Compliance Checklist for Milwaukee Businesses in 2025

HIPAA compliance has always been important, but 2025 marks a turning point.
For Milwaukee’s healthcare practices, dental offices, imaging centers, and business associates, new federal updates are reshaping how data protection is measured and enforced.

In January 2025, the Department of Health and Human Services (HHS) introduced the first major update to the HIPAA Security Rule in more than ten years. The proposed rule makes encryption, multi-factor authentication (MFA), and regular vulnerability testing clear expectations for any organization handling electronic protected health information (ePHI).
You can read the full HHS proposal here: https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html.

Local businesses that handle patient data can no longer assume that “basic IT security” is enough. Maintaining compliance now directly affects your ability to renew cyber-insurance policies, satisfy vendor audits, and maintain patient trust.

This checklist gives Milwaukee business owners a step-by-step way to review where they stand today and what actions to take to stay ahead of 2025 requirements.

What’s Changing in 2025

Federal Developments

• Proposed Security Rule Update (January 2025)
  The HHS proposal removes the “addressable vs. required” distinction and sets clear requirements for MFA, full encryption, annual penetration testing, and vendor oversight.
  → Source: HHS.gov Fact Sheet on the HIPAA Security Rule NPRM
  → Additional analysis: Barr Advisory summary of 2025 HIPAA Security Rule changes
• Privacy Rule Adjustments (June 2025)
  A U.S. District Court vacated parts of the 2024 Privacy Rule concerning reproductive-health data, but HHS continues to treat that data as highly sensitive until a new rule is issued.
  → Source: HHS Reproductive Health Privacy Guidance
• Stronger Enforcement and Penalties
  The Office for Civil Rights (OCR) is prioritizing cases where organizations have failed to perform formal risk assessments or maintain technical safeguards.
  → Source: Reuters Legal Analysis, April 2025

Wisconsin and Local Context

Wisconsin follows HIPAA as the foundation for patient data protection, with additional requirements under Wis. Stat. § 146.82 (Confidentiality of Patient Health Care Records).
This means Milwaukee-area healthcare providers and IT vendors must not only comply federally but also ensure that all business associates and subcontractors protect patient data to the same standard.

Who Needs to Pay Attention

HIPAA applies to Covered Entities (such as healthcare providers, health plans, and clearinghouses) and Business Associates (vendors or service providers that create, receive, maintain, or transmit PHI).

In Milwaukee, that includes:

• Local medical and dental practices
• Imaging centers and diagnostic labs
• Behavioral health clinics and therapy offices
• Chiropractors and physical therapy practices
• IT service providers, MSPs, and hosting companies supporting healthcare organizations

If your company touches patient data in any way, you share responsibility for safeguarding it. Compliance is not just a legal requirement; it’s a sign of professionalism and trust.

The Complete HIPAA IT Compliance Checklist

1. Governance and Policy

• Appoint a Security Officer and Privacy Officer.
• Keep written privacy and security policies, reviewed at least once a year.
• Maintain current Business Associate Agreements (BAAs) with all vendors.
• Update policies to include MFA, encryption, and annual security testing.
• Report compliance status to ownership or leadership each year.

2. Risk Analysis and Asset Inventory

• Maintain an inventory of every system and device that handles ePHI.
• Conduct formal risk assessments annually and after major system changes.
• Document how data moves inside and outside your network.
• Score each risk by likelihood and potential impact, and create mitigation plans.
• Keep all documentation for at least six years, as HIPAA requires.

3. Technical Safeguards

• Encrypt all ePHI, whether stored or transmitted.
• Require MFA for all users with administrative or remote access.
• Enable detailed access logs and review them monthly.
• Perform vulnerability scans every six months and penetration tests annually.
• Segment your network to separate ePHI systems from other business traffic.
• Securely dispose of drives, devices, and media that once stored ePHI.

4. Administrative Safeguards

• Train every employee on HIPAA and cybersecurity basics each year.
• Apply role-based access control and revoke credentials immediately upon termination.
• Maintain a business continuity and disaster recovery plan, tested annually.
• Keep an incident response plan and conduct periodic tabletop exercises.
• Include cybersecurity and breach notification clauses in all vendor contracts.

5. Physical Safeguards

• Restrict physical access to servers and storage rooms.
• Log all visitors and vendors entering sensitive areas.
• Lock or auto-logout all workstations when unattended.
• Properly destroy paper and electronic media that contain PHI.
• Review building access controls and cameras annually.

6. Privacy Rule and Data Use

• Post an updated Notice of Privacy Practices and distribute it to patients.
• Ensure patients can access or request amendments to their records within 30 days.
• Apply the “minimum necessary” principle for all disclosures.
• Obtain written authorization before using PHI for marketing or other non-treatment purposes.
• Review Wisconsin’s state privacy laws for added obligations.

7. Breach Response and Reporting

• Define how your organization identifies and classifies breaches.
• Notify affected individuals, HHS, and media (if required) within 60 days.
• Document every incident, investigation, and resolution.
• Retain breach documentation for at least six years.
• Build a relationship with local IT forensics and legal partners for faster response.

8. Continuous Improvement

• Perform internal HIPAA audits every year.
• Track metrics such as employee training completion and vendor compliance.
• Fix issues quickly and document remediation.
• Subscribe to HHS OCR updates and Wisconsin healthcare bulletins.

Implementation Roadmap for Milwaukee Businesses

Phase	Focus	Key Milestones
Phase 1 (0–60 Days)	Immediate Risk Reduction	Complete a risk assessment, enable MFA, and encrypt all devices and backups.
Phase 2 (60–120 Days)	Operational Readiness	Update policies, retrain staff, and renew vendor BAAs.
Phase 3 (Ongoing)	Long-Term Compliance	Conduct annual audits, refresh training, and update plans as new rules are finalized.

For most small and mid-sized Milwaukee businesses, partnering with a local IT and cybersecurity provider simplifies compliance. Regular reviews and documentation keep HIPAA readiness part of everyday operations rather than a once-a-year scramble.

Final Thoughts

HIPAA compliance does not have to be complicated.
Start with documentation, address one area at a time, and keep improving.

Milwaukee businesses that act early will have fewer challenges when the 2025 Security Rule becomes law. They’ll also gain a stronger cybersecurity posture and lower insurance risks.

At Centurion Data Systems, we help local organizations simplify compliance and secure their operations without disruption. If you’re unsure where to begin, we can walk you through the process.

Let’s make sure your business is protected before the next renewal cycle. Reach out today to schedule a consultation.