We’ve published some resources, free to use: https://www.hipaapotamus.com/
A checklist covering the technology aspects of HIPAA
A deep-dive into change tracking techniques in databases
Note that the checklist (like the law itself) is not specific about how to achieve each of these. A lot of organizations get hung up on this — you’re obligated to “isolate” data so that it’s not exposed to people that aren’t authorized, and to document your policies, procedures, and safeguards… but there’s a proliferation of inaccurate, dogmatic advice around how to implement this.
Ideas such as physical separation of servers, databases, or usage of specific features in specific database technologies might be good advice, but it’s all too common to see these used in ways that actually make applications less secure, or impose costs without conveying benefits because someone believed “HIPAA made us do it.”
For example, it’s not HIPAA’s fault that a system requires users create an “8–12 character password with at least 2 capital letters and no punctuation aside from exclamation points.” HIPAA only requires that organizations have “procedures for creating, changing, and safeguarding passwords” — that absurd password “complexity” rule came from the lowest-bidder contractor who copied code from another D-minus firm, neither of which could figure out how to handle the 40-character passphrase generated by your password manager or how to escape quotation marks.
The change-tracking document does go into implementation. The same techniques are broadly useful in non-healthcare settings, as well.
In fact, very little of the technical techniques are healthcare-specific. Properly anonymizing personal data is important for many sectors. Writing down your termination procedures so you don’t forget to disable that one account to that one website is good advice for any company.