HIPAA Compliance Checklist: The Only List You Need

Practical guidance for healthcare teams and business associates

Why You Need a HIPAA Compliance Checklist

The HHS HIPAA guidance runs over 100 pages. Most practices do not have time to read it, let alone implement it systematically. A compliance checklist gives you a concrete starting point - something you can work through with your team and actually mark done.

This checklist covers all three major rules: Privacy, Security, and Breach Notification. It also covers organizational requirements and annual maintenance tasks. Each section includes actionable items your practice can check off. Where a topic runs deep, we link to a dedicated guide so you can go further when you need to.

This is not a substitute for a formal HIPAA gap analysis. But it is the fastest way to identify where you stand and what needs attention first. Use it as a starting point, not a finish line.

Privacy Rule Checklist

The Privacy Rule governs how covered entities handle protected health information (PHI). It sets patient rights, limits on use and disclosure, and documentation requirements. For a full breakdown, see our guide to understanding the HIPAA Privacy Rule.

Notice of Privacy Practices

The Notice of Privacy Practices (NPP) is one of the most visible compliance requirements. Patients must receive it at the first point of service.

  • Your NPP is written in plain language a patient can actually understand
  • The NPP describes all uses and disclosures of PHI your practice makes
  • The NPP includes patient rights (access, amendment, restriction, accounting)
  • The NPP lists your complaint process and includes the HHS complaint address
  • You give the NPP to new patients at the first service delivery
  • You make a good-faith effort to get a signed acknowledgment from each patient
  • You keep signed acknowledgments on file (or document why you could not obtain one)
  • The NPP is posted in your facility in a clear, readable location
  • The NPP is available on your website if you have one
  • Your NPP is reviewed and updated whenever your privacy practices change
  • You notify current patients when you make a material change to the NPP

Patient Rights

Patients have specific rights under the Privacy Rule. Your practice must be able to fulfill each one when a patient asks.

  • You have a process for handling requests to access PHI (45 CFR 164.524)
  • You respond to access requests within 30 days (or 60 with one 30-day extension)
  • You have a process for requests to amend PHI (45 CFR 164.526)
  • You respond to amendment requests within 60 days
  • You have a process for accounting of disclosures requests (45 CFR 164.528)
  • You can provide an accounting of disclosures for the prior six years
  • You have a process for requests to restrict use or disclosure of PHI
  • You honor requests to restrict disclosure to health plans for services paid out-of-pocket in full
  • You have a process for patients requesting confidential communications
  • Staff know how to route patient rights requests to the right person

Minimum Necessary Standard

The minimum necessary standard requires that you limit PHI use, disclosure, and requests to the least amount needed to accomplish the purpose.

  • Your policies define what PHI each job role needs access to
  • Staff only access PHI relevant to their job function
  • You have policies limiting incidental disclosures (e.g., in waiting rooms, open workstations)
  • When you share PHI with other providers, you limit what you send to what they need
  • Fax cover sheets include a confidentiality notice
  • You do not leave PHI visible on unattended computer screens
  • Verbal conversations about PHI happen in areas where the public cannot overhear
  • Waiting room sign-in sheets do not reveal diagnosis or reason for visit

Business Associate Agreements

Any vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate. You need a signed Business Associate Agreement (BAA) with each one.

  • You have a current inventory of all business associates
  • Every business associate has a signed BAA on file
  • Each BAA meets the required elements under 45 CFR 164.504(e)
  • BAAs address the business associate's obligations if a breach occurs
  • You review BAAs when you add a new vendor or when a vendor's services change
  • Expired or unsigned BAAs are flagged and resolved promptly
  • Cloud vendors, EHR vendors, billing companies, and IT support are covered
  • Your BAAs require subcontractors to agree to the same restrictions

Staff Training on Privacy

Training is required. It must be documented. See our HIPAA employee training guide for what to cover. You can also use our HIPAA training service to deliver and track it automatically.

  • All workforce members complete Privacy Rule training during onboarding
  • Training covers your specific policies, not just generic HIPAA concepts
  • Refresher training runs at least annually
  • Additional training triggers when policies change or after a privacy incident
  • Training completion is documented with dates and employee names
  • Contractors and temporary staff receive training before accessing PHI
  • Training records are retained for at least six years

Security Rule Checklist

The Security Rule applies to electronic protected health information (ePHI). It requires administrative, physical, and technical safeguards. For a deep dive, read our HIPAA Security Rule compliance guide.

Administrative Safeguards

Administrative safeguards are the policies, procedures, and personnel requirements that form the foundation of your security program.

Risk Analysis and Risk Management

  • You have conducted a formal, documented risk analysis (45 CFR 164.308(a)(1))
  • The risk analysis covers all ePHI your organization creates, receives, maintains, or transmits
  • Identified risks have been assigned a likelihood and impact rating
  • You have a written risk management plan to address identified risks
  • High and medium risks have documented mitigation steps with owners and timelines
  • The risk analysis is updated at least annually or after significant operational changes

If you have not done a risk analysis, start with our guide on how to conduct a HIPAA risk assessment. We also offer a HIPAA risk assessment template you can use to structure the process.

Workforce Management

  • Your workforce clearance procedure screens new hires before they access ePHI
  • Access is terminated or modified promptly when employees change roles or leave
  • You conduct background checks appropriate to the level of ePHI access
  • Workforce supervision includes monitoring for inappropriate ePHI access
  • Sanctions are documented and consistently applied when policies are violated

Information Access Management

  • Access to ePHI is granted based on job function (role-based access control)
  • A process exists for authorizing access and documenting approvals
  • Access rights are reviewed when employee roles change
  • You have a procedure for establishing and modifying user access to workstations and applications

Security Awareness and Training

  • Security awareness training covers phishing, malware, and social engineering
  • Staff know how to recognize and report suspicious emails
  • Security reminders go out periodically throughout the year
  • Training is documented with completion dates

Security Incident Procedures

  • You have a written security incident response policy
  • Staff know how to report a suspected security incident
  • Incidents are logged, investigated, and documented
  • Your incident response connects to your breach notification procedures

Contingency Planning

  • You have a data backup plan that creates retrievable, exact copies of ePHI
  • Backups are tested regularly to confirm they can be restored
  • You have a disaster recovery plan for restoring data after a failure
  • Your emergency mode operations plan lets you maintain access to ePHI during a crisis
  • You have tested your contingency plan within the past year

Evaluation

  • You perform periodic technical and nontechnical evaluations of your security posture
  • Evaluations happen after environmental or operational changes
  • Evaluation results are documented and acted on

Physical Safeguards

Physical safeguards protect ePHI from unauthorized physical access, tampering, and theft.

Facility Access Controls

  • Access to areas where ePHI is stored or processed is limited to authorized personnel
  • Your facility has a documented contingency operations plan for physical access during emergencies
  • You have a facility security plan that protects against unauthorized physical access
  • Visitor access to sensitive areas is controlled and logged
  • Physical access logs are reviewed periodically
  • Server rooms, network closets, and storage areas are locked

Workstation Use and Security

  • Workstations that access ePHI are positioned to minimize viewing by unauthorized persons
  • You have written policies specifying the proper use of workstations
  • Workstations in public areas have privacy screens
  • Auto-lock is enabled on all workstations after a defined period of inactivity
  • Staff log out of applications before leaving their workstations unattended

Device and Media Controls

  • You have policies for receiving and removing hardware and electronic media
  • ePHI is removed from hardware before disposal or re-use (wiping or destruction)
  • You maintain a record of hardware movements within and outside your facility
  • Portable devices that access or store ePHI are tracked and accounted for
  • Lost or stolen devices are reported immediately and a remote wipe is initiated if possible

Technical Safeguards

Technical safeguards are the technology controls that protect ePHI and control access to it.

Access Controls

  • Each user has a unique login ID - no shared accounts
  • You have an emergency access procedure for obtaining ePHI during an emergency
  • Automatic logoff is implemented on systems containing ePHI
  • ePHI is encrypted and decrypted using appropriate mechanisms

Audit Controls

  • Systems containing ePHI generate audit logs of activity
  • Audit logs capture who accessed what, when, and what action was taken
  • Audit logs are reviewed regularly for anomalies
  • Log retention meets your policies and applicable requirements

Integrity Controls

  • You have mechanisms to confirm ePHI has not been altered or destroyed without authorization
  • File integrity monitoring is in place for systems storing ePHI
  • Data transmission integrity is verified using checksums or message authentication

Transmission Security

  • ePHI transmitted over open networks (internet, email) is encrypted
  • You use TLS or equivalent for web-based ePHI transmission
  • Unencrypted email is not used to send ePHI without patient authorization
  • Encrypted email or a secure messaging platform is available for clinical communications

For specifics on what encryption is required and what counts as sufficient, see our HIPAA encryption requirements guide.

Breach Notification Rule Checklist

The Breach Notification Rule requires covered entities to notify patients, HHS, and in some cases media outlets, when unsecured PHI is breached. Your full breach response plan should be documented in advance. Read our HIPAA breach response plan guide to build one from scratch.

Breach Detection

  • You have a process for identifying potential breaches as quickly as possible
  • Staff know how to report suspected breaches internally
  • A designated person or team is responsible for investigating breach reports
  • Your investigation process includes a four-factor risk assessment to determine if a breach occurred
  • You apply the four-factor test: nature of PHI, who accessed it, whether PHI was acquired or viewed, extent of mitigation
  • Unsecured PHI that has been breached is presumed reportable unless the four-factor test shows low probability of compromise
  • Your security incident log captures potential breaches so they can be reviewed
  • You track breach investigation timelines to ensure notifications meet deadlines

Notification Requirements

Patient Notification

  • Individual notifications go out within 60 days of discovering the breach
  • Notifications are sent by first-class mail (or email if the patient has agreed)
  • Your notification letter includes all required elements: description of the breach, types of PHI involved, steps individuals should take, what you are doing to investigate and prevent recurrence, and your contact information
  • If you cannot reach 10 or more individuals, you use substitute notification (website post or major media)
  • If contact information is out of date for fewer than 10 individuals, you use an alternative form of notice (phone or other written notice)

HHS Notification

  • Breaches affecting 500 or more individuals are reported to HHS within 60 days of discovery
  • Breaches affecting fewer than 500 individuals are logged and reported to HHS annually by March 1
  • Your breach log captures all required fields for the HHS annual report
  • You report through the HHS Breach Reporting Portal (ocrportal.hhs.gov)

Media Notification

  • If a breach affects 500 or more residents of a state or jurisdiction, you notify prominent media outlets in that area
  • Media notification happens within 60 days of discovery
  • Media notification is documented
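A small decision helper for the notification rules above, as an added example that is not part of the original checklist. It encodes only the thresholds and deadlines stated in this section; the names (`BreachFacts`, `plan_notifications`) and the per-state counts used in the comments are my own, constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Thresholds and deadlines exactly as the checklist states them.
NOTIFY_WINDOW_DAYS = 60           # individual, HHS (>=500) and media notices
LARGE_BREACH_THRESHOLD = 500      # triggers a 60-day HHS report and media notice
SUBSTITUTE_NOTICE_THRESHOLD = 10  # unreachable individuals -> substitute notice


@dataclass
class BreachFacts:
    discovered: date
    # Affected individuals per state/jurisdiction, e.g. {"TX": 650, "OK": 40}
    # (constructed sample values; use your own breach investigation data).
    affected_by_jurisdiction: dict
    unreachable: int = 0             # individuals with out-of-date contact info
    low_probability_of_compromise: bool = False  # outcome of the four-factor test


@dataclass
class NotificationPlan:
    reportable: bool
    actions: list = field(default_factory=list)  # (what, deadline) tuples

    def deadlines(self) -> dict:
        return dict(self.actions)


def plan_notifications(facts: BreachFacts) -> NotificationPlan:
    """Return every notice the checklist requires and its calendar deadline."""
    plan = NotificationPlan(reportable=not facts.low_probability_of_compromise)
    if not plan.reportable:
        # Unsecured PHI is presumed reportable; a low-probability finding must
        # still be documented even though no notices go out.
        plan.actions.append(("document four-factor risk assessment", facts.discovered))
        return plan

    total = sum(facts.affected_by_jurisdiction.values())
    deadline = facts.discovered + timedelta(days=NOTIFY_WINDOW_DAYS)

    plan.actions.append(("individual notice (first-class mail or agreed email)", deadline))
    if facts.unreachable >= SUBSTITUTE_NOTICE_THRESHOLD:
        plan.actions.append(("substitute notice (website post or major media)", deadline))
    elif facts.unreachable > 0:
        plan.actions.append(("alternative notice (phone or other written notice)", deadline))

    if total >= LARGE_BREACH_THRESHOLD:
        plan.actions.append(("HHS report via breach portal", deadline))
    else:
        # Smaller breaches go in the annual log, due March 1 of the following year.
        plan.actions.append(("HHS annual log submission",
                             date(facts.discovered.year + 1, 3, 1)))

    # Media notice is per jurisdiction: 550 people split 300/250 across two
    # states needs the HHS report but no media notice at all.
    for jurisdiction, count in sorted(facts.affected_by_jurisdiction.items()):
        if count >= LARGE_BREACH_THRESHOLD:
            plan.actions.append((f"media notice in {jurisdiction}", deadline))

    return plan
```

The per-jurisdiction loop is the part teams most often get wrong: the 500 threshold for media notice is counted per state, while the 500 threshold for the immediate HHS report is counted in total.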

Documentation

  • All breach investigations are documented, including the four-factor risk assessment
  • Notification letters sent to individuals are retained on file
  • Proof of mailing or delivery is retained
  • Your breach log is maintained and updated for each incident
  • Documentation is retained for at least six years from the date of creation or last effective date
  • Post-breach reviews are conducted to identify root causes and improve controls

Organizational Requirements Checklist

Beyond the three major rules, HIPAA has organizational requirements that apply to every covered entity. These are frequently overlooked - but they are required.

Privacy Officer

  • You have designated a Privacy Officer responsible for developing and implementing privacy policies
  • The Privacy Officer is the contact point for patient rights requests and complaints
  • The Privacy Officer's identity and contact information are included in the NPP
  • The Privacy Officer has sufficient authority and resources to do the job

Security Officer

  • You have designated a Security Officer responsible for developing and implementing security policies
  • The Security Officer oversees the risk analysis and risk management processes
  • In small practices, the same person may hold both roles - this is acceptable if they have the knowledge and time to do both

Policies and Procedures

  • You have written policies and procedures for all required HIPAA safeguards
  • Policies are specific to your organization - not just a generic template
  • Policies are reviewed and updated when operations, technology, or regulations change
  • Staff can locate and reference policies when needed
  • Policies cover: privacy, access, training, breach response, BAAs, device disposal, and contingency planning at minimum

Documentation Retention

  • All HIPAA-required documentation is retained for at least six years from the date of creation or last effective date
  • Training records are retained for six years
  • BAAs are retained for six years after the agreement ends
  • Breach documentation is retained for six years
  • Risk analysis documentation is retained for six years
  • Audit logs from systems containing ePHI are retained per your policy
  • You have a documented records retention schedule

Complaint Process

  • You have a documented process for receiving and handling patient complaints about privacy practices
  • The complaint process is described in your NPP
  • Patient complaints are documented and investigated
  • You do not retaliate against anyone who files a complaint in good faith
  • Staff are trained not to intimidate or retaliate against patients who exercise their rights

Workforce Sanctions

  • You have a written sanctions policy for workforce members who violate HIPAA policies
  • Sanctions are applied consistently - similar violations get similar consequences
  • Sanction actions are documented

Annual Maintenance Checklist

HIPAA compliance is not a one-time project. It requires ongoing maintenance. Use this checklist at least once a year - or whenever significant changes occur in your operations, technology, or workforce.

Review and Update Each Year

  • Update your risk analysis to reflect new systems, new staff, new services, or new threats
  • Review your risk management plan and close out completed items
  • Review and update your policies and procedures for any changes in operations or law
  • Deliver annual HIPAA refresher training to all workforce members
  • Audit your business associate list and confirm every vendor has a current, signed BAA
  • Review user access rights to confirm they match current job functions
  • Terminate any access still held by former employees or contractors that was not removed at separation
  • Test your data backup and disaster recovery procedures
  • Review your contingency plan and update contact information and procedures
  • Audit workstation configurations for auto-lock, encryption, and software updates
  • Confirm all portable devices are inventoried and accounted for
  • Review audit logs from the prior year for anomalies or unresolved incidents
  • Submit your annual breach log to HHS by March 1 for incidents from the prior year (if any)
  • Update your NPP if your practices have changed
  • Notify patients of any material changes to the NPP
  • Review the Security Officer and Privacy Officer designations - are these still the right people?

Triggered Reviews

These items should happen in response to specific events - not just annually.

  • After a breach or near-miss: conduct a root cause analysis and update controls
  • After a new technology deployment: update the risk analysis before go-live
  • After a significant staff change: review access rights and training status
  • After a merger or acquisition: assess the new entity's HIPAA posture and integrate it
  • After an HHS investigation or audit: implement all corrective action plan items on schedule
  • After a major HIPAA regulatory change: update policies, train staff, and document the update

HIPAA Compliance by Practice Type

The checklist above applies to all covered entities. But certain practice types have additional considerations worth flagging.

Dental practices often underestimate their HIPAA exposure. X-rays, treatment records, and insurance data all count as PHI. See our HIPAA compliance guide for dental practices for a specialty-specific breakdown.

Small practices and solo providers sometimes assume they are too small to matter. They are not - OCR investigates complaints from any size entity. Our HIPAA compliance starter kit for small practices covers what to prioritize when resources are limited.

Any covered entity evaluating their cost exposure should read our HIPAA compliance cost breakdown to understand what a compliant program actually costs compared to the cost of non-compliance.

What Happens If You Are Not Compliant

HIPAA violations carry civil and criminal penalties. Civil penalties range from $100 to $50,000 per violation, with annual caps up to $1.9 million per violation category. Criminal penalties apply when violations are willful. Our HIPAA violations and penalties guide covers the full penalty tiers and how OCR determines which tier applies.

The practical risk is not just the fine. Investigations are time-consuming, public, and damaging to patient trust. A corrective action plan can run for years. Proactive compliance costs far less.

"The cost of a data breach in healthcare averages over $10 million per incident - the highest of any industry. Most small practices cannot survive a major breach event."

IBM Cost of a Data Breach Report 2023

Frequently Asked Questions

How often do I need to update my HIPAA compliance program?

At minimum, annually. The risk analysis must be updated whenever there are significant changes to your operations, technology, or workforce - not just on a calendar schedule. Policies should be reviewed annually and updated whenever your practices change. Training must happen at onboarding and at least annually after that. The six-year documentation retention rule applies to everything.

Does HIPAA apply to my small practice with only two employees?

Yes. HIPAA applies to covered entities regardless of size. Covered entities include health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with standard transactions. If you bill insurance electronically, you are a covered entity. Size affects how you implement compliance - not whether you have to comply.

What is the difference between the Privacy Rule and the Security Rule?

The Privacy Rule covers all forms of PHI - paper, verbal, and electronic. It sets rules for who can see or use PHI and what rights patients have. The Security Rule covers only electronic PHI (ePHI). It sets requirements for the administrative, physical, and technical controls that protect ePHI from unauthorized access, use, or disclosure. Most practices need to comply with both.

Do I need a HIPAA compliance officer?

Yes. HIPAA requires covered entities to designate a Privacy Officer and a Security Officer. In small practices, these can be the same person. The role can be held by a staff member, a contractor, or an outsourced compliance service. The requirement is that someone is clearly accountable for developing and implementing your privacy and security policies. This cannot be left to "everyone" or no one.

What is a business associate, and do I really need a BAA with all of them?

A business associate is any entity that performs a function or activity on your behalf that involves creating, receiving, maintaining, or transmitting PHI. This includes your EHR vendor, billing company, IT support provider, cloud storage provider, and anyone else who touches PHI as part of providing services to you. You need a signed BAA with every one of them. If they refuse to sign a BAA, you cannot legally share PHI with them. There are no exceptions for vendors who say they are "HIPAA compliant" without a BAA - the signed agreement is the requirement.

What counts as a HIPAA breach?

A breach is an impermissible use or disclosure of unsecured PHI that compromises the security or privacy of the information. It is presumed to be reportable unless you can demonstrate through a four-factor risk assessment that there is a low probability the PHI was compromised. Common breaches include: unauthorized access by a workforce member, a lost or stolen device with unencrypted PHI, a misdirected fax or email, and a ransomware attack. Accidental disclosures to another provider in the course of treatment may not be breaches - but they still need to be assessed.

Start With a Gap Analysis

A checklist tells you what to look for. A gap analysis tells you exactly where you stand.

If you have worked through this list and found gaps, the next step is to prioritize. Not every gap carries the same risk. A formal HIPAA gap analysis identifies your highest-risk exposures and gives you a sequenced action plan - so you fix the most important things first instead of guessing.

Our platform also handles the ongoing work: policy distribution, annual training delivery, BAA tracking, and documentation - all in one place. If you are starting from scratch, our HIPAA compliance starter kit is the right entry point. If you want to understand the investment involved, start with our HIPAA compliance cost breakdown.

HIPAA compliance is not a one-time event. It is an ongoing program. This checklist gives you the foundation. The work is in maintaining it year after year - and having the systems in place to make that maintenance manageable. That is what we built the OGC platform to do.