It seems every time I turn around there's another company waving their standards about, proclaiming profound success for those lucky few who were brave enough to listen to them. If I'm being fair, I think I have a HIPAA compliance checklist bouncing around this blog somewhere. Truth be told, it's because everyone has them. In my naivety, I followed along without knowing any better.
Every HIPAA vendor offers a free checklist. None of them will make you HIPAA compliant. A checklist may help you organize your thoughts, but no auditor is coming into your office asking to see a completed 10-question HIPAA compliance checklist next to your risk analysis and written policies.
Why Do HIPAA Compliance Checklists Fail?
The short answer: HIPAA compliance checklists, as a marketing tool, lack originality. With all the advanced technology that nearly all of humanity enjoys at its leisure, there's still someone out there attaching a PDF to a note they're sending a prospective customer. I yawned while writing that. I thought we were selling software here? That we were high-tech and futuristic?
There's no better idea out there in the marketplace than a... a packet? I find this very hard to believe.
What OCR Actually Asks For
When OCR audits you, they don't ask "do you have a checklist?" They ask for evidence of a living process.
Specifically, they request:
- Your most recent enterprise-wide risk analysis (with dates)
- Your risk management plan (what you're doing about the findings)
- Written policies and procedures with revision history
- Business Associate Agreements and a current vendor inventory
- Workforce training records — who was trained, when, on what
- Access management evidence — who has access to what, provisioning and termination logs
- System audit logs and monitoring reports
- Incident and breach log with associated risk assessments
- Contingency and disaster recovery plans with test results
That's nine categories of living documentation. Not one of them is "a checklist you downloaded."
The key phrase from OCR's audit protocol: they want policies and procedures "adopted and employed." "Adopted" means you wrote them. "Employed" means you can prove staff actually follow them. A checklist proves neither.
And the enforcement backs this up. Gums Dental Care, a solo Maryland dental practice, was fined $70,000 for refusing to give a patient her records within 30 days. A checklist wouldn't have saved them. A system that tracked the request and escalated it would have. Three more dental practices were fined a combined $135,000 in 2022 for the same right-of-access violation. Since 2019, OCR has taken 50+ enforcement actions specifically on patient right of access — many against small practices, not hospitals.
The pattern: small practices get fined not for lacking a checklist, but for lacking a process. They knew the rules. They just didn't have a system that made following them automatic.
The Checklist Concept Isn't Wrong — The Format Is
A checklist is just a sequence of tasks. That's fine. The problem is when the sequence lives on paper and dies in a drawer. What if the checklist ran itself?
What actually works isn't far from a checklist in theory. In practice, automating each step is how we pull this process out of drudgery and into the 21st century. We don't need to play a work version of connect the dots: deficiency to remediation, remediation to a written policy. AI is touted as being able to remove the repetitive tasks from dull work, and to a fair extent it can take over the boring parts for you. That doesn't mean you hand the whole job to Claude. Instead, you become the manager of your dull work projects rather than the mill worker breathing soot all day. We don't get rid of the checklist. We bake it into the "set-it-and-forget-it machine" that agentic AI has become.
What This Looks Like in Action
A gap is identified in your risk analysis. The system generates the remediation plan, assigns the corrective policy, tracks the deadline, and logs it for audit — no printing, no killing trees, no forgetting, and no saying "dangit, where did I just put that thing?"
That's the difference between a checklist and a compliance program. One sits in a drawer. The other runs whether you remember to check it or not.
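As an added illustration (not One Guy Consulting's product and not code from this post), here is a minimal tracker in the spirit of the system described above, covering both the records-request case from the Gums Dental Care discussion and the risk-analysis gap case: each open item gets a deadline and an owner, is escalated before the deadline lapses, is flagged when it passes, and every state change lands in an append-only log with a date, which is the kind of dated evidence OCR asks for. The 30-day window is the right-of-access deadline cited above; the seven-day escalation window and the owner names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

RIGHT_OF_ACCESS_DAYS = 30   # HIPAA right-of-access deadline for patient record requests
ESCALATE_WITHIN_DAYS = 7    # assumed: escalate a week before any deadline lapses

@dataclass
class Item:
    kind: str          # "records_request" or "risk_finding"
    owner: str         # constructed role name, e.g. "front desk"
    opened: date
    due: date
    status: str = "open"

@dataclass
class Tracker:
    items: list = field(default_factory=list)
    log: list = field(default_factory=list)  # append-only, dated audit trail

    def _record(self, when: date, event: str, item: Item) -> None:
        self.log.append((when.isoformat(), event, item.kind, item.owner, item.status))

    def open_item(self, kind: str, owner: str, opened: date, days: int) -> Item:
        item = Item(kind, owner, opened, opened + timedelta(days=days))
        self.items.append(item)
        self._record(opened, "opened", item)
        return item

    def open_records_request(self, received: date, owner: str) -> Item:
        return self.open_item("records_request", owner, received, RIGHT_OF_ACCESS_DAYS)

    def review(self, today: date) -> list:
        """Daily sweep: escalate items nearing their deadline, flag overdue ones."""
        actions = []
        for item in self.items:
            if item.status == "closed":
                continue
            if today > item.due and item.status != "overdue":
                item.status = "overdue"
                self._record(today, "overdue", item)
                actions.append(f"OVERDUE: {item.kind} owned by {item.owner}, due {item.due}")
            elif item.status == "open" and today >= item.due - timedelta(days=ESCALATE_WITHIN_DAYS):
                item.status = "escalated"
                self._record(today, "escalated", item)
                actions.append(f"ESCALATE: {item.kind} owned by {item.owner}, due {item.due}")
        return actions

    def close(self, item: Item, when: date) -> None:
        item.status = "closed"
        self._record(when, "closed", item)
```

Run `review()` once a day from a scheduler; the `log` list is the dated trail an auditor can read, and the return value is what gets surfaced to the owner.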
FAQs
What is a HIPAA compliance checklist?
A HIPAA compliance checklist is a list of tasks or requirements meant to help organizations track their obligations under HIPAA. While useful as a starting point, a checklist alone does not make an organization compliant. OCR auditors ask for evidence of living processes, not completed checklists.
What does OCR look for in a HIPAA audit?
OCR requests nine categories of documentation including a current risk analysis, risk management plan, written policies with revision history, training records, access management logs, and incident reports. The key phrase from their audit protocol is that policies must be "adopted and employed," meaning written down and provably followed.
Can a small practice get fined for HIPAA violations?
Yes. Since 2019, OCR has taken 50+ enforcement actions under its Right of Access Initiative, many against solo and small practices. Gums Dental Care, a one-dentist practice in Maryland, was fined $70,000 in 2024 for failing to provide patient records within 30 days.
What is the difference between a HIPAA checklist and a compliance program?
A checklist is a static list of tasks. It tells you what to do but can't verify that you did it. A compliance program is a living system that tracks risk assessments, assigns remediation, logs training, and produces audit-ready evidence automatically.
Conclusion
HIPAA compliance checklists aren't going anywhere. Vendors will keep handing them out because they're cheap to make and easy to gate behind an email form. But if you've read this far, you already know the difference between checking a box and running a compliance program.
OCR doesn't care what you downloaded. They care what you can prove. If your policies are adopted, your staff is trained, your risks are documented, and your systems track it all without you having to remember, you're compliant. If not, no checklist is going to save you.
One Guy Consulting builds the system that replaces the checklist. Start a free trial and see what audit-ready actually looks like.
Sources
- HHS OCR HIPAA Audit Protocol (Updated July 2018)
- HHS — Gums Dental Care $70,000 Penalty (Oct 2024)
- HHS — Three Dental Practice Settlements (Sept 2022)
- HHS — HIPAA Enforcement Highlights
- Nixon Peabody — OCR Right of Access Initiative (March 2025)