The HIPAA Compliance Checklist
All the compliance news that's fit to check
A practical front-page review for privacy, security, and audit readiness.
Mark each ballot square as evidence is confirmed. This broadsheet-style checklist is arranged for a quick desk review across risk assessment, safeguards, workforce training, vendor agreements, incident response, and documentation readiness.
Risk Assessment
- Conducted a comprehensive risk assessment within the last 12 months
- Documented all identified risks and vulnerabilities to ePHI
- Created a risk management plan with remediation timelines
Policies & Procedures
- Written HIPAA Privacy and Security policies in place
- Policies reviewed and updated within the last 12 months
- All staff have signed acknowledgment of policies
- Designated a HIPAA Privacy Officer and Security Officer
Employee Training
- All workforce members completed HIPAA training this year
- Training covers Privacy Rule, Security Rule, and Breach Notification
- New hires receive training within 30 days of start date
- Training completion is documented with dates and signatures
Physical Safeguards
- Facility access controls are in place (locks, badges, visitor logs)
- Workstation security policies implemented
- Device and media disposal procedures documented
- Server rooms and network equipment physically secured
Technical Safeguards
- Unique user IDs and strong passwords required for all systems
- Encryption applied to ePHI at rest and in transit
- Automatic logoff and session timeout configured
- Audit logs enabled and reviewed regularly
Business Associate Agreements
- All vendors with ePHI access have signed BAAs
- BAA inventory is current and reviewed annually
- Vendor security practices are periodically assessed
Incident Response & Breach Notification
- Written incident response plan in place
- Breach notification procedures documented (60-day rule)
- Staff know how to report suspected breaches
- Incident log maintained with all security events
Documentation & Audit Readiness
- All HIPAA documentation retained for minimum 6 years
- Evidence of ongoing compliance activities maintained
- Ready to demonstrate compliance if audited by OCR
- Annual compliance review scheduled and documented
The Office for Civil Rights (OCR) conducts periodic audits of covered entities and business associates. Completing this checklist does not constitute legal compliance but serves as a practical self-assessment tool.
Organizations are advised to engage qualified HIPAA counsel and maintain documentation of all compliance activities for a minimum retention period of six years from the date of creation or last effective date.
For questions regarding the 2026 Security Rule updates, enforcement trends, or audit preparation strategies, contact One Guy Consulting for a confidential review of your compliance posture.