HIPAA Compliance Checklist

Use this comprehensive checklist to assess your organization's compliance with all major HIPAA requirements. Each item maps to a specific regulation reference (section numbers refer to 45 CFR Part 164) and includes a priority level and a beginner tip. Work through each category systematically, marking items as Compliant, Partially Compliant, Non-Compliant, or Not Applicable.

Administrative Safeguards

Conduct a comprehensive risk analysis identifying threats and vulnerabilities to all ePHI

164.308(a)(1)(ii)(A) Critical

💡 This is the single most important HIPAA requirement. Use the HHS Security Risk Assessment Tool (free) or NIST SP 800-30 methodology. Document EVERYTHING.

Implement a risk management plan to reduce identified risks to reasonable levels

164.308(a)(1)(ii)(B) Critical

💡 The risk management plan is your compliance roadmap. For each risk identified in the risk analysis, document the planned action, responsible person, timeline, and status.

Implement and enforce a sanction policy for workforce HIPAA violations

164.308(a)(1)(ii)(C) High

💡 Create a progressive discipline policy: first offense education, second offense written warning, third offense suspension or termination. Ensure consistency.

Conduct regular review of information system activity (audit log review)

164.308(a)(1)(ii)(D) High

💡 At minimum, review access logs monthly for anomalies. Set up automated alerts for high-risk events like after-hours access or bulk data downloads.
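
Added example, not part of the checklist: a small Python review script that works through the two alert types named in the tip (after-hours access and bulk data downloads) over a constructed access-log export. The log format, field names, business-hours window and bulk threshold are assumptions chosen for illustration; adapt them to the EHR or SIEM export you actually review.

```python
"""Flag high-risk events in an ePHI access log (illustrative, assumed format)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: ISO timestamp, user id, action, record count.
SAMPLE_LOG = """\
2024-03-04T09:12:05,jsmith,VIEW,1
2024-03-04T09:30:41,jsmith,VIEW,1
2024-03-04T23:47:10,jsmith,VIEW,1
2024-03-05T14:05:00,rjones,EXPORT,120
2024-03-05T14:06:30,rjones,EXPORT,150
2024-03-05T14:09:12,rjones,EXPORT,300
2024-03-09T10:15:00,akhan,VIEW,1
"""

BUSINESS_HOURS = (7, 19)         # assumed: 07:00-19:00 local time, Monday-Friday
BULK_THRESHOLD = 500             # assumed: records exported per user per window
BULK_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse the constructed CSV export into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "count": int(count)})
    return events


def after_hours(events):
    """Return events that fall outside business hours or on a weekend."""
    start, end = BUSINESS_HOURS
    return [e for e in events
            if e["ts"].weekday() >= 5 or not (start <= e["ts"].hour < end)]


def bulk_downloads(events):
    """Return (user, window_start, total_records) for each user whose EXPORT
    volume inside any BULK_WINDOW-long sliding window reaches BULK_THRESHOLD."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "EXPORT":
            by_user[e["user"]].append(e)
    findings = []
    for user, exports in by_user.items():
        lo, total = 0, 0
        for hi, e in enumerate(exports):
            total += e["count"]
            # Slide the window forward until it spans at most BULK_WINDOW.
            while exports[hi]["ts"] - exports[lo]["ts"] > BULK_WINDOW:
                total -= exports[lo]["count"]
                lo += 1
            if total >= BULK_THRESHOLD:
                findings.append((user, exports[lo]["ts"], total))
                break  # one finding per user is enough to trigger a review
    return findings


def review(text):
    """Produce the alert list a monthly reviewer would work through."""
    events = parse_log(text)
    alerts = [f"AFTER-HOURS {e['ts'].isoformat()} {e['user']} {e['action']}"
              for e in after_hours(events)]
    alerts += [f"BULK-EXPORT {ts.isoformat()} {user} {total} records within {BULK_WINDOW}"
               for user, ts, total in bulk_downloads(events)]
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

On the sample data the script flags one late-night view, one Saturday view, and one user who exported 570 records in just over four minutes. Each alert is a starting point for the documented review the tip calls for, not a conclusion: the reviewer records what was checked and how it was resolved.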

Designate a Security Officer responsible for security policies and procedures

164.308(a)(2) Critical

💡 This must be a named individual with documented responsibilities. In small practices, this can be the same person as the Privacy Officer.

Implement workforce authorization and supervision procedures

164.308(a)(3)(ii)(A) High

💡 Define who is authorized to access what ePHI. Create an access authorization matrix mapping roles to systems and data access levels.

Implement workforce clearance procedures for positions accessing ePHI

164.308(a)(3)(ii)(B) Medium

💡 Consider background checks for positions with access to sensitive ePHI. At minimum, verify credentials and references for all positions with PHI access.

Implement termination procedures that revoke ePHI access when workforce members leave

164.308(a)(3)(ii)(C) Critical

💡 Create a termination checklist: revoke Active Directory access, EHR access, VPN access, badge access, email access, and collect all devices. Complete within 24 hours of termination.

Implement information access management policies and procedures

164.308(a)(4)(i) High

💡 Establish a formal process: access request form, manager approval, security review, IT provisioning, documentation. No access without documented authorization.

Deliver security awareness training to all workforce members

164.308(a)(5)(i) Critical

💡 Train all staff at hire and annually thereafter. Include: PHI identification, password security, phishing awareness, physical security, incident reporting. Document all training with signed acknowledgments.

Implement security incident response procedures

164.308(a)(6)(i) Critical

💡 Create a clear incident response plan with roles, responsibilities, and escalation procedures. Conduct tabletop exercises at least annually.

Establish a contingency plan including data backup, disaster recovery, and emergency mode operations

164.308(a)(7)(i) Critical

💡 Implement automated, encrypted backups with offsite storage. Define recovery time objectives (RTOs) and recovery point objectives (RPOs) for each critical system. Test backup restoration quarterly.

Conduct periodic security evaluations

164.308(a)(8) High

💡 Evaluate your security program at least annually and after any significant changes. Consider engaging an independent assessor for objectivity.

Execute Business Associate Agreements with all vendors that access PHI

164.308(b)(1) Critical

💡 Inventory ALL vendors that touch PHI. No BAA = no PHI access. Track all BAAs in a central register with execution dates and review dates.

Physical Safeguards

Implement facility access controls to limit physical access to ePHI systems

164.310(a)(1) High

💡 Server rooms must be locked with access logging. Use badge readers or key cards for sensitive areas. Implement visitor sign-in procedures.

Establish workstation use policies specifying proper functions and physical attributes of workstation surroundings

164.310(b) Medium

💡 Ensure screens displaying PHI are not visible to unauthorized persons. Use privacy filters in public areas. Configure automatic screen lock.

Implement physical safeguards for workstations to restrict access to authorized users

164.310(c) High

💡 Encrypt all laptops. Use cable locks in shared spaces. Maintain a workstation inventory. Establish lost/stolen device reporting procedures.

Implement device and media disposal procedures ensuring ePHI is destroyed before disposal

164.310(d)(2)(i) Critical

💡 Never dispose of any device or media without secure wiping or physical destruction. Get certificates of destruction. Remember: old copiers and printers have internal hard drives.

Implement device and media re-use procedures to remove ePHI before re-use

164.310(d)(2)(ii) High

💡 Before repurposing any device, perform a certified wipe of all data. Reformatting is NOT sufficient — follow the NIST SP 800-88 guidelines for media sanitization.

Maintain accountability records for hardware and media movement

164.310(d)(2)(iii) Medium

💡 Track all devices containing ePHI: serial numbers, locations, assigned users, and movement history. Conduct annual physical inventory verification.

Technical Safeguards

Assign unique user identifiers for all users accessing ePHI (no shared accounts)

164.312(a)(2)(i) Critical

💡 Every single person gets their own login. Shared accounts like 'frontdesk' or 'nurse1' must be eliminated. This is non-negotiable.

Establish emergency access (break-glass) procedures for ePHI systems

164.312(a)(2)(ii) High

💡 Create a documented process for accessing ePHI in emergencies. Break-glass access should be logged, reviewed after every use, and reserved for genuine emergencies only.

Implement automatic logoff on all systems accessing ePHI

164.312(a)(2)(iii) High

💡 Configure screen lock after 2-5 minutes of inactivity in clinical areas, up to 15 minutes in private offices. Use Group Policy to enforce consistently.

Implement encryption for ePHI at rest and in transit

164.312(a)(2)(iv) Critical

💡 Encrypt databases (TDE), laptops (BitLocker/FileVault), backups, and all network transmissions (TLS 1.2+). Encryption is the HIPAA safe harbor: data that is lost or stolen while encrypted in line with HHS guidance is not "unsecured PHI" and does not trigger breach notification, provided the decryption key was not also compromised.

Implement audit controls that record and examine activity in ePHI systems

164.312(b) Critical

💡 Log all access to PHI: who, what, when, where, and how. Review logs regularly. Retain logs for 6 years. Use a SIEM if budget allows.

Implement integrity controls to protect ePHI from improper alteration or destruction

164.312(c)(1) High

💡 Use database constraints, triggers, and checksums. Implement file integrity monitoring. Never allow hard deletes of clinical records — use soft deletes with audit trails.
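
Added example, not part of the checklist: the tip's three controls (database constraints and triggers, checksums, and soft deletes with an audit trail) implemented on a small clinical-notes table in SQLite, which ships with Python. The schema, trigger and function names are assumptions made for illustration and do not correspond to any particular EHR.

```python
"""Integrity controls for clinical records in SQLite (illustrative schema)."""
import hashlib
import sqlite3

SCHEMA = """
-- Single-row table naming the application user performing the change.
CREATE TABLE session_actor (actor TEXT NOT NULL);

CREATE TABLE clinical_note (
    id          INTEGER PRIMARY KEY,
    patient_id  INTEGER NOT NULL,
    body        TEXT    NOT NULL,
    checksum    TEXT    NOT NULL,   -- SHA-256 of body, re-verified on demand
    deleted_at  TEXT,               -- NULL = live record; set = soft-deleted
    CHECK (length(checksum) = 64)
);

CREATE TABLE note_audit (
    id        INTEGER PRIMARY KEY,
    note_id   INTEGER NOT NULL,
    action    TEXT    NOT NULL,
    old_body  TEXT,
    new_body  TEXT,
    actor     TEXT    NOT NULL,
    at        TEXT    NOT NULL DEFAULT (datetime('now'))
);

-- Hard deletes are refused outright; records are retired via deleted_at.
CREATE TRIGGER no_hard_delete BEFORE DELETE ON clinical_note
BEGIN
    SELECT RAISE(ABORT, 'hard delete of clinical records is prohibited');
END;

-- Every change leaves an audit row with before/after values and the actor.
CREATE TRIGGER audit_update AFTER UPDATE ON clinical_note
BEGIN
    INSERT INTO note_audit (note_id, action, old_body, new_body, actor)
    VALUES (OLD.id,
            CASE WHEN NEW.deleted_at IS NOT NULL AND OLD.deleted_at IS NULL
                 THEN 'SOFT_DELETE' ELSE 'UPDATE' END,
            OLD.body, NEW.body, (SELECT actor FROM session_actor));
END;
"""


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def set_actor(conn, actor):
    """Record who is acting so the audit trigger can attribute changes."""
    conn.execute("DELETE FROM session_actor")
    conn.execute("INSERT INTO session_actor VALUES (?)", (actor,))


def add_note(conn, patient_id, body):
    cur = conn.execute(
        "INSERT INTO clinical_note (patient_id, body, checksum) VALUES (?, ?, ?)",
        (patient_id, body, sha256(body)))
    return cur.lastrowid


def amend_note(conn, note_id, new_body):
    conn.execute("UPDATE clinical_note SET body = ?, checksum = ? "
                 "WHERE id = ? AND deleted_at IS NULL",
                 (new_body, sha256(new_body), note_id))


def soft_delete(conn, note_id):
    conn.execute("UPDATE clinical_note SET deleted_at = datetime('now') "
                 "WHERE id = ? AND deleted_at IS NULL", (note_id,))


def hard_delete_allowed(conn, note_id):
    """Attempt a hard delete; the trigger is expected to refuse it."""
    try:
        conn.execute("DELETE FROM clinical_note WHERE id = ?", (note_id,))
        return True
    except sqlite3.DatabaseError:
        return False


def verify_integrity(conn):
    """Recompute checksums; return ids whose stored body no longer matches."""
    return [note_id for note_id, body, checksum in
            conn.execute("SELECT id, body, checksum FROM clinical_note")
            if sha256(body) != checksum]


def audit_trail(conn, note_id):
    return list(conn.execute(
        "SELECT action, old_body, new_body, actor FROM note_audit "
        "WHERE note_id = ? ORDER BY id", (note_id,)))
```

A change made outside the application (a direct UPDATE of `body` that skips the checksum recomputation, for instance after a faulty restore) shows up in `verify_integrity`, while the trigger-written audit rows answer "who changed what, and when" for every amendment and retirement.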

Implement person or entity authentication mechanisms

164.312(d) Critical

💡 Deploy MFA for all remote access and administrative accounts. Implement strong password policies. Prohibit shared credentials and default passwords.

Implement transmission security controls including encryption for ePHI in transit

164.312(e)(1) Critical

💡 Use TLS 1.2+ for all web traffic, encrypted VPN for remote access, secure email for PHI. Disable legacy protocols (SSLv3, TLS 1.0/1.1). Never send PHI over unencrypted channels.
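
Added example, not part of the checklist: how the TLS 1.2+ requirement from this item and the encryption-in-transit item above is enforced in a Python client, with an audit helper that reports the weak settings the tip says to disable. Only the standard `ssl` module is used; the function names are this example's own, and the intentionally weak context exists only to show what the audit catches.

```python
"""Enforce and audit TLS settings for ePHI transmission (standard library only)."""
import ssl


def hardened_client_context(cafile=None):
    """Client context for sending ePHI: TLS 1.2 minimum, certificate and
    hostname verification required. SSLv3, TLS 1.0 and TLS 1.1 are excluded
    by the minimum version; nothing needs to be disabled one by one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:
        ctx.load_verify_locations(cafile)   # assumed: an internal CA bundle
    else:
        ctx.load_default_certs()            # system trust store
    return ctx


def unverified_context():
    """The common development shortcut: encryption on, but no peer verification.
    Constructed here only so the audit below has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return findings for settings that violate the TLS 1.2+ and verification
    requirements; an empty list means the context passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum_version {ctx.minimum_version.name} "
                        "permits legacy protocol versions")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer certificate is not checked")
    if not ctx.check_hostname:
        findings.append("check_hostname is disabled: certificate is not tied to the host")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "pass")
    print("unverified:", audit_context(unverified_context()))
```

Run the audit against every context your code builds (or against `ssl.create_default_context()` as a baseline) so that a verification shortcut left over from development cannot reach production unnoticed.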

Privacy Rule Policies

Designate a Privacy Officer responsible for privacy policies and procedures

164.530(a)(1) Critical

💡 This must be a named individual. In small practices, the same person can serve as both Privacy and Security Officer. Document the designation in writing.

Develop and distribute a Notice of Privacy Practices to all patients

164.520 Critical

💡 Provide the NPP to every new patient, post it in the facility, and publish it on your website. Make a good-faith effort to obtain written acknowledgment of receipt; if the patient declines, document the attempt.

Implement Minimum Necessary policies for all uses and disclosures (except treatment)

164.502(b) High

💡 For each type of PHI use or disclosure, define what the minimum necessary information is. Train staff to share only what is needed, not entire records.

Establish procedures for patient rights: access, amendment, accounting, restrictions, confidential communications

164.524-164.528 Critical

💡 Create standardized forms and workflows for each patient right. Track requests with deadlines. The right to access (30 days) is the most common and most enforced.

Implement authorization procedures for uses and disclosures beyond TPO

164.508 High

💡 Create a valid authorization form that includes: description of PHI, who is disclosing, who is receiving, purpose, expiration date, right to revoke, and signature.

Train all workforce members on privacy policies and procedures

164.530(b) Critical

💡 Train at hire and annually. Include: what PHI is, permitted uses/disclosures, patient rights, minimum necessary, and how to report concerns. Document all training.

Breach Notification

Implement breach identification and investigation procedures

164.400-164.414 Critical

💡 Create a clear process for reporting suspected breaches. Train all staff to recognize and report potential breaches immediately.

Establish 4-factor risk assessment methodology for breach determination

164.402 Critical

💡 Document your methodology for evaluating: nature of PHI, who accessed it, whether it was actually viewed, and extent of mitigation. Every incident must go through this assessment.

Establish individual notification procedures (within 60 days of discovery)

164.404 Critical

💡 Pre-draft notification letter templates. Establish procedures for sending first-class mail or email (with prior consent). Include all required content elements.

Establish HHS notification procedures (within 60 days for 500+ affected; annual log for fewer)

164.408 Critical

💡 Know the HHS breach portal URL and have credentials ready. For breaches of 500+, report without unreasonable delay and no later than 60 days after discovery. For smaller breaches, maintain a log and submit annually.

Establish media notification procedures for breaches affecting 500+ residents of a jurisdiction

164.406 High

💡 Prepare a media notification template and identify prominent local media outlets in advance. Have a communications plan ready before you need it.

Maintain a breach log for all breaches affecting fewer than 500 individuals

164.408(c) High

💡 Create a breach log spreadsheet: date discovered, date of breach, number affected, type of PHI, description, individuals notified, HHS reported (annual submission).

Business Associate Management

Maintain a complete inventory of all Business Associates

164.308(b)(1) Critical

💡 Review all vendor contracts and accounts payable records. Any vendor that accesses, creates, receives, stores, or transmits PHI on your behalf is a BA.

Execute BAAs with all Business Associates before sharing any PHI

164.308(b)(1) Critical

💡 No BAA = no PHI sharing. This is absolute. If a vendor refuses to sign a BAA, find a different vendor.

Ensure BAAs contain all required Omnibus Rule provisions

164.314(a)(2) High

💡 Key provisions: safeguard implementation, breach notification, subcontractor requirements, access termination, PHI return/destruction, compliance with applicable Security Rule requirements.

Monitor Business Associate compliance (annual assessments or certifications)

164.308(b)(1) Medium

💡 Request SOC 2 Type II reports, HITRUST certifications, or send annual compliance questionnaires. Document your due diligence efforts.

Require BAs to ensure their subcontractors also comply with HIPAA

164.314(a)(2)(i)(B) High

💡 Your BAA must require BAs to flow down HIPAA obligations to any subcontractors who access PHI. Ask BAs for their subcontractor management procedures.

Training and Awareness

Deliver HIPAA privacy training to all workforce members at hire

164.530(b)(1) Critical

💡 Training should occur within 30 days of hire, ideally before the employee accesses any PHI. Cover basic privacy concepts, patient rights, and organizational policies.

Deliver HIPAA security awareness training to all workforce members at hire

164.308(a)(5)(i) Critical

💡 Cover: password security, phishing recognition, physical security, device security, incident reporting, and social engineering awareness.

Conduct annual HIPAA refresher training for all workforce members

164.530(b)(1) and 164.308(a)(5)(i) Critical

💡 Annual training should cover new threats, policy updates, lessons learned from incidents, and reinforce core concepts. Track completion and follow up on non-completions.

Deliver additional training when policies or procedures change materially

164.530(b)(2)(i)(C) High

💡 When you update a HIPAA policy, deliver targeted training to affected staff within a reasonable time. Document the training with the specific policy change covered.

Maintain training documentation for at least 6 years

164.530(j)(2) Critical

💡 Keep records of: training date, attendees, content covered, trainer, assessment results, and signed acknowledgments. Use an LMS for automated tracking and reporting.