HIPAA

HIPAA Compliance Checklist

A comprehensive HIPAA compliance checklist covering the Privacy Rule, Security Rule, Business Associate Agreements, workforce training, and breach response procedures.
Browse HIPAA topics
Business Associate Agreements (BAA)HIPAA Breach Notification RuleHIPAA Compliance ChecklistHIPAA Privacy RuleHIPAA Security Rule

HIPAA compliance checklist overview

Building and maintaining a HIPAA compliance program requires coordinating across privacy, security, vendor management, workforce training, and incident response. This checklist provides a structured walkthrough of the major requirements that covered entities and business associates must address.

This checklist is not a substitute for legal counsel or a formal risk assessment, but it serves as a practical framework for identifying gaps and tracking progress. For detailed guidance on individual topics, refer to the dedicated pages for the Security Rule, Privacy Rule, Breach Notification Rule, and Business Associate Agreements. The main HIPAA compliance page provides a high-level overview, and the HIPAA glossary entry covers foundational terms.

Privacy Rule checklist

The Privacy Rule governs the use and disclosure of PHI in all forms. Every covered entity and business associate must address the following:

Privacy official and NPP

  • Appoint a privacy officer with authority to develop and enforce privacy policies
  • Draft and distribute the Notice of Privacy Practices with all required content
  • Post the NPP at physical locations and on the organization's website
  • Revise and redistribute the NPP when material changes occur

Minimum necessary and individual rights

  • Define role-based access ensuring workforce members access only the PHI needed for their role
  • Establish standard protocols for routine disclosures and a review process for non-routine requests
  • Create documented processes for access requests (30 days), amendment requests (60 days), and accounting of disclosures
  • Establish procedures for restriction and confidential communication requests

Authorizations and permitted disclosures

  • Develop authorization forms with all required elements and track expiration dates
  • Document policies for each category of permitted use and disclosure
  • Establish verification procedures for third-party disclosure requests

Security Rule checklist

The Security Rule requires administrative, physical, and technical safeguards for ePHI. These requirements apply to all covered entities and business associates.

Designate a security official

  • Appoint a security officer responsible for developing and implementing security policies (may be the same person as the privacy officer in smaller organizations)
  • Document the appointment and ensure adequate authority and resources

Conduct and maintain a risk analysis

  • Identify all systems that create, receive, maintain, or transmit ePHI
  • Identify and document reasonably anticipated threats and vulnerabilities for each system
  • Assess current security measures in place
  • Determine the likelihood and impact of each identified threat
  • Assign risk levels and document a prioritized remediation plan
  • Schedule regular risk analysis updates (at least annually and after significant changes)
  • Maintain all risk analysis documentation for at least six years

Implement safeguards

  • Develop a risk management plan and sanction policies
  • Implement regular log reviews and workforce security procedures (authorization, supervision, termination)
  • Establish security awareness training covering passwords, malware, and incident reporting
  • Develop and test contingency plans: data backup, disaster recovery, and emergency operations
  • Establish facility access controls, workstation use and security policies, and device/media controls
  • Deploy technical access controls: unique user IDs, automatic logoff, encryption, and MFA
  • Implement audit controls and ePHI integrity mechanisms
  • Secure transmissions with encryption (TLS 1.2+)
  • Document all addressable specification assessments, decisions, and rationale

Business Associate Agreement checklist

BAAs must be in place before any PHI is shared with vendors and subcontractors. Managing BAAs is an ongoing operational responsibility.

Identify business associates

  • Inventory all vendors, contractors, and service providers that access, store, process, or transmit PHI
  • Evaluate each relationship to determine whether a BAA is required
  • Document the determination for each vendor, including rationale for cases where a BAA is deemed unnecessary
  • Include BAA evaluation in the procurement and vendor onboarding process

Execute compliant BAAs

  • Use a standardized BAA template that includes all required provisions under 45 CFR 164.504(e)
  • Ensure each BAA establishes permitted uses and disclosures consistent with the Privacy Rule
  • Include requirements for appropriate safeguards and Security Rule compliance
  • Include breach notification obligations with defined timelines (60 days or less)
  • Require subcontractor BAAs for downstream vendors handling PHI
  • Include provisions for PHI access, amendment, and accounting of disclosures
  • Include return-or-destroy provisions for PHI at agreement termination
  • Include termination rights for material BAA violations

Manage BAAs ongoing

  • Maintain a centralized BAA inventory with effective dates, renewal dates, and scope of PHI
  • Implement renewal tracking with automated reminders
  • Review and update BAAs when regulations change, services change, or agreements expire
  • Conduct periodic vendor risk assessments evaluating business associate security posture
  • Enforce return-or-destroy provisions when vendor relationships end
  • Monitor business associate compliance through certifications, audit reports, and incident reporting

Workforce training checklist

Training is required under both the Privacy Rule and Security Rule. Effective training reduces the likelihood of workforce-caused incidents and demonstrates organizational commitment to compliance.

Develop and deliver training

  • Create content covering Privacy Rule, Security Rule, breach reporting, and BAA awareness
  • Tailor training to job roles (clinical, IT, billing, administrative)
  • Train all new workforce members within a defined period after hiring
  • Deliver refresher training at least annually and when policies change
  • Document all training: dates, attendees, content, and acknowledgments
  • Maintain training records for at least six years

Breach response checklist

The Breach Notification Rule requires timely, documented responses to breaches of unsecured PHI.

Build and maintain the response framework

  • Develop a written incident response plan covering detection, investigation, assessment, notification, and remediation
  • Assign an incident response team with defined roles and escalation paths
  • Create pre-drafted notification templates for individuals, HHS, and media
  • Document the four-factor risk assessment process for evaluating potential breaches
  • Establish procedures for individual, HHS, and media notification
  • Conduct tabletop exercises at least annually
  • Maintain incident documentation for at least six years
  • Maintain a log of smaller breaches (under 500 individuals) for annual HHS submission

Documentation and record retention

HIPAA requires policies, procedures, and certain records be maintained for at least six years.

  • Maintain all HIPAA policies and procedures in a central, accessible location
  • Retain risk analysis, training, BAA, and incident documentation
  • Establish a document retention schedule with assigned responsibility
  • Implement version control for policies so prior versions remain accessible

Putting the checklist to work

This checklist is most effective as a living document. Healthcare organizations should conduct an initial gap assessment, prioritize remediation based on risk, assign ownership for each item, set deadlines, and review at minimum annually. Compliance is an ongoing process — regular review combined with thorough risk analysis forms the foundation of a sustainable HIPAA program.

Related topics

security-ruleprivacy-rulebreach-notificationbusiness-associate-agreements

Related terms

What is Access Control?What is an Audit Trail?What is a Business Associate Agreement (BAA)?What is Breach Notification?What is a Business Associate?What is a Covered Entity?What is Encryption?What is Evidence Collection?What is GRC?What is HIPAA?What is the HITECH Act?What is Incident Response?What is the Minimum Necessary Rule?What is Protected Health Information (PHI)?What is Security Awareness Training?

Continue exploring

What is Access Control?

Glossary definition

episki vs Drata

See how we compare

What Makes a CISO Metric Actually Useful?

From the blog

See how episki handles this

Start a free trial and explore controls, evidence, and automation firsthand.
Start free trialBook a walkthrough