HIPAA Compliance Checklist


Company Name:

Privacy Officer:

Plan Name:

Review Date:

HIPAA Privacy Rule Compliance

Designate a HIPAA Privacy Officer responsible for policy development and compliance

Appoint a Privacy Officer who is responsible for developing, implementing, and maintaining HIPAA privacy policies and procedures, serving as the point of contact for privacy inquiries, and overseeing the organization's compliance with the HIPAA Privacy Rule.

Develop and maintain written privacy policies and procedures

Create comprehensive written policies governing the use and disclosure of protected health information (PHI), including the minimum necessary standard, individual rights (access, amendment, accounting of disclosures), and permissible disclosures for treatment, payment, and health care operations.

Distribute the Notice of Privacy Practices (NPP) to plan participants

Provide the Notice of Privacy Practices to all health plan participants at enrollment, within 60 days of a material revision, and at least once every three years as a reminder, describing how PHI may be used and disclosed and the individual's privacy rights.

Implement the minimum necessary standard for PHI use and disclosure

Establish policies ensuring that workforce members access, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose, and apply role-based access controls to limit PHI exposure to authorized personnel.

Obtain valid written authorizations for non-routine uses and disclosures of PHI

Ensure that any use or disclosure of PHI not permitted or required by the Privacy Rule is supported by a valid, signed authorization from the individual that includes all required elements (description of PHI, purpose, expiration, right to revoke).

Establish procedures for individuals to exercise their HIPAA rights

Create processes for individuals to access their PHI, request amendments, obtain an accounting of disclosures, request restrictions on uses and disclosures, and request confidential communications, responding within the timeframes required by the Privacy Rule.

HIPAA Security Rule Compliance

Designate a HIPAA Security Officer responsible for electronic PHI (ePHI) safeguards

Appoint a Security Officer who is responsible for developing, implementing, and maintaining the administrative, physical, and technical safeguards required by the HIPAA Security Rule to protect electronic protected health information (ePHI).

Conduct a comprehensive risk analysis of ePHI

Perform a thorough risk analysis to identify potential threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI in all forms (at rest, in transit, and in use), and document the findings as required by 45 CFR 164.308(a)(1)(ii)(A).

Implement a risk management plan based on the risk analysis findings

Develop and execute a risk management plan that addresses each identified risk to ePHI with appropriate security measures, reducing risks to a reasonable and appropriate level considering the organization's size, complexity, and capabilities.

Implement access controls for systems containing ePHI

Deploy unique user identification, emergency access procedures, automatic logoff, and encryption and decryption mechanisms as technical safeguards to control access to systems that create, receive, maintain, or transmit ePHI.

Establish audit controls to record and examine ePHI access activity

Implement hardware, software, and procedural mechanisms to record and examine access and activity in information systems containing ePHI, and regularly review audit logs to detect unauthorized access or security incidents.
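The two items above (role-based access limited to the minimum necessary, and audit logs that are actually reviewed) can be checked mechanically. The following is an added example, not part of the checklist or any Hyring tooling: it parses a few constructed ePHI access-log lines, compares each read against a hypothetical role policy, and flags after-hours access and users who touched an unusually large number of distinct records. The log format, the roles, the business-hours window and the volume threshold are all assumptions chosen for illustration.

```python
"""Review ePHI access logs against a minimum-necessary role policy.

Added example (not from the checklist page). The log format, role policy,
business-hours window and volume threshold are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Hypothetical role policy: record types each role may read under the
# minimum necessary standard. Any role not listed is allowed nothing.
ROLE_POLICY = {
    "claims_processor": {"claim", "eligibility"},
    "benefits_admin": {"enrollment", "eligibility"},
    "it_support": set(),  # administers systems, never reads member records
}

# Constructed sample audit log: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2026-03-02T09:14:05 user=jdoe role=claims_processor action=read type=claim id=C-1001
2026-03-02T09:16:40 user=jdoe role=claims_processor action=read type=eligibility id=E-2207
2026-03-02T09:20:11 user=asmith role=benefits_admin action=read type=claim id=C-1002
2026-03-02T22:41:33 user=rlee role=it_support action=read type=claim id=C-1003
2026-03-02T10:05:00 user=asmith role=benefits_admin action=read type=enrollment id=N-3001
2026-03-02T10:05:30 user=asmith role=benefits_admin action=read type=enrollment id=N-3002
2026-03-02T10:06:02 user=asmith role=benefits_admin action=read type=enrollment id=N-3003
2026-03-02T10:06:45 user=asmith role=benefits_admin action=read type=enrollment id=N-3004
"""


def parse_log(text):
    """Turn each non-empty log line into a dict with a parsed timestamp."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, *fields = line.split()
        entry = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            entry[key] = value
        entries.append(entry)
    return entries


def review_log(entries, policy=ROLE_POLICY, business_hours=(7, 19), volume_threshold=3):
    """Return (user, finding_kind, detail) tuples for a reviewer to follow up.

    Finding kinds:
      policy_violation  - the role is not permitted to read that record type
      after_hours       - read occurred outside the business-hours window
      excessive_volume  - user read more distinct records than the threshold
    """
    findings = []
    records_by_user = defaultdict(set)
    start_hour, end_hour = business_hours

    for e in entries:
        user, role, rtype, rid = e["user"], e["role"], e["type"], e["id"]
        if rtype not in policy.get(role, set()):
            findings.append((user, "policy_violation", f"role {role} read {rtype} {rid}"))
        if not start_hour <= e["ts"].hour < end_hour:
            findings.append((user, "after_hours", f"{rtype} {rid} at {e['ts'].isoformat()}"))
        records_by_user[user].add(rid)

    # Volume check runs after the pass so it sees each user's full activity.
    for user, records in sorted(records_by_user.items()):
        if len(records) > volume_threshold:
            findings.append((user, "excessive_volume",
                             f"{len(records)} distinct records (threshold {volume_threshold})"))
    return findings


def summarize(findings):
    """Count findings per kind, useful for the periodic review record."""
    counts = defaultdict(int)
    for _, kind, _ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, kind, detail in review_log(parse_log(SAMPLE_LOG)):
        print(f"{kind:18} {user:8} {detail}")
```

Run as-is it reports the benefits administrator reading a claim record, the IT support account reading a claim record late at night, and the benefits administrator's five-record spread; the policy and thresholds are the knobs a Security Officer would tune to the organization's actual roles and working patterns.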

Implement physical safeguards for facilities and workstations with ePHI access

Establish facility access controls, workstation use policies, workstation security measures, and device and media controls to protect physical access to ePHI and the systems that store it.

Business Associate Agreements & Third-Party Management

Identify all business associates that create, receive, maintain, or transmit PHI

Conduct an inventory of all vendors, contractors, consultants, and service providers that perform functions involving the use or disclosure of PHI on behalf of the covered entity, including claims processors, IT service providers, third-party administrators (TPAs), and cloud storage providers.

Execute compliant Business Associate Agreements (BAAs) with all business associates

Enter into written BAAs with each business associate that include all elements required by 45 CFR 164.504(e), including permissible uses and disclosures, safeguards requirements, breach notification obligations, and return or destruction of PHI upon termination.

Ensure business associates extend BAA obligations to their subcontractors

Confirm that BAAs require business associates to obtain satisfactory assurances from their subcontractors that subcontractors will appropriately safeguard PHI, creating a chain of responsibility as required by the HITECH Act.

Periodically review and update BAAs for regulatory changes

Review all BAAs at least annually and upon any material change in the business relationship, HIPAA regulations, or breach of the agreement to ensure they remain current and enforceable.

Monitor business associate compliance with BAA obligations

Implement a process for periodically assessing business associate compliance with BAA obligations, including requesting evidence of security measures, reviewing incident reports, and addressing any identified deficiencies.

Breach Notification & Incident Response

Establish a breach identification and risk assessment process

Develop procedures to identify potential breaches of unsecured PHI and conduct a four-factor risk assessment (nature and extent of PHI, unauthorized person, whether PHI was actually acquired or viewed, and extent of risk mitigation) to determine whether breach notification is required.

Notify affected individuals within 60 days of discovering a breach

Provide written notification to each individual whose unsecured PHI was breached within 60 calendar days of discovery, including a description of the breach, types of PHI involved, steps the individual should take, what the organization is doing to mitigate harm, and contact information.

Report breaches affecting 500 or more individuals to HHS and the media

Notify the HHS Secretary through the HHS breach notification portal and provide notice to prominent media outlets serving the state or jurisdiction within 60 days for breaches affecting 500 or more individuals.

Log breaches affecting fewer than 500 individuals for annual reporting

Maintain a log of all breaches affecting fewer than 500 individuals and submit the log to the HHS Secretary within 60 days of the end of each calendar year via the HHS breach notification portal.

Document all breach investigations and response actions

Maintain comprehensive documentation of each breach incident including the risk assessment, notification decisions, remediation actions taken, and any policy or procedural changes implemented to prevent recurrence.

Training, Documentation & Ongoing Compliance

Train all workforce members on HIPAA privacy and security policies

Provide HIPAA training to all workforce members (including employees, volunteers, and trainees) upon hire and periodically thereafter, covering privacy and security policies, PHI handling procedures, breach reporting, and the consequences of non-compliance.

Provide role-specific training for workforce members with access to PHI

Deliver additional targeted training to individuals who handle PHI as part of their job functions, addressing specific procedures for their role, the minimum necessary standard, and proper PHI disposal methods.

Retain HIPAA policies, procedures, and documentation for at least six years

Maintain all HIPAA-related documentation including policies, procedures, risk analyses, training records, BAAs, breach logs, and privacy practice notices for a minimum of six years from the date of creation or the date last in effect, whichever is later.

Implement sanctions for workforce members who violate HIPAA policies

Establish and apply a sanctions policy for workforce members who fail to comply with HIPAA privacy and security policies, ranging from retraining to termination depending on the severity and nature of the violation.

Conduct periodic HIPAA compliance audits and assessments

Perform regular internal audits of HIPAA privacy and security practices, including risk analysis updates, policy reviews, access control assessments, and training program evaluations, to identify gaps and ensure continuous compliance improvement.

What Is a HIPAA Compliance Checklist?

A HIPAA compliance checklist is a structured tool that helps covered entities and business associates meet the requirements of the Health Insurance Portability and Accountability Act's Privacy Rule, Security Rule, and Breach Notification Rule. It covers policies and procedures for protecting protected health information, workforce training, risk assessments, business associate agreements, and breach response protocols. This checklist is essential for healthcare providers, health plans, healthcare clearinghouses, and any employer that self-administers a group health plan.

Why HR Teams Need This Checklist

Employers who sponsor group health plans are covered entities under HIPAA and must protect employee protected health information from unauthorized use and disclosure. HIPAA violations carry civil penalties ranging from $137 per violation for unknowing violations to $68,928 per violation for willful neglect, with annual maximums exceeding $2 million per violation category. This checklist helps HR teams establish and maintain the administrative, physical, and technical safeguards required to avoid costly penalties and reputational damage from breaches.

Key Areas Covered in This Checklist

This checklist covers Privacy Rule requirements including minimum necessary standards, notice of privacy practices, individual rights to access and amend PHI, authorization requirements, and designated record sets. It also addresses Security Rule administrative safeguards such as risk analysis, workforce training, and access management, physical safeguards for facilities and workstations, technical safeguards including access controls, audit logs, and encryption, business associate agreement requirements, and Breach Notification Rule response procedures.

How to Use This Free HIPAA Compliance Checklist

Use Hyring's free checklist generator to create a HIPAA compliance review customized to your organization's role as a covered entity or business associate. The Brief view provides a quick compliance posture assessment, while the Detailed view walks through each safeguard requirement with implementation guidance. Download the checklist to document your annual risk assessment, track policy updates, and maintain evidence of your compliance program for potential OCR audits.

Frequently Asked Questions

Who must comply with HIPAA?

HIPAA applies to covered entities, which include healthcare providers who transmit health information electronically, health plans including employer-sponsored group health plans, and healthcare clearinghouses. Business associates, meaning organizations that perform functions involving PHI on behalf of covered entities, must also comply with applicable HIPAA rules. Employers that sponsor self-insured health plans or self-administer aspects of fully insured plans may be subject to HIPAA requirements for the PHI they handle.

What is protected health information under HIPAA?

Protected health information is individually identifiable health information that is created or received by a covered entity and relates to past, present, or future physical or mental health conditions, the provision of healthcare, or payment for healthcare. PHI includes 18 specific identifiers such as names, dates, Social Security numbers, medical record numbers, and account numbers when linked to health information. Electronic PHI, or ePHI, is PHI that is created, stored, transmitted, or received in electronic form.

What is a business associate agreement and when is it required?

A business associate agreement is a written contract between a covered entity and a business associate that establishes the permitted uses and disclosures of PHI, requires appropriate safeguards, mandates breach reporting, and ensures the business associate will return or destroy PHI upon termination. A BAA is required before a covered entity shares PHI with any vendor, contractor, or service provider that will create, receive, maintain, or transmit PHI on its behalf. Failure to execute a BAA before sharing PHI is itself a HIPAA violation.

What is a HIPAA risk assessment and how often should it be conducted?

A HIPAA risk assessment is a systematic evaluation of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by a covered entity or business associate. The Security Rule requires a risk assessment but does not specify a frequency; however, OCR recommends conducting one annually and whenever significant changes occur in the organization's technology, operations, or environment. The risk assessment should identify threats, assess current security measures, determine the likelihood and impact of threat occurrence, and assign risk levels to guide remediation priorities.

What are the HIPAA breach notification requirements?

When a breach of unsecured PHI occurs, covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery of the breach. Breaches affecting 500 or more individuals require notification to the HHS Secretary and prominent media outlets in the affected jurisdiction within the same 60-day period. Breaches affecting fewer than 500 individuals may be reported to HHS annually. Business associates must notify their covered entity within the timeframe specified in the BAA, typically within 30 days of discovery.

What training must employers provide for HIPAA compliance?

Covered entities must train all workforce members on HIPAA policies and procedures relevant to their job functions, provide training to new members within a reasonable period after joining the workforce, and retrain when policies or procedures change in ways that affect their duties. Training should cover the minimum necessary standard, proper handling and disposal of PHI, recognizing and reporting security incidents and breaches, and sanctions for policy violations. Document all training including date, attendees, topics covered, and trainer information.

What is the minimum necessary standard under HIPAA?

The minimum necessary standard requires covered entities to make reasonable efforts to limit the use, disclosure, and request of PHI to the minimum amount necessary to accomplish the intended purpose. This means implementing role-based access controls so employees can only access the PHI they need for their job functions. The minimum necessary standard does not apply to disclosures to the individual, disclosures authorized by the individual, disclosures for treatment purposes, disclosures to HHS for enforcement, or uses required by law.

What are the penalties for HIPAA violations?

HIPAA civil penalties are structured in four tiers: Tier 1 for unknowing violations carries penalties of $137 to $68,928 per violation; Tier 2 for violations due to reasonable cause ranges from $1,379 to $68,928; Tier 3 for willful neglect that is corrected ranges from $13,785 to $68,928; and Tier 4 for willful neglect not corrected carries a minimum of $68,928 per violation. Annual maximums apply per violation category. Criminal penalties under Tier 1 include up to one year imprisonment, Tier 2 up to five years, and Tier 3 up to ten years for offenses committed with intent to sell or use PHI for personal gain.
Written by Adithyan RK
Fact checked by Surya N
Published on: 3 Mar 2026