HIPAA Compliance
Checklist Pack

The Privacy Rule establishes standards for the use and disclosure of PHI. Verify each item below with your Privacy Officer.

• Notice of Privacy Practices (NPP) is written, current, and distributed to all patients at first service delivery

  Cite: 45 CFR §164.520 · Must be updated whenever practices change
• Privacy Officer designated and documented with defined responsibilities

  Cite: 45 CFR §164.530(a) · Must be a specific named individual
• Minimum Necessary Standard policy in place — only access/disclose the minimum PHI needed

  Cite: 45 CFR §164.514(d)
• Patient authorization forms are HIPAA-compliant for all non-TPO disclosures

  Must include: description of PHI, recipient, purpose, expiration, patient signature
• Workforce training on Privacy Rule completed and documented annually

  Cite: 45 CFR §164.530(b) · Training records retained for 6 years
• Procedure in place for patients to request access to their PHI within 30 days

  Cite: 45 CFR §164.524 · 2021 rule allows extension to 60 days once
• Procedure for patients to request amendment of incorrect PHI

  Cite: 45 CFR §164.526
• Accounting of disclosures process established for disclosures outside TPO

  Cite: 45 CFR §164.528 · Must be able to provide disclosures for past 6 years
• Restriction request process: patients can request restrictions on certain disclosures

  Mandatory for disclosures to health plans if patient paid out-of-pocket in full
• Confidential communications accommodation process documented

  e.g., patient requests contact only at specific phone number or address
• PHI disposal policy implemented (paper shredding, secure electronic deletion)
• Incidental disclosures policy (e.g., sign-in sheets, waiting room conversations)
• Marketing: no use of PHI for marketing without explicit patient authorization

  Exceptions: treatment communications, small-value (under $15) promotional gifts
• De-identification policy documented (Safe Harbor or Expert Determination method)
• Research disclosure process established with IRB waiver documentation
• Fundraising communications: patients given opt-out opportunity
• Complaint process in place; all privacy complaints logged and investigated
• Sanctions policy documented for workforce violations

  Must apply sanctions consistently — document every instance
• Privacy policies stored and accessible; version control maintained
• NPP posted in physical locations (waiting rooms) and on website
• Disclosure log maintained for all PHI disclosures outside of TPO
• All policies reviewed and updated at least every 2 years

Administrative safeguards are policies and procedures designed to manage the selection and implementation of security measures.

• Risk Analysis: comprehensive, organization-wide security risk assessment completed and documented

  Must identify all ePHI, threats, vulnerabilities, and likelihood of occurrence
• Risk Management Plan: documented plan to reduce identified risks to a reasonable level
• Security Officer designated with documented authority and responsibilities
• Sanctions policy for security violations — document and apply consistently
• Information system activity review: audit logs reviewed regularly (at minimum quarterly)
• Access authorization policy — define who can access ePHI and under what circumstances
• Access establishment and modification: formal request/approval workflow for new/changed access
• Workforce clearance procedure: background checks for roles with access to ePHI
• Termination procedures: access revoked immediately upon separation
• Security awareness training program conducted upon hire and annually thereafter
• Phishing awareness training completed and documented
• Malicious software protection training included in security awareness
• Password management training — policies on complexity, rotation, and sharing
• Security incident procedures: defined process for identifying, reporting, and responding to incidents
• Contingency plan: Data Backup, Disaster Recovery, Emergency Mode Operation plans documented
• Testing and revision procedures: contingency plans tested at least annually
• Applications and data criticality analysis completed for contingency planning
• Business associate evaluation: periodic technical and non-technical evaluations of business associates

Physical safeguards limit physical access to information systems and the facilities housing them.

• Facility access controls: policies limiting physical access to systems containing ePHI
• Visitor access log maintained for all areas with ePHI systems
• Workstation use policy: rules for proper use and access to workstations accessing ePHI
• Workstation security: physically secured workstations in appropriate locations (not viewable by public)
• Device and media controls: policy for receipt/removal of hardware containing ePHI
• Media disposal policy: ePHI destroyed before hardware disposal (NIST-compliant wiping or degaussing)
• Media re-use policy: ePHI cleared before media is reused for other purposes
• Accountability records for hardware movements (laptops, tablets, servers, drives)
• Facility maintenance log: record of repairs and modifications to physical security components
• Lock policy: server rooms and areas with ePHI systems secured with key or badge access
• Contingency operations: procedures to allow facility access during emergencies
• Data backup copies stored off-site or in a separate secure location
• Clean desk policy: no PHI left visible on unattended workstations
• Screen lock policy: auto-lock after inactivity (recommended: 5–15 minutes)

Technical safeguards are the technology and policy controls that protect ePHI and control access to it.

• Unique user identification: each user has a unique login ID — no shared accounts for ePHI systems
• Multi-Factor Authentication (MFA) enabled on all systems accessing ePHI

  OCR enforcement priority — especially for email, EHR, and remote access
• Encryption of ePHI at rest: all drives, databases, and backups containing PHI are encrypted

  AES-256 minimum. Encrypted = safe harbor in breach scenarios
• Encryption of ePHI in transit: all network transmissions of PHI use TLS 1.2+
• Audit controls: hardware, software, and procedural mechanisms to record and examine activity around ePHI
• Integrity controls: ePHI not improperly altered or destroyed — validation mechanisms in place
• Automatic logoff: sessions terminate after defined period of inactivity
• Emergency access procedure: defined process for obtaining ePHI during system failures
• Role-based access control (RBAC): access to ePHI limited by job function
• VPN required for all remote access to systems containing ePHI
• Antivirus/anti-malware deployed and updated on all endpoints
• Patch management: all systems patched within 30 days of critical vulnerability disclosure
• Firewall and network segmentation separating PHI systems from general network
• Intrusion detection/prevention system (IDS/IPS) monitoring ePHI network segments
• Data Loss Prevention (DLP) tools: alerts or blocks unauthorized exfiltration of PHI
• Log retention: audit logs maintained for minimum 6 years

A breach is any impermissible use or disclosure that compromises the security or privacy of PHI. Follow this checklist for incident response.

• Incident Response Policy documented and approved by leadership
• Incident Response Team (IRT) designated with contact list maintained and current
• Breach risk assessment process: evaluate probability PHI was compromised (4-factor test)

  Factors: Nature of PHI, unauthorized person who used or received PHI, whether PHI was viewed, extent of mitigation
• Individual notification within 60 days of discovery for breaches >500 individuals
• HHS Secretary notification: annual report for breaches <500 individuals; immediate (60 days) for >500
• Media notification required for breaches >500 individuals in a state or jurisdiction
• Breach notification letter template prepared and available (must include 6 required elements)

  Required: description of breach, PHI involved, steps individuals should take, what org is doing, contact info
• Breach log maintained with all incidents documented (regardless of whether breach determination is made)
• Containment procedures: steps to stop ongoing breach (credential revocation, device quarantine)
• Evidence preservation: do not alter/destroy systems before forensic analysis
• Post-incident analysis: root cause identification and corrective action plan documented
• Legal counsel notified immediately for breaches involving >500 individuals or potential litigation
• Cyber insurance carrier notified per policy terms (typically 24–72 hours)
• Tabletop exercise for breach response conducted annually
• Staff trained on how to identify and report potential incidents to IRT
• Breach response retainer with forensic investigation firm in place (for high-risk organizations)
• HHS OCR Breach Portal bookmarked: reportbreaches.hhs.gov
• State AG notification assessed: multiple states have additional reporting requirements
• Credit monitoring offer evaluated for breaches involving financial or sensitive personal data
• Lessons learned session conducted after each significant incident

A Business Associate Agreement is required with any vendor or third party that creates, receives, maintains, or transmits PHI on your behalf.

• BAA inventory: list of all Business Associates with signed BAAs on file
• BAA signed with EHR/EMR vendor
• BAA signed with cloud storage provider (e.g., Microsoft, Google, AWS)
• BAA signed with billing and coding services
• BAA signed with IT managed services provider
• BAA signed with transcription services
• BAA signed with telehealth platform vendor
• BAA signed with shredding/document destruction company
• BAA signed with email and communication platform (e.g., Microsoft 365 Healthcare)
• BAA renewal schedule tracked — review annually or upon contract renewal
• BAA termination procedure: process for ending relationship and ensuring PHI return/destruction
• Subcontractor BAAs: confirm Business Associates have BAAs with their own subcontractors
• BAA template reviewed by HIPAA counsel within last 2 years
• BAA provisions include: permitted uses, reporting obligations, safeguards, breach notification timeline
• BAA dispute resolution process defined