The Ultimate HIPAA Compliance Checklist for 2025 + Free PDF
Understanding the national standards of the Health Insurance Portability and Accountability Act (HIPAA) and the steps necessary for compliance can be difficult.
To help combat confusion and gauge exactly where your healthcare organization stands in its compliance readiness, we’ve created an interactive HIPAA compliance checklist.
This checklist outlines the essential action items you need to accomplish to satisfy healthcare industry regulations and properly protect patient data. Keep reading to understand the fundamentals of HIPAA compliance and the steps required to prepare for, achieve, and maintain it.
What is HIPAA compliance?
HIPAA compliance is the process of securing and protecting sensitive patient information, known as protected health information, or PHI.
Being compliant with HIPAA is an ongoing process that includes putting strong safeguards in place for data protection, staff training, risk analysis, reporting, and more.
HIPAA compliance requirements include five main components. These are the:
- Privacy Rule: regulates the use and disclosure of PHI
- Security Rule: physical, technical, and administrative security measures
- Enforcement Rule: provides instruction for regulating liability and imposing penalties for violations
- Breach Notification Rule: guidelines for how and when to report violations
- Omnibus Rule: outlines how business associates should handle PHI
Below we break down the two types of businesses that must comply with HIPAA regulations.
What is a covered entity?
A covered entity is an organization legally required to comply with HIPAA rules.
Examples of a covered entity include:
- Hospitals
- Clinics
- Pharmacies
- Doctors
- Dentists
- Psychologists
- Psychiatrists
- Chiropractors
- Health care providers
- Health insurance companies
What is a business associate?
A business associate provides services to a covered entity and has access to PHI.
Examples of business associates include:
- Data storage firms
- Billing companies
- Cloud service providers
- Attorneys
- CPA firms
HIPAA compliance checklist for 2023
We’ve created this interactive checklist to help you gauge your company’s HIPAA compliance readiness.
HIPAA Compliance Checklist
Audits
People
Policies and Procedures
Remediations
Reporting and Investigations
HIPAA compliance in 8 steps
For a more in-depth look at the steps to achieving HIPAA compliance, check out the breakdown below.
Step 1: Appoint a HIPAA compliance officer
First, appoint a compliance officer to spearhead the HIPAA compliance process. This officer will be responsible for:
- Ensuring security and privacy policies are followed and enforced
- Managing privacy training for employees
- Completing periodic risk assessments
- Developing security and privacy processes
- Investigating any security incidents or suspected/confirmed data breaches
- Reporting breaches when required
- Creating a disaster recovery plan
- Ensuring the organization is has properly implemented the Security Rule’s administrative, physical, and technical safeguards
Larger organizations may require more than one officer to carry out these responsibilities.
Step 2: Develop security management policies and standards
The Privacy Rule, Security Rule, and Breach Notification Rule specify a number of policies and procedures required for HIPAA compliance.
Organizations must create and implement a set of policies and procedures that ensure individual employees are safely handling PHI in their day-to-day roles. This set may include a notice of privacy practices, access management policy, data backup and retention policy, disaster recovery policy, and incident response policy, among others.
The appointed HIPAA compliance officer should manage and document all the policies and procedures put in place to protect PHI.
Step 3: Manage business associates with access to PHI
A business associate is any individual, vendor, or organization that comes into contact with a healthcare organization's PHI. A business associate is just as responsible for protecting patient health care data as a covered entity.
As mandated by the HIPAA Security Rule, a covered entity must enter into a legally binding agreement with any business associate to ensure the protection of PHI. This is known as a business associate agreement (BAA).
A BAA should cover a range of topics, including permitted uses of PHI, reporting of unauthorized uses and disclosures, processes to return or destroy PHI at termination, and more. You can download the template below to get started on your own BAA.
Step 4: Implement the necessary safeguards to comply with the Security Rule
The HIPAA Security Rule outlines three types of safeguards — administrative, physical, and technical — to properly protect PHI.
We break down what each of those safeguards means below:
Administrative safeguards
Administrative safeguards help guide employees on how to properly use and store PHI.
These safeguards are in place to:
- Train workforce members about PHI protections
- Resolve security incidents that may be a threat to PHI
- Protect PHI during emergency situations
Physical safeguards
Physical safeguards protect the physical points of access to PHI. Physical safeguards set the stage for how employees should manage their workstation and mobile devices to keep sensitive information secure.
Common physical safeguards include limits to facility access via surveillance cameras or ID badges and outlining proper and improper use of technology.
Technical safeguards
Technical safeguards protect against unauthorized access or alteration to PHI that’s stored electronically, such as in an application or system.
Examples of common technical safeguards are antivirus software, data encryption, and access controls like multifactor authentication.
Step 5: Perform HIPAA risk assessments
You’ll also need to perform a HIPAA risk assessment. This is an essential requirement for HIPAA compliance and helps you identify weaknesses and vulnerabilities to prevent data breaches.
These assessments also test to make sure administrative, technical, and physical safeguards are properly implemented and cover all the necessary controls.
While HIPAA doesn’t provide specific instructions on how to do a risk assessment, there are several elements that should be considered, including scope, potential risks and risk levels, and existing security measures.
Following the steps below can help you identify weaknesses and improve or implement any security measures that were lacking or nonexistent.
Step 6: Train employees on HIPAA procedures
Anyone who handles PHI is required to complete HIPAA compliance training.
This training helps employees understand exactly what constitutes compliant and non-compliant behavior when it comes to PHI.
While the Department of Health and Human Services (HHS) doesn’t specify how often training should be given, they do state that refresher training should be offered to all employees periodically. This can be done annually or more often depending on your organization’s size and resources.
It’s also important to share the consequences of violating HIPAA with your employees. Additionally, be sure to share your organization’s process for reporting violations should one occur.
Step 7: Investigate violations and learn from these instances
If a breach should occur, your organization should do its due diligence to discover exactly why it happened. This is also an opportunity to implement tighter controls or update procedures so that type of incident won’t happen again.
You can also learn from HIPAA violations and enforcement activities that the U.S. Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR) posts, and take corrective action before an incident occurs at your organization.
Step 8: Continually monitor and update compliance policies as your organization matures
Continuously monitoring your compliance policies will help you more proactively protect data and can help you avoid costly HIPAA violations.
You can look for solutions that help you monitor ongoing HIPAA compliance by tracking whether employees and business associates have received training and monitoring your safeguards to alert you of any nonconformities.
Recommended reading
HIPAA Violations: Examples, Penalties + 5 Cases to Learn From
HIPAA Compliance Checklist PDF
If you’d rather track your HIPAA compliance with a PDF, click below to download that version of our HIPAA compliance checklist.
Recommended reading
5 Fun HIPAA Training Games Your Employees Will Remember
HIPAA compliance resources
Here’s a list of resources to reference during your HIPAA compliance journey:
How Secureframe can simplify HIPAA compliance
If you noticed more unchecked boxes than check marks after completing the HIPAA compliance checklist above, don’t stress.
HIPAA compliance can be complicated, but cybersecurity automation platforms like Secureframe can help alleviate stress and streamline the process.
We can help you create HIPAA privacy and security policies, train employees on how to protect PHI, manage vendors and business associates, and monitor your PHI safeguards.
Request a demo to learn more about how you can build strong security practices and automate your HIPAA compliance efforts today.
FAQs
What is a HIPAA compliance checklist?
A HIPAA compliance checklist is a resource HIPAA covered entities and business associates can use to assess their HIPAA compliance readiness.
While a checklist cannot cover every task or control an organization must implement to meet the HIPAA requirements that apply to them, it can lay out the basic steps involved in achieving and maintaining HIPAA compliance so that organizations can gauge their level of compliance and identify and remedy gaps.
Who is this HIPAA Compliance Checklist for?
Our HIPAA compliance checklist can be used by HIPAA Compliance, Privacy, and/or Security Officers to evaluate their organization’s readiness. Other members of the organization’s workforce may use the checklist to understand the process of preparing for HIPAA compliance as well as their responsibilities for complying with specific areas of the law.
What is considered PHI under HIPAA?
PHI under HIPAA includes written records, lab results, x-rays, bills — even verbal conversations that include identifiable health information.
It also includes electronic health records (EHRs). In this form, it’s referred to as electronic protected health information (ePHI).
What is the Minimum Necessary Standard?
The Minimum Necessary Standard, which falls under the Privacy Rule, requires covered entities to make reasonable efforts to limit PHI access to the minimum amount necessary to complete a task.
Here are a few ways you can adhere to this standard:
- Determining exactly what roles need access to PHI and documenting that information
- Setting up role-based permissions that limit access to certain types of PHI
- Conducting periodic audits of permissions to ensure PHI access is only granted to the necessary individuals
What are the HIPAA Data Retention Requirements?
The HIPAA Privacy Rule does not include medical record retention requirements. Instead, each state has its own set of guidelines for storing and retaining medical records that covered entities and business associates must follow.
However, there is a requirement for how long HIPAA-related documentation is stored.
Documentation related to compliance policies and procedures must be kept for a minimum of six years from the date of its creation or the date when it last was in effect, whichever is later.
Examples of HIPAA-related documentation include:
- Risk assessments
- Disaster recovery and contingency plans
- Business associate agreements
- Information security and privacy policies, notice of privacy practices
- Incident and breach notification documentation
Is employee training required under HIPAA?
Yes, HIPAA training is mandatory for any covered entity and business associate that interacts with PHI.