Understanding the Health Insurance Portability and Accountability Act (HIPAA) and the steps necessary for compliance can be difficult.

To help combat confusion and gauge exactly where your organization stands in its compliance readiness, we’ve created an interactive HIPAA compliance checklist. 

This checklist outlines the essential action items you need to accomplish to properly protect patient data. Keep reading to understand the fundamentals of HIPAA compliance and the steps required to prepare for, achieve, and maintain it.

What is HIPAA compliance?

HIPAA compliance is the process of securing and protecting sensitive patient information, known as protected health information, or PHI.

Being compliant with HIPAA is an ongoing process that includes putting strong safeguards in place for data protection, staff training, risk assessments, reporting, and more. 

HIPAA compliance requirements include five main components. These are the:

• Privacy Rule: regulates the use and disclosure of PHI
• Security Rule: physical, technical, and administrative security measures
• Enforcement Rule: provides instruction for regulating liability and imposing penalties for violations
• Breach Notification Rule: guidelines for how and when to report violations 
• Omnibus Rule: outlines how business associates should handle PHI

Below we break down the two types of businesses that must comply with HIPAA regulations.

What is a covered entity?

A covered entity is an organization legally required to comply with HIPAA rules. 

Examples of a covered entity include:

• Hospitals
• Clinics
• Pharmacies
• Doctors
• Dentists
• Psychologists
• Psychiatrists
• Chiropractors
• Health care providers
• Health insurance companies

What is a business associate?

A business associate provides services to a covered entity and has access to PHI. 

Examples of business associates include:

• Data storage firms
• Billing companies
• Cloud service providers
• Attorneys
• CPA firms

HIPAA compliance checklist for 2023

We’ve created this interactive checklist to help you gauge your company’s HIPAA compliance readiness.

HIPAA compliance in 8 steps

For a more in-depth look at the steps to achieving HIPAA compliance, check out the breakdown below.

Step 1: Appoint a HIPAA compliance officer

First, appoint a compliance officer to spearhead the HIPAA compliance process. This officer will be responsible for:

• Ensuring security and privacy policies are followed and enforced
• Managing privacy training for employees
• Completing periodic risk assessments
• Developing security and privacy processes
• Investigating any security incidents or suspected/confirmed data breaches
• Reporting breaches when required
• Creating a disaster recovery plan
• Ensuring the organization is has properly implemented the Security Rule’s administrative, physical, and technical safeguards

Larger organizations may require more than one officer to carry out these responsibilities. 

Step 2: Develop security management policies and standards

The Privacy Rule, Security Rule, and Breach Notification Rule specify a number of policies and procedures required for HIPAA compliance.

Organizations must create and implement a set of policies and procedures that ensure individual employees are safely handling PHI in their day-to-day roles. This set may include a notice of privacy practices, access management policy, data backup and retention policy, disaster recovery policy, and incident response policy, among others. 

The appointed HIPAA compliance officer should manage and document all the policies and procedures put in place to protect PHI.

Step 3: Manage business associates with access to PHI

A business associate is any individual, vendor, or organization that comes into contact with a healthcare organization's PHI. A business associate is just as responsible for protecting patient health care data as a covered entity. 

As mandated by the HIPAA Security Rule, a covered entity must enter into a legally binding agreement with any business associate to ensure the protection of PHI. This is known as a business associate agreement (BAA).

A BAA should cover a range of topics, including permitted uses of PHI, reporting of unauthorized uses and disclosures, processes to return or destroy PHI at termination, and more. You can download the template below to get started on your own BAA.

Step 4: Implement the necessary safeguards to comply with the Security Rule 

The HIPAA Security Rule outlines three types of safeguards — administrative, physical, and technical — to properly protect PHI. 

We break down what each of those safeguards means below:

Administrative safeguards

Administrative safeguards help guide employees on how to properly use and store PHI. 

These safeguards are in place to:

• Train workforce members about PHI protections
• Resolve security incidents that may be a threat to PHI
• Protect PHI during emergency situations

Physical safeguards

Physical safeguards protect the physical points of access to PHI. Physical safeguards set the stage for how employees should manage their workstation and mobile devices to keep sensitive information secure. 

Common physical safeguards include limits to facility access via surveillance cameras or ID badges and outlining proper and improper use of technology.

Technical safeguards

Technical safeguards protect against unauthorized access or alteration to PHI that’s stored electronically, such as in an application or system. 

Examples of common technical safeguards are antivirus software and data encryption. 

Step 5: Perform HIPAA risk assessments

You’ll also need to perform a HIPAA risk assessment. This is an essential requirement for HIPAA compliance and helps you identify weaknesses and vulnerabilities to prevent data breaches. 

These assessments also test to make sure administrative, technical, and physical safeguards are properly implemented and cover all the necessary controls.

While HIPAA doesn’t provide specific instructions on how to do a risk assessment, there are several elements that should be considered, including scope, potential risks and risk levels, and existing security measures. 

Following the steps below can help you identify weaknesses and improve or implement any security measures that were lacking or nonexistent.

Step 6: Train employees on HIPAA procedures

Anyone who handles PHI is required to complete HIPAA compliance training. 

This training helps employees understand exactly what constitutes compliant and non-compliant behavior when it comes to PHI. 

While the Department of Health and Human Services (HHS) doesn’t specify how often training should be given, they do state that refresher training should be offered to all employees periodically. This can be done annually or more often depending on your organization’s size and resources.

It’s also important to share the consequences of violating HIPAA with your employees. Additionally, be sure to share your organization’s process for reporting violations should one occur. 

Step 7: Investigate violations and learn from these instances

If a breach should occur, your organization should do its due diligence to discover exactly why it happened. This is also an opportunity to implement tighter controls or update procedures so that type of incident won’t happen again. 

You can also learn from HIPAA violations and enforcement activities that the U.S. Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR) posts, and take corrective action before an incident occurs at your organization.

Step 8: Continually monitor and update compliance policies as your organization matures

Continuously monitoring your compliance policies will help you more proactively protect data and can help you avoid costly HIPAA violations.

You can look for solutions that help you monitor ongoing HIPAA compliance by tracking whether employees and business associates have received training and monitoring your safeguards to alert you of any nonconformities. 

HIPAA Compliance Checklist PDF

If you’d rather track your HIPAA compliance with a PDF, click below to download that version of our HIPAA compliance checklist.

HIPAA compliance resources 

Here’s a list of resources to reference during your HIPAA compliance journey:

• Official HHS HIPAA website
• American Medical Association
• Secureframe’s HIPAA Risk Assessment
• Centers for Disease Control
• Secureframe’s Ultimate HIPAA Guide

How Secureframe can simplify HIPAA compliance 

If you noticed more unchecked boxes than check marks after completing the HIPAA compliance checklist above, don’t stress. 

HIPAA compliance can be complicated, but organizations like Secureframe can help alleviate stress and streamline the process. 

We can help you create HIPAA privacy and security policies, train employees on how to protect PHI, manage vendors and business associates, and monitor your PHI safeguards. 

Request a demo to learn more about how you can automate your HIPAA compliance today.