• blogangle-right
  • The Ultimate HIPAA Compliance Checklist for 2026 + What We Learned from 2025 Breach Reports and OCR Cases
Icons of a doctor's chart, stethoscope, and pill bottle in front of a teal background depicting healthcare compliance.

The Ultimate HIPAA Compliance Checklist for 2026 + What We Learned from 2025 Breach Reports and OCR Cases

  • October 08, 2025
Author

Emily Bonnie

Senior Content Marketing Manager

Reviewer

Jonathan Leach

Senior Manager, Compliance and Customer Success

In the first three quarters of 2025, there have been 546 healthcare data breaches of unsecured PHI reported to date to the Office for Civil Rights, including both open and resolved reports. These have affected an estimated 42 million individuals.

HIPAA violations are also on the rise. With 19 settlements and over $8 million in fines issued by the U.S. Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR) this year to date, 2025 has already broken the record for the highest number of resolution agreements in a year.

As breaches and violations surge, healthcare organizations are increasingly looking to checklists, automation, and other tools to simplify HIPAA compliance to stay ahead of enforcement and protect patient data and trust.

Keep reading to get a checklist outlining the tasks and safeguards required to achieve and maintain HIPAA compliance and expert deep dives into 8 key steps in the process.

HIPAA compliance checklist for 2026

We’ve created this interactive checklist to help you understand key HIPAA requirements in high-level terms that are easy to understand (like people, policies and procedures, and reporting) and track whether you're meeting them.

This can not only help you gauge your company’s HIPAA compliance readiness before pursuing an audit or attestation report—it can also help you spot gaps and issues before attackers or the OCR does to reduce the risk of breaches and potential HIPAA violations.

HIPAA Compliance Checklist

Audits

Yes
No

People

Yes
No

Policies and Procedures

Yes
No

Remediations

Yes
No

Reporting and Investigations

Yes
No

What is a HIPAA compliance checklist and its purpose?

A HIPAA compliance checklist is a list of requirements and tasks that an organization must complete to protect sensitive patient information, known as protected health information (PHI), and comply with HIPAA.

Compliance is an ongoing process that requires putting strong safeguards in place for data protection, employee training, risk analysis, remediation, reporting, and more. 

A comprehensive HIPAA compliance checklist can help guide you through this process and break down what requirements related to all five rules of HIPAA actually mean in practice:

  • Privacy Rule: regulates the use and disclosure of PHI
  • Security Rule: physical, technical, and administrative security measures
  • Enforcement Rule: provides instruction for regulating liability and imposing penalties for violations
  • Breach Notification Rule: guidelines for how and when to report violations 
  • Omnibus Rule: outlines how business associates should handle PHI

Who should use a HIPAA compliance checklist?

There are two types of organizations that need to comply with HIPAA and can benefit from using a HIPAA compliance checklist to identify gaps, strengthen safeguards, and prepare for audits: covered entities and business associations.

In addition to defining them below, we've included analysis to show how each type has been impacted by breaches this year and how important compliance is moving into 2026. This analysis is based on data from the HHS OCR Breach Portal covering reports submitted between January 1 and September 30, 2025. The dataset includes both resolved and ongoing investigations.

Covered entities

A covered entity is a healthcare provider, health plan, or healthcare clearinghouse that creates, receives, or transmits PHI. Examples include hospitals, clinics, pharmacies, dentists, psychologists, psychiatrists, chiropractors, and insurance providers.

Covered entities made up 82% of all breach reports submitted to the OCR in the first three quarters of 2025. In the 446 resolved and unresolved reports involving covered entities, an estimated 26.5 million individuals were affected.

This high volume underscores how difficult it can be for healthcare organizations to maintain ongoing compliance and why tools like a HIPAA compliance checklist and automation platform are essential for proactively identifying weaknesses in privacy, security, and breach notification procedures before a breach or OCR investigation occurs.

Business associates

A business associate is any vendor, contractor, or service provider that handles or has access to PHI on behalf of a covered entity. This includes data storage companies, billing firms, cloud service providers, attorneys, and CPA firms.

While business associates accounted for only 18% of total breach reports during the same period of this year (January to September), their incidents had a disproportionately large impact. Across just 100 reports, these breaches affected an estimated 15.7 million individuals—representing 37% of all individuals impacted by reported healthcare data breaches in 2025 to date.

Because business associates often manage sensitive PHI on behalf of multiple covered entities, a single breach can have far-reaching consequences across multiple healthcare systems.
Using a HIPAA compliance checklist helps these organizations verify they have business associate agreements (BAAs) in place, apply required technical safeguards, and maintain documentation demonstrating compliance diligence.

Now that we have a better understanding of the purpose and target audience of a HIPAA compliance checklist, let's go through the key steps and areas of compliance it covers.

Recommended reading

What 2025 Healthcare Data Breaches & Biggest of All Time Reveal About Protecting PHI

8 steps to achieve HIPAA compliance: Breaking down the checklist

For a more in-depth look at the steps to achieving HIPAA compliance, check out the breakdown below.

Step 1: Appoint a HIPAA compliance officer

First, appoint a compliance officer to spearhead the HIPAA compliance process. This officer will be responsible for:

  • Ensuring security and privacy policies are followed and enforced
  • Managing privacy training for employees
  • Completing periodic risk assessments
  • Developing security and privacy processes
  • Investigating any security incidents or suspected/confirmed data breaches
  • Reporting breaches when required
  • Creating a disaster recovery plan
  • Ensuring the organization is has properly implemented the Security Rule’s administrative, physical, and technical safeguards

Larger organizations may require more than one officer to carry out these responsibilities. 

Step 2: Develop security management policies and standards

The Privacy Rule, Security Rule, and Breach Notification Rule specify a number of policies and procedures required for HIPAA compliance.

Organizations must create and implement a set of policies and procedures that ensure individual employees are safely handling PHI in their day-to-day roles. This set may include a HIPAA release form, notice of privacy practices, access management policy, data backup and retention policy, disaster recovery policy, and incident response policy, among others. 

The appointed HIPAA compliance officer should manage and document all the policies and procedures put in place to protect PHI.

Step 3: Manage business associates with access to PHI

A business associate is any individual, vendor, or organization that comes into contact with a healthcare organization's PHI. A business associate is just as responsible for protecting patient health care data as a covered entity. 

As mandated by the HIPAA Security Rule, a covered entity must enter into a legally binding agreement with any business associate to ensure the protection of PHI. This is known as a business associate agreement (BAA).

A BAA should cover a range of topics, including permitted uses of PHI, reporting of unauthorized uses and disclosures, processes to return or destroy PHI at termination, and more. You can download our auditor-approved template to get started on your own BAA.

Step 4: Implement the necessary safeguards to comply with the Security Rule 

The HIPAA Security Rule outlines three types of safeguards — administrative, physical, and technical — to properly protect PHI. 

We break down what each of those safeguards means below:

Administrative safeguards

Administrative safeguards help guide employees on how to properly use and store PHI. 

These safeguards are in place to:

  • Train workforce members about PHI protections
  • Resolve security incidents that may be a threat to PHI
  • Protect PHI during emergency situations

Physical safeguards

Physical safeguards protect the physical points of access to PHI. Physical safeguards set the stage for how employees should manage their workstation and mobile devices to keep sensitive information secure. 

Common physical safeguards include limits to facility access via surveillance cameras or ID badges and outlining proper and improper use of technology.

Technical safeguards

Technical safeguards protect against unauthorized access or alteration to PHI that’s stored electronically, such as in an application or system. 

Examples of common technical safeguards are antivirus software, data encryption, and access controls like multifactor authentication. 

Image depicting the three types of HIPAA safeguards: administrative, physical, and technical, with examples of each.

Step 5: Perform HIPAA risk assessments

You’ll also need to perform a HIPAA risk assessment. This is an essential requirement for HIPAA compliance and helps you identify weaknesses and vulnerabilities to prevent data breaches. 

These assessments also test to make sure administrative, technical, and physical safeguards are properly implemented and cover all the necessary controls.

While HIPAA doesn’t provide specific instructions on how to do a risk assessment, there are several elements that should be considered, including scope, potential risks and risk levels, and existing security measures. 

Following the steps below can help you identify weaknesses and improve or implement any security measures that were lacking or nonexistent.

HIPAA risk assessment process broken down into six steps

Step 6: Train employees on HIPAA procedures

Anyone who handles PHI is required to complete HIPAA compliance training

This training helps employees understand exactly what constitutes compliant and non-compliant behavior when it comes to PHI. 

While the HHS doesn’t specify how often training should be given, they do state that refresher training should be offered to all employees periodically. This can be done annually or more often depending on your organization’s size and resources.

It’s also important to share the consequences of violating HIPAA with your employees. Additionally, be sure to share your organization’s process for reporting violations should one occur. 

Recommended reading

5 Fun HIPAA Training Games Your Employees Will Remember

Step 7: Investigate violations and learn from these instances

If a breach should occur, your organization should do its due diligence to discover exactly why it happened. This is also an opportunity to implement tighter controls or update procedures so that type of incident won’t happen again. 

You can also learn from HIPAA violations and enforcement activities that the HHS OCR posts, and take corrective action before an incident occurs at your organization.

Step 8: Continually monitor and update compliance policies as your organization matures

Continuously monitoring your compliance policies will help you more proactively protect data and can help you avoid costly HIPAA violations.

You can look for solutions that help you monitor ongoing HIPAA compliance by tracking whether employees and business associates have received training and monitoring your safeguards to alert you of any nonconformities. 

Recommended reading

HIPAA Violations: Examples, Penalties + 5 Cases to Learn From

HIPAA Compliance Checklist PDF

If you’d rather track your HIPAA compliance progress offline or share it with your team, you can download the full PDF version of our HIPAA compliance checklist.

The downloadable version offers more than just a static list of requirements—it provides a structured framework to:

  • Document your compliance efforts: Record which safeguards and policies are in place and which still need attention.
  • Prepare for audits: Demonstrate due diligence with a complete record of your organization’s HIPAA readiness and remediation progress.
  • Collaborate across teams: Distribute the checklist to IT, HR, and other stakeholders to ensure all departments are aligned on security and privacy responsibilities.
  • Monitor ongoing compliance: Use the checklist as part of your annual risk analysis and policy review to confirm your safeguards remain effective over time.

Whether you’re just beginning your HIPAA compliance journey or maintaining compliance year after year, this PDF checklist can serve as a living document—one you can update as your organization evolves and HIPAA regulations continue to change.

Please note that this checklist is intended as guidance only and is not a substitute for legal advice.

Download the HIPAA Compliance Checklist PDF

Evaluate your organization’s compliance readiness with this auditor-approved HIPAA compliance checklist.

Top 3 HIPAA compliance issues, according to experts and enforcement data

Looking at OCR’s enforcement history, the same failures appear again and again in major healthcare breaches and investigations. These aren’t isolated oversights—they’re systemic weaknesses that attackers exploit and regulators penalize most harshly.

Drawing on insights from real-world enforcement examples, Secureframe experts, and auditor partners, here are three of the most common HIPAA compliance challenges organizations face—and how to avoid them.

1. Failing to assess and reduce risks and vulnerabilities

One of the most frequent findings in OCR settlements is that organizations either never performed an enterprise-wide risk analysis or failed to act on the results.

By neglecting to identify and mitigate potential risks to the confidentiality, integrity, and availability of PHI, healthcare organizations expose themselves to both data breaches and regulatory penalties. HIPAA requires that risks be reduced to a “reasonable and appropriate level,” and failing to do so is one of the most common root causes of violations.

OCR enforcement example: The University of Rochester Medical Center paid $3 million in a settlement after failing to encrypt portable devices flagged as high-risk during an assessment—a lapse that ultimately led to a breach.

Expert insight:

“We’ve helped many, many organizations effectively implement the policies and procedures that are required to be compliant with HIPAA," explained Jonathan Leach, CISSP, CCSFP, CCSK and former auditor. "And not just checking boxes for the sake of HHS, but on behalf of the patients and data subjects whose protected health information you’re entrusted to safeguard, whether you’re a covered entity or a business associate. Encryption is just one piece of that."

2. Weak or missing access controls that leave PHI unprotected

Many healthcare breaches stem from unauthorized access to PHI—either from employees, contractors, or third-party vendors. HIPAA’s Privacy and Security Rules require robust access controls such as multifactor authentication, role-based access, unique user IDs, and periodic reviews of permissions.

Organizations that lack or under-enforce these controls are at heightened risk. Strengthening access management and monitoring procedures was a common remediation action in breach reports resolved this year, including Bassford Remele P.A. and Indiana University Health.

OCR enforcement example: Anthem paid a record $16 million settlement after attackers exploited weak authentication controls and gained access to sensitive ePHI of nearly 79 million individuals.

Expert insight:

In the HHS press release announcing the settlement, OCR Director Roger Severino said: “We know that large healthcare entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion—or risk enforcement by OCR.”

3. Insufficient vendor management and missing BAAs

In the first three quarters of 2025, business associates reported 100 breaches affecting nearly 16 million individuals and were present in another 97 breaches. Since business associates are increasingly involved in healthcare data breaches (36% of all reported breaches this year to date), OCR continues to not only fine business associates that violate HIPAA—but also fine covered entities that share PHI without a signed BAA or fail to monitor vendor compliance.

OCR enforcement example: Advocate Health paid a $5.55 million settlement after three breaches—including one tied to its business associate, Blackhawk Consulting Group—led OCR to uncover multiple issues, including a missing business associate agreement.

Expert insight:

“While it is generally accepted that any organization can be attacked—and an attack itself isn’t proof of a HIPAA violation—Advocate was penalized because it failed to enter into a HIPAA Business Associate Agreement with Blackhawk,” explained Kenneth N. Rashbaum, a partner at Barton LLP and nationally known expert on healthcare privacy. “Such agreements...are a black-and-white HIPAA requirement.”

How audits and automation help prove—and improve—HIPAA compliance

HIPAA doesn’t require a third-party audit or formal attestation of compliance. But for most organizations, having a structured way to verify and document compliance can make all the difference.

Voluntarily conducting a HIPAA audit—or using automated compliance tools to track your controls—helps identify weaknesses before they lead to costly breaches or enforcement actions like the ones mentioned above. It also provides tangible proof of compliance to regulators, customers, and partners who increasingly expect transparency and accountability.

Cavan Leung, CISSP, CISA, CCSK, a former auditor and Secureframe partner, emphasized this point in a webinar: "HIPAA is a law...There is no official certification for HIPAA, but many companies do an external HIPAA audit to gain that extra assurance that they are abiding by the law as they should."

That assurance can be important not just to regulators but to customers as well.

Case in point: Bento, a medically tailored nutrition service that partners with state Medicaid agencies, used Secureframe to formalize its HIPAA compliance program and have audit-ready reports available on demand.

quote

“Sometimes, later in the deal discovery process, a prospect will say, ‘We forgot to mention—we need you to be HIPAA compliant,’” said Deepak Kumar, Bento’s CTO. “With Secureframe, we can easily export a report showcasing our HIPAA compliance. We’re an open book. That’s helping us get to the next growth phase and close deals quickly.”

For organizations like Bento, automation delivers the same peace of mind as a third-party audit—continuous visibility into compliance posture, evidence collection, and documentation—without the manual burden.

As Steve Seideman, CISSP, Director of Ethical Hacking at Prescient Assurance, explained: “The primary thing to remember about privacy [frameworks like HIPAA] is that they require transparency. They require you to define very clearly what you do and why you do it, if you share data with anybody, and who you share it with."

Whether through an external audit or automated monitoring, having verifiable proof of HIPAA compliance helps organizations demonstrate that transparence and trust, maintain resilience, and protect the patients and data that depend on them.

How Secureframe's automation and experts can simplify HIPAA compliance

If you noticed more unchecked boxes than check marks after completing the HIPAA compliance checklist above, don’t stress. 

HIPAA compliance can be complicated, but cybersecurity automation platforms like Secureframe can help alleviate stress and streamline the process. 

We can help you create HIPAA privacy and security policies, train employees on how to protect PHI, manage vendors and business associates, and monitor your PHI safeguards. 

Request a demo to learn more about how you can build strong security practices and automate your HIPAA compliance efforts today. 

This post was originally published in March 2022 and has been updated for comprehensiveness.

Additional HIPAA compliance resources 

Here’s a list of resources to reference during your HIPAA compliance journey:

FAQs

What is a HIPAA compliance checklist?

A HIPAA compliance checklist is a resource HIPAA covered entities and business associates can use to assess their HIPAA compliance readiness. 

While a checklist cannot cover every task or control an organization must implement to meet the HIPAA requirements that apply to them, it can lay out the basic steps involved in achieving and maintaining HIPAA compliance so that organizations can gauge their level of compliance and identify and remedy gaps. 

Who is this HIPAA Compliance Checklist for?

Our HIPAA compliance checklist can be used by HIPAA Compliance, Privacy, and/or Security Officers to evaluate their organization’s readiness. Other members of the organization’s workforce may use the checklist to understand the process of preparing for HIPAA compliance as well as their responsibilities for complying with specific areas of the law. 

What is considered PHI under HIPAA?

PHI under HIPAA includes written records, lab results, x-rays, bills — even verbal conversations that include identifiable health information.

It also includes electronic health records (EHRs). In this form, it’s referred to as electronic protected health information (ePHI).

What is the Minimum Necessary Standard?

The Minimum Necessary Standard, which falls under the Privacy Rule, requires covered entities to make reasonable efforts to limit PHI access to the minimum amount necessary to complete a task. 

Here are a few ways you can adhere to this standard:

  • Determining exactly what roles need access to PHI and documenting that information 
  • Setting up role-based permissions that limit access to certain types of PHI 
  • Conducting periodic audits of permissions to ensure PHI access is only granted to the necessary individuals

What are the HIPAA Data Retention Requirements?

The HIPAA Privacy Rule does not include medical record retention requirements. Instead, each state has its own set of guidelines for storing and retaining medical records that covered entities and business associates must follow. 

However, there is a requirement for how long HIPAA-related documentation is stored. 

Documentation related to compliance policies and procedures must be kept for a minimum of six years from the date of its creation or the date when it last was in effect, whichever is later.

Examples of HIPAA-related documentation include:

  • Risk assessments
  • Disaster recovery and contingency plans
  • Business associate agreements
  • Information security and privacy policies, notice of privacy practices
  • Incident and breach notification documentation

Is employee training required under HIPAA?

Yes, HIPAA training is mandatory for any covered entity and business associate that interacts with PHI.

Emily Bonnie

Senior Content Marketing Manager

Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.

Jonathan Leach

Senior Manager, Compliance and Customer Success

Jonathan Leach is a cybersecurity and compliance expert with over a decade of experience spanning information security, GRC, IT risk management, and cloud security. Prior to joining Secureframe, he led compliance programs and audit readiness efforts for both Fortune 500 enterprises and high-growth startups. His background includes deep expertise in international frameworks such as ISO 27001, ISO 27701, and GDPR, as well as HIPAA and HITRUST. At Secureframe, Jonathan helps companies build scalable, audit-ready compliance programs from the ground up.