HIPAA Compliance Checklist for 2025
Quick Answer
A comprehensive HIPAA compliance checklist covers risk assessments, administrative/physical/technical safeguards, Business Associate Agreements, workforce training, breach notification procedures, and ongoing documentation requirements.
HIPAA Compliance Checklist Overview
HIPAA compliance requires implementing safeguards across administrative, physical, and technical domains. This checklist covers all major requirements for both covered entities and business associates. Use it as a roadmap to identify gaps and track your compliance progress.
Key Takeaways
- Risk assessment is the #1 most critical HIPAA requirement — do this first
- Three safeguard categories: administrative, physical, and technical
- Business Associate Agreements must be in place for every vendor handling PHI
- All workforce members need HIPAA training, documented and refreshed annually
- Documentation is key — if you can't prove you did it, you didn't do it
1. Risk Assessment
Risk Assessment Requirements
- Conducted a comprehensive HIPAA risk assessment
- Identified all systems that create, receive, store, or transmit ePHI
- Documented threats and vulnerabilities for each system
- Assessed likelihood and impact of each identified risk
- Created a risk management plan with remediation priorities
- Scheduled regular risk assessment reviews (at least annually)
- Documented risk assessment methodology and results
2. Administrative Safeguards
Administrative Safeguard Requirements
- Designated a Security Officer responsible for HIPAA security program
- Designated a Privacy Officer responsible for privacy practices
- Created and documented security policies and procedures
- Implemented workforce training program for all staff handling PHI
- Established sanctions policy for HIPAA violations
- Implemented information access management (role-based access to PHI)
- Created security incident procedures (identification, response, reporting)
- Developed contingency plan (data backup, disaster recovery, emergency operations)
- Implemented evaluation procedures (periodic compliance assessments)
- Executed Business Associate Agreements with all vendors handling PHI
3. Physical Safeguards
Physical Safeguard Requirements
- Facility access controls (locks, badges, visitor logs)
- Workstation use policies (screen positioning, clean desk, auto-lock)
- Workstation security (physical access restrictions to workstations with ePHI)
- Device and media controls (disposal, re-use, tracking of devices containing ePHI)
- Media disposal procedures (secure wipe, physical destruction)
- Hardware inventory tracking for devices containing ePHI
4. Technical Safeguards
Technical Safeguard Requirements
- Unique user identification (every user has a unique ID)
- Emergency access procedure (break-glass access to ePHI in emergencies)
- Automatic logoff (sessions timeout after inactivity)
- Encryption of ePHI at rest and in transit
- Audit controls (logging of access to systems containing ePHI)
- Integrity controls (mechanisms to ensure ePHI hasn't been altered)
- Person or entity authentication (verify identity before granting access)
- Transmission security (encryption for ePHI transmitted over networks)
5. Breach Notification
Breach Notification Preparedness
- Breach identification and investigation procedures documented
- Breach notification process for individuals (within 60 days)
- HHS notification process (within 60 days for breaches of 500+)
- Media notification process (for breaches affecting 500+ in a state)
- Breach log maintained for all incidents
- Breach risk assessment methodology documented (to determine if notification is required)
6. Documentation & Ongoing Compliance
Documentation Requirements
- All policies and procedures documented and dated
- Policy retention for 6 years from creation or last effective date
- Training records maintained for all workforce members
- Business Associate Agreements on file and current
- Risk assessment documentation retained
- Incident/breach response documentation maintained
- Annual policy review process established
- Annual risk assessment review scheduled
Compliance Timeline
Typical HIPAA Compliance Timeline
Month 1
Conduct risk assessment, identify all systems with ePHI, designate Security and Privacy Officers
Month 2-3
Develop/update policies and procedures, implement technical safeguards, set up audit logging
Month 3-4
Execute Business Associate Agreements, train workforce, implement physical safeguards
Month 4-5
Test incident response procedures, verify breach notification processes, document everything
Month 6+
Ongoing monitoring, annual risk assessments, workforce training refreshers, policy updates
3-6 months
Initial Compliance
For most organizations
6 years
Document Retention
Required retention period for HIPAA docs
Annual
Risk Assessment Review
At minimum, review and update yearly
60 days
Breach Notification
Maximum time to notify after discovery
Is this checklist sufficient for HIPAA compliance?
This covers the major requirements, but HIPAA compliance depends on your specific organization, the types of PHI you handle, and your risk profile. Use this as a starting point and consult with a HIPAA specialist or compliance tool for a comprehensive assessment.
How do I prove HIPAA compliance?
Since there's no official HIPAA certification, you prove compliance through documentation: completed risk assessments, implemented policies, training records, BAAs, and audit logs. Some organizations use third-party assessments or HITRUST certification to demonstrate compliance to customers.
What's the most common HIPAA compliance gap?
Risk assessment. OCR has consistently found that the #1 compliance failure is not conducting a thorough, comprehensive risk assessment. It's the foundation of all HIPAA compliance — every other requirement flows from understanding your risks.
Do I need a compliance tool for HIPAA?
Not required, but strongly recommended for organizations handling significant amounts of ePHI. HIPAA compliance tools help track requirements, manage policies, automate risk assessments, and maintain documentation. See our guide on HIPAA compliance tools.
Automate Your HIPAA Compliance
Compare HIPAA compliance tools that help you track requirements, manage policies, and document safeguards.
Browse HIPAA Tools