HIPAA Readiness Checklist
Whether you are a covered entity or a business associate, HIPAA compliance is not optional. This checklist will help you evaluate your current posture across the four key areas that the Department of Health and Human Services examines during audits and investigations. Use it as a starting point to identify gaps before they become violations.
Administrative Safeguards
Administrative safeguards account for more than half of HIPAA Security Rule requirements. These are the policies, procedures, and people-focused controls that form the foundation of your compliance program.
- ☐ Completed a thorough Security Risk Analysis (SRA) within the past 12 months
- ☐ Documented a Risk Management Plan that addresses identified vulnerabilities
- ☐ Designated a HIPAA Security Officer and a HIPAA Privacy Officer
- ☐ Established workforce sanction policies for compliance violations
- ☐ Conducted HIPAA security awareness training for all workforce members within the past year
- ☐ Implemented procedures for terminating access when employees leave the organization
- ☐ Documented an Incident Response Plan with defined roles and escalation procedures
- ☐ Reviewed and updated all HIPAA policies and procedures within the past 12 months
- ☐ Established a process for regular review of information system activity (audit logs, access reports)
Physical Safeguards
Physical safeguards protect the actual hardware, facilities, and physical media that store or transmit electronic Protected Health Information (ePHI). Even organizations moving to the cloud must address physical security for the devices their workforce uses.
- ☐ Implemented facility access controls (badge readers, key management, visitor logs)
- ☐ Established workstation use policies defining how and where devices may access ePHI
- ☐ Secured workstations in clinical and administrative areas (screen locks, privacy screens, cable locks)
- ☐ Documented procedures for disposing of hardware and electronic media containing ePHI
- ☐ Maintained an inventory of all hardware and devices that store, process, or transmit ePHI
- ☐ Created procedures for moving hardware and media containing ePHI between locations
- ☐ Implemented environmental controls (fire suppression, climate control) for server rooms or data closets
Technical Safeguards
Technical safeguards are the technology-based controls that protect ePHI and control access to it. These are often the most straightforward to implement but also the most commonly cited in breach investigations.
- ☐ Implemented unique user identification for every person who accesses systems containing ePHI
- ☐ Enabled Multi-Factor Authentication (MFA) on all systems that access ePHI
- ☐ Configured automatic session timeouts and screen locks on all workstations
- ☐ Encrypted ePHI at rest (full-disk encryption on laptops, encrypted databases)
- ☐ Encrypted ePHI in transit (TLS for email, HTTPS for web applications, VPN for remote access)
- ☐ Implemented role-based access controls following the minimum necessary standard
- ☐ Enabled audit logging on all systems that create, store, or transmit ePHI
- ☐ Deployed endpoint protection (antivirus, EDR) on all workstations and servers
- ☐ Configured network segmentation to isolate systems containing ePHI
- ☐ Implemented intrusion detection or intrusion prevention systems
Documentation and Business Associate Agreements
HIPAA requires extensive documentation. If it is not documented, regulators will treat it as if it does not exist. Business Associate Agreements (BAAs) are legally required with every vendor that handles ePHI on your behalf.
- ☐ Maintained a complete inventory of all Business Associates who handle ePHI
- ☐ Executed signed BAAs with every Business Associate, including cloud service providers
- ☐ Documented all policies and procedures in a centralized, accessible location
- ☐ Retained documentation for a minimum of six years as required by HIPAA
- ☐ Documented all security incidents, including near-misses and the investigation outcomes
- ☐ Maintained training records showing completion dates for every workforce member
- ☐ Documented evidence of periodic technical and non-technical evaluations
Breach Notification Readiness
When a breach occurs, HIPAA imposes strict timelines for notification. Being prepared before a breach happens can mean the difference between a manageable incident and a catastrophic one.
- ☐ Established a breach notification procedure that complies with the 60-day notification rule (notification without unreasonable delay and no later than 60 days after discovery of the breach)
- ☐ Identified the individuals responsible for breach determination and notification
- ☐ Prepared template notification letters for affected individuals
- ☐ Established a relationship with legal counsel experienced in HIPAA breach response
- ☐ Documented the four-factor risk assessment process for determining whether a breach is reportable
If you found yourself checking fewer than half of these items, your organization has significant compliance gaps that need to be addressed promptly. Even if most boxes are checked, the quality and currency of your documentation matter. A checklist is a starting point, not a substitute for a professional assessment.
Ready to take the next step?
Book a Compliance Assessment to identify your gaps.
Book Assessment - $250