ISpectra Technologies · Requirements Guide · Updated Jun 2026 · 10 min read

HIPAA Compliance Checklist (Free Template)

A good checklist turns HIPAA’s sprawling requirements into a sequence of concrete, checkable items. This guide walks through a practical HIPAA compliance checklist you can use to assess and build your program.


Use it as a self-assessment: for each item, ask whether you can demonstrate it with documentation. The gaps you find become your remediation plan. Work through it in order and you will cover the essentials of HIPAA compliance.

How to use this checklist

This checklist is organized in the order you would actually build a program, from scoping through maintenance. For each item, the goal is not just to say “yes” but to be able to point to evidence — a document, a record, a configuration — that proves it.

Anywhere you cannot demonstrate an item, you have found a gap. Collect those gaps, prioritize them by risk, and they become a concrete remediation roadmap rather than an abstract worry.

1. Determine your scope

Begin by confirming whether you are a covered entity or business associate and documenting that determination. Identify every system, application, and vendor that touches PHI, and map how data flows between them.

Check: Have you documented your HIPAA role? Do you have a current inventory of where PHI lives and moves? Have you identified every vendor that handles PHI?

2. Conduct a risk analysis

The Security Rule requires a documented risk analysis. Identify threats and vulnerabilities to your ePHI, rate them by likelihood and impact, and record the results, along with a risk management plan to address them.

Check: Do you have a written risk analysis? Is it current? Does a risk management plan address the risks it identified?


3. Implement administrative safeguards

Administrative safeguards include access management, workforce security, security training, contingency planning, and a sanction policy. They are the largest safeguard category and the backbone of the program.

Check: Is access granted by role and reviewed periodically? Are onboarding and offboarding procedures in place? Is there a sanction policy and a contingency plan?

4. Implement physical safeguards

Physical safeguards protect the facilities and equipment that house ePHI, including facility access controls, workstation security, and device and media controls.

Check: Are the areas that house ePHI systems access-controlled? Are workstations secured? Do you have procedures for securely disposing of and reusing devices and media?

5. Implement technical safeguards

Technical safeguards include unique user IDs, access controls, audit logging, integrity controls, authentication, transmission security, and encryption of ePHI at rest and in transit.

Check: Does each user have a unique login with strong authentication? Are audit logs enabled and reviewed? Is ePHI encrypted at rest and in transit?

6. Write policies and procedures

Document privacy and security policies and procedures that reflect what your organization actually does and cover the required topics, from use and disclosure to incident response.

Check: Do you have written privacy and security policies? Do they match actual practice? Are they reviewed and updated regularly?

7. Execute Business Associate Agreements

Sign a BAA with every vendor that handles PHI, and ensure subcontractors are bound as well. Maintain an inventory of executed agreements.

Check: Does every vendor that touches PHI have a signed, current BAA? Are subcontractor agreements in place? Do you have a BAA register?

8. Train your workforce

Train all workforce members on privacy and security policies appropriate to their roles, at onboarding and periodically, and document the training.

Check: Has everyone been trained? Is training role-appropriate and refreshed? Do you have completion records?

9. Designate responsible officials

Assign a Privacy Officer and a Security Officer (or one person for both) with the authority and resources to run the program.

Check: Have you designated your officials? Do they have real authority and the bandwidth to do the work?

10. Prepare for breaches

Build and document an incident-response and breach-notification plan, including how you will conduct the four-factor risk assessment and meet notification timelines.

Check: Do you have a written breach-response plan? Are roles and timelines defined? Have you prepared notification templates?

11. Honor patient rights

Establish reliable procedures for patient access, amendment, restriction, confidential communications, and accounting of disclosures, along with a current Notice of Privacy Practices.

Check: Can patients access their records promptly? Do you have procedures for each right? Is your Notice of Privacy Practices current and distributed?

12. Maintain documentation

Keep your policies, risk analysis, training records, access records, BAAs, and incident files organized and retained for at least six years.

Check: Is your documentation complete, current, and retrievable? Is it retained for the required period?

13. Monitor and audit

Continuously monitor access and logs, conduct internal audits, and re-run the risk analysis as systems and threats change.

Check: Are you reviewing access and audit logs? Do you conduct internal audits? Is your risk analysis updated when things change?

14. Plan for ongoing maintenance

HIPAA compliance is continuous. Set a cadence to refresh policies and training, review BAAs, re-run the risk analysis, and address new gaps.

Check: Do you have a recurring schedule for review and update? Is someone accountable for keeping the program current?

Turning the checklist into action

Once you have worked through every item, you will have a clear picture of your compliance posture and a prioritized list of gaps to close. Tackle the highest-risk gaps first, assign owners and deadlines, and track progress to completion.

Used this way, the checklist is more than a one-time assessment — it becomes a recurring tool you revisit periodically to confirm the program remains complete and current as your organization evolves.

Common gaps the checklist reveals

When organizations work honestly through a checklist, a few gaps appear again and again: a risk analysis that is missing or years out of date, policies copied from a template but never tailored, vendors handling PHI without a signed BAA, devices left unencrypted, and training that was promised but never documented. These recurring gaps map directly to the areas regulators scrutinize most.

Finding these gaps is the point of the exercise. Each one represents a concrete, fixable task, and closing them moves the organization measurably closer to a defensible posture.

Prioritizing what you find

Not every gap is equally urgent. A missing risk analysis or unencrypted laptops carrying PHI are high-risk and should be addressed first, while a minor policy update can wait. Prioritizing by the likelihood and impact of each gap ensures effort goes where it reduces the most risk.

This prioritization turns a long list of findings into a sequenced plan, preventing the paralysis that can come from trying to fix everything at once.

Assigning owners and deadlines

A checklist only drives improvement if someone is accountable for each gap. Assigning an owner and a deadline to every remediation item creates the accountability that turns intentions into completed work. Tracking these to closure — and documenting the results — provides evidence of diligence.

Without ownership, findings tend to linger indefinitely; with it, they get resolved and the program steadily strengthens.

Using the checklist for vendor reviews

The same checklist that assesses your own program is a useful lens for evaluating vendors. When selecting a business associate, asking how they address each item — risk analysis, safeguards, training, breach response — reveals whether they take HIPAA seriously. A vendor that cannot answer these questions is a risk to your own compliance.

This makes the checklist a tool not just for internal assessment but for managing the third-party risk that flows through your supply chain.

Beyond the checklist

A checklist captures the essentials, but a mature program goes further — building the leadership, culture, monitoring, and continuous improvement that keep compliance alive between assessments. Think of the checklist as the starting point and the floor, not the ceiling.

Organizations that treat it as a recurring tool, revisited periodically and paired with ongoing program management, get the most value from it and stay continuously prepared rather than periodically scrambling.

HIPAA Compliance Checklist (Free Template) — FAQs

Scope determination, risk analysis, administrative/physical/technical safeguards, policies and procedures, BAAs, workforce training, designated officials, breach response, patient rights, documentation, monitoring, and ongoing maintenance.

A checklist is a tool to assess and organize your program, but compliance requires actually implementing and maintaining each item with supporting evidence, not just checking boxes.

Revisit it periodically, at least annually and whenever systems, vendors, or threats change, to confirm the program remains complete and current.

A current, documented risk analysis is foundational, because it drives the safeguards and is the most commonly deficient requirement in enforcement actions.

Yes. Business associates must address most of the same items, including the risk analysis, safeguards, policies, training, documentation, and BAAs with subcontractors.

For each item, confirm you can demonstrate it with documentation or evidence. Anywhere you cannot is a gap; collect those gaps, prioritize by risk, and build a remediation plan.