
HIPAA Compliance Checklist 2026 — What Healthcare Organizations Actually Need

GRCadia Team · April 2, 2026

Accuracy Disclaimer: This article is for informational purposes only and does not constitute legal or compliance advice. HIPAA requirements are subject to regulatory updates — including the HIPAA Security Rule update proposed by HHS in late 2024, which may introduce new requirements. Always consult the latest federal regulations and qualified legal counsel for compliance decisions specific to your organization.

Last reviewed: April 2026

Why Most HIPAA Checklists Are Useless

Search "HIPAA compliance checklist" and you get pages of generic advice. "Train your staff." "Encrypt your data." "Have a policy." None of it tells you what auditors actually look for, what the OCR (Office for Civil Rights) focuses on during investigations, or how to build documentation that holds up when things go wrong.

This checklist is different. It covers the HIPAA Security Rule implementation specifications — the actual technical requirements — organized the way a compliance professional thinks about them. Not marketing copy. Practical guidance.

If you need ready-made documentation to support your HIPAA programme, our HIPAA Compliance Toolkit covers the key specifications with editable templates, audit checklists, and implementation guidance.

The Three Pillars of HIPAA Compliance

HIPAA's Security Rule organizes requirements into three safeguard categories. Every covered entity and business associate must address all three. There are no optional categories — only required and addressable implementation specifications within them.

The difference matters: Required specifications must be implemented exactly as stated. Addressable specifications must be implemented if reasonable and appropriate for your organization — otherwise you must document why the specification is not reasonable and appropriate and implement an equivalent alternative measure where one is. "Addressable" never means optional.

Administrative Safeguards — The Foundation

Administrative safeguards account for the majority of HIPAA requirements and the majority of OCR findings. Most breaches trace back to failures here — inadequate risk analysis, poor workforce training, or missing sanction policies.

Security Management Process (§164.308(a)(1))

This is the cornerstone of your entire HIPAA programme. Four required specifications sit under this standard:

  • Risk Analysis (Required): Conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI you hold. This is not a one-time exercise — it must be ongoing. The OCR has issued millions in fines specifically for missing or inadequate risk analyses.
  • Risk Management (Required): Implement security measures sufficient to reduce risks identified in your risk analysis to a reasonable and appropriate level. Document your risk treatment decisions.
  • Sanction Policy (Required): Apply appropriate sanctions against workforce members who fail to comply with your security policies. This must be documented and applied consistently.
  • Information System Activity Review (Required): Regularly review records of information system activity — audit logs, access reports, security incident tracking reports.

Assigned Security Responsibility (§164.308(a)(2))

Identify the security official responsible for developing and implementing your security policies and procedures. This person must be named — not a role, an actual individual. Document this assignment formally.

Workforce Security (§164.308(a)(3))

  • Authorization and Supervision (Addressable): Implement procedures for the authorization and supervision of workforce members who work with ePHI.
  • Workforce Clearance Procedure (Addressable): Implement procedures to determine appropriate access to ePHI for each workforce member.
  • Termination Procedures (Addressable): Implement procedures for terminating access to ePHI when employment ends or roles change.

Information Access Management (§164.308(a)(4))

  • Isolating Healthcare Clearinghouse Functions (Required): If you operate as a healthcare clearinghouse within a larger organization, implement policies to protect ePHI from the larger organization.
  • Access Authorization (Addressable): Implement policies for granting access to ePHI — who gets access, how it is approved, and how it is documented.
  • Access Establishment and Modification (Addressable): Implement procedures that establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.

Security Awareness and Training (§164.308(a)(5))

Training is required for all workforce members — including management. The four addressable specifications under this standard are frequently cited in OCR investigations:

  • Security Reminders (Addressable): Periodic security updates to all workforce members.
  • Protection from Malicious Software (Addressable): Procedures for guarding against, detecting, and reporting malicious software.
  • Log-in Monitoring (Addressable): Procedures for monitoring log-in attempts and reporting discrepancies.
  • Password Management (Addressable): Procedures for creating, changing, and safeguarding passwords.

Security Incident Procedures (§164.308(a)(6))

  • Response and Reporting (Required): Implement policies and procedures to address security incidents. Identify and respond to suspected or known security incidents. Mitigate harmful effects. Document incidents and their outcomes.

Contingency Plan (§164.308(a)(7))

Your contingency plan covers what happens when systems fail or disasters strike. Five specifications apply:

  • Data Backup Plan (Required): Establish and implement procedures to create and maintain retrievable exact copies of ePHI.
  • Disaster Recovery Plan (Required): Establish and implement procedures to restore any loss of data.
  • Emergency Mode Operation Plan (Required): Establish and implement procedures to enable continuation of critical business processes for protection of ePHI while operating in emergency mode.
  • Testing and Revision Procedures (Addressable): Implement procedures for periodic testing and revision of contingency plans.
  • Applications and Data Criticality Analysis (Addressable): Assess the relative criticality of specific applications and data in support of other contingency plan components.

Evaluation (§164.308(a)(8))

Perform a periodic technical and non-technical evaluation, based initially upon the standards in this rule, in response to environmental or operational changes affecting the security of ePHI. This evaluation must be documented.

Business Associate Contracts and Other Arrangements (§164.308(b)(1))

Every business associate who handles ePHI on your behalf must have a signed Business Associate Agreement (BAA). This is required — not addressable. Missing BAAs are one of the most common HIPAA violations.

Physical Safeguards — Protecting the Hardware

Physical safeguards address the physical protection of electronic information systems and the buildings and equipment that house them. Remote work has made this significantly more complex.

Facility Access Controls (§164.310(a)(1))

  • Contingency Operations (Addressable): Establish and implement procedures to allow facility access in support of restoration of lost data under the disaster recovery and emergency operations plans.
  • Facility Security Plan (Addressable): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
  • Access Control and Validation Procedures (Addressable): Implement procedures to control and validate a person's access to facilities based on their role or function.
  • Maintenance Records (Addressable): Implement policies and procedures to document repairs and modifications to the physical components of a facility — hardware, walls, doors, locks.

Workstation Use (§164.310(b))

Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI. Remote workstations present particular challenges here.

Workstation Security (§164.310(c))

Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users only.

Device and Media Controls (§164.310(d)(1))

  • Disposal (Required): Implement policies and procedures to address the final disposition of ePHI and the hardware or electronic media on which it is stored. This means certified data destruction — not just deleting files.
  • Media Re-use (Required): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.
  • Accountability (Addressable): Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
  • Data Backup and Storage (Addressable): Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.

Technical Safeguards — The Controls Auditors Test

Technical safeguards are the technology controls that protect ePHI. These are the specifications most frequently tested during security assessments and OCR technical reviews.

Access Control (§164.312(a)(1))

  • Unique User Identification (Required): Assign a unique name and/or number for identifying and tracking user identity. Shared accounts are not permitted for ePHI access.
  • Emergency Access Procedure (Required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency, so that break-glass access is controlled and logged rather than improvised.
  • Automatic Logoff (Addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  • Encryption and Decryption (Addressable): Implement a mechanism to encrypt and decrypt ePHI.

Audit Controls (§164.312(b))

Implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Audit logs must be retained and regularly reviewed. This is required — not addressable.
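To make the log review concrete, here is an added example (not code from the article or from GRCadia) in Python that runs three checks tied to the specifications above over constructed log lines: a burst of failed log-ins (Log-in Monitoring), ePHI access by a user outside the authorization register (Access Authorization), and one user ID reading ePHI from two workstations within minutes, a shared-account indicator under Unique User Identification. The log format, field names, user names and thresholds are all assumptions.

```python
# Added example (not from the article): review constructed access-log records
# against controls named above: Log-in Monitoring (164.308(a)(5)), Access
# Authorization (164.308(a)(4)), Unique User Identification (164.312(a)(1)) and
# Information System Activity Review (164.308(a)(1)). Format and thresholds are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp|user|workstation|event|record
SAMPLE_LOG = """\
2026-03-01T08:00:00|jdoe|WS-101|LOGIN_OK|-
2026-03-01T08:05:00|jdoe|WS-101|PHI_READ|MRN-0001
2026-03-01T08:06:00|jdoe|WS-212|PHI_READ|MRN-0002
2026-03-01T09:00:00|svc_lab|WS-300|LOGIN_FAIL|-
2026-03-01T09:00:10|svc_lab|WS-300|LOGIN_FAIL|-
2026-03-01T09:00:20|svc_lab|WS-300|LOGIN_FAIL|-
2026-03-01T10:01:00|asmith|WS-105|PHI_READ|MRN-0003"""

AUTHORIZED_PHI_USERS = {"jdoe"}   # constructed access-authorization register
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=10)
CONCURRENT_WINDOW = timedelta(minutes=5)

def parse(log_text):
    """Split pipe-delimited lines into (datetime, user, host, event, record)."""
    rows = []
    for line in log_text.splitlines():
        ts, user, host, event, record = line.split("|")
        rows.append((datetime.fromisoformat(ts), user, host, event, record))
    return rows

def review(log_text):
    """Return (control, user, detail) findings for the security official's review record."""
    findings, fails, reads = [], defaultdict(list), defaultdict(list)
    for ts, user, host, event, record in parse(log_text):
        if event == "LOGIN_FAIL":
            fails[user].append(ts)
            recent = [t for t in fails[user] if ts - t <= FAIL_WINDOW]
            if len(recent) == FAIL_THRESHOLD:   # report once, when the burst reaches threshold
                findings.append(("login-monitoring", user,
                                 f"{FAIL_THRESHOLD} failed log-ins within {FAIL_WINDOW}"))
        elif event == "PHI_READ":
            if user not in AUTHORIZED_PHI_USERS:
                findings.append(("access-authorization", user, f"read {record} without authorization"))
            # Same user ID active on two workstations inside a short window suggests a shared account
            others = sorted({h for t, h in reads[user] if h != host and ts - t <= CONCURRENT_WINDOW})
            if others:
                findings.append(("unique-user-id", user, f"ePHI access from {host} and {others}"))
            reads[user].append((ts, host))
    return findings
```

Each finding is dated evidence that the activity review actually happened, which is what an OCR reviewer asks to see.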

Integrity (§164.312(c)(1))

  • Mechanism to Authenticate ePHI (Addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.

Person or Entity Authentication (§164.312(d))

Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. Multi-factor authentication is the standard approach and is increasingly expected by OCR. This specification is required.

Transmission Security (§164.312(e)(1))

  • Integrity Controls (Addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection.
  • Encryption (Addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate. In practice, TLS 1.2 or higher is the minimum expected standard for any ePHI in transit.

Organizational Requirements

Business Associate Contracts (§164.314(a)(1))

Business associate contracts must contain specific provisions required by HIPAA. A simple NDA is not sufficient. The contract must specify permitted and required uses, require the business associate to implement safeguards, and require notification of breaches.

Requirements for Group Health Plans (§164.314(b))

Group health plans that provide benefits through health insurance issuers or HMOs must ensure that plan documents include required provisions restricting disclosure of ePHI to plan sponsors.

Policies, Procedures, and Documentation

Every HIPAA control requires documentation. Oral policies do not satisfy HIPAA requirements. Documentation must be:

  • Written and retained for a minimum of 6 years from the date of creation or the date it was last in effect, whichever is later
  • Available to those responsible for implementing the procedures
  • Reviewed and updated periodically in response to environmental or operational changes

The Most Common HIPAA Violations — OCR Data

Based on OCR resolution agreements and corrective action plans, the five most frequently cited HIPAA failures are:

  1. Incomplete or missing risk analysis — the single most common finding
  2. Missing Business Associate Agreements — especially with cloud providers and IT vendors
  3. Lack of access controls — users with excessive permissions, shared accounts
  4. Insufficient security awareness training — annual training not documented or not completed
  5. Inadequate audit controls — audit logs not collected, not reviewed, or not retained

Building Your HIPAA Documentation Set

Passing a HIPAA audit or OCR investigation requires more than policies — you need evidence. Auditors look for dated records showing your programme is active and maintained, not just documented on paper.

A complete HIPAA documentation set typically includes: Security Risk Analysis, Risk Management Plan, Security Policies and Procedures (covering the key implementation specifications), Workforce Training Records, Business Associate Agreement Register, Incident Response Log, Contingency Plan with test results, and Access Review Records.

Building all of this from scratch typically takes 80-120 hours of skilled compliance work. Our HIPAA Compliance Toolkit provides all of these documents as professionally formatted, editable templates — aligned with the Security Rule implementation specifications and ready to customize for your organization.

Key Takeaway

HIPAA compliance is not a one-time project. It is an ongoing programme that requires regular risk analysis, continuous monitoring, annual training, and documented evidence of all activities. The organizations that fail OCR investigations are rarely those with bad intentions — they are organizations that treated HIPAA as a checkbox exercise rather than a living programme.

Start with a thorough risk analysis. Build your policy documentation from there. Train your workforce. Test your contingency plans. Review and update everything annually. That is what HIPAA compliance actually looks like in practice.


Ready to get compliant?

GRCadia provides audit-ready compliance templates for ISO 27001, SOC 2, HIPAA, and more. One-time purchase, instant download.
