HIPAA Compliance Checklist: A Practical Guide for SMBs

A practical HIPAA compliance checklist for small and mid-sized healthcare practices — administrative, physical, and technical safeguards, plus what auditors actually check and how to catch up if you're behind.

Quick answer

HIPAA compliance for a small or mid-sized healthcare practice comes down to six categories of safeguards and documentation. Here's the high-level checklist:

Category | What it covers
1. Administrative safeguards | Risk assessment, security officer, workforce training, written policies
2. Physical safeguards | Facility access, workstation security, device disposal
3. Technical safeguards | Access controls, audit logging, encryption, transmission security
4. Privacy Rule | Notice of Privacy Practices, patient rights, minimum necessary standard
5. Breach notification readiness | Risk assessment, 60-day patient notice, HHS reporting, documentation
6. Business associate management | BAAs with every vendor that touches PHI, annual review

The full detailed checklist is below — designed to be worked through in order, with checkboxes you can mark off. None of it is optional. Some items are "addressable" in the regulation (meaning you can substitute an equivalent control), but addressable does not mean ignorable.

Note: This is a practical operational checklist written by an IT services provider that supports HIPAA-regulated practices. It is not legal advice. For interpretation of specific requirements, work with HIPAA counsel and your compliance officer.

What HIPAA compliance actually means

HIPAA is shorthand for three distinct rules that together govern protected health information (PHI):

  1. The Privacy Rule (45 CFR Part 164, Subpart E) — when you can use or disclose PHI and what rights patients have
  2. The Security Rule (45 CFR Part 164, Subpart C) — how you protect electronic PHI through administrative, physical, and technical safeguards
  3. The Breach Notification Rule (45 CFR Part 164, Subpart D) — what you must do if PHI is compromised

"HIPAA compliance" means complying with all three, plus maintaining the documentation that proves it. The Privacy Rule applies to all PHI in any form. The Security Rule applies only to electronic PHI (ePHI). The Breach Notification Rule applies whenever PHI is acquired, accessed, used, or disclosed without authorization.

Who needs to be HIPAA compliant

Two categories of organizations are subject to HIPAA:

Covered Entities

  • Healthcare providers who transmit health information electronically — doctors, dentists, clinics, hospitals, mental health professionals, chiropractors, pharmacies
  • Health plans — insurance companies, HMOs, employer-sponsored group health plans
  • Healthcare clearinghouses — entities that translate health information between standard and non-standard formats

Business Associates

Any vendor or contractor that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Examples: IT services providers, cloud storage vendors, EHR vendors, billing companies, transcription services, shredding services, accounting firms with access to patient records.

If you're a covered entity, every business associate you work with needs a signed Business Associate Agreement (BAA) before they touch PHI. If you're a business associate, you have most of the same compliance obligations as the covered entity for the PHI you handle.

Administrative safeguards checklist

The administrative safeguards (45 CFR § 164.308) are the policies, procedures, and people-management controls. These are the most commonly missed in HIPAA audits because they require documentation, not just deployed technology.

Administrative — § 164.308

Risk management

  • Conduct a documented HIPAA risk assessment within the past 12 months
  • Document a risk management plan that addresses identified risks
  • Maintain evidence of remediation actions taken on identified risks

Personnel and roles

  • Designate a Security Officer (HIPAA Security Rule requirement)
  • Designate a Privacy Officer (HIPAA Privacy Rule requirement) — can be the same person at small practices
  • Maintain a current organizational chart showing who reports to whom for compliance matters

Workforce security

  • Document the process for granting workforce access to PHI (authorization, need-to-know basis)
  • Document termination procedures (account disabled, badges returned, devices recovered) — within 24 hours
  • Maintain an authorization matrix showing which roles can access which categories of PHI
  • Conduct workforce HIPAA training annually with documented attendance and acknowledgment
  • Maintain training records for at least 6 years

Information access management

  • Document procedures for granting, modifying, and revoking access to ePHI
  • Implement role-based access controls aligned with the minimum necessary standard
  • Conduct quarterly review of who has access to what
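An added example (not the practice's or Datastrive's own tooling) of the quarterly access review described above, covering both the workforce security and information access management items: it reconciles a constructed HR roster and a constructed account export against an assumed role-to-PHI authorization matrix and flags terminated-but-enabled accounts, entitlements beyond the role (minimum necessary), and accounts with no person behind them.

```python
"""Quarterly access review: reconcile accounts against HR and the authorization matrix.
Added example; the matrix, roster and account export are constructed assumptions."""
from datetime import date

# Assumed authorization matrix: role -> PHI categories the role may access.
ROLE_MATRIX = {
    "physician": {"clinical", "billing"},
    "front_desk": {"demographics", "scheduling"},
    "billing": {"demographics", "billing"},
}

# Constructed HR roster: user -> (role, termination date or None if active).
HR_ROSTER = {
    "jdoe": ("physician", None),
    "mlee": ("front_desk", None),
    "rkim": ("billing", date(2024, 2, 1)),
}

# Constructed account export from the EHR: user -> (enabled, granted categories).
ACCOUNTS = {
    "jdoe": (True, {"clinical", "billing"}),
    "mlee": (True, {"demographics", "scheduling", "clinical"}),
    "rkim": (True, {"demographics", "billing"}),
    "frontdesk-shared": (True, {"demographics"}),
}

REVIEW_DATE = date(2024, 2, 29)  # constructed date of this quarterly review


def access_review(roster, accounts, matrix, today):
    """Return (finding, user, detail) tuples, one per violation found."""
    findings = []
    for user, (enabled, granted) in sorted(accounts.items()):
        if user not in roster:
            # No person behind the account: likely a shared or orphaned login.
            findings.append(("no_hr_record", user, None))
            continue
        role, term_date = roster[user]
        if term_date is not None and enabled:
            # Should have been disabled within 24 hours of termination.
            findings.append(("terminated_still_enabled", user, (today - term_date).days))
        excess = granted - matrix.get(role, set())
        if excess:
            # Minimum necessary: access beyond what the role needs.
            findings.append(("exceeds_role", user, tuple(sorted(excess))))
    return findings


if __name__ == "__main__":
    for finding, user, detail in access_review(HR_ROSTER, ACCOUNTS, ROLE_MATRIX, REVIEW_DATE):
        print(finding, user, detail)
```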

Security incident procedures

  • Maintain a documented incident response plan (see our IRP template)
  • Maintain an incident log of all reported security events
  • Conduct an annual tabletop exercise of the incident response plan

Contingency planning

  • Maintain a written disaster recovery plan covering ePHI
  • Maintain a written data backup plan with documented backup schedule and retention
  • Test backup restoration at least annually
  • Document an emergency mode operation plan (how to function during an outage)

Audit and review

  • Conduct ongoing review of system activity logs (sign-ins, access attempts, data exports)
  • Conduct annual evaluation of HIPAA compliance posture, with documented findings
  • Maintain sanction policy for workforce violations of HIPAA policies

Physical safeguards checklist

Physical safeguards (45 CFR § 164.310) cover physical access to the systems and locations where PHI is stored or processed. They are often overlooked at small practices, which tend to assume that a lock on the front door is enough.

Physical — § 164.310

Facility access controls

  • Limit physical access to areas containing ePHI (server room, network closet, file rooms)
  • Maintain a visitor log for areas containing PHI
  • Issue and track keys, badges, or access cards with documented assignment
  • Recover badges and keys at termination (same day)
  • Document facility security plan including alarm systems, cameras, and after-hours protocols

Workstation security

  • Position workstations so screens are not visible to unauthorized persons (no PHI screens facing waiting rooms)
  • Configure automatic screen lock after 10 minutes of inactivity (5 minutes for shared workstations)
  • Prohibit shared user accounts on workstations
  • Document workstation use policy that all workforce members acknowledge in writing

Device and media controls

  • Maintain inventory of all devices that store or access ePHI (workstations, laptops, phones, tablets, servers, removable media)
  • Document procedures for media disposal (NIST 800-88 standard for hard drives — purge or destroy)
  • Document procedures for media reuse (sanitize before redeployment)
  • Track movement of devices in and out of the facility
  • Use full-disk encryption on all laptops and mobile devices

Technical safeguards checklist

Technical safeguards (45 CFR § 164.312) are the technology controls. This is where most IT-driven HIPAA conversations focus, and where most small practices have the biggest gaps.

Technical — § 164.312

Access control

  • Assign unique user IDs to every workforce member (no shared accounts, ever)
  • Implement automatic logoff after defined inactivity period
  • Implement encryption and decryption for ePHI (addressable but expected — use full-disk encryption + database encryption + email encryption)
  • Document emergency access procedures for accessing PHI when normal authentication is unavailable

Authentication

  • Require strong passwords meeting current NIST guidance (12+ characters, no forced rotation, no complexity requirements that cause weak patterns)
  • Require multi-factor authentication (MFA) for all remote access to ePHI
  • Require MFA for privileged accounts (admin, IT, anyone with elevated rights)
  • Document authentication procedures including account lockout thresholds

Audit controls

  • Enable system logging on all systems containing or accessing ePHI
  • Retain audit logs for at least 6 years (matching documentation retention requirement)
  • Review logs for anomalies on a defined cadence (weekly minimum for small practices)
  • Configure alerts for high-risk events (failed admin logins, mass exports, after-hours access)
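As an added example (not the page's or Datastrive's tooling), a minimal log review that flags the three high-risk events the checklist names, run over constructed sample lines; the log line format, clinic hours, privileged account name and alert thresholds are assumptions.

```python
"""Audit-log review for the high-risk events the checklist names.
Added example; log format, clinic hours, admin names and thresholds are assumptions."""
from collections import Counter
from datetime import datetime, time

ADMIN_USERS = {"admin"}                       # assumed privileged account names
BUSINESS_HOURS = (time(7, 0), time(19, 0))    # assumed clinic hours
FAILED_ADMIN_LOGIN_THRESHOLD = 5              # failures per admin per day
MASS_EXPORT_THRESHOLD = 50                    # exported records per user per day

# Constructed sample log. Assumed line format:
#   <ISO timestamp> <user> <action> <target> <result>
SAMPLE_LOG = [
    "2024-03-04T08:15:02 jdoe LOGIN - OK",
    "2024-03-04T08:16:40 jdoe VIEW patient/1042 OK",
    "2024-03-04T23:40:05 mlee LOGIN - OK",            # after hours
    "2024-03-04T23:41:00 mlee VIEW patient/2210 OK",  # after hours
] + [f"2024-03-04T12:0{i}:00 admin LOGIN - FAIL" for i in range(5)] \
  + [f"2024-03-05T14:{i:02d}:00 rkim EXPORT patient/{3000 + i} OK" for i in range(60)]


def parse_line(line):
    """Split one log line into a dict with a parsed timestamp."""
    ts, user, action, target, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "target": target, "result": result}


def review_log(lines):
    """Return sorted (rule, user, day, count) alerts for the three rules."""
    failed_admin, exports, after_hours = Counter(), Counter(), Counter()
    start, end = BUSINESS_HOURS
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        key = (ev["user"], ev["ts"].date().isoformat())   # counted per user, per day
        if ev["user"] in ADMIN_USERS and ev["action"] == "LOGIN" and ev["result"] == "FAIL":
            failed_admin[key] += 1
        if ev["action"] == "EXPORT" and ev["result"] == "OK":
            exports[key] += 1
        if ev["result"] == "OK" and not (start <= ev["ts"].time() < end):
            after_hours[key] += 1
    alerts = [("failed_admin_logins", u, d, n) for (u, d), n in failed_admin.items()
              if n >= FAILED_ADMIN_LOGIN_THRESHOLD]
    alerts += [("mass_export", u, d, n) for (u, d), n in exports.items()
               if n >= MASS_EXPORT_THRESHOLD]
    alerts += [("after_hours_access", u, d, n) for (u, d), n in after_hours.items()]
    return sorted(alerts)


if __name__ == "__main__":
    for rule, user, day, count in review_log(SAMPLE_LOG):
        print(f"{day} {rule:<20} {user:<10} {count}")
```

In practice the same three rules would be expressed as scheduled searches or alert rules in whatever log platform the practice uses; the point is that each rule maps to a named checklist item and produces a reviewable record.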

Integrity

  • Implement controls to detect and prevent improper alteration of ePHI
  • Use endpoint detection and response (EDR) to detect tampering
  • Maintain backup integrity through verified, immutable backups

Transmission security

  • Encrypt all transmission of ePHI over open networks (TLS 1.2+ for email, web, file transfer)
  • Use secure messaging or encrypted email for any patient communication containing PHI
  • Disable insecure protocols (FTP, Telnet, SMB v1, unencrypted email)
  • Document acceptable transmission methods in your security policy

Privacy Rule readiness checklist

The Privacy Rule (45 CFR Part 164, Subpart E) governs how you use and disclose PHI in any form, paper or electronic, and what rights patients have over their information.

Privacy Rule — Part 164, Subpart E

Notice of Privacy Practices

  • Maintain a current Notice of Privacy Practices (NPP)
  • Post NPP in a clear and prominent location at the practice
  • Provide NPP to patients at first service delivery
  • Obtain written acknowledgment of NPP receipt (or document good-faith effort)
  • Post NPP on the practice website if you have one

Patient rights procedures

  • Document procedure for patient access requests (30 days to respond)
  • Document procedure for amendment requests
  • Document procedure for accounting of disclosures
  • Document procedure for restriction requests
  • Document procedure for confidential communication requests

Use and disclosure

  • Document permitted uses (treatment, payment, operations — no authorization needed)
  • Use authorization forms for all uses outside TPO (marketing, research, sale of PHI)
  • Apply minimum necessary standard to all uses and disclosures except treatment
  • Maintain log of disclosures requiring accounting (excluding TPO)

Breach notification readiness

The Breach Notification Rule (45 CFR Part 164, Subpart D) defines what you must do if PHI is compromised. Most small practices don't think about this until a breach happens — which is exactly when it's most expensive to figure out.

Breach Notification — Part 164, Subpart D

Pre-breach preparation

  • Document breach risk assessment procedure (4-factor analysis)
  • Maintain template patient notification letter ready to customize
  • Maintain template HHS notification ready to file
  • Maintain template media notification (only required for breaches affecting 500+ in a state)
  • Identify outside legal counsel familiar with HIPAA breach response in advance

Notification timelines (memorize these)

  • Patient notification: within 60 days of discovery
  • HHS notification (breaches affecting 500+ individuals): within 60 days of discovery
  • HHS notification (breaches affecting fewer than 500): within 60 days of end of calendar year
  • Media notification (breaches affecting 500+ in a state): within 60 days of discovery, to prominent media outlets in the state
  • Business associate notification to covered entity: without unreasonable delay, no later than 60 days from discovery

Documentation requirements

  • Maintain breach log of all incidents with PHI involvement
  • For each incident, document the 4-factor risk assessment (nature/extent of PHI, who received it, was it actually acquired, mitigation extent)
  • Retain incident documentation for 6 years

Business associate management

One of the most common audit findings: missing or outdated Business Associate Agreements. Every vendor that creates, receives, maintains, or transmits PHI on your behalf needs a signed BAA — including your IT provider, EHR, cloud storage, billing service, shredding service, and anyone else with access to patient data.

Business Associates — § 164.308(b), § 164.504(e)

Identification

  • Maintain a current inventory of all business associates with PHI access
  • Categorize BAs by what PHI they touch and at what scale
  • Identify subcontractor BAs (BAs your BAs use)

Contracts

  • Execute BAA with every business associate before they touch PHI
  • Use BAA language that includes all required HHS provisions
  • Maintain executed BAA copies, fully signed by both parties
  • Renew BAAs when relationships materially change or every 3 years

Ongoing oversight

  • Maintain process for terminating BA relationships (return or destroy PHI)
  • Document any BA security incidents or breaches affecting your PHI
  • Review BA security posture annually for high-risk vendors (cloud, EHR, MSP)

Documentation and retention

HIPAA requires written documentation of all policies, procedures, and actions, retained for at least 6 years from creation or last effective date. This applies to:

  • Written policies and procedures
  • Risk assessments and risk management plans
  • Training records and acknowledgments
  • Audit logs (system logs of access to ePHI)
  • Incident logs
  • Breach notifications and supporting documentation
  • Business associate agreements (after termination)
  • Authorization and consent forms (after expiration)

Retention should be in a system that's tamper-resistant and searchable. A folder of Word docs on a shared drive is acceptable on paper but fails practically when an audit asks you to produce specific documents from 4 years ago. A document management system or compliance platform makes audits substantially easier.

Common audit triggers and findings

The Office for Civil Rights (OCR) at HHS conducts HIPAA audits and investigates complaints. The most common findings — the things that get small practices in trouble — are surprisingly consistent:

  1. No documented risk assessment in the past 12 months. The single most-cited finding in OCR investigations. Risk assessment is foundational; missing it suggests everything else is also unmanaged.
  2. Missing Business Associate Agreements. Especially with cloud storage, EHR vendors, and IT providers. "We've been using them for years" is not a defense.
  3. Workforce training not documented. Training happens but isn't recorded with attendance, content, and acknowledgment. From OCR's perspective, undocumented training didn't happen.
  4. No incident response process. Or a process that exists on paper but has never been tested.
  5. Weak access controls. Shared accounts, no MFA, terminated employees with active access weeks after departure.
  6. No encryption on portable devices. Lost or stolen unencrypted laptops are the single most common breach trigger for healthcare practices.
  7. No audit log review. Logs are enabled but no one is reviewing them — meaning a slow data exfiltration could go unnoticed for months.
  8. Outdated written policies. Policies dated 2014 with no annual review. Policies that don't match what actually happens in the practice.

Annual HIPAA compliance cadence

Compliance isn't a project — it's an ongoing practice. The minimum yearly cadence:

Cadence | Activity
Annually | Risk assessment with documented findings and remediation
Annually | Workforce HIPAA training with attendance records
Annually | Review and update written policies and procedures
Annually | Test backup restoration
Annually | Tabletop exercise of incident response plan
Annually | Review BA inventory and BAA status
Quarterly | Review user access — who has access to what ePHI
Quarterly | Security awareness reminder (phishing simulation, micro-training)
Monthly | Review audit logs for anomalies
Monthly | Patch management cycle for systems handling ePHI
Within 24 hours | Disable access for terminated workforce members
Ongoing | Maintain incident log and document any security events

Getting started if you're behind

If reading this checklist made you realize your practice has gaps — you're not alone. Most small healthcare and dental practices are partially compliant. The question is what to do next.

A realistic 90-day catch-up plan:

  1. Days 1–14: Identify your Security Officer and Privacy Officer (formally, in writing). Take inventory of all systems, devices, and vendors that touch PHI.
  2. Days 14–30: Conduct a documented risk assessment. This is foundational; everything else builds on it.
  3. Days 30–45: Identify and execute missing BAAs with all vendors. Cloud storage, EHR, IT provider, and email/communications platforms first.
  4. Days 45–60: Update or create written policies covering each of the categories above. Don't aim for perfection — aim for current and accurate.
  5. Days 60–75: Conduct workforce training (live or via a HIPAA training platform), document attendance, get acknowledgment from every person.
  6. Days 75–90: Run a tabletop exercise of your incident response plan. Document the exercise. Identify and assign action items.

After 90 days, you have a documented compliance posture that can withstand an audit. Then it becomes the annual cadence above.

If you're a Chicago-area healthcare or dental practice that needs help getting from "we should probably do this" to "we have documented compliance" — that's exactly the work Datastrive does for our healthcare and dental clients. Get on a call with one of the partners and we'll walk through what your specific practice needs. No pitch deck, no obligation.
