
HIPAA compliance checklist

The annual HIPAA compliance cycle as a step-by-step checklist: risk analysis, policy updates, workforce training, safeguards, documentation, and re-attestation. Paired with a BPMN process map that ties the cadence together.


Who HIPAA applies to

US healthcare covered entities (health plans, healthcare clearinghouses, most healthcare providers) and their business associates that handle protected health information (PHI).

Jurisdiction: US healthcare (covered entities and business associates). Full name: Health Insurance Portability and Accountability Act.


The HIPAA compliance checklist

The high-level cycle. Each item below is the visible head of a fuller process - open it in the editor to flesh out the steps, owners, and decisions your team actually runs.

The PDF includes real fillable form fields - tick each checkbox in your PDF reader and fill in organisation name, owner, and dates. The DOCX is fully editable in Word, Google Docs, or any compatible editor.

  1. Run an accurate and thorough HIPAA risk analysis (45 CFR 164.308(a)(1)(ii)(A)).
  2. Maintain a current Notice of Privacy Practices and patient access workflow.
  3. Implement administrative, physical, and technical safeguards per the Security Rule.
  4. Execute Business Associate Agreements with every vendor that handles PHI on the covered entity's behalf.
  5. Train the workforce on privacy and security policies - initial onboarding plus annual refreshers.
  6. Document access controls - joiner / mover / leaver against every system that holds ePHI.
  7. Operate the Breach Notification Rule process (4-factor risk assessment + 60-day clock).
  8. Maintain a sanctions policy and disciplinary record for HIPAA violations.
  9. Document the contingency plan: backups, disaster recovery, emergency mode.
  10. Review the risk analysis output annually and re-attest where required.


HIPAA as a process map

The annual HIPAA compliance cycle, captured as a BPMN process map. Risk analysis feeds policy, policy feeds training, training feeds safeguards, and the annual review feeds the next risk analysis.


HIPAA Security Rule risk analysis process

A HIPAA Security Rule risk analysis (45 CFR 164.308(a)(1)(ii)(A)-(B)) rendered as a BPMN 2.0 process map. The flow inventories ePHI assets, identifies threats and vulnerabilities, rates likelihood and impact, evaluates current controls, decides whether residual risk is acceptable, and either routes findings to a remediation plan and re-assesses, or files the risk register and closes the cycle. The breach-side branch (500-individual-impact split, 60-day HHS / media notification) is covered separately on /hipaa-compliance-processes.

  1. Inventory ePHI assets and the systems that create, receive, maintain, or transmit them (§164.308(a)(1)(ii)(A)).
  2. Identify reasonably anticipated threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
  3. Rate likelihood and impact for each threat-vulnerability pair, scoring inherent risk before controls.
  4. Evaluate current administrative, physical, and technical safeguards and recompute residual risk.
  5. If residual risk is unacceptable, open a remediation plan (assign owner, control, due date) and route back for re-assessment after fix.
  6. If residual risk is acceptable, document the determination in the risk register (§164.308(a)(1)(ii)(B)) and archive supporting evidence.
  7. Schedule the next periodic review and close the analysis - the register feeds the security management process and the Sanction and Workforce Security standards.
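
The scoring and routing in steps 3 to 7 above, as an added worked example that is not part of the original page or its BPMN map. It assumes a 3x3 likelihood-by-impact scale, a hypothetical residual-risk threshold of 3.0, a 90-day remediation window and a 365-day review cadence; the asset names, threats and safeguard effectiveness figures are constructed sample data, not findings from any real assessment.

```python
"""Constructed HIPAA Security Rule risk-analysis cycle: score inherent risk,
recompute residual risk after safeguards, route to remediation or the register,
and re-assess after a fix. Scales and thresholds below are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Ordinal 3-point scales; one common choice, not a regulatory requirement.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}
ACCEPTABLE_RESIDUAL = 3.0          # hypothetical risk-appetite threshold (inclusive)
REMEDIATION_WINDOW = timedelta(days=90)
REVIEW_CADENCE = timedelta(days=365)


@dataclass
class Safeguard:
    """A current or planned control and the fraction of risk it removes (0..1)."""
    name: str
    effectiveness: float


@dataclass
class Risk:
    asset: str                      # system that creates/receives/maintains/transmits ePHI
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    safeguards: list[Safeguard] = field(default_factory=list)

    def inherent_risk(self) -> int:
        """Step 3: likelihood x impact before any controls are credited."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_risk(self) -> float:
        """Step 4: inherent risk reduced by each safeguard, treated as independent."""
        remaining = float(self.inherent_risk())
        for s in self.safeguards:
            remaining *= 1.0 - s.effectiveness
        return round(remaining, 2)


def assess(risk: Risk, owner: str, today: date) -> dict:
    """Steps 5-6: accept into the register, or open a remediation plan."""
    residual = risk.residual_risk()
    entry = {"asset": risk.asset, "threat": risk.threat, "residual": residual}
    if residual <= ACCEPTABLE_RESIDUAL:
        entry.update(status="accepted", next_review=today + REVIEW_CADENCE)
    else:
        entry.update(status="remediate", owner=owner, due=today + REMEDIATION_WINDOW)
    return entry


def reassess(risk: Risk, fix: Safeguard, owner: str, today: date) -> dict:
    """Step 5 loop-back: credit the implemented control and score again."""
    risk.safeguards.append(fix)
    return assess(risk, owner, today)


def run_cycle(risks: list[Risk], owner: str, today: date) -> tuple[list, list]:
    """One pass over the inventory; returns (risk register, remediation plan)."""
    register, remediation = [], []
    for r in risks:
        entry = assess(r, owner, today)
        (register if entry["status"] == "accepted" else remediation).append(entry)
    return register, remediation


def sample_risks() -> list[Risk]:
    """Constructed inventory (step 1-2); fresh objects on every call."""
    return [
        Risk("EHR database", "ransomware", "unpatched server", "high", "high",
             [Safeguard("offline backups", 0.5), Safeguard("monthly patching", 0.4)]),
        Risk("laptop fleet", "lost device", "no disk encryption", "medium", "high"),
        Risk("billing portal", "credential phishing", "no MFA", "high", "medium",
             [Safeguard("awareness training", 0.3)]),
    ]


if __name__ == "__main__":
    risks = sample_risks()
    register, plan = run_cycle(risks, "security officer", date(2024, 1, 15))
    for e in register + plan:
        print(e)
    # After the laptop fix lands, the loop-back re-scores it:
    print(reassess(risks[1], Safeguard("full-disk encryption", 0.8),
                   "security officer", date(2024, 4, 15)))
```

The register entry carries the next review date and the remediation entry carries owner and due date, which is the minimum the step 5 and step 6 records above call for; a real programme would also attach the supporting evidence (scan output, ticket ids, policy references) that step 6 archives.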

Frequently asked questions

Who has to comply with HIPAA?

Covered entities (health plans, healthcare clearinghouses, and most healthcare providers that transmit electronic transactions) and business associates that create, receive, maintain, or transmit PHI on behalf of a covered entity.

Is a HIPAA compliance checklist enough?

A checklist is the right starting point, but HIPAA compliance is operational - it lives in the processes that produce evidence year after year. Most enforcement actions begin not because the checklist was incomplete but because the underlying processes drifted. The diagram on this page is the cadence the OCR (the HHS Office for Civil Rights, which enforces HIPAA) expects to see operating.

How often do I need to run a HIPAA risk analysis?

HIPAA does not prescribe a fixed frequency, but the OCR has consistently emphasised that the risk analysis must be "accurate and thorough" and refreshed in response to material changes (new systems, new business associates, incidents). In practice, most programmes run it annually and update for triggering events.

What is the difference between this and the "seven HIPAA processes" page?

This page is the line-by-line checklist for an organisation-wide HIPAA programme. The /hipaa-compliance-processes page goes deeper into the seven specific operational processes (breach notification, incident response, access management, BA onboarding, risk analysis, workforce training, ePHI disposal), with the breach-notification process rendered as an editable BPMN map and the remaining six catalogued for follow-up.


Turn the HIPAA checklist into a working process

Open the HIPAA process map, rename the steps to match your organisation, and turn the checklist into a working procedure your team can run year after year.