HIPAA fines cost ten companies $28.7 million in 2018, which broke the previous 2016 record for HIPAA fines by 22%! Needless to say, you don't want to have to worry about a HIPAA complaint being filed against your organization, and by going through this straight forward checklist, you can ensure full compliance

The primary purpose of the HIPAA is simply to keep people's healthcare data private. If your healthcare organization is an entity that uses and has access to Protected Health Information (PHI), then you are classified as a Covered Entity (CE) and need to make sure you are compliant with HIPAA regulations. 

There are three critical components to PHI security:

  • Technical safeguards
  • Physical safeguards
  • Administrative safeguards

Each part is equally important and must be satisfied to ensure HIPAA compliance. 

You will notice that next to each task there is either an (R) or an (A). R stands for "Required", and A is "Addressable", however, this does not mean that they are optional. Each of the criteria has to be adhered to in order to achieve full HIPAA compliance.

While going through the checklist, bear in mind that the requirements of HIPAA are intentionally vague so that it can be applied equally to different types of covered entities that come into contact with PHI.

For more information on the ins and outs of HIPAA compliance, check out this comprehensive guide. You can also watch the video below for an overview of what is required for HIPAA compliance

In case you're wondering what Process Street is all about...

Process Street is superpowered checklists. By using our software to document your processes, you are instantly creating an actionable workflow in which tasks can be assigned to team members, automated, and monitored in real-time to ensure they are being executed as intended, each and every time.

The point is to minimize human error, increase accountability, and provide employees with all of the tools and information necessary to complete their tasks as effectively as possible.

Technical safeguards:

Implement a means of access control (R)

Establishing and implementing a means of access control for each user of company software is an essential technical safeguard. 

This not only means assigning a centrally-controlled unique username and PIN code for each user, but also establishing procedures to govern the release or disclosure of ePHI during an emergency.

State below whether your organization is compliant with this requirement.

Restrict access to ePHI via permissions after you have identified the who should have access.

Introduce activity logs and audit controls (R)

All attempts to access ePHI must be registered and whatever is done with that data once it has been accessed must be recorded so that if needs be, it can be reviewed at a later date.

In the case of a data breach, CEs need to provide a complete audit trail and show exactly how the breach occurred. Alerts and security analytics should be set up so that you can prevent breaches in the first place.

Introduce a mechanism to authenticate ePHI (A)

Introducing a mechanism to authenticate ePHI is an essential component as it confirms whether ePHI has been altered or destroyed in an unauthorized manner. 

To be HIPAA compliant, CEs need to be able to prove that the ePHI they manage is protected from threats both inside and out. Whether a member of staff accidentally deleted a record or a hacker deleted it intentionally, you should be able to recover and restore that record.

Implement tools for encryption and decryption (A)

Any device used by authorized users to access ePHI must have the functionality to encrypt messages when they are sent beyond an internal firewalled server, and in turn, decrypt those messages when they are received. 

In short, you need to be able to prove that only authorized individuals accessed the ePHI. 

As an example, you can use an encrypted email with a private key, HTTPS file transfer, or a VPN. 

Facilitate automatic log-offs of PCs and devices (A)

This simple function logs authorized personnel off the device they are using to access or communicate ePHI after a pre-defined period of time.

This prevents unauthorized access of ePHI should the device be left unattended.

Verify technical safeguards are in place

Once this checklist has been completed, it will require approval from a senior person, such as your IT Security Officer

If you have any comments regarding the status of technical safeguards at your organization, state them below so they can be reviewed during the approval process. 

Physical safeguards:

Implement policies for the use/positioning of workstations (R)

Desktops, laptops, and tablets that are used by staff to access ePHI must be securely managed. Every computer with access to ePHI must adhere to this policy.

  • 1
    Physical safeguards for all computers that access ePHI
  • 2
    Restricted access to computers that access ePHI
  • 3
    Remote wipe safeguards on laptops that are frequently moved

Implement policies and procedures for mobile devices (R)

If users are allowed to access ePHI from their mobile devices, policies must be devised and implemented to govern how ePHI is removed from the devices if the user leaves the organization or the device is re-used, sold, etc.

Implement facility access controls (A)

Limit and audit physical access to the computers that store and process ePHI.

A simple and easy way to do is put a lock on the server room door. This will prevent unauthorized physical access, tampering, and theft.

Establish and maintain an inventory of hardware (A)

An inventory of all hardware must be maintained, together with a record of the movements of each item. In addition to computers, this includes media such as USB drives, tape backups and removable storage.

A retrievable exact copy of ePHI must be made before any equipment is moved.

Verify physical safeguards are in place

If you have any comments regarding the status of physical safeguards at your organization, state them below so they can be reviewed during the approval process. 

Administrative safeguards:

Conduct ePHI risk assessments (R)

The Security Officer designated to managing HIPAA compliance is responsible for conducting regular risk assessments to identify every area in which ePHI is being used, and to determine all of the ways in which a security breach could occur.

Below is a graphic summarising the process of conducting a comprehensive risk assessment.


Introduce a risk management policy (R)

CEs must establish policies and procedures to prevent, detect, contain, and correct security violations. Part of this process is to follow the procedures stated in the Risk Management Policy to assess overall risk in your current processes or when you implement new policies.

The primary purpose of a risk management policy is to periodically reduce the risks of a security breach by introducing security measures following a risk assessment. This should take place at regular intervals.

Restrict third-party access to ePHI (R)

It goes without saying that it is vital to ensure ePHI is not accessed by unauthorized parent organizations, subcontractors, or other third-parties.

In the case that a business partner will be granted access to ePHI, a Business Associate Agreement must be signed. 

Develop a contingency plan (R)

In the case of an emergency, a contingency plan must be ready to enable the continuation of critical business processes while protecting the integrity of ePHI.

You must have a:

  • 1
    Data backup plan
  • 2
    Disaster recovery plan
  • 3
    Emergency mode operation plan

Test the contingency plan periodically (A)

Of course, in the case of an emergency, effective execution of the contingency plan is paramount. 

Therefore it is important to test the contingency plan periodically to assess its effectiveness in various situations.

The most important thing to verify during testing is that there are accessible backups of ePHI and procedures in place to restore lost data in the event of an emergency

Formally train employees to be secure (A)

CEs must provide workforce training and management for security policies in order to be HIPAA compliant. 

Training schedules must be introduced to raise awareness of the policies and procedures governing access to ePHI and how to identify malicious software attacks and malware.

All training must be documented.

Develop a formal procedure to report security incidents (A)

A security incident does not necessarily mean a breach. If there is any indication that ePHI is under security threat, there needs to be a formal procedure in place to report such incidents and address the issue as soon as possible.

As mentioned earlier, alerts and security analytics should be set up so that you can prevent breaches in the first place.

Verify administrative safeguards are in place

If you have any comments regarding the status of administrative safeguards at your organization, state them below so they can be reviewed during the approval process. 

Final step:

Approval: Confirm standards for all three safeguards are being met

Will be submitted for approval:
  • Verify technical safeguards are in place
    Will be submitted
  • Verify administrative safeguards are in place
    Will be submitted
  • Verify physical safeguards are in place
    Will be submitted


Sign up for a FREE account and
search thousands of checklists in our library.

Sign up for a FREE account and search thousands of checklists in our library.