⚠️ January 2025 HIPAA Security Rule update: in January 2025 HHS published a Notice of Proposed Rulemaking (NPRM), not a final rule. Items below marked as proposed become mandatory only when a final rule's compliance date arrives; confirm the current status before treating them as required.
Interactive Checklist

Complete HIPAA Compliance Checklist

Comprehensive checklist covering all Administrative, Physical, and Technical Safeguards required for HIPAA compliance. Check off items as you complete them to track your progress.

Administrative Safeguards

Security Management Process

Conduct comprehensive risk analysis to identify potential risks and vulnerabilities to ePHI
Document risk management policies and procedures to reduce identified risks
Establish formal sanction policy for workforce members who violate security policies
Regularly review information system activity logs (audit logs, access reports, security incidents)

Assigned Security Responsibility

Designate a Security Officer responsible for developing and implementing security policies

Workforce Security

Ensure workforce members have appropriate access to ePHI based on job function (least privilege)
Conduct background checks or verify credentials before granting access to ePHI
Implement formal procedures to terminate access when employees leave or change roles

Information Access Management

Establish policies and procedures for granting access to ePHI

Security Awareness and Training

Provide security awareness training to all workforce members, including management
Train staff on recognizing and protecting against malicious software (malware, phishing)

Security Incident Procedures

Establish procedures to identify, respond to, and report security incidents
Document all security incidents and their outcomes
Be able to notify affected individuals of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery, with notice to HHS (and to prominent media outlets) when 500 or more individuals are affected; business associates must notify the covered entity within the same 60-day outer limit

Contingency Plan

Document data backup plan with procedures for creating retrievable copies of ePHI
Create disaster recovery plan to restore any loss of data
Develop emergency mode operation plan for critical business processes during emergencies
Periodically test and revise contingency plans (the current rule says only "periodically"; testing at least annually is the usual baseline)

Evaluation

Conduct periodic technical and non-technical evaluations of security program

Business Associate Contracts

Establish Business Associate Agreements (BAAs) with all vendors who handle ePHI
Ensure BAAs require business associates to implement appropriate safeguards
Monitor business associates for compliance with BAA terms

Privacy Responsibility

Designate a Privacy Officer responsible for developing and implementing privacy policies (a Privacy Rule requirement, 45 CFR 164.530(a), listed here alongside the Security Officer role)

Physical Safeguards

Facility Access Controls

Establish procedures for facility access during emergency situations
Implement facility security plan to safeguard facility and equipment from unauthorized access
Control and validate access to facilities based on role or function
Document repairs and modifications to physical security components (doors, locks, walls)

Workstation Use

Define proper functions and physical attributes of workstations accessing ePHI
Position workstation screens to prevent unauthorized viewing of ePHI

Workstation Security

Implement physical safeguards restricting access to workstations that can access ePHI

Device and Media Controls

Establish policies governing receipt and removal of hardware and media containing ePHI
Implement secure disposal procedures for hardware and media containing ePHI
Sanitize electronic media before reuse so ePHI cannot be recovered (clear, purge, or destroy per NIST SP 800-88; a file delete or quick format is not sufficient)
Maintain records of hardware and electronic media movements

Technical Safeguards

Access Control

Assign unique user identifications for identifying and tracking user identity (no shared accounts)
Establish procedures for obtaining necessary ePHI access during emergencies (break glass)
Implement automatic logoff after predetermined period of inactivity
Encrypt ePHI at rest (data at rest) - an addressable implementation specification under the current rule (45 CFR 164.312(a)(2)(iv)); the January 2025 NPRM proposes making it required
Implement Multi-Factor Authentication (MFA) for access to ePHI - not named in the current rule; the January 2025 NPRM proposes making it required
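As an added example (not part of the original checklist), the following Python shows the server side of one common second factor, an RFC 6238 TOTP verifier, including the two details an MFA check must get right: a small clock-skew window, and refusing to accept a code for a time step that has already been used (replay). The secret is the RFC 6238 Appendix B test secret, not a real one; the user names and timestamps are constructed.

```python
"""RFC 6238 TOTP generation and verification with skew window and replay
protection. Secret below is the RFC 6238 Appendix B test secret (constructed
for illustration, never use it in production)."""
import hmac
import hashlib
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test vector secret


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """Compute the TOTP code for the 30-second time step containing unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Verifies codes for many users, remembering the last accepted time step."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30, skew: int = 1):
        self.secret, self.digits, self.step, self.skew = secret, digits, step, skew
        self.last_counter = {}  # user -> highest time step already consumed

    def verify(self, user: str, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        # Accept the current step and `skew` steps either side to tolerate clock drift.
        for c in range(current - self.skew, current + self.skew + 1):
            if c <= self.last_counter.get(user, -1):
                continue  # this step was already used: a replayed code must fail
            expected = totp(self.secret, c * self.step, self.digits, self.step)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_counter[user] = c
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 1000)
    print("first use accepted:", v.verify("alice", code, now=1000))
    print("replay accepted:", v.verify("alice", code, now=1000))
```

In a real deployment the per-user secret comes from an encrypted store and `last_counter` must be persisted (or held in a shared cache) so that replay protection survives restarts and works across multiple application servers.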

Audit Controls

Implement mechanisms to record and examine activity in systems containing ePHI (audit logs)
Retain audit logs for a defined period (HIPAA sets no explicit log retention period; the 6-year retention in 45 CFR 164.316(b)(2) applies to policies, procedures and required documentation and is commonly applied to logs as well)
Regularly review audit logs for suspicious activity (the rule requires regular review without fixing an interval; at least monthly, and more often for high-risk systems, is the usual practice)
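As an added example (not part of the original checklist), the following Python runs the kind of review a monthly audit-log check should perform over a small constructed ePHI access log: access by a terminated account (ties back to the access-termination item), use of a generic shared account (ties back to the unique-user-ID item), one user ID active from several source addresses within a short window, and break-glass access nobody has reviewed. The log format, roster, account-name prefixes and thresholds are all assumptions made here; real EHR audit formats differ.

```python
"""Audit-log review for ePHI access. Log lines, roster and thresholds are
constructed for illustration; adapt the field names to your system's audit format."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed workforce roster: user -> (status, termination timestamp or None).
ROSTER = {
    "jsmith": ("active", None),
    "mlee": ("terminated", "2025-03-01T00:00:00"),
    "nurse_station3": ("active", None),   # generic account that should not exist
    "rpatel": ("active", None),
}
# Assumed naming convention for shared/generic accounts in this environment.
SHARED_ACCOUNT_PREFIXES = ("nurse_", "admin_", "shared", "temp")

# Constructed JSON-lines audit events.
AUDIT_LOG = """\
{"ts":"2025-03-03T08:01:10","user":"jsmith","src":"10.1.4.22","action":"view","patient":"P1001"}
{"ts":"2025-03-03T08:02:45","user":"mlee","src":"10.1.4.90","action":"view","patient":"P1002"}
{"ts":"2025-03-03T08:03:00","user":"nurse_station3","src":"10.1.5.7","action":"view","patient":"P1003"}
{"ts":"2025-03-03T08:05:12","user":"rpatel","src":"10.1.4.31","action":"view","patient":"P1004"}
{"ts":"2025-03-03T08:05:40","user":"rpatel","src":"203.0.113.9","action":"view","patient":"P1005"}
{"ts":"2025-03-03T08:07:02","user":"rpatel","src":"198.51.100.4","action":"export","patient":"P1006"}
{"ts":"2025-03-03T09:15:00","user":"jsmith","src":"10.1.4.22","action":"break_glass","patient":"P1007","reviewed":false}
"""


def parse_events(text):
    """Parse JSON lines into event dicts with a datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def review(events, roster=ROSTER, window=timedelta(minutes=10), max_sources=2):
    """Return (finding_type, user, timestamp) tuples for events needing follow-up."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
        status, term = roster.get(e["user"], ("unknown", None))
        ts = e["ts"].isoformat()
        if status == "unknown":
            findings.append(("unknown_account", e["user"], ts))
        elif status == "terminated" and e["ts"] >= datetime.fromisoformat(term):
            findings.append(("terminated_account_access", e["user"], ts))
        if e["user"].startswith(SHARED_ACCOUNT_PREFIXES):
            findings.append(("shared_account_use", e["user"], ts))
        if e["action"] == "break_glass" and not e.get("reviewed", False):
            findings.append(("unreviewed_break_glass", e["user"], ts))
    # One user ID seen from more than max_sources addresses inside the window
    # suggests a shared or stolen credential; report the first such window.
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        for i, e in enumerate(evs):
            srcs = {x["src"] for x in evs[i:] if x["ts"] - e["ts"] <= window}
            if len(srcs) > max_sources:
                findings.append(("multi_source_session", user, e["ts"].isoformat()))
                break
    return findings


if __name__ == "__main__":
    for finding in review(parse_events(AUDIT_LOG)):
        print(finding)
```

Each finding is a ticket for the Security Officer, not a verdict: the reviewer records the disposition so the review itself is evidenced, which is what an auditor will ask for.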

Integrity

Establish policies and procedures to protect ePHI from improper alteration or destruction
Implement mechanisms to corroborate that ePHI has not been altered or destroyed
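As an added example (not part of the original checklist), the following Python shows one mechanism for corroborating that stored ePHI has not been altered: each record is serialized canonically and tagged with an HMAC-SHA256 under a key held outside the database, so an attacker who can rewrite rows cannot also forge matching tags (a bare hash stored beside the row would not give that property). The key and the patient records are constructed for illustration.

```python
"""Integrity tags for stored ePHI records using HMAC-SHA256 over a canonical
serialization. Key and records below are constructed; in practice load the key
from a KMS/HSM and keep it away from the database that holds the records."""
import hmac
import hashlib
import json

# Constructed 32-byte key for the example only.
INTEGRITY_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def canonical(record: dict) -> bytes:
    """Sorted keys and fixed separators so equal records always serialize identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode()


def tag(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Compute the integrity tag stored alongside the record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, expected_tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute and compare in constant time."""
    return hmac.compare_digest(tag(record, key), expected_tag)


def check_store(rows, key: bytes = INTEGRITY_KEY):
    """rows: iterable of (record_id, record_dict, stored_tag). Returns ids that fail."""
    return [rid for rid, rec, stored in rows if not verify(rec, stored, key)]


# Constructed sample records tagged at write time.
ORIGINAL = {
    "P1001": {"patient_id": "P1001", "allergy": "penicillin", "dob": "1980-05-04"},
    "P1002": {"patient_id": "P1002", "allergy": "none", "dob": "1975-11-30"},
}
STORED_TAGS = {pid: tag(rec) for pid, rec in ORIGINAL.items()}


def tampered_store():
    """Simulate a later unauthorized edit to one record while its tag is unchanged."""
    rows = {pid: dict(rec) for pid, rec in ORIGINAL.items()}
    rows["P1001"]["allergy"] = "none"   # the alteration the integrity control must catch
    return [(pid, rec, STORED_TAGS[pid]) for pid, rec in rows.items()]


if __name__ == "__main__":
    print("records failing integrity check:", check_store(tampered_store()))
```

The same tag also detects destruction disguised as an edit (fields blanked or removed), because any change to the canonical bytes changes the tag; deletion of whole rows has to be caught separately, for example by tagging a record count or a Merkle root over the table.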

Person or Entity Authentication

Verify that persons or entities seeking access to ePHI are who they claim to be

Transmission Security

Encrypt ePHI in transit over electronic networks using TLS 1.2 or later (SSL and TLS 1.0/1.1 are deprecated) - an addressable implementation specification under the current rule (45 CFR 164.312(e)(2)(ii)); the January 2025 NPRM proposes making it required
Implement integrity controls to ensure ePHI is not improperly modified during transmission
Use secure email or encrypted messaging for sending ePHI
Implement network segmentation to isolate systems containing ePHI

Privacy Rule

Individual Rights

Provide Notice of Privacy Practices to all patients
Honor patient requests for access to their PHI within 30 days (one 30-day extension is permitted if the individual is told in writing the reason for the delay)
Allow patients to request amendments to their PHI
Provide accounting of disclosures when requested by patients
Honor patient requests for confidential communications

Uses and Disclosures

Obtain patient authorization before using/disclosing PHI for marketing
Limit use and disclosure of PHI to minimum necessary (except for treatment)
Comply with reproductive health privacy protections (April 2024 rule)
