HIPAA Compliance Checklist
- Home
- Download HIPAA Compliance Checklist
Our experts have compiled an easy-to-read HIPAA Compliance Checklist to make sure your company stays in compliance.
Download a HIPAA Compliance Checklist
Review our HIPAA compliance checklist in order to ensure your organization complies with HIPAA requirements for the privacy and security of Protected Health Information (PHI).
- Identify which of the audits and assessments apply to your organization;
- Document remediation plans & put them into action;
- Help appoint a HIPAA Compliance Officer;
- Ensure HIPAA training, policies, and procedures are documented;
- Perform due diligence on Business Associates to assess HIPAA compliance;
- Review processes to report breaches and how breaches are notified.
HIPAA Compliance Checklist PDF
Take the self-assessment HIPAA checklist to ensure your organization is compliant
As HIPAA requires compliance to ensure your organization maintains compliant standards in the healthcare industry, we recommend that you review our compliance checklist, which can be found here. Ensure your organization is compliant with HIPAA regulations for the security of PHI.
HIPPA requires you to ensure the protection of all Protected Health Information. Failure to comply can result in major fees while breaches can have serious legal consequences. In addition to reporting HIPAA violations, you must also establish procedures for informing patients about such incidents.

What does HIPAA Compliant mean?
“Keep people’s healthcare data private” – HIPAA compliance can be difficult to understand. We make sure we keep people’s personal information private and secure. Below are the specific areas that HIPAA compliance covers.
Protected Health Information (PHI) is any data related to someone’s healthcare history. Whether it be your, mine, or anyone else’s. The Health Insurance Portability and Accountability Act (HIPAA) was created in order to keep this data personal & private. The Safe Harbor Rule sets guidelines for what classifies data as PHI which you must
Covered entities are people in the healthcare field that have patients’ PHI. Doctors, nurses, and insurance companies are all examples of these.
Business associates are individuals that work with a covered entity in a non-healthcare capacity and help to ensure HIPAA compliance. Some of the most common examples of business associates with PHI access in the medical and healthcare industry are lawyers, accountants, administrators and IT personnel.
What is an HIPAA audit?
HIPAA is overseen by the Department of Health and Human Services and is enforced by its Office for Civil Rights.
In response to a growing concern about data breaches, the OCR started the first phase of a new Privacy Security and Breach Notification Audit Program in 2014.
In 2017 the OCR announced phase 3: on-site audits. This is a major expansion of the audit program and means that the OCR can now show up unannounced to view evidence that an individual or organization is HIPAA compliant.
OCR audits are becoming more common. To provide proof of compliance with HIPAA, it is recommended that all covered entities and business associates keep a checklist of practices. This can be done to help you show regulators that you’re following HIPDA regulations.


Should IT be concerned with HIPAA?
In order to be HIPAA compliant, there are a number of steps that IT departments have to take. They may have to establish written business associate agreements with contractors, develop policies for e-mail communication, and more.
Potential security problems with your employees using personal phones at work can be avoided. These are eliminated with a secure messaging solution that allows authorized personnel to access ePHI and send attachments, too.
It’s important to encrypt emails with PHI that are sent externally. When they’re not encrypted, security breaches might happen and your data could leak. It’s important to keep in mind that emails containing ePHI are an essential component of a patient’s medical history and should be securely archived for at least six years.
Medical records are worth more than credit card numbers on the black market so take preventative measures against phishing scams.
What is the Security Rule?
The HIPAA Security Rule is intended to prevent the distribution of personal health information. If you violate this, then you may be charged with a crime and fined up to $50 000. The rule was introduced in 2003 and has helped put an end to many violations.
These safeguards come with a variety of different standards that need to be met in order to be fully compliant. Legal jargon can make it difficult to figure out which of these standards apply to your business, so we’ve outlined the various safeguards and their various requirements in order to help you identify what safeguards are most pertinent for your business.


What is the privacy rule?
The HIPAA Privacy & Security Rule is designed to protect patients’ PHI and medical records. It establishes primary ownership, which gives you the right to control your own health information.
The Privacy rule applies to health plans, healthcare clearinghouses, and health care providers. These groups are required to have appropriate limitations and conditions on the use and disclosure of electronic healthcare transactions.
To ensure that employees are aware of the requirements set for them to achieve their objectives, it is essential that written policies, procedures and standards of conduct be instituted. Written training standards and appropriate penalties (written) for wrongdoing should also be put into place.
To avoid liability in the event of a breach, you should always have BA agreements with your partners in place. That way if their employees or subcontractors release confidential information or misuse data, you won’t be liable.
Data protection: Ensure that administrative, technical, and physical safeguards are in place so you can monitor how PHI is being used or disclosed.
Complaints process: Implement a process where patients can file complaints about the CE’s HIPAA compliance to the HHS. Patients should be informed that they are able to contact the HHS with their complaints.
Retaliation and waiver: You can’t punish a patient who exercises their rights under the Privacy Rule. Patients cannot be forced to waive their Privacy Rule rights in order to get treatment, payment, or enrollment in a program.
You must save all documentation related to privacy policy creation for six years.
Hire an expert to ensure you establish your privacy policy. This individual should take charge of ensuring that you implement the policies.
HIPAA Compliance Checklist PDF

Get Peace of Mind

Talk with an expert

Discover true IT service
