HIPAA Compliance Checklist: Where to Start
A practical starting point for healthcare organizations navigating HIPAA compliance — the Security Rule, risk assessments, policies, BAAs, and staff training.
HIPAA compliance is not a single event — it is an ongoing program. But every program has to start somewhere. This guide walks you through the foundational requirements so you know what to tackle first, what can wait, and where most organizations get tripped up during audits.
The Three HIPAA Rules You Need to Know
- The Privacy Rule governs how protected health information (PHI) is used and disclosed. It establishes patient rights, minimum necessary standards, and notice requirements.
- The Security Rule focuses specifically on electronic PHI (ePHI) and requires administrative, physical, and technical safeguards to protect it. This is where most of the technical work lives.
- The Breach Notification Rule requires you to notify affected individuals, HHS, and in some cases the media when unsecured PHI is breached. "Unsecured" means PHI that has not been rendered unusable, unreadable, or indecipherable under HHS guidance (in practice, encrypted to current NIST standards or properly destroyed), so the loss of a properly encrypted laptop is generally not a reportable breach. The clock starts from the date the breach is discovered, or with reasonable diligence should have been discovered, not from the date it occurred.
Step 1: Conduct a Security Risk Assessment
The Security Risk Assessment (SRA) is the single most important compliance requirement. It is explicitly required by the HIPAA Security Rule as the risk analysis implementation specification (§164.308(a)(1)(ii)(A)), and a missing or inadequate risk analysis is the most common finding in OCR audits and enforcement actions. If you do nothing else, do this.
- Inventory all systems that create, receive, maintain, or transmit ePHI — EHR systems, email, cloud storage, laptops, mobile devices, fax machines and multifunction printers with local storage, and paper records once they are scanned (the scan is ePHI). Include vendor-hosted systems; outsourcing the hosting does not remove them from your inventory.
- Identify threats and vulnerabilities for each system — unauthorized access, malware, lost devices, insider threats, natural disasters.
- Assess the likelihood and impact of each threat materializing.
- Document current safeguards and identify gaps.
- Produce a written report with risk scores and recommended remediations.
Warning
HIPAA does not fix a calendar interval for the SRA, but it does require that the analysis be kept current, and OCR treats an annual review plus a fresh assessment after any significant change (new EHR system, new office location, new vendor handling PHI, a security incident) as the accepted baseline. A one-time SRA from three years ago will not satisfy an auditor, and neither will a report that was never followed by a documented remediation plan.
Step 2: Develop Policies and Procedures
HIPAA requires written policies covering access controls, data backup, incident response, workforce training, device and media controls, and more. These policies do not need to be long — they need to be specific to your organization and actually followed.
- Access control policy — who can access ePHI, how access is granted, reviewed, and revoked (including at termination), authentication requirements, and the requirement that every user has a unique identifier so activity can be traced to a person (a required specification under §164.312(a)(2)(i); shared logins are a common audit finding).
- Backup and disaster recovery — how ePHI is backed up, where backups are stored, recovery procedures.
- Incident response — how to detect, report, and respond to security incidents and breaches.
- Workforce training — HIPAA training requirements, frequency, and documentation.
- Device and media controls — encryption requirements for devices and media that hold ePHI, and procedures for sanitizing or destroying them before disposal or reuse. Encryption is an "addressable" specification, which does not mean optional: if you decide not to encrypt a class of device you must document why and what equivalent safeguard you use instead. In practice, encrypting every laptop and phone is the cheapest decision you will make, because a lost encrypted device is generally not a reportable breach while a lost unencrypted one is.
- Business Associate management — how you vet and monitor vendors who handle PHI on your behalf.
Step 3: Business Associate Agreements
Any vendor, contractor, or service provider that creates, receives, maintains, or transmits PHI on your behalf is a Business Associate and must sign a BAA before accessing patient data. This includes your EHR vendor, cloud hosting provider, IT support company, billing service, shredding company, and email provider. The BAA must, among other things, restrict the vendor's use and disclosure of PHI, require appropriate safeguards, require the vendor to report breaches and security incidents to you, and require the vendor to impose the same terms on any subcontractors it uses.
Info
Common mistake: using a cloud service (Dropbox, Google Drive, consumer email) for patient data without a BAA in place. The fact that a service offers HIPAA-eligible features does not mean you have a BAA. You must explicitly execute one, and usually only on a paid business tier. Also check which services the BAA actually covers: large providers enumerate the specific services that are in scope, and storing PHI in a product the agreement does not list leaves you exactly where you were without it.
Step 4: Train Your Staff
HIPAA requires that all workforce members receive training on your organization's policies and procedures, including new hires within a reasonable period after they start and everyone whenever policies change materially; the Security Rule additionally requires ongoing security awareness reminders (§164.308(a)(5)). Training should cover what PHI is, how to handle it, how to recognize and report security incidents (including phishing and lost devices), and what the consequences of non-compliance are. Document every training session with dates, attendees, and topics covered.
Step 5: Prepare for Audits and Incidents
- Maintain your compliance documentation — keep your SRA report and remediation plan, policies, BAAs, training records, and incident logs organized and readily accessible. HIPAA requires these records to be retained for six years from the date of creation or the date they were last in effect (§164.316(b)(2)). This is separate from the system audit logs the Security Rule's audit controls standard requires you to collect on ePHI systems; you need both.
- Know your breach notification obligations — notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting 500 or more individuals must be reported to HHS within that same 60-day window, and when more than 500 residents of a single state or jurisdiction are affected you must also notify prominent media outlets. Breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. Business Associates must report breaches to you without unreasonable delay and no later than 60 days after discovery, so make sure your BAAs set a shorter internal deadline that leaves you time to meet yours.
- Designate a HIPAA Security Officer and Privacy Officer (can be the same person in smaller organizations).
- Test your incident response procedures at least annually with a tabletop exercise.
Tip
If this feels overwhelming, start with the SRA. It will show you exactly where your gaps are and help you prioritize everything else. CitrusCS offers standalone HIPAA Security Risk Assessments starting at $499.