6 min read · Compliance & Enforcement

HIPAA Compliance Checklist (2026)

Figure: a clipboard with a compliance checklist, ready for the annual HIPAA review. An annual compliance review covering administrative, physical, and technical safeguards is the minimum for most organisations.

A compliance programme is only as strong as its last review. HIPAA does not fix how often you must evaluate your own compliance: the Security Rule requires a periodic technical and non-technical evaluation (45 CFR 164.308(a)(8)) but leaves the interval to you. The expectation is clear all the same: often enough that safeguards remain effective and policies reflect current operations.

For most organisations, an annual review is the minimum. This checklist covers every major area of HIPAA compliance and gives you a structured framework for conducting that review.

Administrative Safeguards

Risk Analysis and Management

  • Conduct or update the comprehensive security risk analysis
  • Document all identified threats and vulnerabilities
  • Rate each risk by likelihood and impact
  • Develop or update the risk management plan
  • Assign responsibility and timelines for remediation

Security Management

  • Review and update the sanction policy
  • Verify that all workforce sanctions have been applied and documented
  • Review vendor and contractor access — revoke unnecessary permissions
  • Confirm that information access management policies are current

Workforce Security

  • Verify unique user IDs for all workforce members
  • Review and update role-based access controls
  • Remove access for terminated employees within the timeframe your termination procedure sets (HIPAA requires the procedure but fixes no deadline)
  • Document all access modifications

Training

  • Conduct annual HIPAA privacy and security training for all workforce members
  • Provide specialised training for staff with PHI access
  • Deliver security awareness updates (at minimum, periodic reminders)
  • Document all training sessions — dates, content, attendance
  • Verify that new hires received training within a reasonable period after joining, as the Privacy Rule requires, and that your policy states what that period is

Contingency Planning

  • Test data backup and recovery procedures
  • Verify that backups are stored securely and encrypted
  • Update the disaster recovery plan to reflect current systems
  • Test the emergency mode operation plan
  • Review and update the business continuity plan

Physical Safeguards

Facility Access Controls

  • Review building access logs and visitor management procedures
  • Verify that areas containing PHI are physically secured
  • Test physical locks, badge readers, and surveillance systems
  • Review maintenance records for access control systems

Workstation Security

  • Verify that all workstations have automatic screen lock enabled
  • Position screens to prevent unauthorised viewing of PHI
  • Inspect workstations in public areas for adequate privacy protections
  • Review and update the workstation use policy

Device and Media Controls

  • Inventory all devices that store or access PHI
  • Verify encryption on all portable devices (laptops, phones, tablets, USB drives); ePHI encrypted in line with HHS guidance is not "unsecured", so a lost encrypted device is not a reportable breach, while a lost unencrypted one is
  • Review the media disposal procedure — confirm shredding or degaussing
  • Document the movement of any devices containing PHI

Technical Safeguards

Figure: a dashboard showing compliance metrics and audit progress tracking. After each annual review, document findings, assign remediation tasks, and set a follow-up date within 90 days.

Access Control

  • Audit user accounts — remove inactive or unnecessary accounts
  • Review password policies and enforce minimum requirements
  • Verify that emergency access procedures are documented and tested
  • Confirm that automatic logoff is enabled on all systems containing PHI

Audit Controls

  • Verify that audit logging is enabled on all systems containing PHI
  • Review audit logs for unusual access patterns
  • Document the periodic audit log review process
  • Retain audit logs for the period your policy sets; HIPAA's six-year retention rule (45 CFR 164.316) applies to policies, procedures and required documentation rather than naming audit logs, so set and document a log retention period justified by your risk analysis (many organisations simply apply the six years)
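The account audit and audit-log review items above are the two checks in this section that are mechanical enough to script. The Python below is an added example, not material from the article or from any HIPAA guidance, that runs both against constructed data: an account roster with last-login and termination dates, and a CSV-style ePHI access log. The log format (timestamp,user,action,patient_id), the 90-day inactivity limit, the 07:00 to 19:00 business-hours window and the "five or more distinct records in one minute" browsing threshold are all assumptions; HIPAA specifies none of them, so substitute the values from your own policy.

```python
"""Annual review helpers: stale accounts, access by terminated or unknown
users, after-hours access and rapid record browsing.

Added example, not from the article. Assumed (not given by HIPAA or the
page): a CSV audit log with columns timestamp,user,action,patient_id; a
roster with last_login and terminated dates; a 90-day inactivity limit,
a 07:00-19:00 business-hours window and a "5+ distinct records in one
minute" browsing threshold. All sample data below is constructed.
"""
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional

# Constructed roster: user -> last login and termination date (None = active)
ROSTER: Dict[str, Dict[str, Optional[date]]] = {
    "dr.lee":     {"last_login": date(2026, 4, 29), "terminated": None},
    "nurse.kim":  {"last_login": date(2026, 4, 28), "terminated": None},
    "temp.ray":   {"last_login": date(2026, 4, 20), "terminated": date(2026, 4, 15)},
    "svc.backup": {"last_login": date(2025, 9, 1),  "terminated": None},
}

# Constructed audit log: ISO-8601 timestamp,user,action,patient_id
AUDIT_LOG = """\
2026-04-20T10:02:00,temp.ray,VIEW,P1004
2026-04-20T10:02:30,temp.ray,EXPORT,P1005
2026-04-28T09:12:04,dr.lee,VIEW,P1001
2026-04-28T09:15:41,dr.lee,VIEW,P1002
2026-04-28T23:40:10,nurse.kim,VIEW,P1003
2026-04-29T08:00:00,dr.lee,VIEW,P1006
2026-04-29T08:00:05,dr.lee,VIEW,P1007
2026-04-29T08:00:09,dr.lee,VIEW,P1008
2026-04-29T08:00:14,dr.lee,VIEW,P1009
2026-04-29T08:00:20,dr.lee,VIEW,P1010
2026-04-30T12:00:00,contractor9,VIEW,P1011
"""


def parse_log(text: str) -> List[dict]:
    """Parse the CSV log into dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient})
    return events


def stale_accounts(roster, as_of: date, max_idle_days: int = 90) -> List[str]:
    """Active accounts with no login in max_idle_days: candidates for removal."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(u for u, r in roster.items()
                  if r["terminated"] is None and r["last_login"] < cutoff)


def unauthorised_access(roster, events) -> List[dict]:
    """Events by users not on the roster, or dated after their termination.
    Either means termination procedures or provisioning records failed."""
    hits = []
    for e in events:
        entry = roster.get(e["user"])
        if entry is None or (entry["terminated"] is not None
                             and e["ts"].date() > entry["terminated"]):
            hits.append(e)
    return hits


def after_hours_access(events, start_hour: int = 7, end_hour: int = 19) -> List[dict]:
    """Events outside the assumed business-hours window; check against rotas."""
    return [e for e in events if not (start_hour <= e["ts"].hour < end_hour)]


def rapid_browsing(events, window: timedelta = timedelta(minutes=1),
                   threshold: int = 5) -> List[str]:
    """Users who touched >= threshold distinct patient records inside one
    window: a sliding window over each user's time-ordered events."""
    by_user: Dict[str, List[dict]] = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):
            patients = {evs[j]["patient"] for j in range(i, len(evs))
                        if evs[j]["ts"] - evs[i]["ts"] <= window}
            if len(patients) >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)


def review(as_of: date) -> Dict[str, int]:
    """Run every check and return finding counts for the review record."""
    events = parse_log(AUDIT_LOG)
    return {
        "stale_accounts": len(stale_accounts(ROSTER, as_of)),
        "unauthorised_access": len(unauthorised_access(ROSTER, events)),
        "after_hours_access": len(after_hours_access(events)),
        "rapid_browsing": len(rapid_browsing(events)),
    }


if __name__ == "__main__":
    for check, n in review(date(2026, 5, 4)).items():
        print(f"{check}: {n} finding(s)")
```

Each finding is a lead for the reviewer, not a conclusion: the after-hours view may be a legitimate on-call shift, and the rapid-browsing hit may be a clinician working a ward list. What the checklist needs is that each hit is looked at, the outcome recorded, and the findings folded into the remediation log described under "After the Review".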

Integrity Controls

  • Verify that ePHI integrity controls are in place
  • Test data backup integrity
  • Review mechanisms for detecting unauthorised alterations to ePHI

Transmission Security

  • Verify that all PHI transmissions are encrypted (email, file transfers, APIs)
  • Review VPN and network security configurations
  • Test wireless network security
  • Confirm that messaging platforms used for PHI are approved and encrypted

Privacy Rule Compliance

Patient Rights

  • Verify that the Notice of Privacy Practices is current and distributed
  • Review processes for handling patient access requests (30-day requirement, extendable once by a further 30 days with written notice to the patient)
  • Verify procedures for amendment requests
  • Confirm accounting of disclosures processes are functional
  • Review complaint handling procedures

Uses and Disclosures

  • Review the minimum necessary standard implementation
  • Audit authorisation forms for completeness
  • Verify that disclosures are tracked and documented
  • Review marketing and fundraising communications for compliance

Business Associate Management

  • Inventory all business associates with PHI access
  • Verify that signed BAAs exist for every business associate
  • Review BAAs for completeness — all required provisions must be present
  • Assess business associate compliance (questionnaires, certifications, audit rights)
  • Review subcontractor arrangements for PHI access

Breach Notification Preparedness

  • Review and update the breach response plan, including the deadline for notifying affected individuals: without unreasonable delay and no later than 60 calendar days after discovery
  • Verify notification templates are current (individual, HHS, media)
  • Test the breach notification process with a tabletop exercise
  • Confirm contact information for OCR regional offices is current
  • Review the breach notification log from the past year

Documentation

  • Verify that all policies and procedures are current and versioned
  • Confirm that the compliance programme documentation is retained for six years
  • Update the organisational chart and designated privacy and security officers
  • File all documentation in an organised, accessible manner
  • Schedule the next annual review

After the Review

  1. Document findings — Record every gap, risk, and corrective action
  2. Prioritise remediation — Address high-risk items first
  3. Assign ownership — Every corrective action needs a responsible person and deadline
  4. Track progress — Review remediation status quarterly
  5. Report to leadership — Brief senior leadership on compliance status and resource needs

This checklist is not a substitute for a comprehensive compliance programme, but it provides a structured framework for the annual review that should be a cornerstone of every HIPAA compliance effort.


Article by

HIPAA Guidelines Editorial Team

The editorial team at HIPAA Guidelines researches and writes authoritative guides on HIPAA compliance, privacy regulations, and healthcare data protection.
