<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">
Curious about how StrongDM works? 🤔 Learn more here!
Close icon
Search bar icon

HIPAA Compliance Checklist: Easy to Follow Guide for 2024

Summary: Following a HIPAA compliance checklist can help HIPAA-covered entities comply with the regulations and become HIPAA compliant. In this HIPAA compliance guide, we’ll review the 8 primary steps to achieving HIPAA compliance, tips on how to implement them, and frequently asked questions.

HIPAA Compliance Checklist Overview

Every organization that uses, handles, or discloses protected health information (PHI) needs to be aware of its compliance obligations under the Health Insurance Portability and Accountability Act (HIPAA). However, not every organization must meet the same requirements to become compliant, which can make following HIPAA guidelines particularly confusing.

HIPAA-covered entities—like health plans, healthcare clearinghouses, and healthcare providers—are responsible for meeting all HIPAA compliance requirements. Meanwhile, business associates who handle PHI data and exempted entities must only comply with some aspects.

A HIPAA compliance requirements checklist provides an easy way for organizations to take the right steps to comply with the HIPAA guidelines that apply to them.

HIPAA Compliance Checklist: 8 Steps to Compliance

Mismanaging patients’ PHI can lead to dire consequences for both the patient and the organization that compromised their sensitive data. One such consequence for organizations that intentionally or unintentionally expose patient PHI data is a criminal or civil HIPAA violation.

HIPAA non-compliance can be extremely costly for organizations. And sometimes, a criminal HIPAA violation may even involve serving time in prison. Since exposing customers’ private medical data is such a serious offense, organizations that handle PHI data must comply with HIPAA regulations to protect patients.

This step-by-step HIPAA checklist can help you get started pursuing and maintaining HIPAA compliance.

1. Thoroughly understand HIPAA’s three rules

Implementing the right HIPAA compliance controls starts with understanding the several HIPAA compliance guidelines covered under the Privacy Rule, the Security Rule, and the Breach Notification Rule.

The Privacy Rule and Security Rule explain what organizations must do to protect PHI and electronic PHI (ePHI), including detailing what safeguards to put in place to secure sensitive medical data. The Breach Notification Rule details remediation requirements an organization must take if a breach occurs.

Businesses need to understand the intention of these requirements and review the required technical specifications to create the correct safeguards, procedures, and policies for their organization.

2. Discover which rules apply to your organization

To start, determine if your organization qualifies as a covered entity. Covered entities will be responsible for implementing safeguards dictated by the Privacy Rule to protect all PHI—not just electronic data.

Even if your organization is an exempt entity or business associate, you may be subject to some Privacy Rule requirements based on agreements you maintain with covered entities.

3. Determine what data requires extra protection

Individually identifiable health information must be protected under HIPAA regulations, but that doesn’t include all of an organization’s data. 

Identify what data your organization collects, uses, or stores both physically on paper and within your IT infrastructure. Determine how much of that data qualifies as identifiable health information, and review how that data is collected, retrieved, and deleted. You’ll also want to note who has access to that data and how it’s accessed.

4. Perform a risk analysis

Recognizing the gaps in your existing data security practices can help you see where more controls or new procedures you need to become HIPAA compliant. The OCR’s Security Risk Assessment Tool serves as a great HIPAA Security Rule checklist to see how your current controls align with the requirements detailed in the Security Rule. 

Audit your current privacy and security policies and procedures to see how they align with the requirements detailed in the HIPAA guidelines. Your organization must maintain data security for PHI in use, at rest, and during transmission, which often requires updating outdated systems. 

Use your analysis to create your own HIPAA risk assessment checklist and develop a compliance plan to close your security gaps and maintain HIPAA standards.

5. Establish accountability in your compliance plan

Once you understand what your organization needs to do to achieve compliance, define who is accountable for which elements of your compliance plan to promote streamlined, transparent communication. 

Maintaining HIPAA compliance requires regular monitoring, audits, technology maintenance, and training. Establishing responsible parties for those steps early can help companies maintain HIPAA compliance.

6. Avoid violations by addressing gaps

Once you’ve created a compliance implementation and management plan, focus on introducing the privacy and security controls that will mitigate the most risk. Create a HIPAA compliance audit checklist to consistently review your improvements and detect more gaps to address.

Consider that internal users are often more likely to be responsible for HIPAA violations than external breaches, so prioritize both technical security safeguards—like encrypting data—with physical and administrative safeguards—like using strong passwords and training users to manage data safely.

7. Maintain detailed documentation

As you implement data privacy and security improvements to comply with HIPAA guidelines, track all progress with thorough documentation. That can include maintaining versions of your policies and procedures as they’re edited, tracking who attended compliance training sessions, and recording which entities you share PHI with.

Some documentation may be required for an OCR audit, like policies and procedures, written and electronic communications, and actions requiring a written or typed record. However, it’s best to record as much of your HIPAA compliance process as possible to recognize and mitigate security gaps quickly.

8. Report security incidents immediately

If your organization experiences a security incident, you are required to submit a breach report form to the Secretary of Health and Human Services within 60 days of discovering the breach. Following the Breach Notification Rule, the company must also notify all individuals whose PHI it exposed within the same period. For breaches affecting over 500 people, you must also notify local media.

Reporting a breach will prompt an investigation by OCR. Conduct your own investigation into HIPAA violations and document what you find. Combined with OCR’s investigation, this can help you close security gaps and restore your organization’s HIPAA compliance. 

HIPAA Compliance Implementation Tips

Implementing all the changes necessary to become HIPAA compliant can be time-consuming and costly. However, there are a few easy ways that you can improve your security operations while you pursue HIPAA compliance, like:

  • Prioritizing training to reduce risky employee behavior
  • Reviewing access logs to understand how, when, and why users are accessing PHI
  • Conducting unannounced facility walkthroughs to see if procedures are followed and physical documents are secure
  • Storing ePHI backups securely offsite
  • Using Administrative Simplification standards to streamline electronic communications and transactions
  • Dictating higher security standards within your business associate agreements

HIPAA Compliance Checklist FAQ

What is a HIPAA compliance checklist?

A HIPAA compliance checklist is a resource organizations use to understand the steps involved in achieving and maintaining HIPAA compliance. With a HIPAA compliance checklist, organizations can also discover how to create safeguards that protect their PHI.

Who is responsible for HIPAA compliance?

HIPAA-covered entities in the United States must comply with all HIPAA regulations. These entities include health plans and most medical insurance companies; healthcare providers like hospitals, clinics, and nursing homes; medical professionals like doctors and nurses; and healthcare clearinghouses, which process medical claim and billing data.

Business associates—or external professional organizations that handle PHI data like accountants, lawyers, and IT personnel—are responsible for some elements of HIPAA compliance. Similarly, exempt entities like life insurance companies or on-campus health centers only need to comply with certain HIPAA requirements. 

Is there a specific HIPAA compliance checklist for IT?

While there is not a dedicated HIPAA IT compliance checklist, IT teams are often responsible for implementing and managing administrative, technical, and physical security controls to secure electronic PHI and safeguard against a data breach.

Is your website HIPAA compliant?

Ensuring your website is HIPAA compliant involves implementing encryption, secure data transmission, regular audits, and access controls.

How do you verify HIPAA compliance?

The U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) verifies and enforces HIPAA compliance through regular compliance reviews and complaint investigations.

What happens if you fail a HIPAA audit?

When an organization fails an OCR HIPAA audit, OCR will work with the organization to create a corrective action plan to help the organization become compliant. These plans often involve a data risk analysis, data encryption, creating and documenting new policies and procedures, and/or training your workforce under OCR supervision.

Even when an organization completes its corrective action plan after a failed audit, the organization will be fined based on the four tiers defined in HIPAA’s Omnibus Rule. Individuals may also face criminal charges for some HIPAA violations.

How StrongDM Can Help You Simplify HIPAA Compliance

Access management is an important part of any HIPAA technical requirements checklist. For organizations to keep their ePHI secure, they need to thoroughly control which people have access to sensitive patient data … without making it harder for their employees to work effectively.

StrongDM’s Zero Trust Privileged Access Management (PAM) platform gives organizations the power to give the right people access to the right information at the right time. With StrongDM, your team gains access to comprehensive monitoring and logging capabilities that offer deep insight into who has access to ePHI and how they’re using that data. 

Plus, StrongDM helps organizations like yours automate least-privilege access and deprovisioning, too. Now, your organization can secure your data without extra legwork.

🕵 Learn how Coveo seriously simplifies HIPAA compliance maintainance with easy infrastructure access and auditing.

Check HIPAA Compliance Off Your List with StrongDM

Now that you have your free HIPAA compliance checklist in hand, it’s time to start implementing!

Still not sure where to begin? Try StrongDM free for 14 days and see how better access management can bring you one step closer to HIPAA compliance.

About the Author

, Customer Engineering Expert, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

What Is Continuous Compliance? Examples & How To Achieve It
What Is Continuous Compliance? Examples & How To Achieve It
Continuous compliance is the ongoing process of ensuring that an organization consistently adheres to regulatory standards and internal policies for its systems, applications, employees, partners, and engagement with stakeholders. It involves continuous monitoring, auditing, and real-time updates of both technology and human behavior to maintain compliance with government and industry standards frameworks.
Cybersecurity Audit: The Ultimate Guide
Cybersecurity Audit: The Ultimate Guide for 2024
A cybersecurity audit is a comprehensive assessment of your organization's information systems, networks, and processes that identify vulnerabilities and weaknesses that cybercriminals could exploit. The audit also evaluates the effectiveness of your security controls, policies, and procedures and determines if they align with industry best practices and compliance standards.
How StrongDM Simplifies NIS2 Compliance for EU Organizations
How StrongDM Simplifies NIS2 Compliance for EU Organizations
The NIS2 Directive establishes comprehensive cybersecurity legislation across the European Union. Building upon its predecessor, the Network and Information Security (NIS) Directive, the goal of NIS2 is to standardize cybersecurity practices among EU Member States. Much like the General Data Protection Regulation (GDPR), NIS2 seeks to unify strategies and actions throughout the EU to fortify digital infrastructure against the escalating threat of cyberattacks.
What is Healthcare Data Security? Challenges & Best Practices
What is Healthcare Data Security? Challenges & Best Practices
Healthcare data security protects sensitive patient information and related data from unauthorized access, use, or disclosure. The effective implementation of healthcare data security requires implementing cybersecurity measures to ensure healthcare data confidentiality, integrity, and availability. It must also include compliance with relevant regulations such as the Health Insurance Portability and Accountability Act (HIPAA).
Leveraging CSA Cloud Security Matrix (CMM) for Enhanced Cloud Security
Leveraging CSA CCM with StrongDM for Enhanced Cloud Security
The CSA CCM is a cybersecurity control framework specifically designed for cloud computing. It outlines a comprehensive set of best practices and security controls across 17 domains that are designed to ensure that cloud environments are secure and resilient against an ever expanding threat landscape. The CCM framework is structured to provide clarity and actionable guidance for the implementation of security measures in a prescriptive and adaptable way for recognized compliance standards and control frameworks.