
HIPAA Compliance Checklist

This checklist provides a practical guide for technology companies working toward HIPAA compliance. Whether you're a SaaS company entering the healthcare market or expanding an existing compliance program, use it to track progress and identify gaps.

The checklist covers administrative, physical, and technical requirements, with specific focus on business associate obligations most relevant to technology companies.

Key Takeaways

Aspect            Details
Foundation        Risk assessment is the starting point for all compliance
Documentation     Policies, procedures, and evidence must be maintained
Ongoing           HIPAA compliance is continuous, not one-time
Technology focus  Most safeguards for SaaS are technical and administrative
Timeline          Initial compliance typically takes 2-4 months

Quick Answer: HIPAA compliance requires implementing administrative, physical, and technical safeguards based on a risk assessment. For technology companies, key areas include security policies, access controls, encryption, audit logging, workforce training, vendor management, and incident response.

Before You Start

Determine Your HIPAA Status

  • Confirmed you handle PHI on behalf of covered entities (business associate)
  • Identified all covered entities you serve
  • Understood your obligations under existing BAAs
  • Identified all subcontractors who access PHI

Establish Ownership

  • Designated HIPAA Security Officer
  • Designated HIPAA Privacy Officer (can be same person)
  • Established compliance reporting to leadership
  • Allocated budget and resources

Phase 1: Risk Assessment

The risk assessment is the foundation of HIPAA compliance. Everything else flows from understanding your risks.

Scope and Inventory

  • Identified all systems that create, receive, maintain, or transmit ePHI
  • Documented data flows showing how PHI moves through systems
  • Inventoried all locations where PHI is stored
  • Identified all personnel with PHI access
  • Documented all third parties with PHI access

Threat and Vulnerability Assessment

  • Identified potential threats to ePHI (natural, human, environmental)
  • Identified vulnerabilities in systems and processes
  • Assessed current security controls
  • Determined likelihood of threat occurrence
  • Assessed potential impact of threats

Risk Analysis and Documentation

  • Calculated risk levels for identified threats
  • Prioritized risks for remediation
  • Documented risk assessment methodology and findings
  • Created risk register with all identified risks
  • Established risk acceptance criteria and process

Risk Management Plan

  • Developed remediation plan for unacceptable risks
  • Assigned ownership for each remediation item
  • Established timeline for remediation
  • Defined process for tracking remediation progress
  • Documented risk acceptance decisions with rationale

See our detailed guide on HIPAA Risk Assessment.

Phase 2: Administrative Safeguards

Policies and Procedures

Core policies required:

  • Information Security Policy
  • Acceptable Use Policy
  • Access Control Policy
  • Data Classification Policy
  • Encryption Policy
  • Incident Response Policy
  • Business Continuity/Disaster Recovery Policy
  • Vendor Management Policy
  • Physical Security Policy
  • Workforce Security Policy (hiring, termination, sanctions)
  • Risk Management Policy
  • Privacy Policy (PHI handling)
  • Breach Notification Policy

Policy management:

  • Policies approved by leadership
  • Policies accessible to workforce
  • Policy review schedule established (at least annual)
  • Policy version control implemented
  • Policy acknowledgment process for workforce

Workforce Security

Access authorization:

  • Defined roles requiring PHI access
  • Documented access authorization procedures
  • Implemented access request and approval workflow
  • Established access review process (at least quarterly)

Workforce clearance:

  • Background check process for PHI access roles
  • Verification of access appropriateness before granting
  • Documentation of clearance decisions

Termination procedures:

  • Access revocation process for terminations
  • Access revocation process for role changes
  • Device and credential return procedures
  • Access revocation within 24 hours of termination

Security Awareness Training

  • Initial HIPAA training for all workforce members
  • Role-specific training for PHI handlers
  • Annual refresher training program
  • Training on recognizing security threats (phishing, social engineering)
  • Training completion tracking and documentation
  • Regular security awareness communications

Incident Response

  • Incident response plan documented
  • Incident types defined and categorized
  • Response procedures for each incident type
  • Escalation procedures defined
  • Communication templates prepared
  • Incident response team identified
  • Incident response testing (at least annual tabletop exercise)

Breach Notification

  • Breach assessment procedures documented
  • Breach notification procedures documented
  • Notification templates prepared
  • Breach log/register maintained
  • Process for notifying covered entities (within required timeframe)
  • Process for supporting covered entity notifications

Contingency Planning

Backup:

  • Automated backup procedures implemented
  • Backup encryption implemented
  • Backup testing performed regularly
  • Backup restoration procedures documented
  • Off-site backup storage (separate from production)

Disaster recovery:

  • Disaster recovery plan documented
  • Recovery Time Objective (RTO) defined
  • Recovery Point Objective (RPO) defined
  • Recovery procedures documented
  • Recovery testing performed (at least annually)

Business continuity:

  • Critical systems identified
  • Emergency mode operations procedures
  • Communication plan for outages

Vendor Management

  • Vendor inventory maintained
  • PHI-accessing vendors identified
  • BAAs obtained from all PHI-accessing vendors
  • Vendor security assessment process
  • Vendor monitoring process
  • Vendor termination procedures

Phase 3: Physical Safeguards

For SaaS companies, most physical safeguards are handled by cloud providers. Focus on your office environment and endpoint devices.

Facility Security

If you have office space with PHI access:

  • Office access controls (badges, keys)
  • Visitor policies and logs
  • Clean desk policy
  • Secure disposal of paper documents

If using cloud providers:

  • Cloud provider BAA in place
  • Cloud provider compliance documentation reviewed (SOC 2, etc.)
  • Cloud provider security practices understood

Workstation Security

  • Workstation use policy documented
  • Screen lock requirements (automatic after inactivity)
  • Private screen filters (if working in public spaces)
  • Secure storage when not in use

Device and Media Controls

  • Device inventory maintained
  • Full disk encryption on all devices
  • Secure disposal procedures
  • Media sanitization procedures
  • Device tracking for PHI-capable devices
  • Remote wipe capability for mobile devices

Phase 4: Technical Safeguards

Access Control

Authentication:

  • Unique user IDs for all users
  • No shared accounts
  • Strong password requirements
  • Multi-factor authentication (MFA) for all PHI access
  • MFA for all administrative access
  • Password management procedures

Authorization:

  • Role-based access control (RBAC) implemented
  • Principle of least privilege applied
  • Access levels documented by role
  • Access reviews performed quarterly
  • Access revocation process

Session management:

  • Automatic session timeout implemented
  • Session timeout configured appropriately (15-30 minutes)
  • Secure session handling

Encryption

Data at rest:

  • Database encryption enabled
  • File storage encryption enabled
  • Backup encryption enabled
  • Encryption key management procedures

Data in transit:

  • TLS 1.2+ for all connections
  • HTTPS enforced on all endpoints
  • Certificate management procedures
  • Internal traffic encryption where appropriate

Audit Controls

  • Audit logging enabled on all systems
  • User access logging (logins, logouts, access to PHI)
  • Administrative action logging
  • Data modification logging
  • Log retention (minimum 6 years recommended)
  • Centralized log management
  • Log monitoring and alerting
  • Regular log review process

Integrity Controls

  • Data validation at input
  • Database integrity constraints
  • Checksums or hashing for critical data
  • Version control for data changes
  • Backup integrity verification
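The Audit Controls and Integrity Controls items above are easier to evidence when the PHI access log itself is tamper-evident. The following is an added example (not from the original checklist or from Bastion) of a hash-chained audit log with an integrity check and a simple periodic review that flags reads of records the actor is not assigned to. The key, event fields, actor names and patient references are all constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed key for this example only; in production it comes from a KMS/HSM and is
# never stored alongside the log it protects.
AUDIT_KEY = b"example-audit-key-not-for-production"
GENESIS = "0" * 64  # digest used as the "previous" value for the first record

def _digest(prev: str, entry: dict) -> str:
    """HMAC-SHA256 over the previous digest and the canonical JSON of this entry."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, prev.encode() + canonical, hashlib.sha256).hexdigest()

def append_event(log: list, ts: str, actor: str, action: str, patient_ref: str) -> dict:
    """Append a PHI access event chained to the previous record's digest."""
    prev = log[-1]["digest"] if log else GENESIS
    entry = {"ts": ts, "actor": actor, "action": action, "patient_ref": patient_ref}
    record = {**entry, "prev": prev, "digest": _digest(prev, entry)}
    log.append(record)
    return record

def verify_chain(log: list) -> Optional[int]:
    """Return the index of the first modified, reordered or missing record, else None."""
    prev = GENESIS
    for i, rec in enumerate(log):
        entry = {k: v for k, v in rec.items() if k not in ("prev", "digest")}
        if rec["prev"] != prev or not hmac.compare_digest(rec["digest"], _digest(prev, entry)):
            return i
        prev = rec["digest"]
    return None

def review_access(log: list, assignments: dict) -> list:
    """Periodic log review: PHI record reads by actors not assigned to that patient."""
    return [r for r in log
            if r["action"] == "read_record"
            and r["patient_ref"] not in assignments.get(r["actor"], set())]

def build_sample_log() -> list:
    """Constructed sample events (not real data) for the demonstration below."""
    log = []
    append_event(log, "2024-05-01T09:00:00Z", "nurse.a", "login", "-")
    append_event(log, "2024-05-01T09:01:10Z", "nurse.a", "read_record", "PT-1001")
    append_event(log, "2024-05-01T09:05:42Z", "nurse.a", "read_record", "PT-2002")
    append_event(log, "2024-05-01T09:06:00Z", "nurse.a", "logout", "-")
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log) is None)
    log[2]["patient_ref"] = "PT-1001"  # simulate an after-the-fact edit of a record
    print("first bad record:", verify_chain(log))
```

Retention and centralized storage still apply: the chain only proves the log was not altered, so ship records to a write-once store and keep the HMAC key where log writers cannot read it.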

Transmission Security

  • All PHI transmitted over encrypted channels
  • API authentication implemented
  • Secure file transfer mechanisms
  • Email encryption for PHI (or secure messaging alternative)

See our detailed guide on HIPAA Technical Safeguards.

Phase 5: Business Associate Agreements

Upstream (Customer) BAAs

  • BAA template developed
  • BAA includes all required provisions
  • BAA execution process established
  • BAA tracking system in place
  • BAAs executed before PHI sharing

Downstream (Vendor) BAAs

  • All PHI-accessing vendors identified
  • BAAs obtained from cloud providers (AWS, GCP, Azure)
  • BAAs obtained from SaaS tools handling PHI
  • BAAs obtained from professional services with PHI access
  • BAA status tracked for all vendors

See our detailed guide on Business Associate Agreements.

Phase 6: Documentation and Evidence

Required Documentation

  • Risk assessment documentation
  • Policies and procedures
  • Training records
  • Access authorization records
  • Incident documentation
  • BAA copies
  • System configurations (as evidence)

Retention

  • Documentation retained for 6 years
  • Secure storage for documentation
  • Version control for documents
  • Easy retrieval when needed

Evidence Collection

  • Regular evidence collection process
  • Screenshots and exports of configurations
  • Access review documentation
  • Training completion records
  • Incident response documentation

Ongoing Compliance Activities

HIPAA compliance requires ongoing activities, not just initial implementation.

Periodic (Monthly/Quarterly)

  • Access reviews (quarterly)
  • Security awareness communications (monthly)
  • Vulnerability scanning (at least quarterly)
  • Log review and monitoring (ongoing)
  • Vendor monitoring (quarterly)
  • Incident response readiness check (quarterly)

Annual

  • Risk assessment update
  • Policy review and update
  • Security awareness training
  • Penetration testing
  • Disaster recovery testing
  • Business continuity plan review
  • Vendor re-assessment
  • Compliance program evaluation

Event-Driven

  • Risk assessment when significant changes occur
  • Policy updates when processes change
  • Access reviews when roles change
  • Incident response after incidents
  • Vendor assessment when new vendors onboarded

Quick Reference: Minimum Viable Compliance

For early-stage companies needing to establish baseline compliance quickly:

Must Have (Before Handling PHI)

  • Risk assessment completed
  • Core security policies documented
  • BAAs in place (customers and vendors)
  • Encryption implemented (at rest and in transit)
  • Access controls with MFA
  • Audit logging enabled
  • Workforce training completed
  • Incident response plan

Should Have (Within 30 Days)

  • Comprehensive policies and procedures
  • Regular access reviews
  • Backup and recovery testing
  • Vulnerability scanning
  • Log monitoring

Nice to Have (Within 90 Days)

  • Automated compliance monitoring
  • Advanced threat detection
  • SOC 2 report (for customer assurance)
  • Penetration testing

How Bastion Helps

Bastion helps technology companies work through this checklist efficiently:

  • Gap assessment: Evaluate your current state against requirements
  • Risk assessment: Conduct the required analysis with proper documentation
  • Policy development: Create policies tailored to your operations
  • Technical guidance: Implement safeguards correctly
  • Training: Develop and deliver workforce training
  • Ongoing support: Maintain compliance with regular check-ins

Ready to start your HIPAA compliance journey? Talk to our team
