
HIPAA Compliance Checklist 2026: What Healthcare Organizations Need

April 7, 2026 | By George Makaye, CISSP

A HIPAA compliance checklist helps healthcare organizations systematically verify that they meet the administrative, physical, and technical safeguard requirements mandated by the Health Insurance Portability and Accountability Act. Rather than treating compliance as a once-a-year exercise, the most effective approach is to use a comprehensive checklist as a living reference that your organization reviews and updates continuously throughout the year.

Whether you are a medical practice, clinic, hospital system, or business associate that handles protected health information (PHI), HIPAA compliance is not optional. The consequences of non-compliance range from significant financial penalties to reputational damage and loss of patient trust. This checklist covers the key requirements across all three safeguard categories so your organization can identify gaps and take action.

Understanding the Three HIPAA Safeguard Categories

The HIPAA Security Rule organizes its requirements into three categories of safeguards. Each addresses a different dimension of protecting electronic protected health information (ePHI). A complete HIPAA compliance checklist must cover all three.

  • Administrative safeguards focus on policies, procedures, and workforce management
  • Physical safeguards address the physical protection of systems and facilities that store ePHI
  • Technical safeguards cover the technology controls that protect ePHI during storage, processing, and transmission

GXA® works with healthcare organizations across North Texas to implement and maintain these safeguards as part of a comprehensive managed IT and cybersecurity program.

Administrative Safeguard Checklist

Administrative safeguards are the foundation of HIPAA compliance. They define how your organization manages security at the policy and human level.

Security Management Process

  • Conduct a thorough risk assessment that identifies vulnerabilities and threats to ePHI across all systems, workflows, and locations
  • Document a risk management plan that addresses each identified risk with specific mitigation actions and timelines
  • Implement a sanctions policy that defines consequences for workforce members who violate security policies
  • Review information system activity through regular audit log reviews to detect unauthorized access or anomalies

Workforce Security

  • Define role-based access so that each workforce member can access only the ePHI necessary for their job function
  • Implement authorization procedures that require approval before granting access to systems containing ePHI
  • Establish termination procedures that revoke access immediately when workforce members leave the organization or change roles
  • Maintain workforce clearance procedures including background checks where appropriate

Security Awareness and Training

  • Provide security awareness training to all workforce members upon hire and at regular intervals throughout the year
  • Conduct simulated phishing exercises to test and reinforce employee vigilance against social engineering attacks
  • Distribute security reminders through internal communications to keep best practices top of mind
  • Train staff on password management including the use of strong, unique passwords and multi-factor authentication
  • Educate staff on malware protection so they can recognize and report suspicious files, links, and email attachments

Contingency Planning

  • Develop and maintain a data backup plan that defines backup frequency, storage locations, and encryption requirements
  • Create a disaster recovery plan that documents how ePHI systems will be restored after an outage or disaster
  • Establish an emergency mode operation plan for maintaining access to critical ePHI during an emergency
  • Test your contingency plans at least annually through tabletop exercises or full recovery tests
  • Assess and update plans after any significant infrastructure change, incident, or test failure

Evaluation

  • Conduct periodic evaluations of your security program to assess whether policies and procedures meet HIPAA requirements
  • Document evaluation results and track remediation of identified gaps
  • Update policies when operational changes, technology changes, or new threats require it

Physical Safeguard Checklist

Physical safeguards protect the hardware, facilities, and physical media that store or provide access to ePHI.

Facility Access Controls

  • Implement access controls for facilities that house systems containing ePHI, including locked server rooms, badge access, and visitor sign-in procedures
  • Establish a facility security plan that documents physical protections for each location
  • Maintain access control and validation procedures that verify the identity of anyone accessing restricted areas
  • Document maintenance records for physical security equipment including locks, cameras, and access card systems

Workstation and Device Security

  • Define workstation use policies that specify how and where workstations accessing ePHI may be used
  • Implement workstation physical safeguards such as screen privacy filters, auto-lock timeouts, and positioning screens away from public view
  • Maintain an inventory of all devices that store or access ePHI including laptops, tablets, mobile devices, and removable media
  • Implement device and media controls covering the disposal, reuse, and movement of hardware and electronic media containing ePHI
  • Encrypt portable devices and removable media so that lost or stolen hardware does not result in a data breach

Technical Safeguard Checklist

Technical safeguards are the technology controls that protect ePHI within your systems and networks. This is where your IT infrastructure and cybersecurity program intersect directly with HIPAA compliance.

Access Controls

  • Assign unique user identifications so that every person accessing ePHI has their own login credentials
  • Implement emergency access procedures that allow authorized personnel to access ePHI during emergencies
  • Configure automatic logoff on systems that access ePHI after a defined period of inactivity
  • Encrypt ePHI at rest on all servers, databases, workstations, and portable devices
  • Implement role-based access controls that restrict ePHI access to the minimum necessary for each role

Audit Controls

  • Enable audit logging on all systems that create, store, process, or transmit ePHI
  • Define a log review process that includes regular review of audit logs for unauthorized access or anomalies
  • Retain audit logs for a minimum of six years as required by HIPAA
  • Protect audit logs from tampering or unauthorized deletion

Integrity Controls

  • Implement mechanisms to verify ePHI integrity ensuring that data has not been altered or destroyed in an unauthorized manner
  • Use checksums or digital signatures where appropriate to detect unauthorized changes
  • Monitor for unauthorized modifications through automated alerting

Transmission Security

  • Encrypt ePHI in transit using TLS, VPN, or equivalent encryption for all data transmitted over networks
  • Implement integrity controls for data in transit to ensure transmitted ePHI is not improperly modified
  • Secure email communications containing PHI through encryption or a secure messaging platform
  • Protect wireless networks with strong encryption and segmentation from guest access

Ongoing Compliance Activities

HIPAA compliance is not a project with a finish line. It is an ongoing operational requirement. The following activities should be part of your regular compliance cadence.

Monthly

  • Review audit logs for access anomalies
  • Verify backup completion and test sample restores
  • Review and resolve any security monitoring alerts
  • Process access changes for new hires, terminations, and role changes

Quarterly

  • Conduct security awareness refresher training
  • Run simulated phishing exercises
  • Review and update user access lists
  • Assess compliance with documented policies and procedures

Annually

  • Conduct a comprehensive risk assessment
  • Review and update all HIPAA policies and procedures
  • Test disaster recovery and contingency plans through tabletop exercises
  • Evaluate the effectiveness of your overall security program
  • Review business associate agreements for completeness and accuracy
  • Update your HIPAA compliance documentation

How a Managed IT Partner Supports HIPAA Compliance

Many healthcare organizations, especially those with 20 to 500 employees, do not have the internal resources to manage all of these requirements on their own. A managed IT partner with healthcare experience can take ownership of the technical safeguards, support the administrative and physical safeguards, and provide the documentation and evidence needed for audits.

Key capabilities to look for in a partner:

  • ISO 9001:2015 certification and SOC 2 Type II attestation demonstrating that the provider’s own processes meet rigorous quality and security standards
  • Dedicated security services such as GXA’s gShield™ cybersecurity framework, which includes managed detection and response, phishing simulation, vulnerability scanning, and security awareness training
  • Strategic IT leadership through a vCIO and vITM who conduct regular reviews and maintain your compliance posture as part of ongoing operations
  • 24/7/365 monitoring through a Network Operations Center and Security Operations Center

Frequently Asked Questions

How often should a healthcare organization conduct a HIPAA risk assessment?

HIPAA does not specify an exact frequency, but the requirement is for risk assessments to be conducted regularly. Best practice is to perform a comprehensive risk assessment annually and to conduct supplemental assessments whenever there are significant changes to your IT environment, organizational structure, or threat landscape.

What is the difference between administrative, physical, and technical safeguards?

Administrative safeguards are the policies, procedures, and training programs that govern how your workforce manages ePHI. Physical safeguards protect the facilities and devices that store ePHI. Technical safeguards are the technology controls, such as encryption, access controls, and audit logging, that protect ePHI within your systems.

Do business associates need to comply with HIPAA?

Yes. Any organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a business associate and must comply with applicable HIPAA requirements. A business associate agreement (BAA) must be in place between covered entities and their business associates.

Can a managed IT provider serve as our HIPAA compliance officer?

A managed IT provider can support your HIPAA compliance program by managing technical safeguards, conducting risk assessments, maintaining documentation, and providing security training. However, the compliance officer role itself is an internal organizational responsibility. Your provider should augment your compliance program, not replace your organizational accountability.

What should we do if we discover a HIPAA compliance gap?

Document the gap, assess the risk it poses, develop a remediation plan with specific actions and timelines, and implement the fix. Maintain documentation of both the gap and the remediation for your records. If the gap involves a breach of unsecured PHI, you may have notification obligations under the HIPAA Breach Notification Rule.

Take the Next Step

HIPAA compliance does not have to be overwhelming when you have the right partner managing your technology and security. With over 21 years of experience, ISO 9001:2015 certification, and SOC 2 Type II attestation, GXA® helps healthcare organizations across Texas implement and maintain the safeguards that keep patient data protected and compliance on track.

Schedule a consultation to discuss how GXA can strengthen your HIPAA compliance posture.


Written by George Makaye, CISSP, President & CEO, GXA | 21+ years IT leadership

Published April 7, 2026
