Your complete HIPAA compliance checklist
Not sure if your organization is fully HIPAA compliant? This checklist covers every requirement — from the Privacy Rule to the Security Rule to employee training. Use it as a guide, or let Accountable handle it for you.
10,000+ companies trust Accountable
30 days average time to compliance
100% audit protection included
Why You Need a Checklist
HIPAA compliance has a lot of moving parts
HIPAA isn't a single requirement — it's a set of rules covering how you handle, store, transmit, and protect patient health information. Most organizations know they need to be compliant, but aren't sure if they've covered everything.
This checklist breaks HIPAA down into clear, actionable items organized by category. Check off what you've done, identify what's missing, and close the gaps — or let Accountable automate the entire process.
Who needs this checklist?
- Healthcare providers: Doctors, dentists, therapists, pharmacies, hospitals, clinics, and any practice that treats patients.
- Business associates: IT companies, billing services, cloud providers, consultants, and anyone who handles PHI on behalf of a covered entity.
- Health tech startups: SaaS platforms, telehealth tools, health analytics companies, and any startup that touches patient data.
The Checklist
HIPAA Compliance Requirements
Work through each category to ensure your organization meets every HIPAA requirement.
Administrative Safeguards
Policies, procedures, and management processes to protect PHI.
- Designate a HIPAA Privacy Officer and Security Officer: Appoint individuals responsible for developing and implementing your HIPAA policies and security measures.
- Conduct a Security Risk Assessment (SRA): Identify threats and vulnerabilities to PHI across your organization. Required annually under the updated HIPAA Security Rule.
- Develop and implement HIPAA policies and procedures: Create written policies covering privacy, security, breach notification, access controls, and data handling.
- Train all workforce members on HIPAA: Provide HIPAA training to every employee who handles PHI — at hire and annually thereafter.
- Establish a sanctions policy: Document consequences for workforce members who violate HIPAA policies.
- Create an incident response and breach notification plan: Document how your organization will detect, respond to, and report breaches of PHI.
- Implement a contingency plan: Establish data backup, disaster recovery, and emergency mode operations to protect PHI in an emergency.
Physical Safeguards
Physical measures to protect electronic systems and buildings where PHI is stored.
- Control physical access to facilities: Limit access to areas where PHI is stored or accessed. Use locks, badge systems, or other access controls.
- Implement workstation security policies: Define how workstations that access PHI should be used and positioned to prevent unauthorized viewing.
- Manage device and media controls: Track hardware and electronic media that contain PHI. Document how devices are disposed of, reused, or moved.
- Secure mobile devices: Require encryption, passcodes, and remote wipe capability for any mobile device that accesses PHI.
Technical Safeguards
Technology and related policies to protect PHI and control access.
- Implement access controls: Assign unique user IDs, set up role-based access, and implement automatic logoff for systems containing PHI.
- Implement audit controls: Record and monitor activity in systems that contain or use PHI. Maintain audit logs for review.
- Ensure data integrity: Implement mechanisms to protect PHI from being altered or destroyed improperly.
- Encrypt PHI at rest and in transit: Use encryption for stored PHI and for PHI transmitted over networks. This is an addressable requirement — but strongly recommended.
- Conduct penetration testing: Test your systems for vulnerabilities at least once every 12 months, as required by the updated HIPAA Security Rule.
- Conduct vulnerability scanning: Scan your systems for known vulnerabilities at least every 6 months, as required by the updated HIPAA Security Rule.
- Implement multi-factor authentication: Require MFA for all systems that access PHI, as mandated by the updated HIPAA Security Rule.
Vendor & Business Associate Management
Managing third parties that handle PHI on your behalf.
- Identify all business associates: List every vendor, contractor, and service provider that creates, receives, maintains, or transmits PHI on your behalf.
- Execute Business Associate Agreements (BAAs): Sign a BAA with every business associate before sharing PHI. BAAs must define permitted uses and require safeguards.
- Monitor vendor compliance: Regularly assess whether your business associates are meeting their HIPAA obligations. Document any compliance issues.
- Maintain a data inventory: Document where PHI flows through your organization — who collects it, where it's stored, who it's shared with, and how it's disposed of.
Privacy Rule Requirements
Protecting the privacy of individually identifiable health information.
- Publish a Notice of Privacy Practices (NPP): Inform patients how their PHI will be used and disclosed. Make it available in your office and on your website.
- Apply the Minimum Necessary Rule: Limit PHI access and disclosure to the minimum amount necessary for each use case.
- Obtain patient authorizations when required: Get written authorization before using or disclosing PHI for purposes not covered by treatment, payment, or healthcare operations.
- Honor patient rights: Allow patients to access their records, request amendments, receive an accounting of disclosures, and request restrictions on use.
- Implement a Privacy Center: Provide a way for patients to submit data access requests and manage their privacy preferences.
Ongoing Compliance
HIPAA compliance isn't a one-time event — it requires continuous maintenance.
- Conduct annual risk assessments: Reassess threats and vulnerabilities to PHI at least once a year — more frequently if your environment changes.
- Provide annual HIPAA training refreshers: Retrain all workforce members on HIPAA policies and procedures at least annually.
- Review and update policies regularly: Review policies whenever regulations change, your organization changes, or at least annually.
- Document everything: HIPAA requires documentation of all compliance activities — training records, risk assessments, policies, incident reports, and BAAs. Retain for 6 years.
- Monitor for breaches and incidents: Maintain a process for detecting, documenting, and reporting breaches. Notify affected individuals and HHS as required.
Skip the Spreadsheet
Accountable automates this entire checklist
Instead of tracking compliance manually, let Accountable handle the policies, training, risk assessments, and documentation for you.
Answer a few questions
Tell us about your organization — size, industry, how you handle patient data. Accountable builds a customized compliance program automatically.
We handle the hard parts
Accountable generates your policies, assigns training, runs your risk assessment, tracks your vendors, and documents everything — all from one platform.
Stay compliant year-round
Accountable monitors your compliance status, sends reminders when things are due, and keeps your documentation audit-ready at all times.
Automate your HIPAA compliance checklist.
Sign up and check off every item on this list — in weeks, not months.
"We needed HIPAA compliance fast when we started working with healthcare clients. Accountable made the entire process feel manageable — from training our staff to getting our certificate. It gave us the confidence to take on new business."
Don't just check the boxes — get compliant
Accountable turns this checklist into a living compliance program. Training, policies, risk assessments, vendor management, and documentation — all in one platform.