Annual HIPAA Compliance Tasks Checklist: What You Need to Do Every Year
Staying compliant with HIPAA is a year‑round commitment. Each year, you should revisit your risk posture, privacy program, and security operations to protect Electronic Protected Health Information (ePHI). The steps below align with Privacy, Security, and Breach Notification Rule expectations and help you build repeatable, auditable practices.
Conduct Risk Assessment
Scope and approach
Identify every system, vendor, and workflow that creates, receives, maintains, or transmits ePHI. Map data flows, including shadow IT and legacy apps, and evaluate threats, vulnerabilities, likelihood, and impact as required by Security Rule Requirements. Use a consistent methodology so results are comparable year over year.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Key actions
- Inventory assets handling ePHI (applications, devices, databases, backups, paper).
- Evaluate administrative, physical, and technical controls against Security Rule Requirements.
- Rate risks, prioritize remediation, and produce a time‑bound risk management plan.
- Test controls where feasible (audit log sampling, access reviews, vulnerability scans).
Evidence to retain
- Risk Analysis Documentation: scope, methodology, findings, decisions, owners, and sign‑off.
- Remediation plan with milestones, due dates, and completion evidence.
Maintain Privacy Practices
Key actions
- Review and, if needed, update your Notice of Privacy Practices and authorization forms.
- Validate “minimum necessary” access and disclosure workflows across departments.
- Confirm processes for patient rights (access, amendment, restrictions, confidential communications).
- Audit disclosures (including research, marketing, and fundraising) and refresh privacy training content.
Evidence to retain
- Updated privacy policies, forms, version history, and approval records.
- Disclosure logs and documentation of privacy complaints and resolutions.
Implement Safeguards
Administrative safeguards
- Review policies, workforce security, security awareness, and incident response procedures.
- Reconfirm role‑based access, workforce clearance, and sanction procedures align with policy.
Physical safeguards
- Assess facility access controls, workstation security, device/media disposal, and visitor management.
- Verify secure storage and transport procedures for removable media and printed PHI.
Technical safeguards
- Require unique IDs, strong authentication (preferably MFA), and session timeouts.
- Enable audit controls and log retention; review alerts and anomalous access.
- Protect data in transit and at rest with encryption where appropriate; harden endpoints and servers.
Evidence to retain
- Annual control review checklist mapped to Security Rule Requirements.
- Configuration baselines, change logs, and sample audit reports.
Execute Business Associate Agreements
Key actions
- Refresh your vendor inventory and confirm which partners handle ePHI.
- Review each Business Associate Agreement to ensure required clauses remain accurate.
- Flow down obligations to subcontractors and validate incident reporting expectations.
- Terminate or update agreements when services change; ensure secure data return or destruction.
Evidence to retain
- Executed agreements, due‑diligence questionnaires, and security assurance artifacts.
- Annual vendor risk attestation records and issue‑tracking logs.
Provide Workforce Training
Training plan
- Deliver role‑based annual training covering Privacy, Security, and Breach Notification Rule duties.
- Include phishing awareness, secure use of messaging and cloud tools, and incident reporting.
- Train new hires promptly and retrain upon policy, system, or role changes.
Evidence to retain
- Attendance/completion records, test results, content outlines, and schedules.
- Documentation of remedial coaching or Sanctions and Disciplinary Actions for noncompliance.
Document Access Controls
Key actions
- Run joiner‑mover‑leaver reviews to confirm appropriate role‑based access and rapid deprovisioning.
- Enforce unique user IDs, least privilege, emergency (“break‑glass”) access, and MFA for remote access.
- Audit high‑risk permissions (EHR admins, database admins, billing exports) and third‑party access.
Evidence to retain
- Access review certifications, exception approvals, and change tickets.
- Sampling of audit logs showing monitoring and follow‑up on anomalies.
Operate Breach Notification Process
Key actions
- Maintain an incident response plan that distinguishes security incidents from reportable breaches.
- Perform a four‑factor risk assessment for suspected breaches of unsecured PHI.
- Use preapproved notification templates and a decision log to document determinations.
Timelines and thresholds
- Notify affected individuals without unreasonable delay and no later than 60 calendar days.
- Report breaches of 500+ individuals to HHS and prominent media within 60 days; log and report smaller breaches to HHS within 60 days after year‑end.
Evidence to retain
- Incident tickets, risk assessments, notification letters, and regulator submissions.
- Annual breach log consistent with the Breach Notification Rule.
Maintain Sanctions Policy
Key actions
- Keep a written, tiered Sanctions and Disciplinary Actions framework for workforce violations.
- Apply sanctions consistently, coordinate with HR, and communicate expectations to staff and contractors.
- Analyze trends to address root causes through training or process fixes.
Evidence to retain
- Sanction determinations, notices, and proof of corrective actions.
- Aggregate metrics demonstrating fair and consistent enforcement.
Document Contingency Planning
Contingency Planning Procedures checklist
- Data backup plan with tested restores and offsite, immutable copies.
- Disaster recovery plan with defined RTO/RPO and application criticality analysis.
- Emergency mode operations for critical processes when systems are degraded.
Testing and improvement
- Conduct tabletop exercises and at least one live restore test annually.
- Review vendor dependencies, communication trees, and failover runbooks.
Evidence to retain
- Test plans, results, issues, and remediation tracking.
- Updated diagrams, contact lists, and change logs for contingency assets.
Review Policies and Re-Attest Compliance
Annual governance cadence
- Version‑control all HIPAA policies; review for regulatory or operational changes.
- Secure leadership approval and budget for prioritized risk remediation.
- Obtain workforce re‑attestations to key policies and code of conduct.
- Compile audit‑ready packets: Risk Analysis Documentation, training records, BAA inventory, and breach logs.
Evidence to retain
- Policy repository with redlines, approvals, and effective dates.
- Attestation records and an annual compliance report summarizing outcomes and next‑year objectives.
Conclusion
By cycling through this checklist each year—risk, privacy, safeguards, vendor oversight, training, access, incident handling, sanctions, contingency, and governance—you create a defensible HIPAA program. The result is stronger protection of ePHI, clear accountability, and faster, more consistent responses to change.
FAQs.
What are the key annual HIPAA compliance tasks?
Reassess risks and update your remediation plan, refresh privacy practices, validate administrative/physical/technical safeguards, review every Business Associate Agreement, deliver role‑based training, certify access controls, test breach response, enforce your sanctions policy, exercise contingency plans, and finalize an audit‑ready compliance report with current attestations.
How often should workforce training be conducted?
Provide training at least annually for all workforce members and promptly upon hire, role change, or when policies or systems change. Reinforce with periodic security awareness touchpoints—such as phishing simulations or micro‑modules—to keep practices fresh.
What is required in a HIPAA risk assessment?
You must identify where ePHI resides and flows, evaluate threats and vulnerabilities, assess likelihood and impact, determine risk levels, and select mitigations. The assessment must be documented, repeatable, and produce a prioritized risk management plan with accountable owners and timelines.
How should breaches be reported according to HIPAA?
After a four‑factor risk assessment determines a reportable breach of unsecured PHI, notify affected individuals without unreasonable delay and within 60 days. Report incidents affecting 500 or more individuals to HHS and prominent media within 60 days; for fewer than 500, log them and report to HHS within 60 days after the calendar year ends.
Table of Contents
- Conduct Risk Assessment
- Maintain Privacy Practices
- Implement Safeguards
- Execute Business Associate Agreements
- Provide Workforce Training
- Document Access Controls
- Operate Breach Notification Process
- Maintain Sanctions Policy
- Document Contingency Planning
- Review Policies and Re-Attest Compliance
- FAQs.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.