Buying a Medical Practice? HIPAA Compliance Due Diligence Checklist


Kevin Henry

HIPAA

March 14, 2026

9 minutes read

Acquiring a medical practice means inheriting its privacy, security, and breach-handling obligations. Use this HIPAA-focused due diligence checklist to surface risks early, price them appropriately, and build a remediation plan that protects patients and your investment.

Core reviews

  • Request a summary of the practice’s regulatory posture: designated HIPAA Privacy Officer and Security Officer, latest HIPAA Risk Analysis, and status of corrective actions.
  • Review evidence of prior Compliance Audits (internal or external), government inquiries, corrective action plans, and any open items.
  • Ask for breach and incident logs, including risk assessments under the Breach Notification Rule and notifications sent to affected individuals, regulators, and media (if applicable).
  • Identify overlapping laws that may increase exposure (state privacy rules, 42 CFR Part 2, consumer breach laws, and payer/contract requirements).

Liability exposure and deal mechanics

  • Clarify whether you are structuring an asset or equity purchase; determine if liabilities tied to historical HIPAA violations remain with the seller or could follow operations.
  • Evaluate insurance coverage: cyber liability, regulatory defense, and tail coverage for claims-made policies.
  • Quantify remediation costs for identified gaps (encryption, MFA, archival clean‑up, policy rebuild, staff retraining) and reflect them in valuation or holdbacks.

Contractual protections

  • Secure robust representations and warranties around HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule compliance.
  • Include covenants to complete outstanding risk mitigation tasks pre‑close or within a defined post‑close timeline.
  • Use indemnities, escrows, and special indemnity baskets for undisclosed incidents or failures to notify under the Breach Notification Rule.

HIPAA Compliance Documentation

Document request list

  • Governance: appointment letters or memos designating the HIPAA Privacy Officer and Security Officer; compliance committee charters and minutes.
  • Risk management: the latest HIPAA Risk Analysis (methodology, scope, findings), risk register, and a corresponding Risk Management Plan with closure evidence.
  • Policies/procedures: complete, version‑controlled sets covering the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule; update history and approval records.
  • Notices and forms: current Notice of Privacy Practices, authorization templates, restriction/confidential communication forms, and complaint intake/response logs.
  • Incident/breach: incident response plan, playbooks, decision trees, risk assessment templates, breach log, notification letters, and annual reporting records.
  • Access and disclosures: Designated Record Set definition, access/amendment request logs, accounting of disclosures, minimum necessary standards, and release‑of‑information workflows.
  • Technical evidence: network diagrams, asset/system inventory, encryption standards, MFA configurations, audit logging standards, vulnerability scans, penetration test summaries, backup/restore tests, and disaster recovery results.
  • Vendors: Business Associate Agreements for all relevant third parties, due diligence questionnaires, security attestations, and monitoring reviews.
  • Training: curriculum, schedules, completion rates, quiz results, attestations, and other Staff Training Documentation; sanctions applied for non‑compliance.
  • Audits and monitoring: internal Compliance Audit reports, privacy rounds results, access‑log reviews, and corrective action follow‑up.
  • Records management: retention schedules for PHI, media/device control logs, and destruction certificates for paper and electronic media.

HIPAA Compliance Training and Enforcement

Training program essentials

  • Verify onboarding and periodic refreshers tailored by role (clinical, billing, front desk, IT, leadership), covering the Privacy, Security, and Breach Notification Rules.
  • Confirm scenario‑based modules on minimum necessary, patient access timelines, secure messaging, phishing, mobile device use, and incident reporting.
  • Review delivery methods and measurement: learning platform reports, completion targets, knowledge checks, and re‑training triggers after incidents.

Enforcement and accountability

  • Examine the sanctions policy and examples of applied corrective actions (coaching, warnings, access changes) for violations.
  • Check how leadership reinforces compliance: town halls, privacy rounds, dashboards, and escalation paths to the Privacy/Security Officers.
  • Ensure training ties to access provisioning; no access to ePHI until baseline training and acknowledgments are complete.

What buyers should verify

  • Auditable Staff Training Documentation for the last three years, including rosters, dates, scores, and attestations.
  • Evidence of annual security awareness activities (simulated phishing, reminders) and remediation for repeat offenders.
  • Documentation showing that business associates with workforce handling PHI conduct comparable training.

HIPAA Compliance Policies and Procedures

Privacy Rule (uses/disclosures and patient rights)

  • Policies on permitted uses/disclosures, authorizations, marketing/fundraising limits, and verification of requestors; minimum necessary standards by job role.
  • Processes for patient rights: timely access, amendments, restrictions, confidential communications, and accounting of disclosures.
  • Notice of Privacy Practices distribution and acknowledgment; complaint intake, mitigation of harmful effects, and anti‑retaliation.

Security Rule (administrative, physical, technical)

  • Administrative: HIPAA Risk Analysis cadence, risk management, workforce security, role‑based access, security awareness, incident response, and periodic evaluations.
  • Physical: facility access controls, workstation positioning, device/media controls, secure storage, and escorted visitor protocols.
  • Technical: unique user IDs, MFA, automatic logoff, encryption at rest and in transit, audit controls/log review, integrity controls, and transmission security for all ePHI flows.
  • Contingency planning: data backup plans, disaster recovery plans, emergency mode operations, and documented test results.

Breach Notification Rule (assessment and notice)

  • Presumption of breach unless low probability of compromise is documented via risk assessment; clear decision criteria and templates.
  • Notification timelines and content requirements for individuals; annual reporting to regulators for breaches affecting fewer than 500 individuals and timely (contemporaneous) reporting for breaches affecting 500 or more; media notice when required.
  • Evidence of post‑incident mitigation, root‑cause analysis, and control enhancements to prevent recurrence.

Operational Processes and Technology

Systems, data flows, and interoperability

  • Map ePHI across the environment: EHR, practice management, billing/RCM, imaging, labs, patient portal, telehealth, messaging, and data exports.
  • Validate data flow diagrams, minimum necessary enforcement points, and controls on interfaces/APIs that exchange ePHI with business associates.

Identity, access, and endpoint security

  • Centralized identity management with role‑based access, least privilege, and rapid provisioning/deprovisioning tied to HR events.
  • MFA for remote access, email, and privileged accounts; password standards and device encryption on laptops, tablets, and phones.
  • Mobile/BYOD governance: containerization, remote wipe, and restrictions on local PHI storage.

Security operations

  • Patch/vulnerability management with defined SLAs; EDR/antimalware coverage; email security with phishing defense.
  • Centralized logging and periodic access‑log and audit‑log reviews; alert triage and documented incident handling.
  • Backup integrity verification, recovery time objectives, and offsite/immutable backups for ransomware resilience.

Data lifecycle and records management

  • Retention schedules aligned to clinical, payer, and state requirements; legal hold procedures when litigation is anticipated.
  • Secure disposal: shredding consoles for paper, certified media destruction for drives, and wipe/reimage standards for device reuse.

Third parties and Business Associate Agreements

  • Inventory all vendors handling PHI; confirm signed Business Associate Agreements that mirror your security and breach obligations.
  • Assess vendor security through questionnaires, attestations, and periodic reviews; track remediation of vendor findings.
  • Ensure offboarding steps for vendors include data return/termination clauses and destruction certifications.

Staffing, Employment Contracts, and Culture

Key roles and competencies

  • Confirm dedicated HIPAA Privacy Officer and Security Officer with defined authority, budget, and reporting lines.
  • Review job descriptions for PHI‑intensive roles (billing, HIM, nursing, IT admins) and verify access aligns with duties.

Workforce management

  • Pre‑hire screening appropriate to roles, confidentiality agreements, and clear codes of conduct referencing HIPAA.
  • Onboarding checklists that gate system access on completed training; periodic access recertifications.
  • Termination/offboarding playbooks: asset return, credential revocation, exit attestations, and timely deprovisioning.

Culture signals

  • Anonymous reporting channels, non‑retaliation policies, and manager escalation expectations.
  • Regular communication from leadership on privacy and security priorities; visible follow‑through on corrective actions.

Employment contracts

  • Review agreements for confidentiality, acceptable use, BYOD, telework, and sanctions language consistent with HIPAA policies.
  • Validate coverage for moonlighting, research, or side agreements that could expose PHI or create competing obligations.

Physical Assets and Infrastructure

Facility and workspace controls

  • Badge or key control, visitor sign‑ins with escorts, and restricted areas for records, servers, and networking gear.
  • Privacy safeguards at front desks and nursing stations; screen privacy filters and policies against leaving PHI in view.
  • Printer, copier, and fax safeguards: secure release, empty trays, and controlled disposal of misprints and cover sheets.

Devices, media, and storage

  • Full‑disk encryption for all portable devices; secure cabinet or dock storage; inventory with unique asset IDs and lifecycle tracking.
  • Media controls: chain‑of‑custody for drives, validated wipe methods, and certificates of destruction.
  • Paper records: locked storage, clean‑desk enforcement, and documented shredding pickups.

Continuity and environment

  • Server room controls: access logs, temperature/humidity monitoring, fire suppression, and uninterruptible power.
  • Disaster response: flood, fire, and severe‑weather readiness tied to contingency and emergency mode operations.

Summary

A thorough HIPAA due diligence review validates documentation, training, and policies; probes operations and technology; evaluates people and culture; and inspects physical safeguards. Capture gaps in a remediation roadmap, assign owners and timelines, and reflect residual risk in price, reps, and post‑close plans.


FAQs

What are the key HIPAA policies required for medical practice acquisition?

You should see comprehensive, version‑controlled policies addressing the HIPAA Privacy Rule (uses/disclosures, patient rights, minimum necessary, NPP), the HIPAA Security Rule (administrative, physical, and technical safeguards, contingency planning), and the Breach Notification Rule (incident response, risk assessment, notification workflows). Confirm approval dates, review cadence, and evidence the workforce follows them.

How can a buyer verify HIPAA training compliance?

Request Staff Training Documentation for at least the past three years: curricula, schedules, completion reports by role, quiz scores, attestations, and sanctions for non‑completion. Cross‑check training dates against HR start dates and system access logs to ensure no one accessed ePHI before completing required training and acknowledgments.
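The cross-check described above (and the "no access to ePHI until baseline training is complete" item under Enforcement and accountability) can be automated. The following is an added example, not code from the article or from Accountable; the training completion dates, HR start dates and EHR access log lines are constructed sample data, and the log format is an assumed one (timestamp, user, action, resource).

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data (not from the article) for a fictional practice.
TRAINING_COMPLETED = {          # user -> date baseline HIPAA training was completed
    "jsmith": "2025-01-10",
    "mlee": "2025-02-03",
    "rpatel": "2024-12-20",     # completion precedes hire date: suspicious record
    # "tnguyen" has no completion record at all
}
HR_START = {"jsmith": "2025-01-06", "mlee": "2025-01-27",
            "rpatel": "2025-01-15", "tnguyen": "2025-02-10"}
ACCESS_LOG = """\
2025-01-08T09:14:02 jsmith VIEW patient/4471
2025-01-12T11:02:45 jsmith VIEW patient/4471
2025-02-03T08:30:00 mlee VIEW patient/1923
2025-02-11T14:05:19 tnguyen EXPORT patient/7730
"""

@dataclass(frozen=True)
class Finding:
    user: str
    timestamp: str
    action: str
    resource: str
    reason: str

def parse_access_log(text):
    """Yield (timestamp, user, action, resource) from the assumed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, user, action, resource = line.split()
            yield ts, user, action, resource

def find_pre_training_access(training, access_log):
    """Flag ePHI accesses by users with no training record or before completion.
    Access on the completion date itself is treated as compliant."""
    findings = []
    for ts, user, action, resource in parse_access_log(access_log):
        done = training.get(user)
        if done is None:
            findings.append(Finding(user, ts, action, resource, "no training record"))
        elif datetime.fromisoformat(ts).date() < datetime.fromisoformat(done).date():
            findings.append(Finding(user, ts, action, resource,
                                    "access before training completion"))
    return findings

def backdated_training(training, hr_start):
    """Users whose training completion date precedes their HR start date."""
    return sorted(u for u, d in training.items()
                  if u in hr_start and d < hr_start[u])
```

Run the checks over the practice's real exports and treat every finding as an item for the remediation roadmap, since each one is a gap between the training policy and actual access provisioning.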

What documentation is essential for HIPAA due diligence?

At minimum: the latest HIPAA Risk Analysis and Risk Management Plan, full policy sets for the Privacy, Security, and Breach Notification Rules, incident/breach logs and notifications, Business Associate Agreements with due diligence files, internal/external Compliance Audit reports, access/disclosure logs, NPP and forms, vendor inventory, technical security evidence (encryption, MFA, logs, backups), and records‑retention/destruction records.

How are HIPAA breaches handled during practice transition?

The seller should follow the Breach Notification Rule using a documented risk assessment and issue required notices within regulatory timelines. The purchase agreement should allocate responsibility and costs for pre‑close incidents, define cooperation for investigations, and require prompt disclosure of any newly discovered events. Post‑close, the buyer continues incident response under updated policies and notifies affected parties as required.
