Checklist: The HIPAA Security Rule Requires Covered Entities to Implement Safeguards

This practical checklist helps you implement the safeguards the HIPAA Security Rule requires to protect electronic protected health information (ePHI). You will align administrative, physical, and technical safeguards, conduct ongoing risk analysis, train your workforce, prepare contingency plans, and manage business associate agreements—without guesswork.

Use each section to confirm what is in place, identify gaps, and document decisions. Keep concise evidence for every control you adopt or deem not reasonable, so you can show due diligence during audits or investigations.

Implement Administrative Safeguards

Administrative Safeguards are the policies, procedures, and oversight you use to select, implement, and maintain security measures for ePHI. They establish governance, define roles, and ensure security is part of daily operations.

Checklist

• Designate a security official with authority to implement and enforce the security program; document responsibilities and reporting lines.
• Perform and maintain a documented Risk Analysis and ongoing risk management program that drives all safeguard decisions.
• Create, approve, and enforce security policies and procedures (passwords, acceptable use, remote work, mobile/BYOD, change management).
• Implement information access management: role-based provisioning, approval workflows, minimum necessary access, and timely deprovisioning.
• Define workforce security processes: onboarding, supervision, transfer and termination procedures, and periodic access reviews.
• Establish security incident procedures: detection, response, reporting, post-incident lessons learned, and metrics.
• Schedule periodic evaluations to verify that safeguards, operations, and risks are still aligned with your environment.
• Coordinate contingency planning, vendor oversight, and Business Associate oversight with documented responsibilities.

Evidence to keep

• Security program charter, role assignments, and org chart.
• Risk analysis, risk register, and risk treatment plans.
• Approved policy manual and revision history.
• Access authorization records and periodic access review reports.
• Incident response plan, incident logs, and after-action reports.
• Evaluation results and remediation tracking.

Implement Physical Safeguards

Physical Safeguards protect facilities, workstations, and devices that create, receive, maintain, or transmit ePHI. They reduce the chance that unauthorized individuals can physically access systems or media.

Checklist

• Facility access controls: visitor management, badging, escort procedures, locked server rooms, and emergency access methods.
• Workstation use and security: defined placement and usage rules, privacy screens, automatic screen lock, and clean-desk standards.
• Device and media controls: hardware inventory, secure storage, encryption where feasible, chain of custody, re-use procedures, and certified destruction.
• Environmental and utility protections: UPS/generators, temperature/humidity monitoring, and secure offsite storage for backups.
• Portable devices: clear rules for transport, secure storage when unattended, and documented loss/theft reporting.

Evidence to keep

• Access logs, visitor logs, and maintenance records.
• Workstation and device inventory with ownership and location.
• Media sanitization and destruction certificates.
• Backup location details and environmental control records.

Implement Technical Safeguards

Technical Safeguards are the technology and related processes that protect ePHI and control access. Focus on Access Controls, Audit Controls, Transmission Security, integrity protections, and authentication.

Access Controls

• Unique user IDs, least-privilege role design, and privileged access management for admins.
• Multi-factor authentication for remote access and sensitive roles; strong password standards and secure resets.
• Automatic logoff and session timeouts; “break-glass” emergency access with monitoring and justification.
• Encryption at rest where reasonable and appropriate, with documented exceptions if not implemented.

Audit Controls

• Enable detailed logging in EHRs, applications, databases, and network devices for read/view, create, modify, and delete events.
• Centralize logs, monitor for anomalies, and review high-risk access routinely; retain logs per policy.
• Generate periodic audit reports and document follow-up on alerts or suspected incidents.

Integrity and Authentication

• Integrity controls such as hashing, tamper-evident storage, backups, and change monitoring for ePHI repositories.
• Person or entity authentication: MFA, certificates or device trust for endpoints, and secure API keys or tokens.

Transmission Security

• Encrypt ePHI in transit with current protocols (for example, TLS 1.2+), including email, portals, APIs, SFTP, and VPNs.
• Disable insecure protocols and ciphers; protect wireless networks with strong authentication and segmentation.
• Use secure messaging for clinical communications; document exceptions and compensating controls when needed.

Evidence to keep

• Access control matrices, MFA configuration summaries, and exception justifications.
• Audit log retention policy, SIEM reports, and sample audit trails.
• Encryption and key management standards; network diagrams showing protected flows.

Conduct Risk Analysis and Management

Risk Analysis identifies where ePHI lives, what could go wrong, and how likely and severe those events would be. Risk Management selects and implements safeguards to reduce risk to a reasonable and appropriate level.

Checklist

• Define scope: all systems, apps, endpoints, networks, cloud services, and vendors that create, receive, maintain, or transmit ePHI.
• Inventory ePHI and map data flows, including backups and temporary storage.
• Identify threats and vulnerabilities (technical, physical, administrative, human, and environmental).
• Estimate likelihood and impact; calculate inherent and residual risk; prioritize with a clear methodology.
• Document existing controls and gaps; decide on 'required' and 'addressable' measures and justify choices.
• Create a risk treatment plan with owners, timelines, and milestones; track through completion.
• Reassess risks periodically and whenever significant changes occur (new systems, migrations, incidents, mergers).

Evidence to keep

• Risk analysis report, risk register, and treatment plans with leadership approvals.
• Change logs showing trigger events and reassessment dates.
• Progress dashboards and closure documentation for mitigations.

Provide Workforce Training

Your workforce is central to security. Training ensures people understand how to protect ePHI and follow policies every day.

Checklist

• Provide security awareness and role-based training to all workforce members, including management and contractors with access.
• Deliver training at onboarding before system access, with periodic refreshers and just-in-time updates.
• Cover practical topics: phishing, social engineering, secure passwords and MFA, device and workstation security, remote work, acceptable use, reporting incidents.
• Run simulated phishing and targeted exercises; reinforce lessons with leadership messaging.
• Apply and document sanctions for violations; integrate with HR processes.
• Track attendance, completion, knowledge checks, and policy acknowledgments.

Evidence to keep

• Training plan and curricula by role.
• Attendance rosters, completion certificates, and assessment results.
• Policy acknowledgement records and sanction logs when applicable.

Establish Contingency Plans

Contingency planning keeps critical operations running and protects ePHI during disruptions such as cyber incidents, outages, or disasters.

Checklist

• Data Backup Plan: automated, encrypted backups with defined frequency, retention, and offsite storage; test restores regularly.
• Disaster Recovery Plan: set RTO/RPO targets, create runbooks, validate failover for critical applications, and maintain vendor contacts.
• Emergency Mode Operation Plan: define minimal processes to continue care and billing; include emergency access procedures.
• Testing and Revision Procedures: conduct tabletop and functional exercises; record after-action items and update plans.
• Applications and Data Criticality Analysis: rank systems to guide restoration order and resource allocation.
• Alternates and Communications: identify alternate sites, secure remote access, and internal/external communication trees.

Evidence to keep

• Backup and restore test reports, DR drill results, and updated plan versions.
• Criticality analysis worksheets and decision logs.
• Emergency contact lists and communications templates.

Ensure Business Associate Agreements

Business Associates that handle ePHI for you must contractually commit to protecting it. Effective agreements and oversight reduce third‑party risk.

Checklist

• Inventory all Business Associates and subcontractors that create, receive, maintain, or transmit ePHI on your behalf.
• Execute written Business Associate Agreements (BAAs) before sharing ePHI; centralize storage and renewal tracking.
• Require Administrative Safeguards, Physical Safeguards, and Technical Safeguards; ensure Access Controls, Audit Controls, and Transmission Security are addressed.
• Mandate prompt reporting of security incidents and breaches, cooperation with investigations, and compliance with breach notification requirements.
• Flow down obligations to subcontractors; limit uses/disclosures; require return or destruction of ePHI at termination where feasible.
• Obtain reasonable assurance of security (e.g., assessments, attestations); monitor high‑risk vendors and remediate findings.

Evidence to keep

• BAA inventory, signed agreements, and renewal calendar.
• Vendor due‑diligence checklists, assessment results, and remediation plans.
• Incident notifications and correspondence history.

By following this checklist, you implement Administrative Safeguards, Physical Safeguards, and Technical Safeguards in a risk‑based, auditable way. Continuous Risk Analysis, workforce training, tested contingency plans, and strong BAAs work together to keep ePHI secure and demonstrate compliance.

FAQs.

What are the three types of safeguards required by the HIPAA Security Rule?

The HIPAA Security Rule requires Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Together they establish policy and oversight, protect facilities and devices, and enforce Access Controls, Audit Controls, integrity protections, authentication, and Transmission Security for ePHI.

How often must risk assessments be conducted under the Security Rule?

HIPAA requires a Risk Analysis and ongoing risk management that are performed periodically and whenever significant environmental or operational changes occur. Many organizations reassess at least annually and after material changes such as new systems, migrations, major incidents, or acquisitions.

What are the requirements for workforce training on ePHI security?

You must provide security awareness and training to all workforce members with access to ePHI, including management. Training occurs at onboarding before access and periodically thereafter, is role‑appropriate, covers practical threat scenarios, and is documented with attendance, assessments, and policy acknowledgments.

How do business associate agreements support HIPAA compliance?

BAAs contractually require Business Associates to safeguard ePHI through Administrative, Physical, and Technical Safeguards, restrict uses and disclosures, report incidents and breaches promptly, flow obligations to subcontractors, assist with individual rights where applicable, and return or destroy ePHI at termination—thereby extending your security and compliance program to third parties.