End of Year HIPAA Compliance Checklist: Essential Tasks to Complete Before December 31

Use this end of year HIPAA compliance checklist to close gaps before December 31. Each task below helps you safeguard Protected Health Information (PHI) and Electronic Protected Health Information (ePHI), reduce risk, and prove due diligence through clear Documentation Retention and Compliance Monitoring.

Complete HIPAA Training for Staff

Confirm every workforce member who creates, receives, maintains, or transmits PHI/ePHI has completed required training. Provide role-based refreshers at least annually and whenever policies or systems change, and ensure new hires and temporary staff are trained promptly.

• Deliver modules covering privacy, security, minimum necessary, secure messaging, phishing awareness, and incident reporting.
• Capture attestations, completion dates, scores, and supervisor sign-off; retain training logs for at least six years.
• Address remote work practices, mobile device use, and safeguards for ePHI (encryption, MFA, and secure storage).
• Track completion with Compliance Monitoring dashboards and remediate overdue items before December 31.

Verify Right of Access Procedures

Audit your Right of Access workflow to ensure patients can obtain their records quickly, in the format they request if readily producible, and at a reasonable, cost-based fee. Validate identity checks and ensure denials, when applicable, follow policy and are properly documented.

• Confirm requests are fulfilled within 30 days of receipt; if necessary, one 30-day extension is permitted with written notice explaining the delay.
• Standardize intake (portal, email, mail, in-person), tracking, and deadline alerts; assign owners for each request.
• Validate fee schedules, formats (digital vs. paper), and secure transmission methods for ePHI.
• Retain request logs, copies of correspondence, fees charged, and fulfillment proof as part of Documentation Retention.

Review and Update Business Associate Agreements

Inventory all vendors that create, receive, maintain, or transmit PHI/ePHI on your behalf and ensure a current Business Associate Agreement (BAA) is in place for each. Align BAAs with your security standards and breach reporting expectations.

• Verify BAAs define permitted uses/disclosures, minimum necessary, safeguards for ePHI, and subcontractor flow-down requirements.
• Specify breach and security incident reporting timelines, cooperation duties, and evidence preservation.
• Confirm vendor obligations for Security Risk Assessment (SRA), workforce training, and incident handling.
• Update BAAs when services change, systems are replaced, or new integrations accessing PHI are added.

Conduct Security Risk Assessment

Complete or update your Security Risk Assessment (SRA) to identify threats, vulnerabilities, likelihood, and impact to systems that store or process ePHI. Tie findings to a prioritized, time-bound risk management plan.

• Map data flows for PHI/ePHI, including EHRs, cloud storage, messaging tools, endpoints, and backups.
• Evaluate administrative, physical, and technical safeguards: access controls, MFA, encryption, patching, and device/media handling.
• Run vulnerability scans, review audit logs, and test backups and disaster recovery for integrity and restoration speed.
• Document remediation actions, owners, budgets, and dates; track progress with Compliance Monitoring.

Update Policies and Procedures

Align written policies with current operations, SRA results, and technology changes. Ensure staff can easily access the latest versions and know how to follow them.

• Refresh policies for access management, minimum necessary, data classification, mobile and remote work, and acceptable use.
• Strengthen authentication, account provisioning/deprovisioning, and change management for systems touching ePHI.
• Update contingency planning, backup/restore, Incident Response Plan, and breach notification procedures.
• Record approval dates, version histories, and training acknowledgments; maintain Documentation Retention for six years.

Develop Breach Reporting Plan

Establish a clear, tested Incident Response Plan that defines who does what, when, and how after a suspected breach. Focus on swift containment, investigation, and accurate notifications.

• Use a standardized triage and four-factor risk assessment to determine breach probability and required notifications.
• Notify affected individuals without unreasonable delay and no later than 60 days after discovery; for incidents affecting 500+ individuals, notify regulators and, when required, media in the same timeframe.
• For incidents affecting fewer than 500 individuals, log each event and report to regulators no later than 60 days after the end of the calendar year in which they were discovered.
• Preserve evidence, maintain decision logs, document mitigation steps, and conduct after-action reviews to harden controls.

Maintain Documentation and Audit Logs

Strong Documentation Retention proves compliance and accelerates investigations. Keep records for at least six years from the date of creation or last effective date, whichever is later.

• Retain BAAs, SRAs, policies, training records, breach assessments, access requests, and risk treatment plans.
• Enable and review system audit logs for EHRs, identity providers, email, file storage, and network security tools.
• Set log retention periods aligned to risk and legal needs; secure logs against alteration and restrict access.
• Implement routine Compliance Monitoring: define metrics, schedule reviews, and escalate anomalies for timely remediation.

By completing training, validating Right of Access, tightening BAAs, finishing your SRA, updating policies, finalizing breach response, and organizing records, you reduce risk and head into the new year with a defensible compliance posture.

FAQs.

What are the key end of year HIPAA compliance tasks?

Confirm staff training, verify Right of Access workflows, refresh BAAs, complete your SRA with a remediation plan, update policies and your Incident Response Plan, finalize breach reporting procedures, and organize Documentation Retention and audit logs for clear Compliance Monitoring.

How often should HIPAA training be completed?

Provide training to new workforce members promptly upon hire and deliver role-based refreshers at least annually. Retrain whenever policies, systems, or job duties change, and keep signed attestations and completion records for at least six years.

What is the timeline for fulfilling patient right of access requests?

Fulfill requests within 30 days of receipt. If you cannot meet that timeframe, you may take one additional 30-day extension by sending a written notice before the initial deadline that explains the reason for delay and the new completion date.

How should breaches be reported and documented?

Activate your Incident Response Plan to contain, investigate, and assess risk. Notify affected individuals without unreasonable delay and no later than 60 days after discovery. For incidents affecting 500+ individuals, also notify regulators (and media when required) within 60 days; for fewer than 500, log each event and report to regulators no later than 60 days after the end of the calendar year. Preserve evidence, document decisions, and record mitigation and lessons learned.