HIPAA Compliance Checklist for Adding a New Office Location (Step-by-Step)

Expanding to a new site is exciting—and risky for protected health information (PHI). Use this HIPAA compliance checklist to plan, move, and reopen with confidence, keeping both paper PHI and ePHI protected at every step.

This step-by-step guide covers secure transport, documentation updates, technical safeguards, patient notification, Business Associate Agreements, and a post-move HIPAA check so you can launch the new location without disrupting privacy or security.

Secure Transport of PHI

Plan and Inventory

• Map what PHI exists (paper files, removable media, workstations, servers, backups) and where it will go.
• Minimize what moves: archive or securely destroy what you no longer need under your retention policy.
• Assign a move lead and define a documented chain-of-custody from packing to receipt.

Protect Paper PHI

• Pack records in numbered, sealed containers; record contents ranges and seal numbers in the custody log.
• Limit access to authorized staff; require sign-in/sign-out at each handoff and at vehicle loading/unloading.
• Use locked transport cases; never leave PHI unattended in vehicles or open areas.

Protect Electronic Media

• Encrypt laptops, drives, and backups before movement; verify encryption status and device inventory tags.
• Disable or remove local PHI caches from workstations; transport servers in shock-resistant, locked cases.
• Escort movers; if using a vendor, verify a Business Associate Agreement and include custody and loss reporting terms.

Documentation to Retain

• Signed custody logs, seal records, vehicle/route details, and receipt confirmations at the new site.
• Incident log of any anomalies (broken seal, delay, lost item) and the corrective action taken.

Update HIPAA Documentation

Policies, Plans, and Notices

• Revise facility-specific policies to reflect the new address, hours, emergency contacts, and physical access controls.
• Update your Notice of Privacy Practices where contact information, complaint addresses, or privacy official details change.
• Review and refresh your incident response process and breach notification procedures to include the new location.

Security Risk Analysis and Management

• Perform a security risk analysis focused on the new site’s layout, networks, and devices.
• Document risks, assign owners, and execute a risk management plan with timelines and verification steps.

Facility and Device Records

• Update floor plans, equipment inventories, and workstation assignments; record where PHI is created, received, maintained, or transmitted.
• Refresh training content and sign-offs for staff who will operate at the new location.

Safeguard ePHI During Transition

Network and Access Controls

• Segment networks; separate clinical, administrative, and guest Wi‑Fi. Use strong encryption for wireless and VPN for remote access.
• Harden switches, firewalls, and servers; enforce MFA, least privilege, and role-based access to EHR and ancillary systems.
• Enable logging and alerting; forward logs to a secure repository before go-live.

Endpoint and Workstation Security

• Standardize images, apply patches, and enable full-disk encryption, screen-lock timers, and anti-malware.
• Position monitors to prevent shoulder-surfing; add privacy filters where needed to strengthen workstation security.
• Control portable media; disable autorun and restrict USB access to approved, encrypted devices.

Data Protection and Continuity

• Verify secure, tested backups before disconnecting any system; perform a test restore post-move.
• Securely wipe or destroy decommissioned drives; record serials and destruction certificates.
• Document failover and downtime workflows to maintain care and billing continuity during the cutover.

Notify Patients

Timing and Channels

• Communicate the new location as early as practical—well before the first appointment there.
• Use multiple channels: mailed notices, patient portal messages, appointment reminders, on-site signage, and phone system updates.

Content and Compliance

• Include address, effective date, parking/entry details, and how to reach you for questions.
• Avoid including PHI in notifications; if unavoidable, use secure messaging or obtain consent for electronic delivery.
• Ensure any changes to contacts in your Notice of Privacy Practices are reflected and available at the new site.

Proof of Communication

• Retain samples, distribution lists, send dates, and portal/audit reports as evidence of notification.

Review Business Associate Agreements

What to Verify

• Confirm that each Business Associate Agreement lists correct contacts and addresses and covers services at the new location.
• Recheck required safeguards, subcontractor oversight, breach notification procedures, and security incident reporting timelines.
• Ensure pickup/delivery details (e.g., shredding, imaging, courier) include custody requirements and site-specific instructions.

When to Amend

• Amend BAAs if scope changes (new systems, on-site services, new data flows) or if terms require site-specific attachments.
• Document vendor readiness: background checks, training attestations, and proof of insurance/certifications if required.

Evidence to Keep

• Signed amendments, vendor risk assessments, and communications confirming operational changes and go-live dates.

Conduct a Post-Move HIPAA Check

Physical Walk-Through

• Verify locked server/network rooms, badge-controlled areas, camera coverage, visitor logs, and clean desk practices.
• Spot-check record storage, shred bins, and reception privacy (no PHI on sign-in sheets).

Technical Validation

• Confirm access rights, MFA, encryption, and backups; review security logs for anomalies after cutover.
• Run a quick vulnerability scan of the new subnet; remediate and retest.

Administrative Follow-Through

• Conduct a brief tabletop exercise of your incident response process to validate roles and escalation.
• Reinforce staff training; capture sign-ins and address any workflow gaps discovered during the first weeks.

By inventorying PHI, tightening transport, updating documentation, hardening systems, notifying patients responsibly, aligning BAAs, and auditing after go-live, you can open your new office smoothly while protecting privacy and security.

FAQs.

How do you ensure PHI security during an office move?

Create a detailed inventory, move only what’s necessary, encrypt all devices and media, and enforce a documented chain-of-custody with sealed containers and signed handoffs. Use authorized staff or vetted vendors, escort throughout transit, and log receipt at the new site with immediate reconciliation.

What documentation needs updating after relocating?

Revise policies and procedures for the new address and operations, update your Notice of Privacy Practices if contact details change, refresh the security risk analysis and risk management plan, and align the incident response process and breach notification procedures. Update floor plans, device inventories, and training records.

When should patients be notified of the new office location?

Notify patients as early as practical—well before appointments occur at the new site—and repeat via multiple channels (mail, portal, reminders, signage, phone system). Keep messages free of PHI or send via secure methods, and ensure the updated notice and contact information are available at the new location.

How are Business Associate Agreements affected by a move?

Most BAAs need contact/address updates and confirmation that services and safeguards extend to the new site. Amend agreements when scope or data flows change, and verify requirements for subcontractors, security incident reporting, and custody terms for on-site services like shredding or courier pickups.