HIPAA Compliance Checklist for Covered Entities: Requirements, Risks, and Remedies

Use this HIPAA compliance checklist for covered entities to align requirements, risks, and remedies into a practical program. If you create, receive, maintain, or transmit Electronic Protected Health Information (ePHI), the steps below show you what to assess, what to implement, and how to respond when issues arise.

The checklist follows the core Security Rule activities: risk analysis, risk management, sanction policy, information system activity review, workforce security, Business Associate Agreements, and an incident response plan. Throughout, apply Administrative Safeguards, Technical Safeguards, and Physical Access Controls appropriate to your organization’s size and complexity.

Risk Analysis

A thorough, documented risk analysis is your starting point. You identify where ePHI lives, how it moves, who can access it, and what could reasonably go wrong. Evaluate threats, vulnerabilities, likelihood, and impact to produce a current view of risk to confidentiality, integrity, and availability.

• Define scope: all systems, apps, devices, facilities, and vendors that create, receive, maintain, or transmit ePHI (including backups, messaging, telehealth, and cloud services).
• Inventory assets and data flows: map how ePHI enters, is used, stored, and leaves your environment; include portable media and remote work scenarios.
• Identify threats and vulnerabilities: human error, insider misuse, lost/stolen devices, ransomware, third-party failures, misconfigurations, and physical hazards.
• Evaluate controls: note existing Administrative Safeguards, Technical Safeguards, and Physical Access Controls and where gaps exist.
• Score likelihood/impact and rank risks; document assumptions, evidence, and methodology for repeatability.

Deliverables should include a risk register, rationale for ratings, recommended treatments, and accountable owners. Update the analysis at least annually and whenever material changes occur, such as new EHR modules, cloud migrations, mergers, or significant incidents.

Risk Management

Risk management turns analysis into action. You decide how to treat prioritized risks—mitigate, avoid, transfer, or accept—with deadlines, budgets, and owners. Track progress and residual risk as part of ongoing governance.

• Implement Technical Safeguards: unique user IDs, role-based access, MFA, encryption at rest/in transit, secure configurations, vulnerability management, and segmentation.
• Strengthen Administrative Safeguards: policies, procedures, training, vendor oversight, change management, and periodic access recertification.
• Reinforce Physical Access Controls: facility access badges, visitor management, locked server rooms, device security, and environmental protections.
• Establish metrics: patch SLAs, phishing failure rates, time to revoke access, backup success, and mean time to detect/contain incidents.
• Define risk acceptance: criteria, approvals, duration limits, and re-review triggers for any accepted high risks.

Integrate Security Incident Tracking into daily operations so trends (e.g., repeated misdirected faxes, failed logins, or endpoint alerts) inform control improvements and leadership reporting.

Sanction Policy

A written, consistently enforced sanction policy deters violations and supports a culture of accountability. Apply it to your entire workforce, including employees, contractors, students, and volunteers.

• Define prohibited behaviors: snooping in charts, password sharing, disabling security controls, unsafe use of ePHI, and bypassing Physical Access Controls.
• Calibrate tiers of violations and consequences: coaching and retraining, written warnings, suspension, and termination when warranted.
• Ensure due process: fair investigation, documentation, and HR/legal coordination; keep records in personnel files.
• Link to training and remediation: require refresher training and attestations after violations; address root causes to prevent recurrence.

Information System Activity Review

Regular reviews of system activity help you detect inappropriate access and other anomalies. Define what to log, how long to retain it, who reviews it, and how to escalate findings.

• Audit Logs: capture logins, access to ePHI, privilege changes, failed authentications, configuration changes, data exports, and use of “break-glass” access.
• Review cadence: daily for critical systems and elevated accounts; weekly for broader access reviews; monthly trend analysis for patterns and insider risks.
• Tooling and triage: use SIEM or centralized logging to correlate events; tune alerts to reduce noise; document investigations and outcomes.
• Access recertification: periodically confirm that users still need their roles and rights; remove stale or excessive access promptly.
• Retention: keep documentation of reviews, findings, and corrective actions for at least six years; retain underlying logs per risk and business needs.

Feed results into Security Incident Tracking so repeated or significant anomalies trigger control changes, additional monitoring, or sanctions.

Workforce Security

Protecting ePHI depends on managing people, not just technology. Formalize how you authorize access, verify identity, train staff, and remove access promptly.

• Onboarding: background checks where appropriate, confidentiality agreements, unique user IDs, and role-based access aligned to minimum necessary.
• Training: initial and periodic HIPAA security awareness, phishing simulations, secure remote work practices, and device handling expectations.
• Operations: screen locks, secure printing, clean desk, and safeguards for mobile/remote work (MDM, encryption, and lost-device procedures).
• Offboarding: same-day deprovisioning of accounts, retrieval/wipe of devices, and termination of facility badges and other Physical Access Controls.
• Oversight: quarterly access reviews for high-risk systems, separation of duties for admins, and monitoring of privileged activity.

Business Associate Agreements

Execute a Business Associate Agreement before a vendor or partner handles ePHI on your behalf. Identify all Business Associates and ensure downstream subcontractors are covered by equivalent terms.

• Core terms: permitted uses/disclosures, required safeguards, breach notification duties and timelines, minimum necessary, and data return/destruction.
• Security requirements: encryption expectations, Audit Logs, access controls, vulnerability management, and incident cooperation.
• Oversight: risk-based due diligence, right-to-audit or independent assurance, and periodic reviews of performance and incidents.
• Lifecycle controls: onboarding checklists, Security Incident Tracking for vendor events, and termination steps for data and access.

Ensure every cloud service, integration partner, revenue cycle vendor, or telehealth platform that touches ePHI has a signed, current Business Associate Agreement on file.

Incident Response Plan

A tested incident response plan minimizes harm and supports timely breach notifications. Define roles, communication paths, decision criteria, and handoffs from detection through recovery.

• Preparation: playbooks for common scenarios (lost device, ransomware, misdirected disclosure, insider snooping), evidence handling, and external contacts.
• Detection and analysis: triage alerts, confirm scope, and assess risk to ePHI; document all actions in Security Incident Tracking.
• Containment, eradication, recovery: isolate affected systems, remove malicious artifacts, restore from verified backups, and validate normal operations.
• Breach assessment: evaluate the nature/extent of PHI, who accessed it, whether data was actually viewed/acquired, and mitigation performed; presume breach unless a low probability of compromise is shown.
• Notifications: without unreasonable delay and no later than 60 calendar days of discovery, notify affected individuals; notify HHS and, when 500+ individuals in a state or jurisdiction are affected, the media as required. Track state-law timelines that may be shorter.
• Post-incident improvement: root-cause analysis, policy updates, added monitoring, sanctions where appropriate, and lessons-learned exercises.

Conclusion

Effective HIPAA compliance is an ongoing program: analyze risk, manage it with layered safeguards, enforce a fair sanction policy, continuously review activity, secure your workforce, bind vendors with strong Business Associate Agreements, and respond to incidents with discipline. Embed these practices into daily operations and iterate based on evidence.

FAQs.

What are the key components of HIPAA compliance for covered entities?

Core components include a current risk analysis, risk management plan, formal policies and procedures, workforce security and training, Information System Activity Review with robust Audit Logs, Security Incident Tracking, Business Associate Agreements for all vendors handling ePHI, and a tested incident response and breach notification process. These are implemented through Administrative Safeguards, Technical Safeguards, and Physical Access Controls.

How often should a risk analysis be conducted?

Conduct a risk analysis at least annually and whenever significant changes occur—new systems, major upgrades, migrations, acquisitions, or material incidents. Treat it as an ongoing process: update the risk register, validate assumptions, and re-evaluate residual risk as your environment evolves.

What are the consequences of non-compliance with HIPAA?

Consequences can include civil monetary penalties, corrective action plans with multi-year monitoring, contractual and payer impacts, litigation and state enforcement, operational disruption, and reputational damage. Strong documentation and consistent enforcement of safeguards substantially reduce both the likelihood and severity of these outcomes.

How should a covered entity respond to a data breach?

Activate your incident response plan: contain and eradicate the issue, assess the probability of compromise to ePHI, document all steps in Security Incident Tracking, and notify affected individuals and regulators within required timelines. Provide remediation (e.g., credit monitoring when appropriate), fix root causes, and update policies, controls, and training to prevent recurrence.