HIPAA Compliance Checklist for Functional Medicine Practices

Functional medicine practices handle extensive lab data, lifestyle histories, genomics, and remote monitoring streams. Protecting this Protected Health Information (PHI) is central to patient trust and regulatory compliance. This HIPAA Compliance Checklist for Functional Medicine Practices gives you practical, step-by-step actions aligned with the HIPAA Privacy Rule and the Security Rule.

Use these sections to formalize governance, complete a thorough Risk Analysis, implement Administrative, Physical, and Technical Safeguards, train your team, and prepare clear Breach Notification procedures. Tailor each step to your size, workflows, and vendor ecosystem.

Designate a HIPAA Compliance Officer

Role and responsibilities

• Oversee HIPAA Privacy Rule and Security Rule programs; coordinate privacy and security activities across the practice.
• Lead the Risk Analysis and risk management plan; track remediation through completion.
• Own policies, procedures, and workforce sanctions; monitor compliance and internal audits.
• Manage Business Associate Agreements (BAAs) with specialty labs, telehealth platforms, billing vendors, and cloud EHRs.
• Run incident response and Breach Notification; maintain all required documentation.

Who should serve

In small practices, your practice manager, lead clinician, or operations director can serve. Ensure they have decision-making authority, protected time, and direct access to leadership to escalate issues quickly.

Documentation to keep

• Designation memo and job description spelling out privacy and security duties.
• Annual work plan, audit schedule, and training calendar.
• Risk register, incident log, mitigation records, and BAA inventory.

Conduct Regular Risk Assessments

Map your PHI environment

Start your Risk Analysis by mapping how PHI and ePHI enter, move through, and leave your practice. Include patient portals, telehealth, wearable data, genomics results, supplements fulfillment, and coach communications.

Analyze and prioritize risk

• Identify assets (EHR, laptops, mobile devices), threats (loss, phishing), and vulnerabilities (weak MFA, open ports).
• Score likelihood and impact to prioritize remediation; document risk acceptance with justification where applicable.
• Address third-party risks for labs, billing, transcription, and remote scribe services.

Frequency and triggers

Perform a comprehensive Risk Analysis at least annually and whenever you introduce new technology, vendors, locations, or workflows—such as a new telemedicine platform or remote coaching program. Update your written risk management plan and track progress.

Deliverables

• Written assessment report with findings, risk ratings, and assigned owners.
• Time-bound remediation plan, testing/validation steps, and evidence of completion.

Implement Administrative Safeguards

Core policies and procedures

• Privacy policies under the HIPAA Privacy Rule: minimum necessary, uses/disclosures, patient rights (access, amendments, restrictions), and Notice of Privacy Practices.
• Security policies: role-based access, workforce clearance, sanction policy, incident response, contingency planning (data backup, disaster recovery, emergency operations), and security awareness.
• Vendor management: BAAs for each Business Associate; due diligence, security questionnaires, and ongoing monitoring.

Functional medicine–specific steps

• Standardize lab ordering and results workflows; restrict who may view raw genomics data.
• Define coach and nutritionist access under least-privilege; prohibit PHI in unsecured messaging.
• Use consent forms for telehealth, remote monitoring, and data sharing with external labs.
• Implement BYOD rules for mobile charting, photos, and supplement dispensing systems.

Proof of compliance

• Policy sign-offs, training records, audit logs, BAA list with renewal dates.
• Contingency test results (backup restoration drills) and incident postmortems.

Apply Physical Safeguards

Facilities and workstations

• Restrict access to records rooms; secure sample storage; maintain visitor logs.
• Position screens away from public view; enable privacy screens in reception and consult rooms.
• Adopt clean-desk and secure printing protocols; lock cabinets for paper PHI.

Devices and media

• Maintain an inventory of all devices handling PHI; assign owners and locations.
• Use cable locks for laptops and medical devices; control keys and badges.
• Sanitize or destroy media before reuse or disposal; shred paper with PHI promptly.

Remote and hybrid care

• Set standards for home-office privacy, sound masking, and locked storage.
• Prohibit family/shared devices for ePHI unless fully managed and encrypted.

Use Technical Safeguards

Access controls

• Unique user IDs, multi-factor authentication, and role-based permissions.
• Automatic logoff and session timeouts; emergency access procedures.
• Least-privilege defaults for coaches, contractors, and rotating trainees.

Audit controls and integrity

• Enable audit logs across EHR, telehealth, e-fax, and patient portal.
• Review access reports for anomalies; document investigations and outcomes.
• Use integrity checks and change tracking for critical records and interfaces.

Transmission security

• Encrypt data in transit (e.g., TLS for portals and APIs) and at rest where feasible.
• Use secure email or patient portal for PHI; replace SMS with secure messaging apps.
• Protect telehealth with encrypted sessions; restrict screen-sharing to necessary content.

Contingency and resilience

• Maintain versioned, offsite backups; test restores regularly.
• Document Recovery Time and Recovery Point Objectives appropriate to your clinic.

Vendor considerations

• Require BAAs; verify encryption, access logging, and breach support obligations.
• Clarify shared responsibilities for security configurations and incident response.

Train Staff on HIPAA

Training program

• Provide new-hire orientation on privacy, security, and acceptable use before PHI access.
• Offer role-based refreshers at least annually and whenever policies or systems change.
• Run ongoing security awareness on phishing, social engineering, and mobile safety.

What to cover

• Definition and examples of Protected Health Information and minimum necessary use.
• Patient rights under the HIPAA Privacy Rule and how to process requests.
• How to report incidents quickly; do’s and don’ts for texting, photos, and remote work.

Track and enforce

• Maintain attendance, assessments, and acknowledgments of policies.
• Apply a consistent sanction policy for violations and document corrective actions.

Establish Breach Notification Procedures

Identify and assess incidents

• Define what constitutes a privacy or security incident; presume breach unless a documented risk assessment shows low probability of compromise.
• Use the four-factor assessment (nature of PHI, unauthorized person, whether acquired/viewed, mitigation) to decide if notification is required.

Respond and notify

• Contain and investigate immediately; preserve logs and evidence.
• Notify affected individuals without unreasonable delay and no later than 60 days when required.
• Report to HHS as required and to prominent media if 500+ individuals in a state/area are affected.
• Document decisions, timelines, and mitigation steps; update policies to prevent recurrence.

Compose clear communications

• Describe what happened, the types of PHI involved, steps individuals should take, what you are doing, and your contact information.
• Offer support such as dedicated hotlines and, when appropriate, credit monitoring.

Conclusion

HIPAA compliance is an ongoing program, not a one-time task. By assigning ownership, completing a robust Risk Analysis, enforcing Administrative, Physical, and Technical Safeguards, training your team, and rehearsing Breach Notification, you strengthen privacy, security, and patient confidence across your functional medicine practice.

FAQs

What are the key HIPAA requirements for functional medicine practices?

You must protect PHI through Administrative, Physical, and Technical Safeguards; complete and maintain a documented Risk Analysis and risk management plan; honor patient rights under the HIPAA Privacy Rule; train your workforce; manage Business Associates with BAAs; and maintain incident response and Breach Notification procedures with thorough documentation.

How often should a risk assessment be conducted?

Perform a comprehensive Risk Analysis at least annually and whenever significant changes occur—such as adopting a new EHR, adding telehealth, onboarding a lab vendor, relocating offices, or enabling remote coaching. Update your remediation plan and verify that fixes are implemented and effective.

What training is required for staff under HIPAA?

Train all workforce members on your policies and procedures before they access PHI, then provide role-based refreshers at least annually and when policies, systems, or roles change. Cover the HIPAA Privacy Rule, security awareness, minimum necessary, acceptable use, remote work expectations, and how to report suspected incidents promptly.

How should breaches be reported?

First, contain and investigate the incident and complete a documented risk assessment. If notification is required, notify affected individuals without unreasonable delay and no later than 60 days, report to HHS per volume thresholds, and notify media when 500 or more individuals in a state/area are affected. Keep detailed records of findings, decisions, timelines, and mitigation.