HIPAA Compliance Checklist for Healthcare Nonprofits: Everything You Need to Get and Stay Compliant

For healthcare nonprofits, HIPAA compliance is a continuous program—not a one-time project. This HIPAA compliance checklist for healthcare nonprofits gives you a practical roadmap to protect Protected Health Information (PHI), reduce risk, and demonstrate accountability to patients, donors, and regulators.

You’ll move step by step through a Security Risk Analysis (SRA), Administrative, Physical, and Technical Safeguards, Business Associate Agreements (BAAs), Breach Notification Requirements, documentation, audits, and an Incident Response Plan. Use and adapt these actions to your size, mission, and resources.

HIPAA Compliance Overview

HIPAA sets national standards for privacy, security, and breach notification for PHI and electronic PHI (ePHI). As a nonprofit handling care delivery, case management, or benefits coordination, you must implement policies, procedures, and controls proportionate to your risks and operations.

What counts as PHI

• Identifiers tied to health data: names, addresses, phone/email, dates, medical record numbers, account numbers, and Social Security numbers.
• Clinical and billing details: diagnoses, treatment notes, lab results, claims, EOBs, and care coordination records.
• Digital traces: device IDs, IP addresses, patient portal logs, and images or scans containing identifiers.

HIPAA rules at a glance

• Privacy Rule: governs how you may use and disclose PHI and enforces the minimum necessary standard.
• Security Rule: requires safeguards—administrative, physical, and technical—to protect ePHI’s confidentiality, integrity, and availability.
• Breach Notification Rule: requires timely notice to affected individuals, regulators, and sometimes the media when unsecured PHI is compromised.

HIPAA includes “required” and “addressable” specifications. Addressable does not mean optional—it means you must implement the control or document a reasonable, equivalent alternative.

Conduct Security Risk Analysis

A Security Risk Analysis (SRA) is the foundation of your program. It identifies where ePHI lives, your specific threats and vulnerabilities, and the measures you need to reduce risk to reasonable and appropriate levels.

How to perform an SRA

• Scope and inventory: list systems, applications, databases, cloud services, email, mobile devices, medical devices, and backups that create, receive, maintain, or transmit ePHI.
• Map data flows: trace how PHI enters, moves through, and exits your environment, including third parties and manual processes.
• Identify threats and vulnerabilities: phishing, ransomware, lost or stolen devices, misconfigurations, insider misuse, physical hazards, and vendor failures.
• Assess likelihood and impact: rate each risk to prioritize remediation based on realistic scenarios.
• Evaluate existing controls: determine what already reduces risk and where gaps remain.
• Create a risk management plan: define corrective actions, owners, budgets, and deadlines.
• Document methods and decisions: maintain your SRA report and supporting evidence.
• Review and update: repeat at least annually and whenever significant changes or incidents occur.

Key SRA deliverables

• Risk register with ratings and justifications.
• Time-bound remediation plan aligned to resources and mission priorities.
• Executive summary for board or leadership oversight.
• Evidence repository: inventories, diagrams, screenshots, and policies tied to findings.

Implement Administrative Safeguards

Administrative Safeguards translate your risk posture into governance, policies, and workforce practices that keep PHI safe day to day.

• Assign a security official and define roles for privacy, IT, compliance, and program leaders.
• Adopt written policies and procedures covering access, minimum necessary, offboarding, sanctions, remote work, and acceptable use.
• Workforce management: background checks consistent with mission, role-based access, and timely removal of access upon role change.
• Training and awareness: provide onboarding and at least annual HIPAA training; refresh after policy changes or incidents and track completion.
• Contingency planning: data backup, disaster recovery, and emergency mode operations; test these plans and document results.
• Vendor management: risk-rank vendors, require BAAs before sharing PHI, and monitor performance and security attestations.
• Risk management: drive SRA remediation to closure with metrics and leadership reviews.
• Policy lifecycle and attestations: version control, approvals, and workforce attestations to current policy sets.

Deploy Physical Safeguards

Physical Safeguards control who can physically reach systems and media that store or display PHI. They prevent opportunistic access and reduce the impact of environmental events.

• Facility access control: keys/badges, visitor logs, locked areas for servers/network gear, and secure storage for paper records.
• Workstation security: position screens away from public view, use privacy filters, auto-lock on inactivity, and secure laptops during travel.
• Device and media controls: inventory assets, enable full-disk encryption on portable devices, sanitize or destroy media before reuse or disposal, and maintain chain of custody.
• Environmental protections: surge/UPS for critical systems, temperature control, and safeguards against water or fire damage.

Practical tips for nonprofits

• Consolidate sensitive operations to fewer, better-controlled locations.
• Issue encrypted loaner devices for volunteers instead of allowing personal devices for PHI access.

Establish Technical Safeguards

Technical Safeguards protect ePHI with access controls, monitoring, and cryptography. Implement controls appropriate to your systems and threat landscape.

• Access control: unique user IDs, least-privilege roles, multi-factor authentication, and timely deprovisioning.
• Audit controls: centralize logs, retain them for investigations, and review high-risk events with alerts.
• Integrity controls: validated backups, anti-malware/EDR, and tamper-evident logging to prevent or detect unauthorized changes.
• Authentication: strong passwords or passphrases with MFA and, where feasible, SSO to reduce password sprawl.
• Transmission security: enforce TLS for portals, APIs, and email gateways; use secure messaging or encrypted email for PHI exchange.
• Encryption-at-Rest: enable disk/database encryption for servers, laptops, and cloud storage; protect keys with sound key management practices.
• Session management: automatic logoff and short idle timeouts on shared workstations.
• Patch and vulnerability management: routine updates, vulnerability scans, and prompt remediation of critical findings.

Execute Business Associate Agreements

Any vendor that creates, receives, maintains, or transmits PHI on your behalf is a Business Associate. You must have executed Business Associate Agreements (BAAs) before sharing PHI.

• Maintain a vendor inventory and classify which vendors are Business Associates.
• Sign BAAs before onboarding and verify security practices proportionate to risk.
• Ensure BAAs cover permitted uses/disclosures, required safeguards, breach reporting timelines, subcontractor flow-down, and right to audit.
• Require return or destruction of PHI at contract end unless infeasible, with continued protections if retained.
• Track BAA versions, signatures, and expirations; review material changes annually.

Develop Breach Notification Procedures

Define clear Breach Notification Requirements so your team responds quickly and lawfully when PHI may be compromised. Align legal, privacy, security, and communications roles in advance.

Workflow and timelines

• Detect and report: establish easy, well-known channels to report suspected incidents.
• Contain and investigate: preserve evidence, secure accounts/devices, and analyze scope.
• Risk assessment: evaluate the nature and extent of PHI, the unauthorized recipient, whether data was actually acquired/viewed, and mitigation actions.
• Notification decision: if a breach of unsecured PHI occurred, notify affected individuals without unreasonable delay and no later than 60 calendar days.
• Regulatory reporting: for 500+ individuals in a state/jurisdiction, notify HHS and local media; for fewer than 500, log and report to HHS annually.
• Documentation: record decisions, timelines, notices, and corrective actions.

Content of notices

• What happened, including dates of the incident and discovery.
• Types of PHI involved (e.g., names, MRNs, diagnoses, SSNs).
• What you have done to mitigate harm and prevent recurrence.
• What affected individuals can do and how to get help.
• Contact information for questions and assistance.

Maintain Documentation and Record Retention

HIPAA requires you to retain policies, procedures, and other program records for at least six years from creation or last effective date. Strong documentation shows due diligence and speeds audits or investigations.

• Keep policies/procedures, SRAs, risk management plans, training logs, BAAs, system inventories, incident and breach logs, and audit results.
• Centralize records in a secure repository with version control, approvals, and retention schedules.
• Traceability: link risks to controls, tickets, and evidence to demonstrate closure.
• Readiness: maintain exportable packages for leadership reviews and regulator requests.

Perform Regular Audits and Assessments

Audits verify that safeguards work as intended and that staff follow policy. Right-sized, recurring checks reduce both risk and operational surprises.

• Access reviews: quarterly user and role recertifications; validate minimum necessary access.
• Technical health: vulnerability scans, prompt patching, secure configuration baselines, and periodic penetration tests commensurate with risk.
• Log and alert reviews: investigate anomalous access, failed logins, and data exports.
• Privacy spot checks: verify authorization and accounting of disclosures where required.
• Backup/DR testing: prove you can restore systems and data within required timeframes.
• Vendor governance: sample BA performance, evidence of safeguards, and breach reporting readiness.
• Training effectiveness: track participation, quizzes, and phishing simulations.

Develop Incident Response Plan

An Incident Response Plan defines how you detect, contain, eradicate, and recover from security events involving ePHI. It connects directly to your SRA and breach processes so you act decisively under pressure.

• Define team and roles: incident lead, security, privacy, IT, legal, communications, and program leadership.
• Severity and escalation: classify incidents and set response timelines and authority levels.
• Playbooks: create step-by-step runbooks for ransomware, lost/stolen devices, misdirected email/fax, and compromised accounts.
• Forensics and evidence: preserve logs, images, and artifacts; maintain chain of custody.
• Recovery: rebuild or restore from clean, encrypted backups; validate integrity before returning to service.
• Communications: coordinate internal updates and external notices, including to impacted individuals and regulators when required.
• Lessons learned: conduct post-incident reviews, update controls, and feed changes into training and policies.
• Exercises: run tabletop and technical drills at least annually and after major changes.

Compliance is sustained through repetition: assess risks, implement safeguards, document, test, and improve. Use this HIPAA compliance checklist to build a program that protects PHI, supports your mission, and stands up to scrutiny.

FAQs.

What is required in a HIPAA Security Risk Analysis?

A HIPAA SRA must identify where ePHI resides and flows, catalog threats and vulnerabilities, assess likelihood and impact, evaluate existing controls, and document residual risks. It must produce a written risk register and a risk management plan with prioritized remediation, owners, and deadlines, then be reviewed at least annually and after major changes or incidents.

How often should nonprofits update their HIPAA training?

Provide training at onboarding and at least annually for all workforce members with PHI access. Update training promptly after policy or technology changes, audit findings, or security incidents, and keep signed attestations and completion logs as part of your documentation and retention program.

What must be included in a Business Associate Agreement?

A BAA should define permitted uses and disclosures of PHI, require appropriate safeguards, set breach and incident reporting timelines, mandate subcontractor compliance, allow audits or provision of assurances, address access and amendment support, and require PHI return or destruction at contract end (or continued protection if retention is necessary).

What are the key breach notification procedures for healthcare nonprofits?

Establish intake and triage, contain the event, and perform a risk assessment to decide if a breach of unsecured PHI occurred. If so, notify impacted individuals without unreasonable delay and no later than 60 days, include required notice content, report to HHS (and local media if 500+ individuals in a state/jurisdiction), log smaller breaches for annual submission, and document all decisions and corrective actions.