HIPAA Compliance Checklist for Healthcare Office Renovations

Secure Transport of PHI

Before any box is packed or a workstation is unplugged, complete a Security Risk Assessment focused on the move. Map what protected health information (PHI) will travel, who will handle it, and where risks are highest along the route.

• Assign a move coordinator and define Role-Based Access Control so only authorized staff can pack, carry, or receive PHI.
• Inventory PHI and label containers with unique IDs; keep a chain-of-custody log from pickup to sign-off at the new site.
• Use tamper-evident, locked cases for paper and encrypted devices that meet recognized Data Encryption Standards for digital media.
• Prohibit unencrypted USB drives; if portable media is unavoidable, encrypt and document decryption keys separately.
• Use vetted couriers under applicable Business Associate Agreements when third parties will touch PHI; verify driver identity at handoff.
• Escort shipments, enable GPS tracking where feasible, and never leave PHI unattended in vehicles or unsecured staging areas.
• Predefine Incident Reporting Procedures for lost, stolen, or mishandled PHI, including a contact tree and time-bound actions.

On arrival, reconcile manifests against the chain-of-custody. Investigate discrepancies immediately and document responses in accordance with your incident procedures.

Update HIPAA Documentation

Renovations and relocations change your risk profile and operations. Update documentation so it reflects the new facility, workflows, and responsibilities.

• Revise your HIPAA policies and procedures to reflect the new address, floor plan, workstation use, and secure disposal processes.
• Update the Security Risk Assessment, asset inventory, data flow diagrams, and network topology.
• Refresh the contingency plan with new recovery time and recovery point objectives, site contacts, and vendor escalation paths.
• Review and update your Incident Reporting Procedures, including internal ticketing, breach evaluation steps, and notification timelines.
• Amend the Notice of Privacy Practices if contact information, mail routing, or patient communication channels change.
• Reissue role descriptions and Role-Based Access Control matrices for workforce members in their new locations.
• Document training on move-related privacy and security procedures; retain attendance logs and materials.
• Update directory of systems, service accounts, and privileged access; remove or modify any location-bound permissions.

Safeguard ePHI Systems

Your electronic PHI (ePHI) stack is most vulnerable during cutover. Protect integrity, confidentiality, and availability from planning through post-move validation.

Pre-move hardening and backups

• Create verified, offline backups of all ePHI systems; test restores to confirm integrity before you relocate.
• Apply current patches and firmware to servers, endpoints, and network gear prior to shutdown.
• Harden devices with full-disk encryption that aligns with your Data Encryption Standards policy and enforce MFA for all administrative access.
• Freeze non-essential changes two weeks before cutover and document approved exceptions.

Secure cutover and validation

• Segment the new network; place EHR and ancillary systems in protected VLANs with firewall rules and deny-by-default posture.
• Re-establish Role-Based Access Control and least-privilege permissions after directory and identity services come online.
• Enable TLS for data in transit; disable weak ciphers; reissue certificates if domain or hostnames change.
• Log and monitor authentication, admin actions, and data exports; route logs to a centralized, write-once repository.
• Conduct vulnerability scans and remediate critical findings before go-live; document results in the risk register.

Availability and Contingency Planning

• Activate downtime procedures with paper forms or read-only replicas while systems move; reconcile entries post-restoration.
• Protect critical racks with lockable cabinets, UPS, and environmental monitoring; test generator failover for clinical spaces.
• Stage spare endpoints and network hardware to reduce recovery time if devices are damaged in transit.

Handle Paper Records Carefully

Paper charts and printed PHI require meticulous controls from packing to final shelving. Aim to minimize what you move and track every container.

• Apply your retention schedule first; shred what is eligible using on-site or witnessed destruction and retain certificates.
• Pack remaining records in numbered, locked containers; record contents at a box-level summary without PHI on exterior labels.
• Restrict staging rooms to authorized staff; maintain sign-in/out sheets and supervise loading and unloading.
• Use tamper-evident seals and document seal numbers in chain-of-custody logs; verify seals at each transfer point.
• If digitizing, validate scanning quality, confirm index accuracy, and destroy paper only after you verify complete, readable images.

Notify Patients Securely

Communicate changes to patients without overexposing PHI. Use secure channels and honor patient preferences on file.

• Announce new location and hours via patient portal, recorded phone messages, and signage; avoid including diagnoses or sensitive details.
• When using mailers, include only minimal necessary information; keep address lists updated and suppress returned mail promptly.
• If a mailing vendor or call center assists, ensure applicable Business Associate Agreements cover data handling and suppression workflows.
• Train staff on scripts for disclosing directions and scheduling changes without revealing unnecessary PHI.
• Escalate any misdirected communications through your Incident Reporting Procedures and document corrective actions.

Review Business Associate Agreements

Renovations often add new vendors and expand the roles of existing ones. Ensure Business Associate Agreements address move-related access and protections.

• Inventory all vendors touching PHI during the project: movers, records storage, shredding, cabling, cloud backup, EHR, imaging, and courier services.
• Confirm BAAs specify permitted uses, safeguards aligned to your Data Encryption Standards, subcontractor flow-downs, and breach notification timelines.
• Include provisions for audits, minimum insurance coverage, personnel screening, and termination assistance for return or destruction of PHI.
• Verify incident reporting points of contact and testing of secure data transfer methods before any export or import occurs.

Implement Physical Safeguards

The new environment must enforce Facility Access Controls that match your risk profile and daily operations. Build privacy and security into the floor plan.

• Control ingress with badges or keys, visitor logs, and escort policies; restrict access to server rooms, records areas, and pharmacy spaces.
• Deploy surveillance for entrances, loading docks, and data closets; retain footage per policy and position cameras to avoid capturing PHI screens.
• Use lockable cabinets for charts and prescription pads; place shredding consoles in clinical zones to encourage immediate disposal.
• Position workstations to reduce shoulder-surfing; add privacy screens and auto-lock with short inactivity timers.
• Secure network closets and exam-room devices with cable locks; document hardware locations in the asset inventory.
• Mark confidential zones, reinforce clean-desk practices, and schedule after-hours security sweeps during the renovation period.

Conclusion

This HIPAA Compliance Checklist for Healthcare Office Renovations helps you protect PHI from packing to post-move validation. By updating documentation, enforcing Role-Based Access Control, applying Data Encryption Standards, and strengthening Facility Access Controls and Contingency Planning, you reduce risk and sustain compliant, uninterrupted care.

FAQs.

How do you secure PHI during an office renovation?

Complete a targeted Security Risk Assessment, limit handlers with Role-Based Access Control, and maintain chain-of-custody logs. Use locked, tamper-evident cases for paper and encrypt all digital media to your Data Encryption Standards. If third parties help, ensure Business Associate Agreements are in place and define Incident Reporting Procedures for any loss or mishandling.

What documentation needs updating after relocating a healthcare office?

Update HIPAA policies and procedures, the Security Risk Assessment, asset inventory, and network diagrams. Refresh the contingency plan, Incident Reporting Procedures, and Role-Based Access Control matrices. Amend the Notice of Privacy Practices and verify that Business Associate Agreements reflect the new site and contact details.

How can ePHI systems be protected during a move?

Back up and test restores before shutdown, then harden systems with full-disk encryption, TLS, and MFA. Rebuild RBAC on the new network, segment sensitive systems, and monitor logs centrally. Use downtime procedures as part of Contingency Planning and validate restores, patches, and certificates before resuming normal operations.

What physical safeguards are essential for HIPAA compliance in a new facility?

Implement Facility Access Controls with badges or keys, visitor logs, and restricted server rooms. Add surveillance for critical areas, lockable storage for charts and prescriptions, privacy screens, and auto-locking workstations. Secure network closets and devices, place shredding consoles in clinical zones, and enforce clean-desk and after-hours sweep routines.