HIPAA Compliance Checklist for Skilled Nursing Facilities (SNFs)

Ensure Patient Health Information Privacy

Define Protected Health Information (PHI)

Begin by mapping where Protected Health Information (PHI) lives across your SNF—paper charts, EHRs, nurse call systems, voicemail, fax, email, and vendors. Identify who touches PHI and for what purpose so you can apply the “minimum necessary” standard consistently.

Follow the HIPAA Privacy Rule

The HIPAA Privacy Rule governs how you use and disclose PHI. Issue and post your Notice of Privacy Practices, honor resident rights (access, amendment, restrictions, confidential communications), and verify requestors before releasing records. Use role-based access to limit who can view what, and document all authorizations for non-routine disclosures.

Prevent Everyday Privacy Risks

Control conversations in hallways and dining areas, avoid visible whiteboards containing identifiers, and position screens away from public view. Use secure shredding for paper, and double‑check fax numbers and recipient identities before sending PHI.

Manage Business Associates

Inventory all vendors that handle PHI and execute Business Associate Agreements (BAAs) detailing permitted uses, safeguards, and breach reporting duties. Reassess vendors periodically and document due diligence.

Quick Privacy Checklist

• Publish and distribute the Notice of Privacy Practices.
• Apply minimum-necessary, role-based access to PHI.
• Standardize authorization, verification, and disclosure logs.
• Secure paper handling, faxing, and verbal communications.
• Maintain BAAs and vendor oversight records.

Implement Administrative Safeguards

Assign Leadership and Accountability

Designate a Privacy Officer and a Security Officer with authority to implement and enforce HIPAA policies. Establish a cross‑functional committee to review incidents, approve controls, and track remediation.

Perform a Security Risk Assessment

Conduct a comprehensive Security Risk Assessment at least annually and whenever major changes occur. Identify threats to confidentiality, integrity, and availability of ePHI, evaluate current controls, score residual risk, and create a time‑bound risk management plan with owners and budgets.

Strengthen Policies and Procedures

• Access management: onboarding, role changes, and rapid termination processes.
• Workforce security and sanction policy: define expectations and consequences.
• Security incident response: intake, triage, investigation, and escalation paths.
• Contingency planning: data backup, disaster recovery, and emergency‑mode operations.
• Periodic evaluations: test controls and update policies as your environment evolves.

Plan for Continuity of Care

Back up critical systems and paper records, document downtime procedures, and run drills so nursing staff can deliver care safely during outages. Keep vendor and utility contacts ready for rapid coordination.

Embed Vendor Governance

Tier vendors by risk, require Administrative Safeguards in contracts, and obtain evidence of controls (e.g., SOC 2 summaries, penetration tests). Track obligations and renewal dates to prevent lapses.

Apply Physical Safeguards

Facility and Physical Access Controls

Restrict entry to areas housing PHI using Physical Access Controls such as keycards, locks, and visitor sign‑in. Separate public spaces from nursing stations and records rooms, and secure medication and chart carts.

Workstation Security

Position screens away from public view, use privacy filters where needed, auto‑lock after short inactivity, and disable local storage on shared stations. Prohibit unattended sessions in common areas.

Device and Media Controls

Maintain an asset inventory for laptops, tablets, and removable media. Apply secure storage, chain‑of‑custody for transport, and NIST‑grade wiping or physical destruction before disposal or reuse.

Paper Record Protection

Store paper files in locked rooms or cabinets, limit keys, sign records in and out, and shred promptly when retention periods end. Ensure vendors handling destruction follow documented, witnessed processes.

Use Technical Safeguards Effectively

Access Controls and Authentication

Assign unique user IDs, enforce strong passwords, and implement multi‑factor authentication for remote and privileged access. Use least‑privilege, role‑based provisioning and promptly revoke access for departures.

Audit Controls and Monitoring

Enable audit logs across EHRs, email, and file systems. Review alerts for anomalous access (after hours, bulk downloads, VIP charts) and document investigations and outcomes.

Integrity and Transmission Security

Protect ePHI with encryption in transit and at rest, deploy anti‑malware and allow‑listing, and verify data integrity with checksums or hashing where feasible. Secure messaging, e‑fax, and patient portals should use TLS and robust authentication.

System Hardening and Patch Management

Baseline configurations for servers, workstations, and EHR components should disable unnecessary services and default accounts. Apply patches on a defined cadence with testing, rollback plans, and proof of deployment.

Mobile and Remote Controls

Use mobile device management for SNF‑owned devices, enforce encryption and remote wipe, and restrict copy/paste of ePHI. Require VPN or zero‑trust access for off‑site connections.

Conduct Regular Employee Training

Build a Role‑Based Program

Train new hires before system access and provide annual refreshers at minimum. Tailor modules for nursing, admissions, therapy, dietary, housekeeping, and billing so each role understands the HIPAA Privacy Rule and Technical Safeguards relevant to daily tasks.

Use Scenarios and Simulations

Rehearse realistic events—misdirected faxes, lost devices, social engineering calls, and phishing emails. Include just‑in‑time tips, job aids at workstations, and quick escalation paths.

Measure and Document

Track completion, scores, and attestations. Follow up with coaching where errors recur, and document sanctions when policy violations occur to demonstrate enforcement.

Develop Breach Notification Policies

Define and Assess Incidents

Standardize how you identify, triage, and investigate suspected breaches. Use a structured risk assessment to evaluate the nature and extent of PHI exposed, who received it, whether it was actually viewed, and the effectiveness of mitigation.

Meet the Breach Notification Rule

Set timelines and templates to notify affected individuals without unreasonable delay and no later than 60 days from discovery. For incidents affecting 500+ residents of a state or jurisdiction, notify prominent media and the federal regulator within required timeframes; maintain a log and submit smaller breaches annually.

Improve After Every Incident

Perform root‑cause analysis, close corrective actions, retrain staff as needed, and update controls. Keep a complete evidence file for each incident to show due diligence.

Maintain Compliance Documentation

Know What to Keep—and for How Long

Retain HIPAA policies, risk assessments, training records, BAAs, incident reports, access logs, and evaluations for at least six years from creation or last effective date, whichever is later.

Maintain an Audit‑Ready Record

Version‑control policies, record approvals, and keep change histories. Store documents securely with role‑based access and searchable indexing so you can respond quickly to audits or surveys.

Operationalize Documentation

Use checklists tied to your Security Risk Assessment, meeting minutes that track remediation, and dashboards showing control status, due dates, and owners. Align documentation with what staff actually do on the floor.

Summary

This checklist helps you protect PHI under the HIPAA Privacy Rule, implement Administrative and Technical Safeguards, strengthen Physical Access Controls, train your workforce, and meet the Breach Notification Rule. Treat compliance as an ongoing program—measure, improve, and document continuously.

FAQs

What are the key administrative safeguards for HIPAA in SNFs?

Core Administrative Safeguards include a current Security Risk Assessment with a written risk management plan; designated Privacy and Security Officers; workforce security, access management, and sanction policies; incident response and contingency plans; periodic evaluations; and vendor governance with signed BAAs. Each safeguard must be documented, assigned an owner, and reviewed on a defined schedule.

How often should employee HIPAA training be conducted?

Provide training before granting system access, then at least annually, with targeted refreshers after incidents, role changes, or technology updates. Reinforce learning through short micro‑modules, phishing simulations, and huddles so staff apply the Privacy Rule and Technical Safeguards correctly in daily workflows.

What steps should SNFs take after a data breach?

Activate your incident response plan: contain the event, preserve evidence, and investigate quickly. Perform a documented risk assessment, decide if notification is required under the Breach Notification Rule, and notify impacted individuals and regulators within required timelines. Execute corrective actions, retrain involved staff, and update controls to prevent recurrence.

How can SNFs ensure secure electronic health records?

Harden EHR systems with role‑based access, MFA, encryption in transit and at rest, and timely patching. Enable audit logs and proactive alerts, restrict data exports, and secure interfaces and APIs. Support clinical workflows with downtime procedures and validated backups so care continues safely during outages.