HIPAA Security 101 Checklist for Covered Entities: Safeguards, Risk Analysis, Examples

This HIPAA Security 101 checklist helps covered entities operationalize the Security Rule for Electronic Protected Health Information (ePHI). You’ll find practical steps for administrative, physical, and technical safeguards, plus clear guidance on risk analysis, risk management, data encryption, and access control—with examples to make adoption easier.

Administrative Safeguards

Checklist

• Designate a security official responsible for Security Rule compliance and decision-making.
• Perform an enterprise-wide risk analysis covering all ePHI systems, data flows, and locations.
• Implement a risk management plan with prioritized remediations, owners, timelines, and metrics.
• Establish workforce security processes: background checks as appropriate, role-based onboarding, and least-privilege access.
• Deliver role-based security awareness training at hire and at least annually; track completion.
• Document Security Incident Procedures for detection, reporting, triage, containment, eradication, recovery, and post-incident review.
• Execute and maintain Business Associate Agreements with all vendors handling ePHI; review annually.
• Create an information system activity review process (e.g., log and Audit Controls review) with defined cadence.
• Define a sanctions policy for workforce noncompliance; enforce consistently and document actions.
• Develop contingency planning: data backup, disaster recovery, emergency mode operations, and periodic testing.
• Conduct periodic technical and nontechnical evaluations, especially after major changes.
• Maintain thorough documentation to demonstrate Security Rule Compliance.

Examples

• New-hire workflow auto-provisions only required EHR roles, enrolls users in MFA, and schedules training before ePHI access.
• Standard BAA templates are used for a cloud EHR provider and a claims clearinghouse, with security addenda on encryption and breach notice timelines.
• Security Incident Procedures include a one-page runbook for lost devices and a 24-hour log review checklist after suspicious activity.

Physical Safeguards

Checklist

• Control facility access with badges, visitor logs, and escort requirements for data rooms.
• Define workstation use and placement standards: privacy screens, auto-lock, and restricted locations.
• Secure workstations and mobile devices when unattended; prohibit shared logins.
• Implement device and media controls: inventory, secure storage, chain-of-custody, and approved disposal methods with certificates of destruction.
• Harden portable media policies: default encryption, no unapproved USB storage, and secure transfer procedures.
• Plan for environmental and emergency events: UPS for critical systems, fire suppression, and alternate workspace procedures.

Examples

• Server room doors require badge plus keypad during business hours and badge plus key after hours.
• Decommissioned laptops undergo cryptographic wipe and vendor-certified physical destruction; records retained for six years.
• Front-desk workstations use privacy filters and face away from public areas to protect ePHI on screen.

Technical Safeguards

Checklist

• Access control: unique user IDs, role-based access, least privilege, break-glass procedures, and emergency access workflows.
• Authentication: multi-factor authentication for remote, administrative, and EHR access.
• Automatic logoff and session management aligned to risk (e.g., 10–15 minute inactivity timeouts).
• Encryption and decryption capabilities for data at rest and in transit across all systems handling ePHI.
• Audit Controls: enable, retain, and regularly review logs for EHR, network, databases, and APIs; alert on anomalies.
• Integrity controls: hashing, digital signatures, or application checksums to detect unauthorized changes.
• Transmission security: enforce TLS 1.2+ for all ePHI transmissions; use secure email portals or S/MIME for messages containing ePHI.

Examples

• EHR access requires MFA via authenticator app; privileged users additionally use a hardware security key.
• API gateways log all FHIR requests with patient identifiers and user IDs; logs feed a SIEM for correlation and alerts.
• Database encryption at rest uses AES-256; keys are managed in an HSM-backed key management service with rotation every 12 months.

Risk Analysis

Conduct a systematic, organization-wide risk analysis that scopes all Electronic Protected Health Information, including cloud, on-premises, endpoints, mobile devices, and third parties. Identify assets, data flows, threats, vulnerabilities, existing controls, and potential impacts to confidentiality, integrity, and availability.

Practical Steps

• Inventory systems and repositories containing ePHI; map data flows end-to-end.
• Identify threats (e.g., ransomware, misconfiguration, insider error) and vulnerabilities (e.g., missing patches, weak access controls).
• Evaluate current controls and determine likelihood and impact; assign risk levels and document rationale.
• Prioritize risks, define remediation options, and record decisions, owners, and timelines.
• Repeat at least annually and after significant changes (e.g., new EHR, merger, or cloud migration).

Examples

• Cloud migration assessment reveals public storage misconfiguration risk; remediation enforces private buckets, encryption by default, and continuous compliance checks.
• Remote-work review identifies unsecured Wi‑Fi exposure; mitigation requires VPN, endpoint protection, and user training.

Risk Management

Use the risk analysis to drive a living risk management program that reduces risk to reasonable and appropriate levels. Track remediation to closure, verify effectiveness, and document residual risk and acceptance where justified.

Action Plan

• Create a remediation roadmap with quarterly milestones and measurable outcomes.
• Address high-impact items first: privileged access, patching, backups, and Audit Controls visibility.
• Integrate Security Incident Procedures into playbooks and tabletop exercises; update after each event.
• Run vendor risk management: due diligence, BAAs, security questionnaires, and periodic reassessments.
• Report program status to leadership; include metrics like mean time to remediate and percentage of critical risks closed.

Examples

• A 90-day plan deploys endpoint detection and response, enforces MFA, and closes critical vulnerabilities across servers and workstations.
• Vendor review flags a billing service without encryption at rest; contract updated via Business Associate Agreement to mandate encryption and breach notification SLAs.

Data Encryption

Encryption is an addressable specification that is strongly recommended for ePHI at rest and in transit. Properly implemented, it materially reduces breach impact and supports Security Rule compliance and state breach-safe harbor provisions.

Implementation Essentials

• At rest: use AES‑256 (or equivalent) for databases, file systems, and backups; enable full-disk encryption for laptops and mobile devices.
• In transit: enforce TLS 1.2/1.3; use secure portals, S/MIME, or approved secure messaging when emailing ePHI.
• Key management: segregate duties, protect keys in HSM/KMS, rotate keys on schedule, and log all key operations.
• Configuration baselines: disable weak ciphers, require certificate validation, and automate compliance checks.
• Documentation: record encryption scope, algorithms, key custodians, rotation schedules, and exceptions with compensating controls.

Examples

• All clinician laptops use full‑disk encryption with pre‑boot authentication; lost devices are remotely wiped and documented.
• Lab results transmitted via SFTP over SSH; receiving system verifies file integrity with checksums before ingestion.
• Backups are encrypted before leaving the facility and stored in a separate, access-controlled vault account.

Access Control

Strong access control ensures only authorized individuals can view or alter ePHI. Combine identity governance, authentication strength, and continuous monitoring to enforce least privilege and detect misuse.

Checklist

• Use role-based access control with documented role definitions and approved access requests.
• Enforce MFA for all remote and administrative access; prefer phishing-resistant factors for privileged accounts.
• Implement joiner–mover–leaver workflows with prompt deprovisioning and periodic access recertification.
• Set session timeouts, IP and device restrictions where feasible, and require break-glass justification logging.
• Segment networks and limit administrative pathways; use privileged access management for elevated tasks.
• Continuously monitor access with Audit Controls, alert on anomalies, and investigate promptly.

Examples

• Clinician role grants chart view and order entry; research role accesses only de-identified datasets via a separate workspace.
• Vendors receive time-bound, least-privilege accounts with MFA and no shared credentials; access is disabled automatically at expiration.
• Emergency “break-glass” access requires reason entry, generates alerts, and is reviewed within 24 hours.

Conclusion

Use this HIPAA Security 101 checklist to align administrative, physical, and technical safeguards, drive risk analysis and risk management, and apply encryption and access control consistently. Document decisions and outcomes to demonstrate Security Rule compliance while protecting ePHI across your environment.

FAQs.

What are the main types of HIPAA safeguards for covered entities?

HIPAA organizes safeguards into three categories: Administrative (policies, procedures, training, BAAs, and incident processes), Physical (facility controls, workstation security, and device/media protections), and Technical (access control, encryption, authentication, integrity, transmission security, and Audit Controls). Together, they protect the confidentiality, integrity, and availability of ePHI.

How is a HIPAA risk analysis conducted?

You scope all systems and processes that create, receive, maintain, or transmit ePHI, then inventory assets and data flows. Next, identify threats and vulnerabilities, assess likelihood and impact, assign risk levels, and document results. Finally, prioritize mitigations and repeat the analysis at least annually and after significant changes.

What role do business associate agreements play?

Business Associate Agreements contractually require vendors that handle ePHI to implement HIPAA-compliant safeguards, report incidents, and support breach notification. BAAs align responsibilities, set minimum security expectations, and provide a basis to monitor and enforce vendor obligations.

How can covered entities ensure compliance with documentation requirements?

Create and maintain written policies, procedures, risk analyses, remediation plans, training records, BAAs, incident reports, audit reviews, and contingency test results. Keep versioned records for at least six years, review and update after changes or incidents, and ensure documents reflect actual practices.