UNC HIPAA Training Checklist: Policies, Security Awareness, and Documentation Steps



Kevin Henry

HIPAA

May 24, 2024

7 minute read

Use this UNC HIPAA training checklist to align policies, reinforce security awareness, and document the steps that demonstrate compliance for ePHI protection. Tailor each item to your unit’s systems, vendors, and workflows, and follow your official UNC requirements.

Documentation Requirements

Establish a single source of truth for HIPAA documentation. Your goal is to prove what you planned to do (policies), what you actually did (procedures and logs), and how you verified it (HIPAA compliance auditing evidence).

What to document

  • Approved policies and procedures covering administrative, technical, and physical security measures; include version history, owners, and effective dates.
  • Workforce training documentation: completion rosters, dates, content outlines, scores, and signed attestations.
  • Risk analysis results, risk register, and the risk management plan with owners and remediation deadlines.
  • Incident response protocol, incident tickets, investigation notes, breach risk assessments, and post-incident reviews.
  • Access control matrices mapping role-based access control to job duties; provisioning and deprovisioning records.
  • System audit log retention settings, monitoring reports, and HIPAA compliance auditing schedules and results.
  • Business Associate Agreements (BAAs), vendor assessments, and data flow diagrams for ePHI systems.

Retention and review

  • Retain required HIPAA documentation for at least six years from creation or last effective date.
  • Review and update policies whenever systems, regulations, or risks change; aim for at least an annual review cycle.
  • Store records in a searchable, access-controlled repository with clear naming and unique identifiers.

How to verify

  • Sample training records monthly to confirm 100% completion of required training and timely remediation of any gaps.
  • Check that each policy shows a current owner, next review date, and documented approvals.
  • Reconcile BAA inventory against purchasing and vendor lists to ensure coverage.

Risk Management

Drive down risk by continuously identifying threats to ePHI protection and treating them in a prioritized, evidence-based way. Document decisions so leadership can see residual risk over time.

Perform risk analysis

  • Inventory assets that create, receive, maintain, or transmit ePHI; map data flows and trust boundaries.
  • Identify threats and vulnerabilities; estimate likelihood and impact; score risks and record assumptions.
  • Capture findings in a risk register tied to specific systems and controls.

Treat and track risks

  • Mitigate with security patches, encryption, hardening, network segmentation, role-based access control, and targeted training.
  • Address facility and device exposures with physical security measures and secure media handling.
  • Assign owners and due dates; justify any risk acceptance and define compensating controls.

Monitor and improve

  • Reassess at least annually and whenever significant changes occur (new apps, migrations, major incidents).
  • Feed incident lessons into the register; close risks only after verifying control effectiveness.

Security Awareness and Training

Make training practical and role-specific so people know how to handle ePHI safely and how to react to threats. Track participation and effectiveness, not just attendance.

Core topics to cover

  • HIPAA Privacy and Security fundamentals, minimum necessary, and acceptable use.
  • Handling ePHI: secure transfer, encryption, labeling, storage, and disposal.
  • Phishing and social engineering, reporting suspicious messages, and safe browsing.
  • Password hygiene and multi-factor authentication; session locking and device encryption.
  • Role-based access control responsibilities and least-privilege practices.
  • Physical security measures: clean desk, badge use, visitor handling, and secure areas.
  • Remote work and mobile device safeguards; basics of your data backup strategy.
  • How to report incidents and follow the incident response protocol.

Delivery and tracking

  • Provide onboarding, periodic refreshers, and timely micro-reminders tied to emerging risks.
  • Maintain workforce training documentation: rosters, transcripts, content versions, and attestations.
  • Measure outcomes with quizzes, simulated phishing, and targeted remedial training where needed.

Security Incident Procedures

Standardize how you detect, escalate, contain, investigate, and learn from security events. Speed and accuracy matter; everyone must know how to report and what details to capture.

Immediate actions

  • Contain the issue (disconnect compromised devices, rotate credentials, revoke suspicious sessions).
  • Preserve evidence: secure logs, take snapshots, and avoid wiping systems before triage.
  • Report promptly through designated channels and open a formal incident record.

Document the event

  • Record who reported, what happened, when detected, where it occurred, and how it was identified.
  • List affected systems, data elements, and whether ePHI was involved; estimate scope.
  • Track containment steps, contacts notified, preliminary root cause, and risk-of-harm analysis.
  • Note breach notifications, if required, and final disposition with closure date.

After-action improvement

  • Hold a lessons-learned session; update procedures, controls, and training content.
  • Feed confirmed control gaps back into risk management and verify remediation.

Contingency Planning

Prepare to maintain or quickly restore access to ePHI during outages. Define how you will back up, recover, and operate in emergency mode until normal service returns.

Data backup strategy

  • Set recovery time and point objectives (RTO/RPO) for each system that handles ePHI.
  • Use encrypted, verified backups with off-site or geo-redundant storage; protect backup credentials.
  • Document schedules (full, differential, incremental) and retention periods.
  • Test restores regularly and document success rates and fix actions.

Disaster recovery and emergency operations

  • Maintain step-by-step runbooks for prioritized systems and dependencies.
  • Plan for alternate processing locations and failover communications.
  • Conduct tabletop and technical recovery exercises; track findings to closure.

Access Controls and User Authentication

Control ePHI exposure with precise authorization, strong authentication, and disciplined account lifecycle management. Verify that actual access matches job need.

Role-based access control

  • Define roles and minimum necessary privileges; map users to roles with documented approvals.
  • Implement break-glass access for emergencies with enhanced logging and review.
  • Run periodic access reviews and reconcile exceptions quickly.

Authentication and session management

  • Require unique user IDs, strong passwords, and multi-factor authentication for sensitive access.
  • Use SSO where feasible; enforce session timeouts and automatic device locking.
  • Encrypt endpoints and storage; set standards for remote and mobile access.

Access lifecycle controls

  • Provision, modify, and remove access through documented workflows tied to HR events.
  • Restrict and monitor privileged access; log administrative actions to immutable storage.
  • Integrate logs into monitoring and HIPAA compliance auditing routines.

Administrative Safeguards

Strengthen governance so security is operationalized across people, processes, and vendors. Clarify accountability and verify performance against policy.

Program oversight

  • Designate a security official and define roles for data owners, custodians, and stewards.
  • Apply workforce clearance procedures and a graduated sanction policy.
  • Maintain a current inventory of systems and vendors; execute and track BAAs.
  • Publish policy management and training schedules; monitor gaps and corrective actions.
  • Include physical security measures in site standards: facility access controls, visitor logs, and media handling.
  • Run a documented HIPAA compliance auditing calendar covering policies, technical controls, and operational practices.

Conclusion

This UNC HIPAA training checklist helps you align documentation, risk management, training, incident handling, contingency plans, and access control into a cohesive program. Use it to verify that safeguards work in practice and to show evidence of ongoing compliance.

FAQs

What is the required documentation timeframe for HIPAA policies?

Retain HIPAA-required documentation—policies, procedures, and related records—for at least six years from creation or last effective date. Review and update policies at least annually and after significant changes. Keep workforce training documentation, incident logs, risk analyses, and audit records for the same period or longer if contract or state rules require.

How often must HIPAA risk assessments be conducted?

Perform a comprehensive risk analysis at least annually and whenever significant changes occur, such as deploying new systems, migrating environments, integrating vendors, or after major incidents. Track results in a risk register, assign owners, and verify completion of mitigation actions.

What topics are covered in HIPAA security awareness training?

Cover HIPAA basics and minimum necessary, ePHI protection and secure handling, phishing and social engineering, passwords and multi-factor authentication, role-based access control responsibilities, physical security measures, mobile and remote safeguards, disposal practices, data backup strategy basics, and how to report incidents via your incident response protocol.

How should security incidents be documented and reported?

Report promptly through designated channels and open an incident record. Document who, what, when, where, and how; affected systems and ePHI; containment steps; preliminary root cause; risk-of-harm analysis; decisions on breach notifications; and closure details. Preserve relevant logs and evidence, escalate to the appropriate security and privacy contacts, and capture lessons learned for program improvement.
