VA Hospitals HIPAA Compliance Checklist: Key Requirements and Audit Steps

Use this VA Hospitals HIPAA Compliance Checklist to verify alignment with HIPAA’s Privacy, Security, and Breach Notification Rules while meeting VHA HIPAA Policies. Each section outlines key requirements and clear audit steps so you can confirm controls, collect evidence, and remediate gaps before an audit.

Governance and Leadership

Strong governance anchors compliance. Establish clear Privacy Officer Accountability and Security Officer oversight, backed by a cross-functional committee that owns policy decisions, risk acceptance, and resource allocation. Documented governance ensures consistent adherence to VHA HIPAA Policies and enterprise standards.

Checklist: Key Requirements

• Designate and document a Privacy Officer and Security Officer with authority, training, and defined responsibilities.
• Stand up a privacy and security governance committee that meets routinely and records decisions and risk acceptances.
• Approve, version, and disseminate VHA HIPAA Policies and local procedures; maintain a single source of truth.
• Track policy attestations, workforce sanctions, and exceptions with leadership sign-off.
• Maintain an ePHI system inventory, data flows, and ownership to support downstream controls and audits.

Audit Steps

• Review appointment letters and position descriptions for Privacy Officer Accountability and Security Officer authority.
• Examine committee charters, agendas, and minutes showing policy approvals, risk acceptance, and funding decisions.
• Sample policy versions for currency, distribution logs, and staff attestations.
• Inspect ePHI inventories and data maps; verify owners and update cadence.
• Validate a documented sanctions process and evidence of consistent application.

Risk Assessment and Management

A rigorous ePHI Risk Analysis identifies threats, vulnerabilities, and the likelihood and impact of compromise across systems, workflows, and vendors. Translate results into a prioritized risk register and risk treatment plan; track through closure to demonstrate continuous management.

Checklist: Key Requirements

• Perform an enterprise ePHI Risk Analysis at least annually and after significant changes (new systems, major upgrades, incidents).
• Maintain a risk methodology with scoring, acceptance criteria, and documented roles.
• Produce a risk register that maps risks to assets, owners, and remediation actions with due dates.
• Integrate vulnerability scanning, penetration testing outputs, and lessons learned from incidents.
• Report risk posture and exceptions to leadership per VHA HIPAA Policies.

Audit Steps

• Review the latest ePHI Risk Analysis, scope, asset list, and threat modeling approach.
• Trace a sample of high risks from identification to closure; verify evidence of remediation or approved acceptance.
• Check that risk metrics and dashboards are routinely briefed to leadership.
• Validate that new systems undergo pre-production risk assessment and control selection.
• Confirm integration of scan results, POA&Ms, and incident findings into the risk register.

Administrative Safeguards

Administrative controls operationalize privacy by design. Focus on staffing, training, access governance, contingency planning, and documented processes that ensure minimum necessary use and proper oversight across the workforce lifecycle.

Checklist: Key Requirements

• Provide role-based HIPAA training at onboarding and at least annually per VHA HIPAA Policies; track completion and retraining.
• Enforce the minimum necessary standard with role definitions, access requests, approvals, and periodic re-certifications.
• Implement workforce clearance, onboarding, transfer, and termination procedures with timely access changes.
• Maintain contingency plans: data backup plan, disaster recovery plan, and emergency mode operations with tested results.
• Document incident escalation paths, sanction policy, and record retention (minimum six years for HIPAA documentation).

Audit Steps

• Sample training records across roles; verify completion rates, content currency, and remediation for delinquent staff.
• Review access request tickets and quarterly re-certifications; confirm adherence to minimum necessary.
• Test a sample of terminations and transfers for timely access revocation and role adjustments.
• Inspect contingency plans and recent test results; verify restoration times, data integrity checks, and lessons learned.
• Examine sanction case files to confirm consistent application and documentation.

Physical Safeguards

Physical protections restrict unauthorized presence and protect devices and media that handle ePHI. Effective Facility Access Controls and device/media procedures reduce theft, tampering, and improper disposal risks.

Checklist: Key Requirements

• Implement Facility Access Controls for data centers, telecom rooms, and records areas: badging, visitor logs, escorts, and cameras.
• Secure workstations with positioning, screen privacy, automatic screen lock, and cable locks where appropriate.
• Maintain device and media controls: asset inventory, secure transport, storage, re-use, and destruction with certificates.
• Protect environmental conditions (power, temperature, water) with monitoring and response procedures.

Audit Steps

• Conduct walk-throughs of restricted areas; verify access lists, logs, and camera coverage.
• Spot-check workstations for screen lock timing, privacy filters, and unattended sessions.
• Review a sample of device disposal records for chain of custody and destruction certificates.
• Inspect asset inventories for accuracy and reconciliation with procurement and disposal records.

Technical Safeguards

Technical controls enforce who can access ePHI, how it is protected, and how activity is monitored. Prioritize strong authentication, Encryption and Audit Logging, and disciplined configuration management to prevent and detect misuse.

Checklist: Key Requirements

• Access controls: unique user IDs, multi-factor authentication, automatic logoff, and least-privilege roles.
• Encryption at rest and in transit using federally approved algorithms; manage keys securely and rotate per policy.
• Audit controls: centralized Audit Logging, time synchronization, alerting, and routine review with documented follow-up.
• Integrity controls: hashing, secure backups, and change control to prevent unauthorized alteration of ePHI.
• Transmission security: TLS for network traffic, VPN for remote access, and hardened wireless configurations.
• Patch and vulnerability management with defined SLAs, endpoint protection, and configuration baselines.

Audit Steps

• Sample user accounts for unique IDs, MFA enrollment, and timely deprovisioning.
• Verify disk/database encryption settings and key management procedures on a sample of ePHI systems.
• Confirm logs are generated, forwarded to a SIEM, retained per policy, and reviewed with tracked findings.
• Inspect vulnerability scan and patch reports; validate remediation meets defined SLAs.
• Test TLS configurations and session timeout policies; review exceptions and approvals.

Business Associate Agreements

Vendors that create, receive, maintain, or transmit ePHI must meet Business Associate Compliance requirements. A robust BAA program inventories partners, sets enforceable safeguards, and verifies ongoing performance.

Checklist: Key Requirements

• Maintain an up-to-date inventory of business associates and subcontractors handling ePHI.
• Execute Business Associate Agreements before ePHI exchange; include permitted uses, safeguards, subcontractor flow-downs, and termination/disposal terms.
• Define Breach Notification Procedures and reporting timelines in the BAA.
• Conduct risk-based due diligence (security questionnaires, independent assessments) and ongoing monitoring.
• Track BAA expirations, points of contact, and performance metrics.

Audit Steps

• Sample executed BAAs to confirm required clauses, signatures, and current contacts.
• Match BAAs to data flows; verify least-necessary data sharing and secure transfer methods.
• Review due diligence artifacts and follow-up on identified gaps.
• Confirm subcontractor flow-down language and evidence of vendor oversight.
• Check termination records for timely data return or destruction certificates.

Incident Response and Breach Notification

An effective response program ensures rapid containment, accurate assessment, and timely notifications. Define roles, decision criteria, and communications ahead of time to meet regulatory deadlines and reduce harm.

Checklist: Key Requirements

• Maintain an incident response plan with 24/7 intake, triage, investigation, containment, and recovery procedures.
• Use a breach risk assessment that evaluates the nature of ePHI, the unauthorized recipient, whether data was acquired/viewed, and mitigation achieved.
• Follow HIPAA Breach Notification Procedures: notify affected individuals without unreasonable delay and no later than 60 days after discovery.
• For breaches affecting 500+ individuals in a state/jurisdiction, notify HHS and prominent media without unreasonable delay and no later than 60 days.
• For breaches affecting fewer than 500 individuals, log and report to HHS within 60 days after the end of the calendar year.
• Document all decisions, notifications, and corrective actions; conduct post-incident reviews and tabletop exercises.

Audit Steps

• Review the incident response plan, call trees, playbooks, and exercise reports.
• Examine a sample of incidents for timelines, containment actions, breach assessments, and notification letters.
• Verify reporting to HHS and media where applicable; confirm annual submissions for smaller breaches.
• Check root-cause analyses and corrective action tracking to closure.

Summary and Next Steps

Applying this VA Hospitals HIPAA Compliance Checklist across governance, risk, safeguards, vendor oversight, and response will help you prove due diligence, close gaps quickly, and sustain compliance with VHA HIPAA Policies. Use the audit steps as a repeatable playbook before internal or external reviews.

FAQs

What are the key HIPAA safeguards for VA hospitals?

The three safeguard families are administrative (policies, training, access governance, contingency planning), physical (Facility Access Controls, workstation and device/media protections), and technical (authentication, encryption, and Audit Logging, integrity, and transmission security). Effective BAAs and documented Breach Notification Procedures complete the program.

How is risk assessment conducted in VA hospitals?

You perform an ePHI Risk Analysis that inventories systems and data flows, evaluates threats and vulnerabilities, scores likelihood and impact, and records risks in a register with owners and remediation plans. Update it at least annually and after major changes, and brief leadership per VHA HIPAA Policies.

What are the notification requirements after a data breach?

Notify affected individuals without unreasonable delay and no later than 60 days after discovery. For incidents involving 500+ individuals in a state or jurisdiction, notify HHS and prominent media within the same timeframe; for fewer than 500, log and report to HHS within 60 days after the calendar year ends. Document your breach assessment and corrective actions.

How often should HIPAA training be conducted for VA staff?

Provide role-based training at onboarding and at least annually in line with VHA HIPAA Policies, supplemented with just-in-time updates after incidents or policy changes. Track completion, remediate delinquencies, and tailor content to job functions.