HIPAA compliance checklist: A 9-step plan to protect PHI and stay audit-ready
HIPAA compliance is intended to keep protected health information (PHI) safe and secure. For covered entities and business associates, “being HIPAA compliant” typically means you can show that you’ve implemented and documented the administrative, physical, and technical safeguards the Security Rule requires for electronic PHI (ePHI), that your handling of PHI follows the Privacy Rule’s use-and-disclosure requirements, and that you review and improve those controls over time.
Sound complicated? This HIPAA compliance checklist turns the broad requirements into a practical operating plan with clear ownership and evidence.
This guide covers:
- The 9 recurring actions most teams need to operationalize HIPAA compliance
- What to document so audits and customer reviews don’t become fire drills
- How to keep risk management running year-round (not just once per year)

Related guides:
- What is HIPAA compliance? Requirements, who it applies to, and how to stay compliant
- HIPAA regulations and rules explained
- Preparing for HIPAA compliance: An 8-step HIPAA compliance checklist
- HIPAA compliance for software development: A 7-step checklist
Key takeaways
- HIPAA compliance is a system, not a one-time project. The fastest way to “fall out of compliance” is to treat HIPAA as paperwork instead of owned workflows and evidence.
- Start by identifying what you must evaluate, and how often. The Security Rule requires periodic technical and non-technical evaluation rather than a fixed calendar (45 CFR 164.308(a)(8)); most programs adopt an annual baseline, and your checklist should define what’s required, who runs it, and what “done” looks like.
- Documentation is part of the control. If you can’t produce evidence (risk analysis, training records, access reviews, BAAs, incident tickets), audits and investigations become painful.
- Third parties can expand your HIPAA scope quickly. Your vendor program should make it clear which vendors touch PHI and what agreements and reviews are required.
What this HIPAA compliance checklist is (and isn’t)
This checklist is designed to help you operationalize HIPAA compliance: assign ownership, schedule recurring evaluations, and maintain evidence for audits and security reviews.
It is not legal advice, and it doesn’t replace the detailed interpretation work you may need for your specific role (covered entity vs. business associate), data flows, and contracts. Use it as a repeatable plan and consult qualified counsel for role- and fact-specific guidance.
HIPAA compliance checklist (9 steps)
Step 1: Determine which annual audits and assessments you need
First, define what “required” means for your organization. The Security Rule requires a documented risk analysis (45 CFR 164.308(a)(1)(ii)(A)) and periodic technical and non-technical evaluations of your safeguards (45 CFR 164.308(a)(8)). It does not fix an annual cadence, but annual is the common baseline, and an OCR investigation will typically ask for your most recent risk analysis before anything else. Your contracts (BAAs, customer requirements) often add expectations on top of the Rules.
Practical actions:
- Perform a readiness assessment to evaluate current safeguards against HIPAA requirements
- Review the HHS Office for Civil Rights (OCR) Audit Protocol and use it as a common reference for evidence expectations
- Build your compliance calendar (risk analysis refresh, access reviews, incident tabletop, vendor reviews, policy refresh, training)
Step 2: Conduct your required HIPAA audits and assessments
Run the evaluations you scoped in Step 1 and capture results in a way that is auditable: findings, severity, owners, and remediation timelines.
Practical actions:
- Perform and document ongoing technical and non-technical evaluations
- Ensure findings turn into tracked remediation (tickets, change records, policy updates)
- If you don’t have in-house capacity, partner with a qualified security and compliance team—and keep ownership internal so the program doesn’t stall
Step 3: Document your plan and put it into action
HIPAA compliance becomes manageable when you treat it like an operating system: plan the work, execute it, and keep evidence current.
Practical actions:
- Document every step of building, implementing, and assessing your compliance program
- Maintain a living list of controls with owners, evidence, and review cadence
- Tie the plan to real workflows (access reviews, vendor reviews, training attestations, incident drills)
Step 4: Appoint a security and compliance point person
HIPAA compliance needs an accountable owner, and the Rules name the roles: the Security Rule requires covered entities and business associates to designate a security official responsible for Security Rule policies and procedures (45 CFR 164.308(a)(2)), and the Privacy Rule requires covered entities to designate a privacy official (45 CFR 164.530(a)). In practice, organizations designate:
- A HIPAA Security Officer to oversee safeguarding ePHI
- A HIPAA Privacy Officer to oversee PHI use/disclosure policies and processes
In smaller organizations, this may be the same person. What matters is that the role has authority, time, and a clear escalation path.
Step 5: Schedule annual HIPAA training for all employees
Training addresses one of the leading causes of HIPAA violations: workforce mistakes such as misdirected messages, oversharing, and mishandled records. It is also a requirement, not a nice-to-have: the Security Rule requires a security awareness and training program (45 CFR 164.308(a)(5)), and the Privacy Rule requires workforce training on privacy policies and procedures (45 CFR 164.530(b)).
Practical actions:
- Schedule annual HIPAA training and incorporate it into onboarding
- Distribute HIPAA policies and procedures and ensure staff read and attest
- Add role-based training where PHI exposure differs (support, billing, engineering, clinical)
Step 6: Document trainings and compliance activities
For HIPAA, proof matters. If training occurred but you can’t show it, you’ll struggle in audits and after incidents. Both Rules also set a retention floor: required documentation must be kept for six years from the date it was created or the date it was last in effect, whichever is later (45 CFR 164.316(b)(2)(i); 45 CFR 164.530(j)), so your evidence store needs versioning, not just the current copy.
Practical actions:
- Document training processes, activities, and attestations
- Maintain policy acknowledgement records and version history
- Keep evidence for recurring processes (access reviews, vendor reviews, incident drills)
Step 7: Establish and communicate breach reporting processes
Your team should know what constitutes a potential HIPAA breach and how to report it internally, before something happens. The Breach Notification Rule (45 CFR 164.400–414) sets the external clock: covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, notify HHS (at the same time for breaches affecting 500 or more individuals; in an annual log submission for smaller ones), and notify prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction. Business associates must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery. “Discovery” is the first day the breach is known, or by reasonable diligence would have been known, to the organization, so every day lost to slow internal reporting comes straight out of that window.
Practical actions:
- Define a clear internal reporting channel (ticketing + on-call escalation) and state plainly that staff should report suspected incidents, not just confirmed ones
- Implement systems to track security incidents and preserve evidence (logs, timelines, approvals), including the documented four-factor risk assessment that supports any decision not to notify (45 CFR 164.402), since an unsecured PHI incident is presumed to be a breach unless that assessment shows a low probability of compromise
- Run tabletop exercises so reporting doesn’t break down under pressure, and time them against the 60-day clock
Step 8: Institute an annual review process
HIPAA is not static. Your policies, safeguards, vendors, and systems change—so your program needs a formal annual review.
Practical actions:
- Annually assess your compliance activities against HIPAA Rules and updates
- Refresh the PHI inventory and data flows (new systems, integrations, vendors)
- Review audit findings, corrective actions, and “near misses” to improve controls
Step 9: Continuously assess and manage risk
The safest HIPAA programs are built around a year-round risk management rhythm.
Practical actions:
- Maintain a risk register with owners and remediation timelines
- Integrate continuous monitoring and recurring evidence collection
- Track third-party risk continuously (BAAs, vendor changes, subprocessors, renewals)
Owners and evidence (what to keep audit-ready)
Use this table to turn the checklist into owned work—and to make sure you can prove it later.
| Checklist step | Typical owner(s) | Evidence to keep current | Cadence |
|---|---|---|---|
| Annual audits and assessments defined | Compliance + Security + Legal | Compliance calendar, scope statement, OCR protocol mapping notes | Annual + on change |
| Audits and evaluations completed | Security / GRC | Evaluation reports, findings register, remediation tickets, internal audit notes | Quarterly / annual |
| Plan documented and executed | Compliance + Ops | Control list with owners, policy set, version history, task completion evidence | Ongoing |
| Officer appointed | Leadership | Officer designation, responsibilities, escalation path | Annual review |
| Training scheduled | HR + Compliance | Training plan, modules, onboarding checklist | Annual + onboarding |
| Training and activities documented | HR + Compliance + Security | Completion exports, attestations, policy acknowledgements | Ongoing |
| Breach reporting implemented | Security + Legal | IR plan, reporting channel, incident tickets, tabletop notes | Semiannual exercises |
| Annual review completed | Compliance + Security | Annual review memo, updated PHI inventory, corrective actions | Annual |
| Continuous risk management | Security / GRC | Risk register, monitoring signals, access review evidence, vendor review evidence | Monthly/quarterly |
Streamline HIPAA work with SecureSlate
HIPAA compliance is easiest when requirements become assigned tasks and continuously updated evidence—not scattered documents and last-minute screenshot hunting.
SecureSlate helps teams:
- Centralize HIPAA policies, procedures, and acknowledgements
- Track audits, risk analysis findings, and remediation plans with clear owners
- Manage vendor oversight (BAAs, vendor evidence, review cadence)
- Maintain audit-ready evidence for internal audits and customer security reviews
Get started for free to turn this HIPAA compliance checklist into a program your team can run all year.
FAQ: HIPAA compliance checklists
How often do we need to review HIPAA compliance?
Commonly, organizations formalize an annual review and run smaller recurring evaluations (monthly/quarterly) for high-risk areas like access, vendors, and incident readiness. HIPAA itself requires “periodic” evaluation and an updated risk analysis when your environment or operations change, rather than a fixed interval, so the right cadence depends on your scope and risk profile, and a significant change (new system, acquisition, new vendor handling PHI) should trigger a review without waiting for the calendar.
What’s the first step if we’re behind on HIPAA compliance?
Start by mapping where PHI exists (systems, users, vendors) and defining your annual evaluation plan. That prevents you from writing policies for systems that don’t matter—or missing the ones that do.
Do we need a third party to “certify” HIPAA compliance?
No. HIPAA has no official certification: HHS does not certify organizations or endorse any third-party HIPAA certification, and holding one neither satisfies your obligations nor shifts liability. Many organizations still use third-party assessments, audits, or platforms to structure work and evidence, especially when customer reviews require it, but what you must be able to produce is your own documented risk analysis, safeguards, and evidence.
Disclaimer (legal note)
SecureSlate is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.