Preparing for HIPAA compliance: An 8-step HIPAA compliance checklist to meet privacy and security requirements
HIPAA (the Health Insurance Portability and Accountability Act) is one of the most important US regulatory frameworks for healthcare organizations and the vendors that support them. If your organization touches protected health information (PHI), HIPAA compliance becomes a practical requirement: you need repeatable safeguards for privacy and security—and the ability to prove they’re working.
Because HIPAA is designed to be flexible, it often describes what you must accomplish (reasonable and appropriate safeguards) rather than prescribing a single implementation. That’s helpful, but it can also make HIPAA feel ambiguous without a concrete operating plan.
This HIPAA compliance checklist covers:
- The foundational building blocks of HIPAA compliance (scope, roles, and core rules)
- Why a checklist helps you turn HIPAA language into owned work
- Eight practical steps to build and maintain an audit-ready HIPAA compliance program

Related guides:
- HIPAA compliance for software development: A 7-step checklist
- HIPAA violations in 2025: staff mistakes and vendor blind spots
- 5 healthcare cybersecurity regulations and frameworks to follow in 2025
Key takeaways
- HIPAA compliance is a system, not a document. Policies matter, but you also need owners, workflows, and evidence (risk analysis, training records, access reviews, vendor reviews, and audit logs).
- Scope first: where does PHI exist? Your compliance posture is only as strong as your PHI inventory across systems, users, and vendors.
- Third parties can expand your HIPAA exposure fast. BAAs, vendor risk management, and subcontractor oversight are essential.
- Audits are easier when compliance is continuous. Periodic reviews and internal audits prevent last-minute evidence scrambles.
What is HIPAA compliance?
HIPAA compliance refers to the security, privacy, and related practices your organization must implement to safeguard PHI. In day-to-day operations, it typically includes ongoing procedures, technical safeguards, access controls, audits, and documentation to meet the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
PHI is individually identifiable information related to a person’s health condition, healthcare treatment, or payment for healthcare services. For data to be PHI under HIPAA, it must be created, received, maintained, or transmitted by a covered entity or business associate.
If your organization handles PHI in any capacity, non-compliance can lead to significant civil penalties, corrective action plans, reputational damage, and—in severe cases—criminal enforcement.
Who needs to comply with HIPAA?
HIPAA compliance is mandatory for covered entities and (since the 2013 Omnibus Rule) their business associates.
| Organization type | Explanation | Common examples |
|---|---|---|
| Covered entity | Organizations that create, receive, maintain, or transmit PHI for treatment or payment | Healthcare providers, health plans, healthcare clearinghouses |
| Business associate | Organizations that perform services involving PHI for covered entities (or on their behalf) | Healthcare SaaS vendors, cloud hosting providers, consultants, billing services, IT support, attorneys, CPAs |
Before disclosing PHI to a business associate, a covered entity typically uses a business associate agreement (BAA) to define permitted uses/disclosures and required safeguards. If you subcontract PHI-related work, you may also need BAAs downstream.
Why use a HIPAA compliance checklist?
HIPAA’s requirements can be broad. A checklist helps you translate regulatory language into operational tasks that reduce risk and improve accountability.
Common benefits include:
- Reduced non-compliance risk: Fewer missed requirements that later become audit findings or breach drivers.
- Clear accountability: You can assign owners across IT, security, operations, HR, and legal (HIPAA is never “just a security thing”).
- Faster audits and reviews: A checklist becomes a record of compliance work and evidence, which simplifies internal audits and external investigations.
Checklist: 8 key steps toward HIPAA compliance
Whether you’re new to HIPAA or formalizing an existing program, these eight steps help you establish and maintain a practical compliance posture:
- Familiarize yourself with HIPAA’s key rules
- Designate a HIPAA compliance officer
- Identify PHI and perform a risk analysis
- Implement the necessary policies and procedures
- Develop a breach reporting plan
- Schedule and conduct HIPAA training
- Assess and manage third-party risks
- Monitor and audit your compliance posture
Step 1: Familiarize yourself with HIPAA’s key rules
HIPAA includes multiple “rules” that define requirements. Three are especially important because many obligations flow from them:
- Privacy Rule: sets standards for protecting PHI and defines permissible uses/disclosures and patient rights.
- Security Rule: requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI).
- Breach Notification Rule: defines what constitutes a breach and the timelines and processes for notifying affected parties and regulators.
HIPAA also includes additional components (for example, enforcement-related rules and updates). If you’re unsure how requirements apply to your organization, consult qualified counsel and compliance experts.
Step 2: Designate a HIPAA compliance officer
HIPAA compliance requires coordination across the organization. Commonly, organizations designate two roles:
| Role | Focus |
|---|---|
| Privacy Officer | Policies and procedures for use/disclosure of PHI, and patient rights |
| Security Officer | Safeguarding ePHI through technical, physical, and administrative security measures |
In smaller organizations, one person may hold both roles; in larger organizations they are usually separate.
Typical responsibilities include:
- Managing risk analysis and internal audits
- Maintaining incident response and breach notification workflows
- Coordinating training and workforce compliance
Step 3: Identify PHI and perform a risk analysis
Start by identifying what data qualifies as PHI and where it lives across your systems and vendors. Many programs struggle because PHI appears in more places than expected (support tools, exports, analytics, logs, backups, vendor platforms).
HIPAA also defines identifiers commonly associated with PHI (for example: names, addresses below the state level, Social Security numbers, medical record numbers, biometric data, and contact information).
Once you have a PHI inventory, perform a risk analysis to identify vulnerabilities that could lead to unauthorized access, disclosure, or loss of availability. The output should be an actionable risk register: findings, severity, owners, and remediation timelines.
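As an added example (not part of the original article), the following Python scanner shows how to find PHI identifiers that have leaked into application logs, one of the places Step 3 warns about, and how to report them in a redacted form suitable for a risk register. The log lines are constructed, and the medical record number (MRN) format is an assumption to adapt to your own scheme.

```python
import re
from collections import Counter

# Constructed sample lines (not real data): PHI leaking into application logs.
SAMPLE_LOGS = [
    "2025-01-10T09:14:02Z INFO  claim submitted patient_ssn=123-45-6789 plan=GOLD",
    "2025-01-10T09:14:05Z DEBUG lookup MRN: 00482913 returned 1 row",
    "2025-01-10T09:15:11Z INFO  reminder sent to jdoe@example.com phone=555-867-5309",
    "2025-01-10T09:16:40Z INFO  cache warmed in 12ms",
]

# Patterns for identifier classes named in the article (SSN, record numbers,
# contact information). The "MRN" prefix and digit count are an assumption.
PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn":   re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}


def redact(value: str) -> str:
    """Keep only the last two characters so the finding itself does not re-leak PHI."""
    return "*" * (len(value) - 2) + value[-2:]


def scan_lines(lines):
    """Return findings as (line_no, identifier_type, redacted_match) tuples."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((line_no, kind, redact(match.group(0))))
    return findings


def summarize(findings):
    """Count hits per identifier type; this is the number that goes into the risk register."""
    return dict(Counter(kind for _, kind, _ in findings))


if __name__ == "__main__":
    results = scan_lines(SAMPLE_LOGS)
    for line_no, kind, value in results:
        print(f"line {line_no}: {kind:<5} {value}")
    print(summarize(results))
```

Run the scanner against exported log samples from each system in your PHI inventory; a non-zero count for a system you had classified as "no PHI" is exactly the kind of finding the risk analysis should surface.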
Step 4: Implement the necessary policies and procedures
HIPAA requires documented policies and procedures. The exact set depends on your role, systems, and risk profile, but the table below shows common categories.
| HIPAA rule | Example policies and procedures |
|---|---|
| Privacy Rule | Record retention, minimum necessary access, confidential communications, access restrictions, workforce sanctions |
| Security Rule | Password/identity policy, access management, risk management, workstation/device controls, disaster recovery |
| Breach Notification Rule | Internal notification policy, incident response plan, mitigation procedures, breach notice templates |
Pay special attention to data handling and role-based access. In practice, access control breakdowns and unclear PHI workflows are common contributors to HIPAA incidents.
Step 5: Develop a breach reporting plan
HIPAA defines breach notification requirements with specific timelines (often referenced as “without unreasonable delay” and within required windows, depending on circumstances).
Your internal plan should include:
- Who triages a suspected breach (often the Security Officer)
- How you preserve evidence and conduct a breach risk assessment
- Who approves notification decisions (security + legal)
- How you notify affected individuals, covered entities (if applicable), and regulators
Even if your external reporting timelines are clear, teams often get stuck on internal execution—especially without a practiced incident workflow.
Step 6: Schedule and conduct HIPAA training
HIPAA training is a practical requirement for governed organizations. The goal is to reduce errors, improve security behavior, and build a culture that treats PHI handling as a first-class operational responsibility.
Common training practices include:
- Annual organization-wide training (and training for new hires)
- Training after major policy updates or workflow changes
- Targeted training after incidents or near misses
Step 7: Assess and manage third-party risks
HIPAA’s third-party risk exposure typically shows up through business associates and subcontractors. If a vendor can access PHI, your program needs to manage that risk continuously.
A practical vendor program usually includes:
- Vendor inventory and tiering (critical vs non-critical)
- Vendor due diligence (security posture, safeguards, incident reporting expectations)
- BAAs in place before PHI access (and tracked renewal/version control)
- Ongoing reviews at a cadence aligned to vendor risk
Step 8: Monitor and audit your compliance posture
HIPAA is ongoing. Monitor controls, document results, and run periodic internal audits to find gaps early.
Typical audit areas include:
- Access controls and access review evidence
- Vendor BAAs and vendor oversight artifacts
- HIPAA training completion
- Incident response readiness (tabletops, tickets, corrective actions)
HIPAA also expects record retention. Treat documentation as part of the control, not a separate “paperwork step.”
Owners and evidence (what to document)
Use this table to turn the checklist into repeatable operations and audit-ready evidence.
| Step | Typical owner(s) | Evidence you should be able to produce | Cadence |
|---|---|---|---|
| HIPAA rules understanding | Compliance / Legal | Program scope statement, rule mapping notes, training for key stakeholders | On change |
| Officer designation | Leadership | Role assignments, job descriptions, escalation path | Annual review |
| PHI inventory + risk analysis | Security / GRC | PHI data flow map, asset inventory, risk register, remediation tickets | Quarterly |
| Policies + procedures | Compliance + Security + IT | Approved policies, acknowledgements, version history, control procedures | Quarterly |
| Breach reporting plan | Security + Legal | IR plan, breach playbooks, tabletop notes, incident tickets | Semiannual exercises |
| Training | HR + Compliance | Training records, role-based modules, completion exports | Annual + onboarding |
| Third-party risk management | Procurement + Security | Vendor register, BAAs, vendor assessments, renewal calendar | Annual (or risk-based) |
| Monitoring + audits | Security + Internal audit | Audit reports, access review evidence, monitoring alerts, corrective actions | Monthly/quarterly |
Ensure comprehensive HIPAA compliance with SecureSlate
HIPAA compliance goes faster when you can turn requirements into owned tasks and continuously updated evidence—without chasing screenshots and spreadsheets.
SecureSlate helps teams:
- Centralize HIPAA policies, procedures, and acknowledgements
- Track PHI scope, risk analysis findings, and remediation plans with clear owners
- Manage vendor oversight (BAAs, vendor evidence, and review cadences)
- Maintain audit-ready evidence for internal audits and customer security reviews
Get started for free to turn HIPAA requirements into clear, actionable steps your team can actually run.
FAQ: HIPAA compliance
Is HIPAA compliance only for hospitals and clinics?
No. HIPAA applies to covered entities and also to business associates and subcontractors that handle PHI (many healthcare vendors fall into these categories).
What’s the fastest way to start preparing for HIPAA compliance?
Start with a PHI inventory and data flow mapping, then perform a risk analysis. Those two steps tell you where safeguards and documentation matter most.
Do we need BAAs with all vendors?
Typically, you need BAAs with vendors that create, receive, maintain, or transmit PHI on your behalf. Data minimization and tight PHI boundaries can reduce how many vendors require BAAs.
Disclaimer (legal note)
SecureSlate is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.