What Your HIPAA Compliance Checklist Needs to Include


HIPAA compliance takes continuous effort. And to that end, never underestimate the value of a good checklist to help you stay on track.

When was the last time you thought seriously about your compliance with the HIPAA regulations? Did you have a consultant hand you a binder of policies and procedures on how to comply with HIPAA Privacy regulations, and promptly put it on a shelf in an office? Do you require employees to complete training in HIPAA regulations and participate in a HIPAA security awareness training program? Have you cataloged your Business Associate Agreements, and are your BA agreements up to date? Have you tried using a HIPAA compliance checklist to review the effectiveness of your HIPAA compliance process?

If you haven’t, you have a lot of company. But if you, or a business associate with whom you shared electronic protected health information (ePHI), suffer a significant data breach, you will wish you had completed a HIPAA compliance checklist recently. A current, documented checklist can only improve your position in a HIPAA audit or investigation by the Office for Civil Rights (OCR).

 

What are the main components of a HIPAA Compliance Checklist?

Naturally, any HIPAA Compliance Audit Checklist has to be organized in some fashion. Although there is some overlap between policies and activities required under the HIPAA Privacy Rule and the HIPAA Security Rule, a good HIPAA compliance audit checklist covers both rules, plus the Breach Notification Rule. It also addresses relationships and agreements with business associates and includes a HIPAA risk assessment checklist. As you look at more information below, you may want to download a copy of our free HIPAA compliance checklist!

 

Download your free HIPAA Compliance Checklist!

 

HIPAA Privacy Rule Policies and Procedures in a HIPAA Compliance Checklist

Both the HIPAA Privacy Rule and the HIPAA Security Rule require extensive systems of policies and procedures. Some of the policies and procedures you may need to revise based on recent changes to HIPAA regulations include:

  • Changes to your Notice of Privacy Practices (NPP) required by the HIPAA Privacy Rule update for reproductive health services (RHS). The NPP changes do not have to be in place until February 16, 2026. The long lead time is because the Department of Health and Human Services (HHS) was also revising the rules on the confidentiality of substance use disorder records (42 CFR Part 2), which change NPP requirements as well, so HHS aligned the two compliance dates. However, providers who deliver reproductive health services to out-of-state residents may want to revise their NPPs now to include the new definitions and the provisions limiting disclosure of RHS, especially to out-of-state law enforcement.
  • Business Associate Agreements (BAAs) may need review and updating. The HITECH Act of 2009 made business associates directly liable for compliance with several provisions of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules. Your BAAs should reflect the business associate’s responsibility for these functions, spell out how quickly the business associate must report security incidents and breaches to you, and address issues like cyber liability insurance.
  • Many covered entities have problems with human resources issues such as employee snooping in patient records and applying sanctions for HIPAA violations. OCR, which investigates complaints and data breaches, will want to see your policies and procedures on this subject, as well as evidence that you actually follow them (for example, records of access-log reviews and of sanctions applied).
  • Privacy complaints are another area to review, for both the language and the implementation of your policies and procedures. In the past few years, OCR has put special emphasis on complaints about the untimely release of medical records to patients. Under its Right of Access enforcement, dozens of providers have been fined for failing to make records available within 30 days of a request by a patient or patient representative (one 30-day extension is allowed if the patient is told in writing why). Physician office staff have even told patients that their records cannot be released to them because of HIPAA!
  • This behavior underlines the need for another checklist item: employee training. HIPAA compliance is a required, never-ending chore, so ongoing training is paramount for covered entities. Many online courses cover the general HIPAA requirements for front-line employees, but that training must be supplemented with instruction in your own organization’s specific policies and procedures. Otherwise, employees will still make mistakes that result in letters from OCR, or even a listing on the OCR breach portal, the so-called HIPAA Wall of Shame.

These are just a few of the areas that must be addressed by policies and procedures. There are many others on our HIPAA Compliance Checklist, including designating a Privacy Officer and handling patient requests to amend their medical records.

 

HIPAA Security Rule Policies and Procedures in a HIPAA Compliance Checklist

If the Privacy Rule policies and procedures are extensive, those for the Security Rule are downright daunting. A HIPAA Security Rule checklist covers the three categories of safeguards in the rule: administrative, physical, and technical. There have been relatively few changes to the Security Rule since it was first adopted, and many of those have been technical changes to systems, such as permitting electronic submission of attachments and signatures. Nevertheless, a few areas deserve special attention in a HIPAA compliance requirements checklist.

  • A HIPAA Risk Analysis is required of every covered entity (and business associate) that creates, receives, maintains, or transmits electronic protected health information (ePHI). It is part of the administrative safeguards. A HIPAA risk assessment checklist helps you identify where ePHI is stored and flows, the threats and vulnerabilities to it, and the likelihood and impact of each, so that safeguards can be prioritized. In many investigations of a HIPAA complaint or breach, OCR finds that the entity never completed a risk analysis at all. The analysis must be repeated periodically, and whenever there is a major change to the hardware, software, or operating environment used to create and maintain ePHI.
  • One of the physical safeguards is a standard for facility access controls. Since the physical facilities that house the equipment a covered entity uses to create and maintain ePHI can change, this is an area of policies and procedures to review and update whenever there are changes. Many healthcare providers use third-party data centers. A provider must understand the physical and administrative safeguards the data center applies and how they meet HIPAA requirements; a data center that stores ePHI on your behalf is a business associate and must be covered by a BAA.
  • The technical safeguards cover access control, audit controls, integrity, person or entity authentication, and transmission security. One reason the Security Rule changes so little is that OCR deliberately writes it to be technology-neutral, specifying outcomes rather than particular products. For example, the access control standard requires that users can view or change only the information their jobs require, and that access is removed when a user leaves the organization. Encryption of ePHI in transit and at rest, especially on portable devices such as laptops and flash drives, must also be addressed. Encryption is an “addressable” specification, which does not mean optional: you must either implement it or document why it is not reasonable and appropriate for you and what equivalent alternative you use instead.
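A concrete check for the access-termination point above, as an added example that is not part of the original article: it reconciles an HR termination list against an identity-provider account export and reports accounts that should have been disabled. Both data sets are constructed here, and the CSV column names (employee_id, status, last_login, roles) are assumptions rather than any real HR or IdP schema; a practitioner would substitute exports from their own systems.

```python
"""Access-termination check for the Security Rule's access control standard.

Added example, not from the original article. Reconciles a constructed HR
termination list against a constructed identity-provider (IdP) account
export and reports accounts that should have been disabled. The CSV column
names are assumptions, not any real HR or IdP schema.
"""
import csv
import io
from datetime import date

# Constructed HR roster: workforce members whose employment has ended.
HR_TERMINATIONS_CSV = """employee_id,name,termination_date
E1001,Alice Example,2024-03-15
E1002,Bob Example,2024-05-01
E1003,Carol Example,2024-06-30
"""

# Constructed IdP export: one row per account, with last successful login.
IDP_ACCOUNTS_CSV = """username,employee_id,status,last_login,roles
alice,E1001,active,2024-04-02,ehr_clinician
bob,E1002,disabled,2024-04-28,billing
carol,E1003,active,2024-06-20,ehr_admin
dave,E1004,active,2024-07-01,ehr_clinician
"""


def load_csv(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def find_termination_gaps(hr_csv, idp_csv):
    """Return findings for accounts belonging to terminated workforce members.

    Each finding is a dict with username, employee_id, roles, severity, reason:
      critical - account still active and used after the termination date
      high     - account still active, no login seen after termination
      medium   - account disabled now but used after termination, i.e.
                 deprovisioning happened late (evidence for audit review)
    """
    terminated = {row["employee_id"]: row for row in load_csv(hr_csv)}
    findings = []
    for acct in load_csv(idp_csv):
        term = terminated.get(acct["employee_id"])
        if term is None:
            continue  # not on the termination list: still employed
        term_date = date.fromisoformat(term["termination_date"])
        last_login = date.fromisoformat(acct["last_login"])
        used_after = last_login > term_date
        is_active = acct["status"].strip().lower() == "active"

        if is_active and used_after:
            severity = "critical"
            reason = "active and used on %s, after termination on %s" % (last_login, term_date)
        elif is_active:
            severity = "high"
            reason = "still active after termination on %s" % term_date
        elif used_after:
            severity = "medium"
            reason = "disabled late: last login %s after termination on %s" % (last_login, term_date)
        else:
            continue  # disabled on or before the termination date: no gap

        findings.append({
            "username": acct["username"],
            "employee_id": acct["employee_id"],
            "roles": acct["roles"],
            "severity": severity,
            "reason": reason,
        })
    # Worst cases first so the review starts where the exposure is greatest.
    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in find_termination_gaps(HR_TERMINATIONS_CSV, IDP_ACCOUNTS_CSV):
        print("%-8s %-6s %-8s %-14s %s" % (f["severity"], f["employee_id"],
                                           f["username"], f["roles"], f["reason"]))
```

On the constructed data the check flags alice (active and logged in after her termination date) as critical and carol (active, not yet used) as high, while bob, disabled before his end date, produces no finding. Keeping the report, with the date it was run, is the kind of evidence OCR looks for that termination procedures are actually followed rather than merely written down.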

 

HIPAA Breach Notification Rule provisions in HIPAA Checklists

Policies and procedures for the HIPAA Breach Notification Rule are another important component of a HIPAA checklist. Healthcare organizations serious about HIPAA compliance should have several policies and procedures, including:

Another item to address in your HIPAA compliance checklist: whether state agencies must also be notified of a breach that results in unauthorized disclosure of protected health information. State breach notification laws apply in addition to HIPAA, and many states require notice to the state attorney general.

 

HIPAA Privacy and Security Officer

Finally, don’t forget to periodically review the duties, responsibilities, and performance of the HIPAA Privacy Officer and the HIPAA Security Officer. The Privacy Rule requires a designated Privacy Officer and the Security Rule a designated Security Officer; the roles are distinct, but one person can hold both, which is common in small healthcare practices.

And if you are a small health care provider, take a look at our Ultimate Guide to Medical Office HIPAA Compliance. It is a comprehensive review of HIPAA compliance requirements for medical offices.


Jim Hook, MPH

Mr. James D. Hook has over 30 years of healthcare executive management and consulting experience in medical groups, hospitals, IPA’s, MSO’s, and other healthcare organizations.