HIPAA Compliance Checklist: What Healthcare Organizations Need to Verify

Our free HIPAA compliance checklist is designed for businesses in the healthcare industry. It’s perfect for:

  • Doctor offices
  • Hospitals
  • Urgent care facilities
  • Any organization that handles sensitive information

We’ll provide a list of measures you can take to remain compliant in 2026.

Need help with your IT or security? Schedule a call with us.

Why a HIPAA Checklist Matters in 2025

It’s the law. You’re responsible for keeping patient information secure. Our HIPAA compliance requirements checklist helps at a time when:

  • Cyberattack sophistication is increasing: Data is more valuable than ever before. Multi-layered security helps prevent breaches, ransomware and phishing attacks.
  • Digital footprints: Healthcare is expanding, and organizations must account for the adoption of electronic health records. More endpoints mean a larger attack surface that must be secured.
  • Strict enforcement: The HHS Office for Civil Rights (OCR) enforces HIPAA, so organizations must follow a HIPAA security checklist to remain audit-ready.

The onus is on you – business owners and managers – to follow a HIPAA security requirements checklist.

What Are the HIPAA Compliance Requirements?

Three core rules dictate whether you’re compliant:

  • Privacy
  • Security
  • Breach Notification

Within the Security category, we come across the three sections we’ll talk about extensively in this HIPAA compliance checklist:

  1. Administrative
  2. Physical
  3. Technical

Work through all of these examples below and you’ll have an easier time maintaining compliance.

Administrative Safeguards Checklist

Compliance programs hinge on the following:

Risk Assessments and Risk Management Plans

Limiting incidents is a major component of any compliance program. You’ll focus on risk:

  • Analysis. An annual risk analysis must be performed to identify where your organization creates, stores, receives and transmits ePHI.
  • Management. What measures are in place to manage the risks you identified? Policies and measures must be in place to mitigate risks and reduce incidents to “acceptable levels.”

Known vulnerabilities must also be considered in the analysis. A sanction policy further outlines the disciplinary actions that follow if violations occur.

Employee Training and Access Management

A HIPAA audit protocol checklist must include your workforce, too. Access limits must be in place to prevent staff from reaching data they are not authorized to see.

Start with:

  • Designated officers. One or more named workers must be responsible for privacy and for security, including the formal documentation of each.
  • Training. New employees must receive security training during onboarding so they can recognize threats such as phishing. Annual workshops reinforce your policies and help prevent breaches.

Add access management to your HIPAA compliance checklist. Controls on who can access what information prevent in-house breaches.

Contingency and Incident Response Plans

You can take every measure and follow our HIPAA IT compliance checklist, but a disaster can still occur. We recommend the following plans:

  • Data backup. Exact copies of ePHI must be maintained, and restoration from them tested regularly.
  • Disaster recovery. Create a plan to restore lost data and systems after a major incident.
  • Response. Written plans for detection, response and reporting of security breaches must be in place.

Physical Safeguards Checklist

These measures control access to the physical environment where ePHI is located.

Facility Access Controls

Check to make sure that:

  • Documented policies and procedures are in place to control and validate access based on the person’s role and function
  • Procedures are implemented to allow facility access in emergencies to restore lost data or systems
  • Records are kept of all repairs and modifications to physical security components

Device Security and Disposal Procedures

Verify that:

  • Workstations and mobile devices with access to ePHI are secured from unauthorized access
  • Policies and procedures are in place to handle the final disposal of electronic media that contains ePHI
  • Records are maintained of all hardware that stores or moves ePHI

Technical Safeguards Checklist

These measures secure and protect ePHI.

Encryption, MFA and Secure Sessions

Ensure that:

  • All sensitive data is encrypted at rest and in transit
  • Unique User IDs are assigned to all personnel for easy tracking
  • Multi-factor authentication is required for system access
  • Automatic logoff is enabled to terminate sessions after periods of inactivity

Audit Logs and Activity Monitoring

Your HIPAA technology requirements checklist must include:

  • Audit controls. Are hardware, software and procedural mechanisms in place to record and examine activity in systems that contain ePHI?
  • Review policies. Are audit logs and access reports reviewed regularly for suspicious activity?

Data Integrity Controls

Check to make sure:

  • Policies and procedures are in place to protect ePHI against improper alteration or destruction.
  • Electronic systems verify the identity of a person or entity before granting access to ePHI.

Business Associate Requirements

A HIPAA audit checklist covers Business Associate classifications and agreements.

Business Associate Agreements (BAAs)

Every HIPAA assessment checklist should verify that:

  • Every vendor or entity that creates, maintains, receives or transmits PHI on your behalf is identified as a Business Associate.
  • A BAA is signed with every BA before they access PHI.
  • The agreement stipulates that the BA will implement HIPAA Security Rule safeguards and notify you of breaches without unreasonable delay.

Vendor Risk Assessment Checklist

Make sure your checklist for HIPAA compliance includes:

  • Verification of the vendor’s security posture and compliance.
  • Assurance that all subcontractors with access to your PHI are subject to the same HIPAA restrictions via a Business Associate Agreement.

Policies, Documentation, and Recordkeeping

Your HIPAA compliance requirements checklist should include:

  • Written policies. All must be documented, accessible to staff and specific to the organization’s environment.
  • Notice of Privacy Practices. These must be maintained, posted visibly and distributed to patients.
  • A retention policy. All records related to compliance must be maintained for at least six years.

How Cyber Husky Can Support HIPAA Compliance

Cyber Husky provides the expertise and tools healthcare organizations need to maintain continuous compliance.

We go beyond a basic HIPAA audit checklist to offer:

  • Annual Security Risk Analysis to provide a clear map of vulnerabilities.
  • Managed technical safeguards. Our HIPAA IT compliance checklist is extensive. We deploy and manage essential technical controls such as multi-factor authentication and encryption.
  • Business Associate Agreement management. We ensure agreements meet the latest regulatory standards.

Our services are tailored to your needs and goals to keep you compliant year-round.

Summary: Your HIPAA Checklist at a Glance

Safeguard Type     | Core Requirement      | Verification Check
Administrative     | Risk Management       | Annual SRA completed and mitigation plan active
Administrative     | Workforce Management  | Mandatory annual training and a formal sanction policy are in place
Administrative     | Contingency Planning  | Disaster Recovery and Breach Response Plans tested and documented
Physical           | Access Control        | Physical access to ePHI areas is logged and restricted
Physical           | Disposal              | Electronic media disposal handled securely (degaussed, shredded)
Technical          | Access Control        | MFA and Unique User IDs implemented for all ePHI access
Technical          | Encryption            | All ePHI is secured at rest and in transit
Business Associate | BAA                   | Signed BAA in place with every vendor/entity handling PHI

FAQs

What happens if a healthcare organization is not HIPAA compliant?

Non-compliance leads to:

  • Hefty fines
  • Reputation damage
  • Criminal penalties

Organizations may have to pay tens of thousands of dollars in fines. They also face damage to their reputations because data breaches must be made public.

How often should HIPAA compliance be reviewed?

On an ongoing basis. The Security Rule requires an annual Security Risk Analysis.

Any related policies and your HIPAA security checklist should also be reviewed and updated whenever there is a significant operational change such as adopting a new EHR or experiencing a data breach.

Are cloud-based systems allowed under HIPAA?

Yes. Cloud-based systems like Microsoft Azure or Google Cloud are permitted. But both the cloud service provider (CSP) and the Covered Entity must meet all HIPAA requirements. This means that:

  • The CSP must sign a Business Associate Agreement
  • The CSP’s services must be configured to be compliant (for example, ensuring access controls are enabled)

Do small healthcare practices need to follow HIPAA rules?

Yes. Even small practices need a HIPAA security requirements checklist. Compliance is scalable based on the size and resources of the organization, but the rules themselves are mandatory. Practices face severe penalties if they fail to comply.
