‍

HIPAA, an acronym for the Health Insurance Portability and Accountability Act, is one of the most important federal regulatory frameworks for healthcare organizations. It’s an elaborate law that imposes many stringent requirements for patient privacy and data security on in-scope organizations. 

‍

Due to HIPAA’s broad scope, the framework was designed to allow flexibility in how safeguards are implemented. Still, complying with HIPAA requires having a strict internal system to address its often complex and ambiguous requirements.

‍

If you want to take concrete steps toward meeting the requirements of this regulation, consider this your ultimate HIPAA compliance checklist. We’ll cover:

‍

• Foundational aspects of HIPAA compliance
• Purpose of a HIPAA compliance checklist
• Eight key steps towards compliance

‍

What is HIPAA compliance?

HIPAA compliance refers to a set of security, privacy, and other associated rules and practices your organization must implement to safeguard the protected health information (PHI) of patients. It involves numerous ongoing procedures, technical safeguards, controls, and audits to fulfill the prescribed mandates.

‍

PHI is any individually identifiable information related to a patient’s condition, treatment, or payment for healthcare services. For data to be considered PHI under HIPAA, it must be created, stored, or transmitted by a covered entity or business associate.

‍

HIPAA compliance is mandatory if your organization handles PHI in any capacity. Non-compliance can result in significant financial penalties or, in severe cases, criminal charges.

‍

The U.S. Department of Health and Human Services provides comprehensive resources on meeting HIPAA requirements. This checklist will mostly focus on the practical aspects of compliance.

‍

Who needs to comply with HIPAA?

HIPAA compliance is mandatory for all covered entities, and, since the 2013 Omnibus Rule, their business associates as well. The regulation differentiates between two types of organizations, as outlined in the table below:

‍

‍

Before disclosing PHI to a business associate, a covered entity must establish a business associate agreement (BAA). This agreement confirms that the business associate complies with HIPAA requirements and outlines the permitted uses and disclosures of PHI.

‍

Why use a HIPAA compliance checklist?

Considering the complexity of HIPAA requirements, a checklist can help you:

‍

• Reduce risk of non-compliance: Following a checklist gives you clarity on what actions to take, minimizing the chance of overlooking a key requirement that could lead to violations and costly fines.
• Ensure better accountability: A checklist gives you a bird’s-eye view of numerous compliance processes across departments. With it, you can effectively delegate tasks based on defined roles and responsibilities, ensuring each stakeholder understands their duties in maintaining HIPAA compliance.
• Save time and improve efficiency: An organized checklist helps avoid the exhausting scouring across numerous resources to understand your obligations. You can also use the checklist as a record of your compliance efforts, streamlining internal and external audits.

‍

“

Organizations should use a checklist approach for HIPAA compliance to help translate regulatory language into actionable steps that reduce risk and enhance accountability.”

Faisal Khan

GRC Solutions Expert, Vanta

|

LinkedIn

‍

{{cta_withimage13="/cta-blocks"}} | HIPAA compliance checklist

‍

Checklist: 8 key steps toward HIPAA compliance

Whether you’re new to compliance or an experienced manager, this checklist covers the key steps needed to achieve and maintain HIPAA compliance:

‍

1. Familiarize yourself with HIPAA’s key rules
2. Designate a HIPAA compliance officer
3. Identify PHI and perform a risk assessment
4. Implement the necessary policies and procedures
5. Develop a breach reporting plan
6. Schedule and conduct HIPAA training
7. Assess and manage third-party risks
8. Monitor and audit your compliance posture

‍

The sections below will explain what each task entails.

‍

Step 1: Familiarize yourself with HIPAA’s key rules

HIPAA has more than five compliance components categorized as “rules” that describe administrative action to be taken in different circumstances. The following three rules are especially important:

‍

1. Privacy Rule: Establishes national standards for securing PHI, outlines the conditions for its permissible uses and disclosures, and gives patients greater rights regarding its access, amendment, and use
2. Security Rule: Obligates covered entities to implement and maintain technical, physical, and administrative controls to safeguard the integrity, availability, and confidentiality of electronic PHI (ePHI)
3. Breach Notification Rule: Defines what constitutes a breach, outlines the required risk assessment process, and sets the criteria and timelines for notifying the affected parties

‍

The regulation has additional rules, such as the Enforcement Rule and Omnibus Rule, but the above three are critical because most compliance requirements stem from them. Ideally, you should inform yourself through official HIPAA resources or consult with compliance experts to understand your obligations fully.

‍

Step 2: Designate a HIPAA compliance officer

While HIPAA compliance requires the efforts of employees across various departments, such as IT and admin, you must appoint a Security Officer and a Privacy Officer to oversee the process. Their primary role is to ensure the organization’s compliance policies and procedures are developed, implemented, and enforced as mandated, but they have unique duties:

‍

‍

Both officers are also often in charge of:

‍

• Guiding and performing risk assessments and internal compliance audits
• Reporting breaches and executing disaster recovery plans

‍

In larger organizations, these roles are often assigned to two different individuals, while in smaller organizations, one person may take on both responsibilities.

‍

Step 3: Identify PHI and perform a risk assessment

An essential part of your HIPAA compliance journey is identifying what information qualifies as PHI and non-PHI. It’s crucial to make this distinction to ensure you have the necessary safeguards in place that protect sensitive data and get you closer to HIPAA compliance.

‍

Still, many organizations may find it hard to differentiate between PHI and non-PHI. To minimize confusion, HIPAA specifies 18 identifiers associated with personally identifiable health information. We have listed several key ones below:

‍

• Names
• Addresses (any geographical subdivisions more precise than a state)
• Social Security numbers
• Contact information
• Medical record numbers
• Biometric data (e.g., fingerprints and retinal scans)

‍

As far as compliance is concerned, you must understand how PHI can be used and disclosed as per HIPAA requirements. Both covered entities and business associates may use and disclose PHI only for treatment, payment, and healthcare operations (i.e., TPO activities). You should consult your legal team to map the full scope of the applicable dos and don’ts.

‍

Additionally, if a certain use or disclosure of PHI is not permitted under the Privacy Rule, you can request individual authorization from the patient or their authorized representative via a designated form.

‍

Once you’ve identified the PHI your organization handles, conduct a risk assessment to uncover potential vulnerabilities that could lead to unauthorized access or disclosure. This process enables you to implement appropriate safeguards to mitigate those risks.

‍

Step 4: Implement the necessary policies and procedures

HIPAA’s rules prescribe numerous procedures and policies you must put into place to safeguard PHI and ensure compliance. The following table outlines some notable ones:

‍

‍

This is only a brief summary of the HIPAA policies and procedures. Consult with your HIPAA security officer to identify the ones that apply to your organization. You should also document the underlying processes and task owners to ensure smooth implementation.

‍

Pay special attention to data handling, risk-based protections, and role-based access. Organizations often overlook these controls, which is a common cause of HIPAA breaches.

‍

Implementing and maintaining the required HIPAA controls up to date requires significant resources and time investments from your compliance teams. You can save both by leveraging an automated compliance solution to help you track data efficiently.

‍

{{cta_withimage39="/cta-blocks"}} | The Healthcare compliance checklist

‍

Step 5: Develop a breach reporting plan

Under HIPAA’s Breach Notification Rule, any breach affecting 500 or more individuals must be reported to the Secretary of Health and Human Services within 60 days. If the number of affected individuals is lower, the report must be made within 60 days of the end of the calendar year.

‍

The covered entity must also notify all affected individuals within 60 days of the breach, and notify local media if more than 500 residents of a single state or jurisdiction are impacted.

‍

If you are a business associate, you must notify the covered entity within 60 days.

‍

While the reporting process is straightforward, you still need a well-defined internal plan for breach reporting. Define who will report the breach (e.g., the security officer) and when they should do it (e.g., as soon as the breach is discovered and assessed).

‍

Add elaborate due diligence procedures within your HIPAA compliance program for timely detection of breaches, as well as an appropriate response plan. Your response plan should include clear documentation processes, since HIPAA requires proof that breach notifications were issued or evidence that no breach occurred.

‍

Step 6: Schedule and conduct HIPAA training

HIPAA compliance training is mandatory for governed organizations. The idea behind comprehensive training is to:

‍

• Reduce the risk of policy violations and non-compliance
• Strengthen cybersecurity measures and practices at all levels of the organization
• Boost privacy and security awareness and build a culture of compliance

‍

It’s best to conduct HIPAA training at least annually and after any policy updates and regulatory changes so that all your personnel stay updated on the necessary policies and procedures. You should also conduct additional, targeted training after breaches to address specific weaknesses and prevent recurrence.

‍

Step 7: Assess and manage third-party risks

While HIPAA doesn’t use the term third party, it does recognize subcontractors—entities that serve as business associates to other business associates. For example, a cloud hosting provider or app developer working under a business associate would be considered a subcontractor.

‍

Since such entities might receive and process PHI as part of their services, you need to develop a third-party risk management (TPRM) program to help with HIPAA compliance. The aim is to ensure all your vendors and other third parties implement security and privacy measures to protect the PHI they access.

‍

The key TPRM-related HIPAA practices you should follow include:

‍

• Third-party risk assessments and mitigation: You need to conduct thorough risk assessments to understand your third-party risk landscape and develop the necessary mitigation strategies.
• Evaluation of a vendor’s security posture: Each vendor has a unique risk profile that you should account for. Conduct due diligence while onboarding new vendors and pay special attention to their technical and procedural security controls.
• Security incident reporting: If an incident occurs on a third party’s end, they must report it to you as soon as possible via an established communication channel.
• Business associate agreements: You must have written agreements with business associates that demonstrate their ability to safeguard your organization’s PHI.

‍

{{cta_withimage13="/cta-blocks"}} | HIPAA compliance checklist

‍

Step 8: Monitor and audit your compliance posture

You need to regularly monitor your implemented policies and procedures to ensure ongoing compliance. HIPAA requires internal audits at least annually, but you can conduct them more frequently to keep your compliance posture steady.

‍

The audit should include a systematic review of all the technical and administrative HIPAA requirements. Some sample review areas include:

‍

• Inspecting security measures
• Assessing business associate agreements
• Reviewing HIPAA training
• Documenting key findings and highlighting non-compliant or vulnerable areas
• Recommending corrective actions

‍

You must store all documentation collected during audits. HIPAA requires organizations to maintain compliance records for up to six years to support future investigations and reviews.

‍

You can set up an internal audit team or partner with end-to-end compliance platforms to streamline the process.

‍

Ensure comprehensive HIPAA compliance with Vanta

Vanta is a compliance management solution that helps you build trust and demonstrate a strong security posture through HIPAA compliance. The platform streamlines compliance with clear guidance and resources such as audit-ready controls, real-time monitoring, and automated testing.

‍

Vanta’s HIPAA suite offers dedicated tools and resources that can fast-track compliance, such as:

‍

• Technical organization-specific guidance for meeting the necessary requirements
• Automated evidence collection and monitoring with the help of 375+ integrations
• Policy builder with ready-to-use document templates
• Instant security reports and security training management
• Automation for up to 85% of required workflows, depending on your tech stack

‍

If you’re pursuing or have already achieved compliance with other industry-leading standards such as SOC 2, NIST, or HITRUST, Vanta’s cross-mapping can align your existing controls to  HIPAA requirements, speeding up compliance and eliminating duplicative work.

‍

Visit the HIPAA Compliance Automation page and request a demo to get a personalized walkthrough for you and your team.

‍

{{cta_simple18="/cta-blocks"}} | HIPAA product page

‍

A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney. 

‍