HIPAA IT compliance checklist

min read
Written by
Insuranceopedia Staff
On this page Open

No matter your industry, it’s crucial to grasp the Health Insurance Portability and Accountability Act (HIPAA) to meet your unique needs. To ensure HIPAA IT compliance, it’s essential to follow specific steps and include necessary components. Luckily, we’ve created a simple HIPAA IT compliance checklist template you can begin using immediately for thorough compliance.

What does the HIPAA compliance entail?

Ensuring the protection of patient information is paramount for any business, irrespective of its field. Implementing safeguards and strategies to secure data, conduct reports, and analyze risks are vital components of this endeavor.

In line with this, there are five key components of Health Insurance Portability and Accountability Act (HIPAA) compliance: privacy, security, enforcement, breach notification, and omnibus rules. Adhering to these guidelines and requirements is essential, particularly for IT businesses, to guarantee adequate protection.

Accessing a HIPAA IT compliance checklist is integral to this process. It mitigates concerns, clarifies any ambiguities, and safeguards your business effectively.

What rules apply to your business?

One of the pivotal aspects of this process is ensuring that your company is recognized as a covered entity. A covered entity is tasked with implementing various safeguards, excluding electronic data. However, certain privacy rule requirements may still apply depending on specific circumstances and challenges.

If your business is deemed a covered entity, compliance with HIPAA requirements becomes a legal obligation. Covered entities encompass a range of entities such as hospitals, clinics, doctors, dentists, pharmacies, psychologists, healthcare providers, insurance companies, chiropractors, among others. Additionally, there are business associates that offer services to covered entities, including CPA firms, billing companies, data storage enterprises, attorneys, and others.

The HIPAA IT compliance checklist


  • Have you performed a security risk assessment?
  • Did you conduct a privacy risk assessment?
  • Were you able to audit the business associates to ensure they are also HIPAA compliant?
  • Document all the deficiencies to ensure there are no problems
  • Track the deficiencies that you found during the audit?
  • Have you performed an administrative assessment?

Procedures and Policies

  • Is there a contingency plan that you can use to respond to any emergency?
  • Did you include a process that allows employees to report HIPAA violations and problems?
  • Are the business associates in agreement with all the requirements?
  • Also, did you identify all the business associates?
  • Are there procedures and policies in place to notify parties whenever a breach happens?
  • Have you created policies that document and track PHI violations
  • Have you created policies that help with the disposal of PHI in a secure manner?
  • Is the PHI encrypted when sharing or not?
  • Have you made a risk management policy in place?
  • Are the privacy and information security policies documented or not?

Doctor writing on notepad


  • Did you ensure that your employees know the privacy, physical and data security policies?
  • Are all the HIPAA training systems documented?
  • Are the employees trained in regards to HIPAA requirements?
  • Is a staff member assigned to perform HIPAA compliance training and checks?
  • Is the PHI access limited to certain employees or not?
  • Did you limit the facility access based on each employee and their requirements?


  • Is a remediation plan made for any security risk assessment deficiencies?
  • Did you create a plan for any privacy assessment deficiencies?
  • Is there in place a remediation plan for any administrative assessment deficiencies?


  • Did you make any HIPAA compliance reports?
  • Is there a system to identify any violations and track the progress of their investigation?
  • Did your company document the procedure and policy review?
  • Is your company reporting breach violations that have under 500 people to the HHS?
  • Are you able to provide the HSS with the necessary breach violation info within the designated timeline?

Steps you need to focus on for HIPAA compliance

The HIPAA compliance checklist shown above can help with human services and it can also provide better optimization for HIPAA regulations. Plus, making sure you are compliant with the HIPAA requirements can prevent many downsides as time goes by. Here are the steps that you must go through when it comes to the HIPAA compliance.

Assign an officer for HIPAA compliance

The primary focus of the HIPAA IT compliance checklist is to appoint a HIPAA compliance officer. This officer assumes various responsibilities, including enforcing policies, ensuring adherence to regulations, and developing a disaster recovery plan. Additionally, they oversee breach reporting, contribute to the formulation of privacy and security procedures, conduct regular risk assessments, and investigate security incidents as they occur.

Create the necessary security management standards and policies

The organization must establish procedures and policies enabling employees to manage Protected Health Information (PHI) effectively within their roles. Implementing measures such as establishing a data backup system, devising a retention policy, conducting regular data backups, implementing access management policies, and emphasizing privacy practices are all crucial steps in this regard.

Manage the business associates that have PHI access

Business associates are also responsible for the data they handle, and just like the covered entity, they need to ensure all data is protected accordingly. In order to stick with the HIPAA standards, the covered entity will need to ensure that the PHI info is protected by any business associate, and that document is called a business associate agreement.

Establishing the safeguards to ensure compliance

As per the HIPAA security rules, there are typically three types of safeguards: technical, physical, and administrative.

Technical safeguards are designed to prevent unauthorized access and may include measures such as implementing two-factor authentication (2FA), data encryption, and utilizing anti-malware software.

Physical safeguards involve measures such as issuing ID badges, installing surveillance cameras, and restricting access to facilities.

Administrative safeguards encompass actions like protecting PHI during emergency situations, addressing security incidents that pose a threat to PHI, and providing necessary training to the team on PHI protection protocols.

Performing risk assessments

In order to comply with the HIPAA regulations, you need to perform a risk assessment and see what issues can arise. The risk assessment is crucial because it will help identify vulnerabilities and weaknesses. Such an assessment is important since it gives you the means to tackle every process, manage the situation and solve the problem that would lead to issues down the line. The steps include:

  • Identify where you share and store the PHI data
  • Find weaknesses or potential threats
  • Track how efficient your security measures are.
  • Assign risk levels to each potential threat
  • You can prioritize risks based on how often they might happen.
  • Lasty, you must review any risks and update your security measures to circumvent any problems that might arise.

Doctor with patient in hospital room

Training your employees in regards to HIPAA compliance

Another important aspect to keep in mind is that your team needs to know about the HIPAA compliance, so adequate training is required. Once they complete a HIPAA compliance training system, that will help ensure you don’t need to worry about any major mistakes. Plus, this is a very good time to let the employees know about any penalties that come from HIPAA violations.

Investigating violations

HIPAA violations may occur unexpectedly due to various circumstances. In such cases, it’s crucial to conduct a thorough investigation to understand the underlying cause and determine the appropriate course of action for managing it effectively.

The HHS Office for Civil Rights offers valuable resources and guidance on addressing potential HIPAA violations comprehensively. Their posts provide insights into managing these incidents in a manner that is both effective and comprehensive.

Monitor and update the compliance policies

It’s important to recognize that HIPAA compliance is an ongoing process. While your organization may currently be compliant, this status isn’t static. As your organization expands, new responsibilities arise, necessitating ongoing efforts to enhance HIPAA compliance.

As you grow, implementing new, effective methods of safeguarding patient data becomes imperative to prevent major violations over time. Ensuring that your business associates also adhere to HIPAA regulations and providing regular training to your employees are significant factors in maintaining compliance.

Furthermore, restricting access to patient data to only essential personnel can mitigate the risk of data breaches and related issues. Prioritizing access limitation is a crucial aspect that warrants careful consideration and implementation.

What is seen as PHI, according to HIPAA?

Many individuals are curious about what constitutes Protected Health Information (PHI) under HIPAA, which can sometimes be challenging to define precisely. However, according to HIPAA guidelines, PHI encompasses a broad range of materials, including bills, x-rays, lab results, and written records.

Any conversation that involves health information pertaining to a specific patient may also be considered PHI. This category extends to electronic health records and generally encompasses any information that can be used to identify a patient and their current health status.

What is defined as the Minimum Necessary Standard?

The Minimum Necessary Standard is in the Privacy Rule and it’s meant to force covered entities to limit PHI access only to those that absolutely need access to it. There are different methods that you can use in order to adhere to the standard. That means setting up role based permissions, but also conduct a periodic audit to offer/remove permissions and ensure only the necessary people can access that data.

Is the HIPAA employee training mandatory?

Yes, if you have someone within your business that handles patient data, be it an employee or any business associate, then they need HIPAA training. That’s not for debate, it’s a mandatory requirement for anyone that gets their hands on patient info at any time during their processes.

Are there any data retention requirements from HIPAA?

Based on the HIPAA privacy rule, there is no specific retention requirement, at least not from a federal standpoint. However, the thing to keep in mind is that every state can have their own guidelines and specifics in this situation. In general, any documentation related to procedures and policies needs to be kept for around 6 years starting with the creation data or when it started to take effect.

Within this documentation we can find breach/incident documentation, privacy policies, information security, business associate agreements, any contingency and disaster recovery plans or risk assessments. These need to be kept for at least 6 years, maybe more in some states.

Tips to consider for HIPAA compliance implementation:

  • It’s very important to prioritize HIPAA training, because it can lower the risks of any employees mishandling or leaking data.
  • Any PHI backup should be kept off-site, in a secure location and with limited access.
  • Improve your current security and limit access only to people that actively need PHI, don’t leave access open to everyone.
  • Review the access logs so you can see who accesses the patient info and why they do that.
  • Make sure that any communication takes place electronically, and logs are kept for transparency.
  • Perform a test walkthrough to ensure that the procedures are followed as instructed, and if there are any potential risks.


Making sure that you have a HIPAA IT compliance checklist and stick with the guidelines is very important. Not only do you have to train your employees, but also your business associates and ensure all human services won’t end up making any mistakes.

Health insurance portability is extremely important, and the best way to safeguard patient info is to boost security, but also limit access as needed. We recommend checking our HIPAA IT compliance checklist and guidelines/steps, as that will help make the entire process easier, while also ensuring you maintain the HIPAA compliance!

Go back to top