Beginner · 25 min read

Complete HIPAA Compliance Checklist 2026

The definitive HIPAA compliance checklist updated for the May 2026 Security Rule. Covers all administrative, physical, and technical safeguards with regulatory citations, enforcement examples, and mandatory new requirements including MFA, encryption, asset inventory, and network segmentation.

Topics: Administrative Safeguards, Physical Safeguards, Technical Safeguards, Privacy Rule, Breach Notification, May 2026 Security Rule, Enforcement Penalties

Introduction to HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996 and enforced by the Office for Civil Rights (OCR), establishes national standards for protecting sensitive patient health information. As of 2026, HIPAA applies to all covered entities (healthcare providers, health plans, and clearinghouses) and their business associates.

Why this matters now: The 2024 Change Healthcare ransomware attack affected over 100 million patients and resulted in cascading disruptions across the entire US healthcare system. OCR has responded with aggressive enforcement — small practices faced penalties exceeding $100,000 for basic security failures in 2024-2025. The May 2026 Security Rule update introduces mandatory requirements that eliminate most "addressable" specifications, making items like encryption and multi-factor authentication compulsory.

This checklist reflects the current regulatory landscape including the May 2026 Security Rule amendments.


1. Administrative Safeguards — §164.308

Administrative safeguards account for over half of HIPAA Security Rule requirements. These are the policies, procedures, and management actions that govern how your practice protects ePHI.

1.1 Security Management Process — §164.308(a)(1)

  • Conduct a comprehensive Security Risk Assessment (SRA) at least annually
  • Document your risk analysis methodology, findings, and remediation plan
  • Implement security measures that reduce identified risks to a reasonable and appropriate level
  • Apply sanctions against workforce members who violate security policies (document the sanctions policy)
  • Regularly review information system activity — audit logs, access reports, and security incident tracking
  • Maintain a risk register with risk ratings, owners, and mitigation timelines

Enforcement note: In 2023, OCR fined a solo dental practice $30,000 for failing to conduct a risk analysis. This is the single most-cited deficiency in HIPAA audits.

1.2 Assigned Security Responsibility — §164.308(a)(2)

  • Designate a Security Officer responsible for developing and implementing security policies
  • Designate a Privacy Officer (may be the same person in small practices)
  • Document officers' names, contact information, and scope of authority
  • Ensure officers have adequate authority, resources, and access to implement security measures
  • Define a succession plan if the officer is unavailable

1.3 Workforce Security — §164.308(a)(3)

  • Implement role-based access authorization — grant ePHI access only to staff who need it
  • Establish workforce clearance procedures (background checks for roles with ePHI access)
  • Create termination procedures that revoke all access within 24 hours of separation
  • Disable accounts immediately upon termination — do not wait for IT to "get around to it"
  • Collect all devices, keys, badges, and credentials at separation
  • Maintain an access authorization log showing who approved what access and when

1.4 Information Access Management — §164.308(a)(4)

  • Implement role-based access control (RBAC) — define access levels per job function
  • Document which roles have access to which systems and data categories
  • Review access rights when job functions change (promotion, transfer, new responsibilities)
  • Conduct quarterly access reviews to identify and remove stale permissions
  • Implement a formal access request and approval workflow

1.5 Security Awareness and Training — §164.308(a)(5)

  • Provide HIPAA security training to all workforce members within 30 days of hire
  • Conduct annual refresher training for all staff
  • Include phishing awareness training with simulated phishing exercises
  • Train staff on password management and multi-factor authentication
  • Train staff on recognizing and reporting security incidents
  • Train staff on social engineering tactics (pretexting, baiting, tailgating, impersonation)
  • Document all training sessions — attendees, dates, content covered, quiz scores
  • Maintain training completion records for 6 years

Real-world context: The 2024 Change Healthcare attack began with compromised credentials and no MFA. Staff training on credential security is not optional — it's the frontline defense.

1.6 Security Incident Procedures — §164.308(a)(6)

  • Define what constitutes a security incident (unauthorized access, malware, lost devices, etc.)
  • Implement procedures for workforce members to report incidents immediately
  • Establish an incident response team with defined roles
  • Document all security incidents — date, scope, response actions, outcome
  • Conduct post-incident analysis to prevent recurrence
  • Report security incidents per breach notification requirements (see Section 6)

1.7 Contingency Plan — §164.308(a)(7)

  • Establish and test data backup procedures (daily incremental, weekly full)
  • Create a disaster recovery plan with defined Recovery Time Objectives (RTO)
  • Develop an emergency mode operation plan for critical business processes
  • Test contingency plans at least annually with tabletop exercises
  • Document test results and update plans based on findings
  • Ensure backup data is encrypted and stored offsite or in a separate availability zone
  • Verify backup restoration actually works — test restores quarterly

1.8 Evaluation — §164.308(a)(8)

  • Perform periodic technical and non-technical evaluations of security controls
  • Evaluate after any environmental or operational change (new EHR, office move, cloud migration)
  • Document all evaluation activities, findings, and corrective actions
  • Engage independent third-party assessments annually (recommended for practices with >10 staff)

1.9 Business Associate Management — §164.308(b)(1)

  • Identify ALL business associates (EHR vendors, cloud storage, billing companies, IT support, shredding services, email providers)
  • Execute signed Business Associate Agreements (BAAs) before sharing any ePHI
  • Ensure BAAs include required elements: permitted uses, safeguards, breach notification obligations, termination provisions
  • Review BAAs annually and update when services change
  • Verify business associates have their own security programs (request SOC 2 reports or security attestations)
  • Maintain a business associate inventory with contract dates and renewal schedules
  • Terminate BAAs and retrieve/destroy ePHI when relationships end

2. Physical Safeguards — §164.310

Physical safeguards protect the physical infrastructure — buildings, equipment, and media — that houses ePHI.

2.1 Facility Access Controls — §164.310(a)(1)

  • Implement physical access controls (locks, badge readers, or key codes) on all areas containing ePHI
  • Develop visitor procedures — sign-in log, escort requirements, badge identification
  • Document and validate facility access based on job role
  • Maintain records of all physical security modifications (lock changes, access code updates)
  • Implement surveillance or monitoring in server rooms and areas with ePHI systems
  • Establish after-hours access procedures and logging

2.2 Workstation Use and Security — §164.310(b) & §164.310(c)

  • Define acceptable workstation use policies for all ePHI-accessing devices
  • Position monitors away from public view (waiting rooms, windows, hallways)
  • Use privacy screens on monitors in shared or semi-public areas
  • Implement automatic screen locks after 5 minutes of inactivity (maximum)
  • Prohibit unattended logged-in workstations
  • Restrict workstation physical access — no patient-accessible computers with ePHI
  • Clean desk policy — no ePHI on paper left unattended

2.3 Device and Media Controls — §164.310(d)(1)

  • Maintain a complete inventory of all devices containing or accessing ePHI
  • Implement policies for secure disposal of hardware (NIST SP 800-88 media sanitization)
  • Track all device movements — transfers between locations, staff assignments
  • Remove all ePHI before device reuse, transfer, or disposal (verified wipe with certificate)
  • Encrypt all portable media (USB drives, external hard drives, backup tapes)
  • Implement procedures for lost or stolen device reporting and remote wipe

3. Technical Safeguards — §164.312

Technical safeguards are the technology and related policies that protect ePHI and control access to it. The May 2026 Security Rule update makes most of these mandatory (no longer "addressable").

3.1 Access Control — §164.312(a)(1)

  • Assign unique user identifications (usernames/IDs) to every person — no shared accounts
  • Implement multi-factor authentication (MFA) on ALL systems containing ePHI — mandatory under May 2026 rule
  • Use authenticator apps or hardware keys (FIDO2) — SMS-based MFA is discouraged
  • Establish emergency access procedures (break-glass accounts with audit trails)
  • Implement automatic session termination after 15 minutes of inactivity (5 minutes recommended)
  • Encrypt ePHI at rest using AES-256 or equivalent — mandatory under May 2026 rule
  • Implement role-based access with least-privilege principle

May 2026 change: MFA and encryption at rest are no longer "addressable" specifications. They are mandatory for all covered entities regardless of size.

3.2 Audit Controls — §164.312(b)

  • Implement logging on all systems that create, receive, maintain, or transmit ePHI
  • Log user access (who accessed what, when, from where)
  • Log authentication events (successful and failed login attempts)
  • Log system changes (configuration modifications, privilege escalations)
  • Review audit logs regularly (weekly minimum, daily recommended)
  • Retain audit logs for a minimum of 6 years
  • Implement automated alerting for suspicious activity (multiple failed logins, off-hours access, bulk data exports)
  • Protect log integrity — logs should be write-once or stored in a separate system
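The three alerting conditions listed above (repeated failed logins, off-hours access, bulk data exports), shown as detection logic run over constructed audit log lines. This is an added example, not code from the original page; the log format, user ids, source addresses and thresholds are assumptions for illustration.

```python
# Added example: the audit-control alerting rules from the checklist run over
# constructed audit log lines. Log layout, field names, users and thresholds
# are assumptions for illustration, not taken from any real EHR product.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: ISO timestamp, event, user, source IP, detail.
SAMPLE_LOG = """\
2026-05-04T08:55:02 LOGIN_FAIL   jdoe    10.0.5.21  reason=bad_password
2026-05-04T08:55:19 LOGIN_FAIL   jdoe    10.0.5.21  reason=bad_password
2026-05-04T08:55:41 LOGIN_FAIL   jdoe    10.0.5.21  reason=bad_password
2026-05-04T08:56:03 LOGIN_FAIL   jdoe    10.0.5.21  reason=bad_password
2026-05-04T08:56:30 LOGIN_FAIL   jdoe    10.0.5.21  reason=bad_password
2026-05-04T09:02:11 LOGIN_OK     asmith  10.0.5.30  mfa=fido2
2026-05-04T09:10:45 RECORD_VIEW  asmith  10.0.5.30  patient=P-1042
2026-05-04T14:20:00 EXPORT       asmith  10.0.5.30  records=35
2026-05-04T23:41:07 LOGIN_OK     bjones  10.0.7.12  mfa=totp
2026-05-04T23:45:19 EXPORT       bjones  10.0.7.12  records=1200
"""

FAILED_LOGIN_THRESHOLD = 5          # failures per user within the window
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = (7, 19)            # 07:00-19:00 local time counts as normal
BULK_EXPORT_THRESHOLD = 500         # records in a single export event


def parse_line(line):
    """Split one constructed log line into a dict; returns None for blank lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts, event, user, src, detail = parts[0], parts[1], parts[2], parts[3], parts[4]
    key, _, value = detail.partition("=")
    return {"ts": datetime.fromisoformat(ts), "event": event, "user": user,
            "src": src, key: value}


def detect_alerts(log_text):
    """Return a sorted list of (rule, user) alerts for the three checklist rules."""
    alerts = set()
    failures = defaultdict(list)          # user -> timestamps of LOGIN_FAIL
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "LOGIN_FAIL":
            # Sliding window: keep only failures within FAILED_LOGIN_WINDOW.
            window = failures[ev["user"]]
            window.append(ev["ts"])
            window[:] = [t for t in window if ev["ts"] - t <= FAILED_LOGIN_WINDOW]
            if len(window) >= FAILED_LOGIN_THRESHOLD:
                alerts.add(("repeated_failed_logins", ev["user"]))
        if ev["event"] in ("LOGIN_OK", "RECORD_VIEW", "EXPORT"):
            # Any successful activity outside business hours is flagged.
            hour = ev["ts"].hour
            if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
                alerts.add(("off_hours_access", ev["user"]))
        if ev["event"] == "EXPORT" and int(ev.get("records", 0)) >= BULK_EXPORT_THRESHOLD:
            alerts.add(("bulk_export", ev["user"]))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, user in detect_alerts(SAMPLE_LOG):
        print(f"ALERT {rule}: {user}")
```

The same rules would run unchanged as a scheduled job over exported logs, which is one way to meet the "weekly minimum, daily recommended" review cadence with evidence of what was flagged.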

3.3 Integrity Controls — §164.312(c)(1)

  • Implement mechanisms to verify ePHI has not been improperly altered or destroyed
  • Use checksums, digital signatures, or hash verification for data integrity
  • Implement change detection on critical system files and databases
  • Maintain database transaction logs for audit and recovery
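Hash-based change detection for a set of ePHI records, as the first two items above call for, with an HMAC over the digest table so the manifest itself cannot be silently rewritten. This is an added example, not code from the original page; the record layout and the hypothetical in-source key are assumptions for illustration.

```python
# Added example: per-record SHA-256 digests plus an HMAC over the digest table,
# implementing the "checksums / hash verification" integrity control from the
# checklist. Record fields and the demo key are assumptions for illustration;
# a real deployment keeps the key in a KMS/HSM, never in source.
import hashlib
import hmac
import json

# Constructed sample records keyed by record id (no real patient data).
SAMPLE_RECORDS = {
    "P-1042": {"name": "Sample Patient A", "dob": "1980-01-01", "dx": "J45.20"},
    "P-1043": {"name": "Sample Patient B", "dob": "1975-06-15", "dx": "E11.9"},
}
# Hypothetical integrity key; in practice fetched from a key manager.
DEMO_KEY = b"demo-integrity-key-not-for-production"


def record_digest(record):
    """SHA-256 over a canonical JSON form so field order cannot mask changes."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_manifest(records, key):
    """Per-record digests plus an HMAC over the digest table.

    The HMAC means someone who can edit both the records and the manifest
    still cannot produce a consistent manifest without the key."""
    digests = {rid: record_digest(rec) for rid, rec in sorted(records.items())}
    table = json.dumps(digests, sort_keys=True).encode("utf-8")
    mac = hmac.new(key, table, hashlib.sha256).hexdigest()
    return {"digests": digests, "mac": mac}


def verify_manifest(records, manifest, key):
    """Return (manifest_ok, changes); changes is a sorted list of (kind, record_id).

    kind is 'added', 'deleted' or 'modified'. manifest_ok is False when the
    digest table fails HMAC verification; the change list is then untrustworthy
    and is returned empty so callers cannot act on a forged manifest."""
    table = json.dumps(manifest["digests"], sort_keys=True).encode("utf-8")
    expected = hmac.new(key, table, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return False, []
    stored = manifest["digests"]
    changes = []
    for rid, rec in records.items():
        if rid not in stored:
            changes.append(("added", rid))
        elif record_digest(rec) != stored[rid]:
            changes.append(("modified", rid))
    for rid in stored:
        if rid not in records:
            changes.append(("deleted", rid))
    return True, sorted(changes)


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_RECORDS, DEMO_KEY)
    print(verify_manifest(SAMPLE_RECORDS, manifest, DEMO_KEY))
```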

3.4 Person or Entity Authentication — §164.312(d)

  • Verify the identity of all persons or entities seeking access to ePHI
  • Implement multi-factor authentication (at least two of: something you know, something you have, something you are)
  • Authenticate API connections and system-to-system integrations
  • Implement certificate-based authentication for server communications

3.5 Transmission Security — §164.312(e)(1)

  • Encrypt ALL ePHI in transit — TLS 1.2+ for web traffic, encrypted email for PHI — mandatory under May 2026 rule
  • Implement VPN for remote access to practice systems
  • Disable unencrypted protocols (HTTP, FTP, Telnet, unencrypted SMTP)
  • Verify encryption configurations regularly (certificate expiration, cipher strength)
  • Prohibit transmission of ePHI over unencrypted email — use encrypted messaging or patient portals

3.6 Network Security — May 2026 Requirements

  • Maintain a complete technology asset inventory (all hardware, software, and network devices)
  • Create and maintain a network map showing all ePHI data flows
  • Implement network segmentation — isolate systems containing ePHI from general network traffic
  • Deploy firewalls with documented rule sets between network segments
  • Conduct vulnerability scanning at least every 90 days (automated scanning recommended)
  • Implement patch management — critical patches within 15 days, all others within 30 days
  • Deploy endpoint detection and response (EDR) on all systems accessing ePHI
  • Implement email authentication (SPF, DKIM, DMARC) to prevent phishing and spoofing
  • Disable unnecessary services and ports on all systems
  • Implement intrusion detection/prevention systems (IDS/IPS)

May 2026 requirements: Technology asset inventory, network map, vulnerability scanning every 90 days, and network segmentation are all new mandatory requirements. These were not previously specified and represent the most significant expansion of technical controls since HIPAA's inception.

3.7 Mobile Device and Remote Access Security

  • Implement mobile device management (MDM) for all devices accessing ePHI
  • Require device encryption on all mobile devices (phones, tablets, laptops)
  • Enforce PIN/biometric lock with maximum 5-minute auto-lock
  • Enable remote wipe capability for lost or stolen devices
  • Prohibit jailbroken/rooted devices from accessing ePHI systems
  • Require VPN for all remote access to practice networks
  • Implement BYOD policies defining acceptable use and security requirements
  • Disable USB ports or implement USB device control policies

4. Privacy Rule — §164.500-534

The Privacy Rule governs how PHI is used, disclosed, and protected regardless of format (electronic, paper, or verbal).

4.1 Notice of Privacy Practices — §164.520

  • Develop a comprehensive Notice of Privacy Practices (NPP)
  • Include all required elements: uses and disclosures, patient rights, practice duties, complaint process
  • Distribute NPP to all patients at first service delivery
  • Obtain written acknowledgment of receipt (or document good-faith effort)
  • Post NPP prominently in your facility
  • Make NPP available on your website
  • Update NPP when privacy practices change and redistribute

4.2 Patient Rights

Right to Access — §164.524

  • Provide patients access to their PHI within 30 days of request (one 30-day extension permitted)
  • Allow patients to request records in their preferred format (electronic, paper, transmitted to third party)
  • Charge only cost-based fees (labor for copying, supplies, postage)
  • Document and track all access requests and responses

Right to Amend — §164.526

  • Respond to amendment requests within 60 days
  • Accept amendments that are accurate and relevant
  • Provide written denial with reason when denying (and inform patient of right to submit statement of disagreement)
  • Append accepted amendments to the record

Right to Accounting of Disclosures — §164.528

  • Track all disclosures of PHI (except for treatment, payment, healthcare operations)
  • Maintain disclosure records for 6 years
  • Provide accounting within 60 days of request
  • Include: date, recipient name, description of PHI, purpose

Right to Request Restrictions — §164.522

  • Accept restriction requests when patient pays out of pocket in full (mandatory)
  • Consider other restriction requests (discretionary)
  • Document all restriction requests and outcomes
  • Notify staff of active restrictions to prevent accidental disclosure

Right to Confidential Communications — §164.522(b)

  • Honor patient requests for alternative communication methods (different address, phone, email)
  • Do not require patients to explain why they want alternative communications
  • Document communication preferences in the patient record

4.3 Minimum Necessary Standard — §164.502(b)

  • Implement policies to limit PHI use, disclosure, and requests to the minimum necessary
  • Define access levels by job role — front desk vs. billing vs. clinical staff
  • Apply minimum necessary to all internal uses (not just external disclosures)
  • Exceptions: does NOT apply to disclosures to the individual, treatment purposes, HHS investigations, or legally required disclosures

4.4 Uses and Disclosures

  • Permit PHI use for Treatment, Payment, and Healthcare Operations (TPO) without authorization
  • Require valid written authorization for: marketing, sale of PHI, psychotherapy notes, research
  • Verify identity and authority before any disclosure
  • Implement procedures for law enforcement, public health, and judicial/administrative requests
  • Train staff on what disclosures are permitted vs. prohibited

4.5 Organizational Requirements — §164.314

  • Execute BAAs with all business associates before sharing PHI
  • If a hybrid entity, designate healthcare components and document boundaries
  • If part of an organized healthcare arrangement (OHCA), define joint notice obligations
  • Group health plan requirements: ensure plan documents restrict use of PHI

4.6 Additional Privacy Protections (2024-2026 Updates)

  • Implement reproductive healthcare privacy protections (effective 2024) — prohibits use of PHI for investigations into lawful reproductive healthcare
  • Comply with attestation requirements for reproductive healthcare disclosures
  • Prohibit sale of PHI without valid authorization
  • Comply with Genetic Information Nondiscrimination Act (GINA) — PHI includes genetic information

5. Security Rule — May 2026 Mandatory Additions

The May 2026 Security Rule update eliminates the distinction between "required" and "addressable" specifications for most controls. The following are new mandatory requirements effective May 2026:

5.1 Technology Asset Inventory

  • Maintain a complete, current inventory of all technology assets that create, receive, maintain, or transmit ePHI
  • Include: hardware (servers, workstations, mobile devices, network equipment), software (EHR, billing, email), and cloud services
  • Update the inventory when assets are added, removed, or changed
  • Assign an owner to each asset responsible for its security
  • Review the inventory at least annually for accuracy

5.2 Network Map and Data Flow Documentation

  • Create a network diagram showing all systems, connections, and data flows involving ePHI
  • Document how ePHI moves between systems (internal and to/from business associates)
  • Identify all entry and exit points for ePHI in your environment
  • Update the network map whenever infrastructure changes
  • Use the network map to validate your security controls cover all ePHI paths

5.3 Vulnerability Management

  • Conduct vulnerability scanning at least every 90 days on all ePHI systems
  • Remediate critical vulnerabilities within 15 days of discovery
  • Remediate high vulnerabilities within 30 days
  • Document all vulnerability scan results and remediation actions
  • Conduct penetration testing annually (recommended for practices with >25 staff or internet-facing systems)

5.4 Patch Management

  • Implement a formal patch management process
  • Apply critical security patches within 15 days of release
  • Apply all other patches within 30 days
  • Test patches before deployment where feasible
  • Document patching activities and any exceptions with risk acceptance

5.5 Network Segmentation

  • Segment networks containing ePHI from general-purpose networks (guest Wi-Fi, IoT devices)
  • Implement firewall rules between segments with documented justification
  • Restrict lateral movement between network segments
  • Monitor cross-segment traffic for anomalies

5.6 Mandatory Encryption

  • Encrypt all ePHI at rest (AES-256 or equivalent) — no exceptions
  • Encrypt all ePHI in transit (TLS 1.2+ minimum) — no exceptions
  • Implement encryption key management procedures
  • No longer "addressable" — encryption is mandatory regardless of practice size

5.7 Mandatory Multi-Factor Authentication

  • Implement MFA on all systems that access ePHI — no exceptions
  • Implement MFA on all remote access connections
  • Use phishing-resistant MFA where possible (FIDO2/WebAuthn hardware keys)
  • No longer "addressable" — MFA is mandatory regardless of practice size

5.8 Annual Compliance Verification

  • Conduct annual compliance verification by a qualified individual
  • Document the verification process, findings, and corrective actions
  • The verification must confirm that security measures are implemented and functioning
  • Retain verification records for 6 years

5.9 Incident Response Enhancements

  • Notify HHS within 72 hours for breaches meeting severity thresholds (proposed change from 60-day individual notification)
  • Implement procedures for rapid containment (isolate affected systems within 1 hour)
  • Maintain an incident response plan that is tested annually
  • Document lessons learned and update controls after each incident

6. Breach Notification Rule — §164.400-414

A breach is any unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy, unless a risk assessment demonstrates a low probability of compromise.

6.1 Breach Identification and Assessment

  • Train all staff to recognize and report potential breaches immediately
  • Conduct a 4-factor risk assessment for every potential breach:
    1. Nature and extent of PHI involved
    2. Who the unauthorized person was
    3. Whether PHI was actually acquired or viewed
    4. Extent of mitigation
  • Document the risk assessment and determination (breach vs. not a breach)
  • Presume a breach occurred unless the risk assessment demonstrates low probability of compromise

6.2 Individual Notification — §164.404

  • Notify affected individuals within 60 days of breach discovery
  • Include in notification: what happened, types of PHI involved, steps individuals should take, what you are doing, contact information
  • Provide notification in writing (first-class mail or email if individual consented)
  • For breaches affecting 10+ individuals with insufficient contact info, post substitute notice on website for 90 days or provide notice through major media

6.3 HHS Notification — §164.408

  • For breaches affecting 500+ individuals: notify HHS within 60 days
  • For breaches affecting fewer than 500: log and submit to HHS annually (within 60 days of calendar year end)
  • Submit via the HHS Breach Reporting Portal (ocrportal.hhs.gov)

6.4 Media Notification — §164.406

  • For breaches affecting 500+ residents of a single state/jurisdiction: notify prominent local media within 60 days

6.5 State Attorney General Notification

  • Many states require separate breach notification to the state attorney general
  • Check your state's specific requirements (timelines, thresholds, and content requirements vary)
  • Some states have stricter timelines than HIPAA (e.g., California: 15 days, New York: notification "without unreasonable delay")

6.6 Breach Documentation

  • Maintain a breach log documenting all breaches and potential breaches
  • Retain breach documentation for 6 years
  • Include: date discovered, date occurred, number affected, types of PHI, root cause, remediation actions, notifications sent

7. Documentation Requirements — §164.316

  • Maintain ALL security policies and procedures in writing (electronic is acceptable)
  • Retain all HIPAA documentation for 6 years from date of creation or last effective date
  • Make policies available to all workforce members responsible for implementing them
  • Review and update policies at least annually and whenever operations change
  • Document all actions, activities, and assessments required by the Security Rule
  • Maintain training records, access logs, incident reports, risk assessments, and BAAs
  • Implement version control on all policies — track who changed what and when

8. Compliance Verification Checklist

Use this section to verify your overall compliance posture:

Annually Required

  • Security Risk Assessment completed and documented
  • All staff completed HIPAA training (within last 12 months)
  • Business associate inventory reviewed and all BAAs current
  • Contingency/disaster recovery plan tested
  • Policies reviewed and updated as needed
  • Technology asset inventory updated
  • Network map updated
  • Compliance verification performed by qualified individual (May 2026 requirement)

Quarterly Required

  • Vulnerability scans completed (every 90 days minimum)
  • Access rights reviewed for appropriateness
  • Audit logs reviewed for anomalies
  • Backup restoration tested

Ongoing

  • Security incidents investigated and documented
  • New workforce members trained within 30 days
  • Terminated workforce access revoked within 24 hours
  • Patches applied within required timeframes (15/30 days)
  • Breach assessments conducted for any potential incident

Penalty Structure (2024 Adjusted Amounts)

Understanding penalties helps prioritize compliance investments:

  • Tier 1: Did not know (and would not have known). Per violation: $141 - $35,581. Annual maximum: $35,581
  • Tier 2: Reasonable cause (not willful neglect). Per violation: $1,424 - $71,162. Annual maximum: $71,162
  • Tier 3: Willful neglect — corrected within 30 days. Per violation: $14,232 - $71,162. Annual maximum: $284,324
  • Tier 4: Willful neglect — NOT corrected. Per violation: $71,162 - $2,134,831. Annual maximum: $2,134,831

Criminal penalties: Up to $250,000 fine and 10 years imprisonment for intentional misuse of PHI.

State enforcement: State attorneys general can also bring actions with penalties up to $25,000 per violation category per year.

Recent enforcement examples:

  • Banner Health (2023): $1.25M — risk analysis failure after breach affecting 2.81M
  • LA County Health Services (2024): $1.3M — unauthorized access by workforce member
  • Heritage Valley Health System (2024): $950K — ransomware response failures
  • Multiple solo/small practices (2023-2025): $30K-$250K — failure to conduct risk analysis

Next Steps

  1. Conduct your annual Security Risk Assessment — This is the #1 requirement and #1 cited deficiency. Use a structured methodology (NIST SP 800-30 recommended).
  2. Address the May 2026 mandatory requirements — Asset inventory, network map, MFA everywhere, encryption everywhere, 90-day vulnerability scanning, network segmentation.
  3. Implement HIPAA training for all workforce members with documented completion.
  4. Review all business associate relationships and ensure current, signed BAAs are in place.
  5. Test your incident response — conduct a tabletop exercise simulating a ransomware event.
  6. Automate compliance monitoring — use tools like HIPAA Agent to continuously scan for vulnerabilities, track compliance drift, and maintain audit-ready evidence.

This checklist is current as of May 2026 and reflects the updated HIPAA Security Rule requirements. HIPAA compliance is an ongoing process — review this checklist at least annually and after any significant operational change.

Regulatory references: 45 CFR Parts 160, 162, and 164. Security Rule: Subpart C (§164.302-§164.318). Privacy Rule: Subpart E (§164.500-§164.534). Breach Notification: Subpart D (§164.400-§164.414).


How HIPAA Agent Helps with Your HIPAA Compliance Checklist

Working through a comprehensive HIPAA compliance checklist can feel overwhelming, especially for small and mid-size practices without a dedicated compliance team. HIPAA Agent transforms this process from a manual, months-long effort into an automated, continuously monitored program. Instead of guessing where your gaps are, start with a free HIPAA Agent Compliance Score™ at hipaaagent.ai/check — our 83-tool external scan identifies compliance vulnerabilities across your entire digital footprint in minutes, giving you a clear starting point and prioritized action plan.

From there, HIPAA Agent's Concierge plan ($299/mo billed annually) covers every item on this checklist. Your annual Security Risk Assessment is completed through a guided 27-question email interview, with scan data auto-filling approximately 60% of responses. All 24 HIPAA-required policies are generated and customized to your practice type, specialty, and state. Workforce training, Business Associate Agreement management, incident response planning, and audit-ready evidence packages are all included — so you can stop worrying about what you might be missing and focus on patient care.

Key Features

  • Free HIPAA Agent Compliance Score™ — 83-tool external scan reveals your current compliance posture instantly at /check
  • Automated gap identification — every checklist category (Administrative, Physical, Technical, Organizational, Breach Notification) is assessed automatically
  • Complete SRA — annual Security Risk Assessment via guided interview with AI-assisted auto-fill
  • 24 HIPAA policies — generated, customized, version-controlled, and annually reviewed
  • Workforce training — role-based HIPAA training with documented completion tracking
  • BAA management — templates, tracking, and renewal reminders for all business associate relationships
  • Incident response — pre-built response plans, investigation workflows, and notification templates
  • Evidence packages — audit-ready documentation proving compliance across all HIPAA requirements
  • Compliance tracking — real-time progress tracking across every requirement on this checklist
  • Continuous monitoring — ongoing scanning detects compliance drift before it becomes a violation

Ready to check off every item on this list? Get your free HIPAA Agent Compliance Score™ at hipaaagent.ai/check and see exactly where your practice stands today.

Frequently Asked Questions

What is a HIPAA compliance checklist?

A HIPAA compliance checklist is a structured document that covers all requirements under the Health Insurance Portability and Accountability Act, including administrative, physical, and technical safeguards, the Privacy Rule, and breach notification procedures. It helps healthcare practices systematically verify they meet every federal requirement for protecting patient health information.

How often should a HIPAA compliance checklist be reviewed?

HIPAA compliance checklists should be reviewed at least annually as part of your required Security Risk Assessment. Additionally, reviews should occur whenever there are significant changes to your practice — such as new technology implementations, staff turnover, facility changes, or updates to HIPAA regulations like the May 2026 Security Rule update.

What are the penalties for failing a HIPAA compliance audit?

HIPAA penalties range from $141 to $2,134,831 per violation depending on the level of negligence, with annual maximums up to $2,134,831 per violation category. The four tiers are: Tier 1 (unaware), Tier 2 (reasonable cause), Tier 3 (willful neglect, corrected), and Tier 4 (willful neglect, not corrected). Criminal penalties can include up to 10 years imprisonment for intentional misuse of PHI.

