HIPAA Compliance Checklist

Step-by-step guide to achieving and maintaining HIPAA compliance

Phase 1: Foundation & Assessment

Weeks 1-4 | Establish HIPAA program and assess current state

Determine whether you are a Covered Entity or a Business Associate
Identify all systems and locations that store, process, or transmit ePHI
Create inventory of all ePHI (what PHI you have, where it's stored, who has access)
Designate Privacy Official responsible for Privacy Rule compliance
Designate Security Official responsible for Security Rule compliance
Conduct comprehensive risk analysis identifying threats and vulnerabilities
Document risk assessment methodology and results
Prioritize risks based on likelihood and impact
Identify all Business Associates who handle PHI on your behalf
Review existing security and privacy policies

Phase 2: Administrative Safeguards

Weeks 5-8 | Implement policies and management controls

Develop risk management plan to address identified risks
Create sanction policy for workforce members who violate policies
Implement information system activity review procedures
Establish workforce authorization and supervision procedures
Implement workforce clearance procedures for PHI access
Create termination procedures (access removal, device return)
Develop access authorization policies and procedures
Implement security awareness and training program
Create password management and authentication policies
Establish security incident response and reporting procedures
Develop data backup plan with regular testing
Create disaster recovery and emergency mode operation plans
Execute Business Associate Agreements (BAAs) with all vendors
Conduct periodic HIPAA compliance evaluation

Phase 3: Physical & Technical Safeguards

Weeks 9-12 | Secure facilities and implement technical controls

Physical Safeguards

Implement facility access controls (badges, locks, cameras)
Create facility security plan
Establish visitor sign-in and escort procedures
Secure workstations accessing ePHI
Implement screen locks and privacy screens
Create secure disposal procedures for devices and media
Establish media re-use and sanitization procedures
Maintain accountability for hardware and electronic media

Technical Safeguards

Assign unique user IDs for all ePHI access
Implement multi-factor authentication (MFA)
Create emergency access procedures
Enable automatic logoff after inactivity
Encrypt ePHI at rest (databases, backups, devices)
Encrypt ePHI in transit (TLS 1.2+)
Implement comprehensive audit logging
Deploy integrity controls to prevent improper alteration
Implement person/entity authentication
Monitor and review audit logs regularly
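The last three technical safeguards above (audit logging, integrity controls, regular log review) fit together in one mechanism: an append-only access log whose entries are chained so that later alteration is detectable. The following is an added illustration, not code from the original checklist or from LowerPlane; the key, user IDs, patient IDs and timestamps are constructed placeholders.

```python
"""Tamper-evident ePHI access audit log: a keyed hash chain plus a verifier."""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64  # anchor for the first entry's prev_hash


def _canonical(body: dict) -> bytes:
    # Stable serialisation so the same entry always produces the same tag.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


class AuditLog:
    """Append-only log of who touched which patient record, when, and how.

    Each entry carries an HMAC-SHA256 over its own fields plus the previous
    entry's tag, so editing, reordering or inserting entries breaks the chain.
    The key belongs to the logging service, not to the application that emits
    events, so a compromised application cannot forge a valid tag.
    """

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[dict] = []

    def _tag(self, body: dict) -> str:
        return hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()

    def record(self, user_id: str, patient_id: str, action: str, timestamp: str) -> dict:
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        body = {
            "seq": len(self.entries),
            "user_id": user_id,        # unique user ID, never a shared account
            "patient_id": patient_id,  # record identifier only, no clinical data
            "action": action,          # view / update / export / print ...
            "timestamp": timestamp,    # ISO 8601, UTC
            "prev_hash": prev_hash,
        }
        entry = dict(body, hash=self._tag(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if the chain is intact, else (False, first_bad_seq)."""
        prev_hash = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("seq") != i or body.get("prev_hash") != prev_hash:
                return False, i
            if not hmac.compare_digest(self._tag(body), entry["hash"]):
                return False, i
            prev_hash = entry["hash"]
        return True, None

    def accesses_to(self, patient_id: str) -> List[Tuple[str, str, str]]:
        """Review helper: every (timestamp, user_id, action) on one patient's record."""
        return [(e["timestamp"], e["user_id"], e["action"])
                for e in self.entries if e["patient_id"] == patient_id]


def demo() -> dict:
    # Constructed sample events; all identifiers are placeholders, not real data.
    log = AuditLog(key=b"example-key-held-by-log-service")
    log.record("u-nurse-17", "pt-0042", "view", "2024-03-04T08:15:00Z")
    log.record("u-dr-03", "pt-0042", "update", "2024-03-04T09:02:00Z")
    log.record("u-billing-9", "pt-0107", "export", "2024-03-04T09:30:00Z")
    intact = log.verify()
    reviewed = log.accesses_to("pt-0042")

    # Limitation: silently dropping the newest entry keeps the chain valid,
    # which is why the latest tag must also be stored off-host.
    log.entries.pop()
    after_truncate = log.verify()

    # An after-the-fact edit to hide who made a change is caught at that entry.
    log.entries[1]["user_id"] = "u-unknown"
    after_edit = log.verify()
    return {"intact": intact, "reviewed": reviewed,
            "after_truncate": after_truncate, "after_edit": after_edit}


if __name__ == "__main__":
    print(demo())
```

Two points for the control owner: the chain proves that entries were not edited, reordered or inserted, but it cannot by itself show that the tail was removed, so the newest tag should be copied periodically to storage the application cannot write (a separate log host or WORM media). And the entries record only identifiers and actions, in keeping with the minimum necessary standard, so the log itself does not become a second copy of the clinical record.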

Phase 4: Privacy Rule Compliance

Weeks 13-16 | Implement privacy protections and patient rights

Develop Notice of Privacy Practices describing PHI uses and disclosures
Post Notice of Privacy Practices prominently and on website
Provide Notice to all patients and obtain acknowledgment
Implement minimum necessary standard for PHI access
Create authorization forms for non-routine PHI disclosures
Establish patient access request procedures (30-day response)
Create amendment request procedures
Implement accounting of disclosures process
Develop procedures for restriction requests
Establish confidential communications procedures
Create de-identification procedures if applicable
Implement marketing and fundraising restrictions
Train workforce on Privacy Rule requirements
Establish complaints process for privacy violations

Phase 5: Breach Notification & Ongoing Compliance

Weeks 17-20 | Prepare for incidents and maintain compliance

Develop breach notification policy and procedures
Create breach assessment process (4-factor test)
Establish breach log for incidents affecting <500 individuals
Create templates for breach notification letters
Prepare media notification procedures for large breaches
Establish HHS breach reporting process
Conduct annual risk analysis review and update
Review and update policies and procedures annually
Conduct ongoing security awareness training
Perform regular vulnerability assessments
Test backup and recovery procedures quarterly
Review Business Associate Agreements annually
Monitor and respond to security incidents
Document all HIPAA compliance activities

Timeline Summary

Initial Setup | 4-6 months | Risk analysis, policy development, safeguard implementation

Ongoing | Continuous | Training, monitoring, incident response, annual reviews

Audit Ready | 6-8 months | Full HIPAA compliance with documented evidence

LowerPlane HIPAA Features

  • ✓ Automated PHI inventory tracking
  • ✓ Business Associate Agreement management
  • ✓ Risk assessment templates and tools
  • ✓ Policy templates (15+ HIPAA policies)
  • ✓ Automated evidence collection
  • ✓ Breach notification workflows
  • ✓ Access review automation
  • ✓ Dedicated HIPAA compliance advisor