The Complete HIPAA Compliance Checklist for 2026

The foundation of your entire compliance program. Without a completed SRA, nothing else matters — and it's the #1 finding in every OCR audit. §164.308(a)(1)

• Complete a formal Security Risk Analysis identifying all ePHI — where it's created, received, maintained, and transmitted Required

  Must cover every system, device, and location that touches ePHI. Not a one-time event — must be repeated.
• Inventory all technology assets that create, receive, maintain, or transmit ePHI New 2026

  The proposed rule would require a written, maintained technology asset inventory — not just a mental list.
• Create a network map showing how ePHI flows through your organization New 2026

  Must document movement of ePHI between systems, users, and external parties.
• Identify and document all threats and vulnerabilities to each system containing ePHI

  Include natural disasters, human threats (malicious and accidental), and environmental threats.
• Assign quantitative risk ratings using likelihood and impact scores New 2026

  The proposed rule would eliminate vague "low/medium/high" — requiring numerical likelihood × impact scoring.
• Document your risk management plan — how you'll reduce each identified risk to a reasonable level

  Must include specific measures, responsible parties, and implementation timelines for each risk.
• Review and update your SRA at least annually and after any significant change Annual

  "Significant change" includes new software, staff changes, office moves, breaches, or regulatory updates.

The largest category — and the one most practices get wrong. These aren't IT tasks. They're organizational policies, procedures, and accountability structures. §164.308

• Designate a HIPAA Security Officer responsible for developing and implementing your security program Required

  Must be a named individual, not just a role. In small practices, this is often the practice owner.
• Designate a HIPAA Privacy Officer responsible for privacy policies and complaint handling Required

  Can be the same person as the Security Officer, but must be formally documented.
• Implement workforce access controls — role-based access to ePHI based on job function

  Document who has access to what, and why. "Everyone can see everything" is a compliance failure.
• Establish workforce termination procedures — revoking access when employees leave or change roles

  Must include return of devices, deactivation of accounts, and changing shared passwords. Same-day.
• Implement a sanction policy for workforce members who violate HIPAA policies Required

  Must be written, communicated to all staff, and applied consistently. Document every enforcement action.
• Review information system activity logs regularly for unauthorized access or anomalies

  Audit logs, login reports, failed access attempts. Most EHRs have this — most practices never look at it.
• Develop an incident response plan for security incidents and suspected breaches Required

  Must include identification, containment, investigation, mitigation, and documentation steps. Who calls whom, in what order.
• Create a contingency plan for data backup, disaster recovery, and emergency operations Required

  Three sub-plans: data backup, disaster recovery, and emergency mode operations. Must be testable.
• Test your contingency plan annually and document the results Annual

  Can you actually restore from backup? Have you tried? If not, you don't have a backup — you have a hope.
• Evaluate security measures periodically to ensure continued effectiveness Annual

  Not the same as the SRA. This is an ongoing operational review of whether your controls actually work.

Locks, screens, servers, and the printer in the hallway. Physical security is easy to overlook until an auditor walks through your office. §164.310

• Restrict physical access to facilities where ePHI is stored or accessible

  Locked server rooms, restricted areas for workstations, visitor sign-in procedures.
• Implement workstation security — position screens away from public view, enable auto-lock

  Every screen showing ePHI must auto-lock after inactivity (2-5 min recommended). Privacy screens where needed.
• Document workstation use policies — what can and can't be done on devices that access ePHI

  Covers personal use, USB drives, software installation, remote access, and shared workstations.
• Establish device and media controls for hardware containing ePHI — receipt, removal, disposal, and re-use

  How do you wipe a laptop before disposing of it? What about the copier's hard drive? Document the process.
• Maintain records of hardware movements — who moved what, when, and why

  Every device containing ePHI that enters or leaves your facility must be tracked.
• Secure paper records containing PHI — locked filing cabinets, shredding procedures, clean-desk policy

  If a patient chart is left on a desk overnight and the cleaning crew sees it, that's a potential breach.
• Implement facility security measures — alarms, cameras, and access logs for areas with ePHI access

  Doesn't require enterprise-grade security. But you need to document what you have and why it's sufficient.

This is where the proposed rule hits hardest. What used to be "addressable" would become required — no exceptions, no excuses. §164.312

• Implement unique user identification — every person gets their own login. No shared accounts. Required

  If five people share "frontdesk@clinic.com" you cannot audit who accessed what. This is a common violation.
• Deploy multi-factor authentication (MFA) on all systems accessing ePHI New 2026

  Password + a second factor (app, SMS, hardware key). The proposed rule would make this mandatory — no more "addressable."
• Encrypt all ePHI at rest — on servers, workstations, laptops, and portable devices New 2026

  Full-disk encryption (BitLocker, FileVault) at minimum. Database-level encryption for stored ePHI.
• Encrypt all ePHI in transit — email, file transfers, remote access, cloud sync New 2026

  TLS 1.2+ for all connections. No unencrypted email with PHI. No plain FTP. No exceptions.
• Enable and maintain audit controls — logs of who accessed what ePHI and when Required

  Must capture access, modification, and deletion events. Logs must be retained for 6 years minimum.
• Implement automatic session timeout on all systems accessing ePHI

  If a user walks away from a workstation, the system must lock automatically. Configure in EHR and OS.
• Conduct vulnerability scans every 6 months New 2026

  Automated scans of all systems in scope. Document findings and remediation. Not optional under the proposed rule.
• Perform annual penetration testing of externally-facing systems New 2026

  Requires a qualified third party. Budget $2K-$5K annually. Results must be documented and remediated.
• Implement anti-malware protection on all systems that access ePHI New 2026

  Endpoint protection with automatic updates. Must cover workstations, servers, and mobile devices.
• Disable unnecessary network ports and services and document the configuration New 2026

  Reduce your attack surface. If a service isn't needed, turn it off and document that you did.
• Implement network segmentation to separate ePHI systems from general-use networks New 2026

  Guest Wi-Fi should not be on the same network as your EHR. VLANs, firewalls, or separate networks.

You need written policies for nearly everything. Not templates you downloaded and forgot about — actual policies that reflect how your organization operates. §164.316

• Notice of Privacy Practices (NPP) — posted in your facility and provided to every patient Required
• Access control policy — who can access ePHI, how access is granted, modified, and revoked
• Password and authentication policy — complexity rules, rotation, MFA requirements
• Encryption policy — what must be encrypted, with what standards, and how keys are managed
• Incident response policy — steps for detecting, reporting, and responding to security incidents
• Breach notification policy — procedures for notifying individuals, HHS, and media (if applicable)
• Backup and disaster recovery policy — backup frequency, testing, restoration procedures
• Remote access and mobile device policy — rules for accessing ePHI from personal devices or home
• Social media and communication policy — what can and cannot be shared externally
• Minimum necessary use policy — only the minimum amount of PHI needed for a given purpose
• Media disposal and device sanitization policy — how to securely destroy ePHI on hardware
• Review and update all policies annually and after any significant operational change Annual

  Every policy must have a review date, reviewer name, and version history. Retain all versions for 6 years.

Every person who touches PHI — including contractors, volunteers, and temps — must be trained. And you must prove it. §164.308(a)(5)

• Train all workforce members on HIPAA privacy and security awareness Required

  Must cover: what PHI is, how to handle it, what constitutes a breach, and how to report incidents.
• Train new hires within a reasonable period before they access any ePHI

  Best practice: within 30 days of hire, before any unsupervised ePHI access.
• Conduct annual refresher training for all existing workforce members Annual

  Must include updates on policy changes, new threats (phishing trends), and any incidents from the past year.
• Include role-specific training for staff with elevated access or responsibilities

  The front desk, clinical staff, IT admin, and billing team all face different risks. Training should reflect that.
• Train staff on phishing and social engineering awareness

  Phishing is the #1 cause of healthcare breaches. Staff must know how to spot and report suspicious messages.
• Document completion with signed attestations or certificates for every training event Required

  Must include: who was trained, what was covered, the date, and proof of completion. Retain for 6 years.
• Retrain after any security incident or significant policy change

  Not just annual. If something happens, targeted retraining must follow — and must be documented.

Every vendor that touches PHI needs a BAA. Most small practices have 15-30+ business associates and don't even realize it. §164.308(b) / §164.314

• Inventory all business associates — every vendor, contractor, or service provider that accesses or handles PHI Required

  EHR, billing company, IT provider, cloud storage, answering service, shredding company, email provider, lab...
• Execute Business Associate Agreements (BAAs) with every business associate Required

  No BAA = sharing PHI without authorization = automatic HIPAA violation. No exceptions for small vendors.
• Verify that BAAs contain all required provisions — permitted uses, safeguard obligations, breach notification requirements

  A generic "we'll protect your data" clause is not a BAA. It must meet the specific requirements of §164.314.
• Obtain written verification of BA compliance at least annually New 2026

  The proposed rule would require you to verify — not just trust — that your BAs are meeting their HIPAA obligations.
• Review and renew BAAs when agreements change or at least every 2-3 years Annual

  BAAs signed in 2015 may not meet current requirements. Review dates, terms, and regulatory alignment.
• Monitor for BA breaches or compliance issues and document any reported incidents

  If your BA has a breach, you may have reporting obligations too. Know the process before it happens.
• Terminate BAAs with non-compliant vendors and document the rationale

  If a BA refuses to comply or can't demonstrate adequate safeguards, you must terminate or mitigate.

A breach isn't just a hack. It's any unauthorized access, use, or disclosure of PHI. And you have 60 days to notify — the clock starts when you discover it. §164.400-414

• Establish breach identification procedures — how staff detect and report potential breaches Required

  Staff must know what a breach looks like and who to notify internally. A misfaxed record is a breach. A lost laptop is a breach.
• Document a breach risk assessment process — the 4-factor test for determining if notification is required

  Nature of PHI, who accessed it, whether it was actually acquired/viewed, and extent of mitigation.
• Prepare individual notification templates ready to send within 60 days of discovery Required

  Must include: what happened, types of information involved, steps to protect themselves, what you're doing, and contact info.
• Know the HHS reporting procedures — breaches affecting 500+ individuals require immediate reporting

  Under 500: report annually via HHS portal. 500+: report within 60 days AND notify prominent local media.
• Notify HHS within 24 hours of activating your contingency plan New 2026

  Proposed 2026 requirement. If you activate disaster recovery or emergency operations, HHS would need to be notified immediately.
• Maintain a breach log documenting all incidents, investigations, and outcomes Required

  Even incidents that don't require notification must be documented. Retain for 6 years minimum.

Patients have specific rights under HIPAA that you must honor — including rights many practices don't know exist. §164.520-528

• Provide access to medical records within 30 days of a patient request Required

  Patients can request records in the format of their choice (electronic, paper). One 30-day extension permitted with notice.
• Allow patients to request amendments to their medical records

  You can deny the request — but must document the denial reason and let the patient submit a statement of disagreement.
• Provide an accounting of disclosures upon patient request

  Must track who you shared PHI with (beyond treatment/payment/operations) for the prior 6 years.
• Honor requests for restrictions on certain uses/disclosures of PHI

  You're not required to agree to most restrictions — except when a patient pays out-of-pocket in full and asks you not to bill insurance.
• Accommodate confidential communication requests — patients can ask to be contacted via specific methods

  "Don't leave voicemails at my home number" or "only contact me by email" must be accommodated if reasonable.
• Obtain valid authorizations before using PHI for marketing, fundraising, or sale of PHI Required

  Treatment, payment, and healthcare operations don't need authorization. Almost everything else does.
• Have a complaint process and designate a contact person for HIPAA complaints

  Patients must be able to file complaints with you AND with HHS. You cannot retaliate against a patient who complains.

If you didn't document it, it didn't happen. OCR auditors won't take your word for it — they need written proof of everything above. §164.316(b)

• Retain all HIPAA documentation for 6 years from creation or last effective date Required

  Policies, training records, BAAs, risk assessments, incident reports, authorization forms — all of it. 6 years minimum.
• Maintain a compliance activity log showing what you did, when, and who was responsible

  A timestamped audit trail of all compliance activities. Your proof that you're not just compliant on paper.
• Keep version history of all policies — showing changes, dates, and approvers

  An auditor may ask for the version of your encryption policy that was in effect two years ago. Can you produce it?
• Make documentation available to workforce members who need it to perform their duties

  Policies sitting in a binder nobody can find don't count. Staff must know where policies are and how to access them.
• Be able to produce a complete audit package within 10 business days of an OCR request

  SRA report, all policies, training records, BAAs, incident logs, remediation plans — organized and current.
• Confirm documentation meets 2026 written verification requirements New 2026

  The proposed rule would require written verification of compliance program elements — verbal assurances would no longer be sufficient.