HIPAA Compliance Checklist

HIPAA compliance isn’t about checking boxes—it’s about building a solid foundation that protects sensitive health data. From determining your applicability to maintaining safeguards long-term, these eight steps walk you through exactly what’s needed to stay compliant, reduce risk, and stay audit-ready.

» New to data security and privacy? Contact our experts for a customized and rigorous compliance audit

Step 1: Determine Your HIPAA Applicability

Understanding where you fit in the HIPAA landscape is your foundation. This step helps you identify your specific obligations and avoid unnecessary compliance burdens.

What You Need to Determine

• Covered entity: You directly provide healthcare services, process healthcare payments, or conduct healthcare operations
• Business associate: You provide services to covered entities that involve handling PHI
• Hybrid entity: Your organization has both covered and non-covered functions
• Workforce exceptions: Certain employees may have different HIPAA obligations based on their role

» Learn how to get started with compliance

GRSee Insight

Our compliance experts help organizations navigate complex applicability scenarios, especially for hybrid entities and emerging health tech business models.

Contact Us

Step 2: Establish Your Compliance Leadership

Strong leadership drives successful compliance. These roles ensure someone is always accountable for your HIPAA program.

Essential Appointments

• Privacy officer: Responsible for developing and implementing privacy policies
• Security officer: Oversees technical and administrative security measures

Step 3: Identify and Catalog Your PHI

Take stock of the PHI you store and transmit—this step helps uncover risks early and avoid surprises later. Understanding your data landscape is crucial for effective protection.

Your PHI Inventory Should Include:

• What qualifies as Protected Health Information (PHI) in your systems
• All locations where PHI is stored (databases, backups, employee devices)
• How PHI flows through your organization (collection, processing, sharing, disposal)
• Third parties who have access to your PHI

» Here are the top cybersecurity risks and problems in healthcare

Step 4: Implement Privacy Rule Compliance

The Privacy Rule puts patients in control of their health information. Ensuring these rights builds trust and avoids violations.

Key Privacy Rule Requirements

• Patient access rights: Procedures for patients to request and receive their PHI
• Amendment rights: Process for patients to request corrections to their PHI
• Minimum necessary standard: Use and disclose only the minimum PHI required
• Notice of privacy practices: Written notice of how you use and protect PHI

» Learn more: A comprehensive guide to protecting patient data

Step 5: Establish Security Rule Safeguards

The Security Rule protects electronic PHI (ePHI) through a comprehensive security framework. Think of this as building concentric circles of protection around your most sensitive data.

Administrative Safeguards

• Security management process and assigned security responsibilities
• Workforce training and access management procedures
• Incident response procedures

Physical Safeguards

• Facility access controls and workstation security
• Device and media controls for hardware containing ePHI

Technical Safeguards

• Access control systems (unique user identification, automatic logoff)
• Audit controls and integrity protections
• Transmission security (encryption for data in transit)

» Learn about the difference between asymmetric and symmetric encryption, and which is best for your company’s security needs

Step 6: Conduct Regular Risk Assessments

Risk assessments help you stay ahead of threats and demonstrate due diligence. This ongoing process ensures your protections evolve with your business and the threat landscape.

Your Risk Assessment Process

• Inventory all ePHI: Document every system, application, and process that handles ePHI
• Identify threats: Assess human (insider threats, social engineering), natural (floods, fires), and environmental (system failures, cyberattacks) risks
• Evaluate current safeguards: Test how well your existing protections work against identified threats
• Assign risk levels: Rate the likelihood and impact to prioritize remediation efforts
• Document everything: Maintain detailed records of findings, decisions, and implemented controls

» Here's what you should know before hiring a risk assessment provider

Step 7: Prepare Your Breach Response Plan

When a breach happens, your response speed and thoroughness determine the impact on your organization and patients. Preparation now prevents panic later.

Breach Response Framework

• Initial assessment: Was ePHI encrypted and rendered unusable? If yes, no breach notification may be required
• Scope analysis: What health information and identifiers were exposed?
• Access investigation: Who acquired, accessed, or viewed PHI impermissibly?
• Risk evaluation: What's the likelihood of further misuse or disclosure?
• Mitigation measures: What steps will minimize the breach's impact?

Notification Requirements (If Breach Notification Is Required)

• HHS (Department of Health and Human Services): Within 60 days
• Affected individuals: Within 60 days
• Media: If breach affects 500+ individuals in same state/jurisdiction
• State attorneys general: If required by state law (varies by state)

» Concerned about healthcare cybersecurity risks? Discover the vulnerabilities threatening patient care

Step 8: Maintain Ongoing Compliance

HIPAA compliance isn't a one-time achievement—it's an ongoing commitment. Staying current protects you from new risks and regulatory changes.

Your Ongoing Compliance Program

• Regular policy updates: Review and update policies as regulations change
• Continuous training: Ensure all workforce members understand their HIPAA obligations
• Periodic assessments: Conduct annual risk assessments and compliance reviews
• Vendor management: Monitor business associate agreements and third-party compliance

» Here's everything you need to know about how GRSee can help you with continuous compliance

Build a Program That Stays Compliant

Achieving HIPAA compliance isn’t just about reaching a milestone—it’s about maintaining a living, evolving program that grows with your organization. From clearly defining your role under HIPAA to building robust privacy and security safeguards, each step contributes to long-term resilience and trust.

But staying compliant over time also means adapting to new threats, technologies, and regulatory changes. Risk assessments need to be refreshed regularly, breach response plans must be tested and ready, and your policies and training shouldn’t gather dust.

» Contact us to ensure your organization meets compliance with robust security strategies