Free HIPAA Compliance Checklist

HIPAA Compliance Checklist - Protect PHI Information

949-777-5567

Mon - Sat 9am - 6pm

OC Security Audit

25+ Years of Experience

Local Orange County Experts

Certified Cybersecurity Professionals

Support@OCsecurityAudit.com

Support & information
Free HIPAA Security Checklist

Why HIPAA Security Matters

Healthcare organizations, medical practices, billing providers, technology vendors, and business associates that handle Protected Health Information must maintain appropriate safeguards to reduce the risk of unauthorized access, data breaches, ransomware, accidental exposure, and compliance violations. A HIPAA security checklist helps organizations identify gaps and strengthen their security posture across people, processes, technology, and facilities.

Learn more about OCsecurityAudit and our healthcare cybersecurity services, or visit our dedicated HIPAA Compliance Consulting page for additional guidance.

What Is Protected Health Information?

Protected Health Information, commonly called PHI, is health-related information that can identify an individual. HIPAA requires organizations to protect PHI whether it is stored, transmitted, archived, printed, backed up, or accessed remotely. Common examples include:

  • Patient names
  • Dates of birth
  • Medical record numbers
  • Insurance information
  • Billing records
  • Diagnosis information
  • Treatment records
  • Prescription data
  • Lab results
  • Contact information tied to patient records

HIPAA Security Checklist

Core areas to review: administrative controls, technical controls, physical safeguards, user awareness, network infrastructure, PHI security, data in transit, data at rest, backups, data retention, vendor risk, and incident response.

Need help reviewing your HIPAA security posture? Contact us for a free HIPAA compliance consultation and speak with an experienced healthcare cybersecurity professional.

1. Administrative Safeguards

  • Perform regular HIPAA security risk assessments.
  • Document vulnerabilities, risks, and remediation plans.
  • Assign a HIPAA Security Officer or responsible security leader.
  • Maintain written security policies and procedures.
  • Review and update policies at least annually.
  • Define acceptable use, remote access, password, retention, and disposal policies.
  • Maintain Business Associate Agreements with vendors handling PHI.
  • Establish incident response and breach notification procedures.

2. User Awareness Program

  • Provide HIPAA security awareness training for all workforce members.
  • Train employees to recognize phishing, ransomware, and social engineering attacks.
  • Educate users on proper handling of PHI and ePHI.
  • Conduct periodic security refresher training.
  • Run phishing simulations and awareness campaigns.
  • Train remote workers on secure access and device protection.

3. Workforce Security and Access Management

  • Use role-based access control for systems containing PHI.
  • Apply least-privilege access principles.
  • Approve, review, and revoke access using documented procedures.
  • Remove user access immediately when employees leave the organization.
  • Monitor privileged accounts and administrator activity.
  • Review inactive accounts and disable unnecessary access.

Technical Safeguards

Technical safeguards protect electronic PHI through cybersecurity controls, authentication, encryption, logging, monitoring, and system hardening.

Access Controls

  • Require unique user accounts.
  • Enforce strong passwords.
  • Implement multi-factor authentication.
  • Use automatic session timeouts.
  • Monitor failed login attempts.

Audit Controls

  • Enable audit logging.
  • Log access to PHI.
  • Review security logs regularly.
  • Monitor suspicious activity.
  • Use centralized logging or SIEM tools where appropriate.

Endpoint Security

  • Install endpoint protection or EDR.
  • Patch operating systems and applications.
  • Encrypt laptops and mobile devices.
  • Restrict unauthorized removable media.
  • Use mobile device management for mobile endpoints.

Network Infrastructure Security

Network infrastructure must be secured to prevent unauthorized access to systems that store, process, or transmit PHI.

The team at OCsecurityAudit helps healthcare organizations evaluate firewall security, segmentation, remote access, vulnerability management, and network monitoring to improve HIPAA compliance readiness.

  • Deploy and maintain enterprise firewalls.
  • Segment networks to limit access to sensitive systems.
  • Separate guest Wi-Fi from internal business networks.
  • Secure wireless networks with strong encryption.
  • Use VPNs or secure remote access tools.
  • Disable insecure protocols and unnecessary services.
  • Conduct internal and external vulnerability scans.
  • Perform penetration testing where appropriate.
  • Review firewall rules and exposed internet-facing services.
  • Monitor network traffic for suspicious behavior.

PHI Data Security

PHI must be protected throughout its entire lifecycle, including creation, storage, transmission, backup, retention, and secure disposal.

Data at Rest

  • Encrypt databases, file shares, servers, and cloud storage containing PHI.
  • Restrict database and storage access to authorized users only.
  • Secure archival systems and long-term storage locations.
  • Apply file integrity monitoring where needed.
  • Protect laptops, workstations, and portable storage devices.

Data in Transit

  • Encrypt PHI transmitted through email, portals, APIs, and file transfers.
  • Use secure protocols such as TLS, HTTPS, SFTP, or VPN tunnels.
  • Validate SSL/TLS certificates.
  • Protect APIs with authentication, authorization, and encryption.
  • Use secure patient portals instead of unsecured email when possible.

Data Retention and Disposal

  • Maintain written PHI retention policies.
  • Define how long different categories of PHI must be retained.
  • Securely archive records that must be preserved.
  • Shred paper records when disposal is authorized.
  • Wipe, sanitize, or destroy electronic media before disposal.
  • Maintain documentation of data destruction activities.

Backup and Disaster Recovery

HIPAA security planning should include reliable backup, recovery, and continuity procedures to ensure PHI remains available during outages, cyberattacks, natural disasters, or system failures.

Visit our HIPAA Compliance Consulting services page to learn how we help healthcare providers strengthen backup security, disaster recovery planning, and PHI protection.

  • Perform regular backups of systems containing PHI.
  • Encrypt backup data at rest and in transit.
  • Restrict access to backup systems.
  • Store backups in secure, resilient locations.
  • Test backup restoration procedures regularly.
  • Monitor backup success and failure alerts.
  • Maintain immutable or offline backups where possible.
  • Define recovery time objectives and recovery point objectives.
  • Document disaster recovery and emergency operations procedures.

Physical Safeguards

Physical safeguards protect facilities, workstations, servers, paper records, and devices that may contain or provide access to PHI.

  • Restrict access to offices, server rooms, and records storage areas.
  • Use badge access, locks, visitor logs, or surveillance where appropriate.
  • Secure workstations and laptops from unauthorized physical access.
  • Position screens to reduce public viewing of PHI.
  • Use automatic screen locks.
  • Maintain hardware and device inventory.
  • Secure removable media and portable devices.
  • Protect systems from environmental risks such as fire, water, and power failure.

Incident Response and Breach Management

  • Maintain a written incident response plan.
  • Define internal escalation procedures.
  • Document breach investigation steps.
  • Prepare breach notification procedures.
  • Train incident response personnel.
  • Conduct tabletop exercises.
  • Preserve logs and evidence during security events.
  • Review lessons learned after each incident.

Third-Party and Vendor Security

  • Identify vendors and business associates that handle PHI.
  • Maintain signed Business Associate Agreements.
  • Review vendor security controls and compliance posture.
  • Assess cloud providers, SaaS platforms, billing vendors, and IT service providers.
  • Limit vendor access to the minimum necessary information.
  • Monitor third-party access to sensitive systems.
  • Review subcontractor and downstream vendor risks.

Common HIPAA Security Gaps

Access Gaps

  • Weak passwords
  • Missing MFA
  • Excessive permissions
  • Inactive user accounts

Technology Gaps

  • Unencrypted laptops
  • Missing audit logs
  • Unsupported systems
  • Misconfigured cloud storage

Process Gaps

  • Poor user training
  • Untested backups
  • Missing policies
  • Incomplete vendor reviews

Why Work with OCsecurityAudit?

OCsecurityAudit, under the management of Ali Hassani, helps healthcare organizations become HIPAA compliant through a structured and step-by-step security and compliance process.

With more than 25 years of experience in cybersecurity, system administration, network security, and IT security management, we help hospitals, healthcare providers, clinics, doctor’s offices, and organizations handling PHI strengthen their HIPAA security posture.

Expert HIPAA Compliance Guidance: We work directly with your organization, internal IT team, MSP, and technology providers to help ensure that your administrative, technical, and physical safeguards align with HIPAA requirements.
  • HIPAA risk assessments and gap analysis
  • Security assessments and vulnerability assessments
  • Administrative safeguard reviews
  • Policy and procedure analysis
  • Technical and physical control reviews
  • Network infrastructure and PHI security evaluations
  • Backup, disaster recovery, and data retention reviews
  • Guidance for protecting PHI at rest and in transit

Ali Hassani is a CISSP and CISO-certified security expert backed by dozens of industry-standard IT certifications and extensive hands-on operational security experience.

Our goal is to help your organization avoid the common compliance gaps that lead to HIPAA violations while improving your cybersecurity readiness and protecting sensitive patient information.

Ready to improve your HIPAA compliance program? Contact OCsecurityAudit for a free HIPAA compliance consultation and speak with an experienced cybersecurity professional today.

Final Thoughts

HIPAA compliance is an ongoing security process, not a one-time project. Organizations that handle PHI should continuously review their administrative, technical, and physical safeguards to reduce risk, improve cybersecurity readiness, and better protect sensitive patient information.

By using this HIPAA security checklist, healthcare organizations and business associates can strengthen their policies, improve employee awareness, secure networks and devices, protect PHI at rest and in transit, validate backup procedures, and maintain a more resilient compliance program.

This checklist is provided for general informational purposes and should be reviewed alongside your organization’s legal, compliance, and cybersecurity requirements.

HIPAA Security Checklist Risk Score Sheet

Use this Excel-style worksheet to evaluate HIPAA security controls, document findings, assign risk scores, identify responsible owners, and track remediation efforts across administrative, technical, physical, PHI, backup, network, and vendor security areas.

Risk Score 1–3: Low

Control is mostly implemented. Minor improvement or documentation may be needed.

Risk Score 4–6: Medium

Control is partially implemented. Gaps may expose PHI or create compliance risk.

Risk Score 7–10: High

Control is missing, weak, undocumented, or creates significant HIPAA security exposure.

Suggested Status Values

Not Started, In Progress, Implemented, Needs Review, Not Applicable.

| Category | Checklist Item | Control Type | What to Review | HIPAA / PHI Risk | Suggested Risk Score | Status | Owner | Evidence / Notes | Remediation Action | Target Date |
|---|---|---|---|---|---|---|---|---|---|---|
| Administrative Safeguards | | | | | | | | | | |
| Administrative Safeguards | HIPAA security risk assessment | Administrative | Verify that a formal risk assessment is completed, documented, and reviewed regularly. | Missing risk assessments can leave PHI-related threats unidentified. | 9 | Needs Review | | | Perform and document a full HIPAA risk assessment. | |
| Administrative Safeguards | HIPAA policies and procedures | Administrative | Review written policies for access control, acceptable use, remote access, incident response, retention, and disposal. | Outdated or missing policies create compliance and operational gaps. | 8 | Needs Review | | | Update and approve written HIPAA security policies. | |
| Administrative Safeguards | Assigned HIPAA Security Officer | Administrative | Confirm a responsible person is assigned to oversee HIPAA security requirements. | Lack of ownership can result in unmanaged risk and poor accountability. | 6 | Needs Review | | | Assign and document HIPAA security responsibility. | |
| Administrative Safeguards | Business Associate Agreements | Administrative | Confirm vendors handling PHI have signed and current BAAs. | Vendors without BAAs may expose the organization to compliance liability. | 8 | Needs Review | | | Review vendor list and obtain missing BAAs. | |
| User Awareness and Workforce Security | | | | | | | | | | |
| User Awareness | HIPAA security awareness training | Administrative | Verify all workforce members receive HIPAA and cybersecurity awareness training. | Untrained users increase phishing, ransomware, and PHI disclosure risk. | 8 | Needs Review | | | Implement recurring HIPAA and cybersecurity training. | |
| User Awareness | Phishing and ransomware awareness | Administrative / Technical | Review phishing simulations, security reminders, and ransomware response education. | Phishing is a common entry point for credential theft and ransomware. | 8 | Needs Review | | | Deploy phishing awareness program and periodic simulations. | |
| Workforce Security | User access termination process | Administrative / Technical | Verify terminated employees lose access immediately across systems. | Former employees may retain access to PHI or sensitive systems. | 9 | Needs Review | | | Create offboarding checklist and access removal workflow. | |
| Workforce Security | Role-based access control | Administrative / Technical | Confirm access to PHI is based on job role and minimum necessary access. | Excessive permissions increase breach impact and insider risk. | 8 | Needs Review | | | Review permissions and remove unnecessary access. | |
| Technical Safeguards | | | | | | | | | | |
| Technical Safeguards | Unique user accounts | Technical | Confirm shared accounts are not used for systems containing PHI. | Shared accounts reduce accountability and weaken audit trails. | 6 | Needs Review | | | Create unique user IDs for all users. | |
| Technical Safeguards | Multi-factor authentication | Technical | Review MFA coverage for email, EHR, VPN, cloud systems, admin portals, and remote access. | Missing MFA increases account takeover and PHI exposure risk. | 10 | Needs Review | | | Enable MFA for all sensitive and remote access systems. | |
| Technical Safeguards | Audit logging and monitoring | Technical | Verify logs capture PHI access, authentication events, administrator activity, and suspicious behavior. | Without logs, incidents may go undetected and investigations may fail. | 9 | Needs Review | | | Enable centralized logging and routine log review. | |
| Technical Safeguards | Endpoint protection | Technical | Review antivirus, EDR, patching, disk encryption, and mobile device controls. | Unprotected endpoints may lead to malware, ransomware, or PHI theft. | 8 | Needs Review | | | Deploy endpoint security and verify device compliance. | |
| Network Infrastructure Security | | | | | | | | | | |
| Network Security | Firewall configuration review | Technical | Review firewall rules, exposed services, remote access, and unnecessary inbound/outbound traffic. | Misconfigured firewalls can expose PHI systems to attackers. | 9 | Needs Review | | | Review, document, and harden firewall rules. | |
| Network Security | Network segmentation | Technical | Confirm sensitive systems, guest Wi-Fi, servers, endpoints, and PHI systems are properly segmented. | Flat networks increase ransomware spread and unauthorized PHI access. | 8 | Needs Review | | | Segment networks and restrict lateral movement. | |
| Network Security | Vulnerability scanning | Technical | Verify internal and external vulnerability scans are performed and tracked. | Unpatched vulnerabilities may be exploited to access PHI systems. | 8 | Needs Review | | | Run recurring scans and remediate critical findings. | |
| Network Security | Secure remote access | Technical | Review VPN, remote desktop, cloud access, MFA, and remote user device security. | Weak remote access can allow unauthorized entry into PHI environments. | 9 | Needs Review | | | Secure remote access with MFA, VPN, and access restrictions. | |
| PHI Data Security | | | | | | | | | | |
| PHI Security | Data at rest encryption | Technical | Review encryption for databases, servers, laptops, cloud storage, file shares, and backups. | Unencrypted stored PHI may be exposed after theft or compromise. | 9 | Needs Review | | | Enable encryption for systems storing PHI. | |
| PHI Security | Data in transit encryption | Technical | Verify PHI is encrypted through email, portals, APIs, VPN, HTTPS, SFTP, and file transfers. | Unencrypted transmission may expose PHI to interception. | 9 | Needs Review | | | Use TLS, encrypted email, secure portals, SFTP, or VPN. | |
| PHI Security | PHI access review | Administrative / Technical | Review who can access PHI and whether access aligns with job responsibilities. | Improper access increases privacy and breach risk. | 8 | Needs Review | | | Perform periodic access reviews and remove excessive permissions. | |
| PHI Security | Data retention policy | Administrative | Verify retention periods are defined for medical, billing, backup, archive, and operational records. | Improper retention may create legal, compliance, and data exposure risks. | 6 | Needs Review | | | Document retention requirements and implement retention controls. | |
| PHI Security | Secure data disposal | Administrative / Physical / Technical | Review shredding, media sanitization, device wiping, and destruction records. | Improper disposal can expose PHI after equipment or document disposal. | 8 | Needs Review | | | Implement secure disposal and maintain destruction logs. | |
| Backup and Disaster Recovery | | | | | | | | | | |
| Backup and Recovery | Regular PHI backup process | Administrative / Technical | Verify critical PHI systems are backed up on a defined schedule. | Missing backups may prevent recovery after ransomware or system failure. | 10 | Needs Review | | | Implement documented backup schedules for PHI systems. | |
| Backup and Recovery | Backup encryption | Technical | Confirm backup data is encrypted at rest and during transfer. | Unencrypted backups may expose large volumes of PHI. | 9 | Needs Review | | | Encrypt all backup storage and backup transmission. | |
| Backup and Recovery | Backup restoration testing | Administrative / Technical | Review evidence that backups are tested and recoverable. | Untested backups may fail during an emergency. | 9 | Needs Review | | | Schedule and document regular restore tests. | |
| Backup and Recovery | Disaster recovery plan | Administrative | Confirm recovery objectives, emergency operations, responsibilities, and procedures are documented. | Poor disaster recovery planning can affect PHI availability and business continuity. | 8 | Needs Review | | | Create and test a documented disaster recovery plan. | |
| Physical Safeguards | | | | | | | | | | |
| Physical Safeguards | Facility access controls | Physical | Review locks, badge access, visitor procedures, cameras, and restricted areas. | Unauthorized physical access can expose systems, devices, and paper PHI. | 6 | Needs Review | | | Strengthen facility access and visitor control procedures. | |
| Physical Safeguards | Workstation security | Physical / Technical | Verify screen locks, monitor positioning, physical access restrictions, and workstation use controls. | Unsecured workstations may expose PHI to unauthorized viewing or access. | 6 | Needs Review | | | Implement workstation security standards and automatic screen locks. | |
| Physical Safeguards | Device and media inventory | Physical / Administrative | Review asset inventory for laptops, servers, drives, mobile devices, and removable media. | Untracked devices may contain PHI and be lost, stolen, or improperly disposed. | 7 | Needs Review | | | Maintain updated asset inventory and device ownership records. | |
| Incident Response and Breach Management | | | | | | | | | | |
| Incident Response | Incident response plan | Administrative | Verify the organization has a documented incident response plan and escalation process. | Delayed or disorganized response can worsen breach impact and notification risk. | 8 | Needs Review | | | Create or update incident response procedures. | |
| Incident Response | Breach notification process | Administrative | Review breach investigation, documentation, notification, and legal escalation procedures. | Poor breach handling may create regulatory, legal, and reputational damage. | 8 | Needs Review | | | Define breach notification workflow and responsible parties. | |
| Incident Response | Tabletop exercises | Administrative | Confirm incident response exercises are performed and documented. | Untested response plans may fail during real security incidents. | 6 | Needs Review | | | Conduct ransomware and PHI breach tabletop exercises. | |
| Third-Party and Vendor Security | | | | | | | | | | |
| Vendor Security | Vendor risk assessment | Administrative | Review security posture of MSPs, cloud providers, billing vendors, EHR vendors, and SaaS providers. | Weak vendor security can create indirect PHI exposure. | 8 | Needs Review | | | Assess vendor security and document findings. | |
| Vendor Security | Third-party access review | Administrative / Technical | Review vendor remote access, admin permissions, support accounts, and logging. | Uncontrolled vendor access can lead to unauthorized PHI access. | 9 | Needs Review | | | Limit, monitor, and document all third-party access. | |
| OCsecurityAudit Professional Assessment Support | | | | | | | | | | |
| Professional Support | HIPAA compliance consultation | Administrative / Technical / Physical | Engage experienced security professionals to review HIPAA readiness and identify security gaps. | Organizations may overlook technical or administrative gaps without an independent review. | 7 | Optional | OCsecurityAudit | Ali Hassani, CISSP and CISO-certified expert with 25+ years of experience. | Contact OCsecurityAudit for a free HIPAA compliance consultation. | |

Need help completing this HIPAA risk score sheet? Visit OCsecurityAudit, review our HIPAA Compliance Consulting services, or contact us for a free HIPAA compliance consultation.