Free HIPAA compliance checklist

HIPAA Security Checklist for Protecting PHI and ePHI

Use this practical checklist to review administrative safeguards, technical safeguards, physical safeguards, evidence, vendors, backups, access control, and recurring HIPAA security readiness for healthcare and dental practices.

Turn the Checklist Into a HIPAA Safeguards Roadmap

A HIPAA checklist is useful only when it becomes assigned work, evidence, remediation, and recurring review. Use this sequence to move from PHI discovery to defensible security controls.

1

Map PHI and ePHI

Identify where patient information lives across EHR systems, dental software, email, shared folders, backups, scanners, billing platforms, and vendor portals.

2

Assign Safeguard Owners

Name accountable owners for administrative, technical, and physical safeguards so access, training, evidence, and remediation have clear responsibility.

3

Validate Core Controls

Review MFA, role-based access, audit logs, encryption, endpoint protection, backups, secure disposal, workstation controls, and facility access.

4

Collect Evidence

Organize policies, risk analysis notes, training records, BAAs, screenshots, access reviews, incident procedures, and remediation decisions.

5

Fix High Risks

Prioritize exposed remote access, shared accounts, missing MFA, unmanaged devices, weak backup recovery, and unclear breach response steps.

6

Review Quarterly

Repeat the checklist after staff changes, software changes, vendor changes, security incidents, audit requests, and major Microsoft 365 or endpoint updates.

This checklist is for initial guidance only and does not replace a professional cybersecurity audit, HIPAA compliance assessment, penetration test, or legal/compliance review.

Core HIPAA Security Areas to Review

The checklist should connect HIPAA Security Rule concepts to the systems and workflows that actually touch PHI in the practice.

Administrative Safeguards

Confirm risk analysis, security management, assigned responsibilities, workforce training, access authorization, sanctions, vendor oversight, incident response, and contingency planning.

Technical Safeguards

Review unique user IDs, MFA where available, access control, audit logs, encryption decisions, secure transmission, endpoint protection, and remote access controls.

Physical Safeguards

Check facility access, workstation placement, screen privacy, device inventory, equipment disposal, backup media protection, and server/network equipment access.

Vendor and BAA Readiness

Validate Business Associate Agreements, vendor access paths, support accounts, backup vendors, cloud services, billing partners, shredding providers, and incident notice expectations.

Evidence to Collect Before an Audit or Incident

HIPAA readiness improves when the practice can show what was reviewed, who owns each safeguard, what risks were found, and what was fixed.

Policy and Training Evidence

  • Security policies and procedures
  • Workforce training records
  • Sanction and incident procedures
  • Security responsibility assignments

Technical Evidence

  • User and administrator account review
  • MFA and access-control screenshots
  • Backup and restore-test records
  • Audit log and alert review notes

Risk and Remediation Evidence

  • HIPAA risk analysis notes
  • Remediation tracker
  • Vendor and BAA list
  • Leadership decisions and review dates
Ali Hassani, CISO and cybersecurity consultant for HIPAA security readiness

HIPAA Security Guidance Led by Ali Hassani, CISO

Ali Hassani brings 25+ years of IT, cybersecurity, compliance, infrastructure, Microsoft 365, Azure, network security, and audit-readiness experience to help healthcare and dental organizations turn HIPAA checklist findings into practical security improvements.

Continue the HIPAA Readiness Review

After using the checklist, continue with a more complete HIPAA security review, safeguards matrix, or guided readiness conversation.

Common HIPAA Checklist Questions

Is a HIPAA checklist enough by itself?

No. A checklist is a useful starting point, but HIPAA readiness also requires risk analysis, evidence, assigned ownership, remediation, training, vendor review, and recurring validation.

What should a small healthcare practice check first?

Start with PHI/ePHI locations, user access, MFA, backups, audit logs, endpoint protection, vendor access, Business Associate Agreements, and incident response procedures.

Can OC Security Audit certify a company as HIPAA compliant?

No private consultant can remove a covered entity's legal responsibility. OC Security Audit can help assess readiness, document risks, improve safeguards, and prepare evidence for a stronger compliance posture.