| 1 |
Assign a HIPAA Security Officer |
Identify the person responsible for overseeing HIPAA security requirements, safeguards, and risk management. |
CEO / Owner, Security Officer, IT Manager |
Formally assign responsibility and document the role. |
Name the responsible person and update internal documentation. |
Needs Review |
Annually or when roles change |
Appointment letter, job description, org chart |
| 2 |
Assign a Privacy Officer or Compliance Lead |
Designate someone to manage HIPAA privacy policies, patient information practices, documentation, and workforce compliance. |
CEO / Owner, Privacy Officer, Compliance Officer |
Ensure privacy responsibilities are clearly owned. |
Confirm who owns privacy and compliance duties. |
Needs Review |
Annually |
Role assignment, compliance records |
| 3 |
Approve HIPAA Privacy and Security Policies |
Review and approve written policies that explain how PHI and ePHI are protected across the organization. |
CEO / Owner, Compliance Officer, IT Manager |
Approve policies and require organization-wide enforcement. |
Schedule policy review and leadership approval. |
In Progress |
Annually or after major changes |
Signed policy approval, policy manual |
| 4 |
Complete a HIPAA Security Risk Assessment |
Identify risks to electronic protected health information, including systems, users, vendors, and workflows. |
Security Officer, IT Manager, Compliance Officer, External Consultant |
Require the assessment and review the results. |
Schedule or update the risk assessment. |
High Priority |
At least annually |
Risk assessment report |
| 5 |
Review Risk Assessment Findings with Leadership |
Make sure executives understand the organization’s highest HIPAA, cybersecurity, and business risks. |
CEO / Owner, Executive Team, Security Officer, Compliance Officer |
Review risk at the business level and set priorities. |
Hold a leadership risk review meeting. |
In Progress |
Quarterly or annually |
Meeting minutes, risk summary |
| 6 |
Approve a Remediation Plan |
Create a written plan to fix risks found during the assessment, including owners, deadlines, and priorities. |
CEO / Owner, IT Manager, Compliance Officer |
Approve priorities, timelines, and accountability. |
Create a remediation tracker with due dates. |
High Priority |
Monthly until resolved |
Remediation plan, task tracker |
| 7 |
Fund Required Cybersecurity Improvements |
Allocate budget for tools, services, training, monitoring, backups, access controls, and other safeguards. |
CEO / Owner, CFO, IT Manager, Security Officer |
Provide budget needed to reduce risk. |
Review risk items that require funding. |
Needs Review |
Budget cycle / quarterly |
Approved budget, invoices, project plans |
| 8 |
Maintain Signed Business Associate Agreements |
Confirm that required vendors handling PHI or ePHI have signed Business Associate Agreements. |
Compliance Officer, Vendor Manager, Legal Counsel, CEO / Owner |
Require vendor accountability before PHI is shared. |
Build or update the vendor BAA list. |
In Progress |
Quarterly or when vendors change |
Signed BAAs, vendor inventory |
| 9 |
Train Employees on HIPAA and Security Responsibilities |
Make sure workforce members understand HIPAA rules, phishing risks, incident reporting, passwords, and PHI handling. |
Compliance Officer, HR, IT Manager, Department Managers |
Require training and enforce completion. |
Assign training and track completion. |
In Progress |
New hire and annually |
Training logs, certificates |
| 10 |
Implement Access Controls and Authentication Standards |
Ensure users only access the PHI or ePHI needed for their role and that accounts are properly protected. |
IT Manager, Security Officer, Department Managers |
Require access accountability and approve standards. |
Review user access and authentication controls. |
High Priority |
Quarterly |
Access review reports, MFA records |
| 11 |
Require Secure Backup and Disaster Recovery Processes |
Confirm that critical systems and data are backed up, recoverable, and protected from ransomware or system failure. |
IT Manager, Security Officer, Managed IT Provider |
Ensure business continuity and recovery planning are funded and tested. |
Review backup status and recovery testing results. |
Needs Review |
Quarterly or semiannually |
Backup reports, recovery test results |
| 12 |
Document Incident Response Procedures |
Create a written plan for responding to suspected breaches, security incidents, ransomware, lost devices, or unauthorized access. |
CEO / Owner, Security Officer, IT Manager, Compliance Officer, Legal Counsel |
Approve the response structure and decision-making process. |
Review or create the incident response plan. |
High Priority |
Annually |
Incident response plan |
| 13 |
Test the Incident Response Plan |
Practice the incident response process so leadership and staff know what to do during a real event. |
CEO / Owner, IT Manager, Compliance Officer, Department Leads |
Participate in or review tabletop exercise results. |
Schedule a tabletop exercise. |
Needs Review |
Annually |
Test results, after-action report |
| 14 |
Review Compliance Status Periodically |
Establish regular leadership reviews of HIPAA risk, open remediation items, training, vendor issues, and incidents. |
CEO / Owner, Compliance Officer, Security Officer, IT Manager |
Keep HIPAA visible as an ongoing business priority. |
Add HIPAA compliance to leadership meeting agenda. |
In Progress |
Quarterly |
Meeting notes, compliance dashboard |
| 15 |
Keep Documentation Organized and Available |
Maintain records showing policies, training, risk assessments, BAAs, incident reports, access reviews, and remediation efforts. |
Compliance Officer, Security Officer, HR, IT Manager |
Require documentation that proves compliance activity. |
Create a centralized HIPAA documentation folder or system. |
Complete |
Quarterly |
Document repository, audit folder |