HIPAA compliance checklist


Patient Rights

  • essential

    Notice of Privacy Practices posted in waiting area and given to new patients

    Why this matters

    Patients have a legal right to know how you use their health information. This notice tells them.

    What goes in this notice?

Workforce

  • essential

    All staff completed HIPAA training within the last year

    Why this matters

    Every person who handles patient information must be trained. This includes front desk, billing, and clinical staff.

    What training is required?

Compliance

  • essential

    A Privacy Officer has been designated at your practice

    Why this matters

    Every covered entity must have someone responsible for HIPAA compliance. This can be the practice manager at a small practice.

    Do we need a privacy officer?
  • important

    A HIPAA risk assessment has been completed in the last 12 months

    Why this matters

    A risk assessment is required by law. It identifies where patient data could be exposed at your practice.

    Take our free risk assessment
  • important

    Written HIPAA policies and procedures are in place and accessible to staff

    Why this matters

    You need documented policies covering privacy, security, and breach response. These do not need to be complex.

    What policies do we need?
  • important

    A process exists for responding to security incidents and potential breaches

    Why this matters

    When something goes wrong you need a plan. HIPAA requires documented incident response procedures.

    What to do if something goes wrong

Security

  • essential

    Computers are password protected and lock automatically after a few minutes

    Why this matters

    An unlocked computer with patient records visible is a HIPAA violation. Automatic screen locks are required.

    Security basics
  • essential

    Patient data is encrypted when stored and when sent over the internet

    Why this matters

    Encryption protects data if systems are hacked or devices are stolen. It also provides legal protection under HIPAA.

    Encryption basics
  • essential

    Each person has their own unique login — no shared passwords

    Why this matters

    Shared logins make it impossible to track who accessed what. Individual logins are required by HIPAA.

    Access control basics
  • important

    Mobile phones and tablets used for patient care are encrypted and PIN-protected

    Why this matters

    Lost or stolen phones are one of the most common causes of HIPAA breaches. Encryption protects patient data if a device is lost.

    Mobile device security

Vendors

  • essential

    Signed Business Associate Agreements with all software vendors handling patient data

    Why this matters

    If a vendor stores or handles patient records on your behalf, you are legally required to have a signed contract with them called a Business Associate Agreement (BAA).

    What is a BAA?
  • important

    Any subcontractors who handle patient data also have signed BAAs

    Why this matters

    Your HIPAA obligations extend to your subcontractors. If you share patient data with another vendor, they need a BAA with you.

    Subcontractor obligations

Operations

  • important

    Fax cover sheets include a confidentiality notice and numbers are verified before sending

    Why this matters

    Wrong-number faxes containing patient information are one of the most common HIPAA violations at small practices.

    Fax best practices
  • recommended

    Voicemail messages left for patients contain minimal information

    Why this matters

    Leaving detailed medical information on a voicemail could expose it to others. Keep messages brief — name and callback number only.

    Voicemail guidelines