
Analysis

HIPAA Compliance Checklist for Covered Entities — 2026 Edition

TL;DR

HIPAA compliance requires covered entities to implement requirements across three rules: the Privacy Rule (how PHI may be used and disclosed), the Security Rule (how ePHI must be protected), and the Breach Notification Rule (what to do when PHI is compromised). This checklist covers all core requirements with CFR citations and identifies the items OCR prioritizes most in investigations and audits.

A comprehensive HIPAA compliance checklist for covered entities covering all Privacy Rule, Security Rule, and Breach Notification Rule requirements — with CFR citations and priority rankings.

medcomply.ai editorial team · Published May 11, 2026 · Updated May 11, 2026 · 9 min read

HIPAA compliance is not a single task — it is an ongoing program covering dozens of specific requirements across three federal rules. This checklist organizes those requirements by rule and by priority, so covered entities can assess their current state and identify gaps.

Items marked Essential are those OCR most frequently cites in enforcement actions. Items marked Important are required by regulation. Items marked Recommended reflect best practice and OCR guidance beyond the regulatory minimum.

Privacy Rule requirements

The HIPAA Privacy Rule governs how covered entities may use and disclose PHI and the rights patients have over their health information.

45 CFR Part 164, Subpart E

Policies and procedures

Essential — Written privacy policies and procedures
Every covered entity must have written privacy policies and procedures covering all Privacy Rule requirements. Policies must be implemented and available to workforce members. Retain policies and any revisions for six years.

Essential — Notice of Privacy Practices
A compliant NPP must be posted in your facility, available on your website if you have one, and provided to new patients at first service. The NPP must describe your uses and disclosures of PHI, patient rights, and your legal duties. Updated model NPPs reflecting Part 2 requirements were published by HHS in 2026.

Important — Minimum necessary standard
Implement policies limiting uses and disclosures of PHI to the minimum necessary to accomplish the intended purpose. This applies to routine disclosures and must be built into your workflows — not just stated in a policy document.

Important — Authorizations
Obtain valid written authorizations for uses and disclosures of PHI not permitted by the Privacy Rule — including disclosures for marketing, sale of PHI, and most disclosures to family members without patient presence.

Patient rights

Essential — Right of access
Patients must be able to access their own PHI within 30 days of a written request (one 30-day extension permitted with written notice). You may charge only a reasonable cost-based fee. This is OCR's most actively enforced patient rights provision.

45 CFR §164.524

Important — Right to amend
Patients may request amendments to their PHI. You must act on amendment requests within 60 days and have a process for accepting or denying them with documentation.

Important — Accounting of disclosures
Patients may request an accounting of certain disclosures of their PHI for the prior six years. You must be able to produce this accounting within 60 days.

Important — Right to restrict
Patients may request restrictions on uses and disclosures of their PHI. You must agree to a restriction on disclosure to a health plan for treatment or payment purposes if the patient has paid out of pocket in full.

Important — Confidential communications
Patients may request to receive communications of PHI by alternative means or at alternative locations. You must accommodate reasonable requests.

Workforce and accountability

Essential — Privacy officer designated
Every covered entity must designate a privacy official responsible for developing and implementing privacy policies and procedures. At small practices this is often the practice manager. Document the designation in writing.

45 CFR §164.530(a)

Essential — Workforce training
All workforce members who handle PHI must receive privacy training. Training must occur at onboarding and when material policy changes occur. Document all training with attendee names, dates, and topics covered.

Essential — Sanctions policy
A sanctions policy for workforce members who violate privacy policies must be in place and applied consistently. Document every sanction applied.

Important — Mitigation
Covered entities must mitigate harmful effects of known privacy violations to the extent practicable. Document mitigation actions taken.

Important — No retaliation or waiver
Prohibit retaliation against patients who exercise their HIPAA rights or file complaints. Do not require patients to waive their HIPAA rights as a condition of treatment.

Security Rule requirements

The HIPAA Security Rule governs the protection of electronic Protected Health Information.

45 CFR Part 164, Subpart C

Administrative safeguards

Essential — Security Risk Analysis
Conduct and document a comprehensive, enterprise-wide analysis of risks and vulnerabilities to all ePHI your organization creates, receives, maintains, or transmits. The risk analysis must identify all ePHI locations, assess current threats and vulnerabilities, and evaluate existing security controls.

45 CFR §164.308(a)(1)(ii)(A)

Essential — Risk Management Plan
Implement security measures to reduce identified risks to a reasonable and appropriate level. Document the specific measures implemented, responsible parties, and timelines. OCR now enforces risk management in addition to risk analysis — having a completed analysis that sits unacted upon is treated as a compliance failure.

45 CFR §164.308(a)(1)(ii)(B)

Essential — Security Officer designated
Designate a security official responsible for developing and implementing Security Rule policies and procedures. Document the designation. This role may be combined with the privacy officer at small organizations.

Essential — Workforce security
Implement authorization and supervision procedures for workforce members accessing ePHI. Implement termination procedures including immediate revocation of access upon separation.

Essential — Security awareness training
Provide regular security awareness training to all workforce members. Training must address protection against malicious software, login monitoring, and password management. Document all training.

Essential — Incident response procedures
Implement policies and procedures for identifying, responding to, mitigating, and documenting security incidents. Define what constitutes an incident and who is responsible for response. Test your procedures.

Important — Contingency plan
Implement a contingency plan for responding to emergencies that damage systems containing ePHI. It must include a data backup plan, disaster recovery plan, and emergency mode operation plan.

Important — Business associate contracts
Execute written BAAs with all business associates before sharing any PHI. BAAs must include Security Rule safeguard requirements. Maintain a current BAA log.

Important — Evaluation
Perform periodic technical and non-technical evaluations of your security controls to assess whether they meet Security Rule requirements. Document evaluations and findings.

Physical safeguards

Important — Facility access controls
Implement policies limiting physical access to systems containing ePHI to authorized personnel. Maintain maintenance records and access logs for facilities.

Essential — Workstation use and security
Implement policies specifying proper use of workstations that access ePHI and physical safeguards for those workstations. Computers must be positioned to prevent unauthorized viewing. Screens must lock automatically after a period of inactivity.

45 CFR §164.310(b)

Essential — Device and media controls
Implement policies for disposal of hardware and electronic media containing ePHI. Devices must be wiped or physically destroyed before disposal. Simply deleting files is not sufficient. Maintain a media movement log.

Technical safeguards

Essential — Access controls
Implement technical policies granting ePHI access only to authorized persons. Each workforce member must have a unique user ID. Automatic logoff must be implemented. Emergency access procedures must exist.

45 CFR §164.312(a)(1)

Essential — Audit controls
Implement hardware, software, and procedural mechanisms to record and examine activity in systems containing ePHI. Audit logs must be retained and reviewed regularly.
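The "Audit controls" item above requires that activity in ePHI systems be recorded and reviewed, and the "Workforce security" item earlier requires that access be revoked at separation. As an added example (not part of this checklist or of any HHS guidance), the following script shows what a periodic audit-log review can actually check: it parses a constructed EHR access log, flags any record access by an account on or after its HR separation date, and flags users who touched more distinct patient records in a day than a reviewer-set threshold. The log format, user names, patient IDs, separation dates and the threshold of five are all assumptions made for the example.

```python
"""Added example: periodic review of EHR access logs against two checklist
items, termination of access (workforce security) and audit log review
(audit controls). Log format, users, patient IDs, dates and thresholds are
constructed for illustration and do not come from any real system."""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample log: ISO timestamp, user ID, action, patient record ID.
SAMPLE_LOG = """\
2026-05-04T08:02:11 jdoe VIEW P1001
2026-05-04T08:05:40 jdoe VIEW P1002
2026-05-04T09:15:02 asmith VIEW P2001
2026-05-04T09:16:30 asmith EXPORT P2001
2026-05-04T09:20:00 asmith VIEW P2002
2026-05-04T09:21:00 asmith VIEW P2003
2026-05-04T09:22:00 asmith VIEW P2004
2026-05-04T09:23:00 asmith VIEW P2005
2026-05-04T09:24:00 asmith VIEW P2006
2026-05-05T18:45:09 bwong VIEW P3001
2026-05-05T18:46:00 bwong VIEW P3002
2026-05-06T10:00:00 jdoe VIEW P1003
"""

# Constructed HR separation dates (assumption: supplied to the security
# officer by HR as part of the termination procedure).
TERMINATIONS = {"bwong": date(2026, 5, 5)}


def parse_access_log(text):
    """Parse the constructed space-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient})
    return events


def access_after_separation(events, terminations):
    """Termination check: any ePHI access by an account on or after the
    user's separation date means access was not revoked when it should
    have been. Each returned event is evidence for the incident log."""
    return [e for e in events
            if e["user"] in terminations
            and e["ts"].date() >= terminations[e["user"]]]


def high_volume_users(events, max_distinct_patients):
    """Audit review: users who accessed more distinct patient records in
    one calendar day than the reviewer's threshold. This is a starting
    point for a second look (role check, shared-login misuse, bulk export),
    not a finding by itself."""
    per_user_day = defaultdict(set)
    for e in events:
        per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
    return sorted((user, day, len(patients))
                  for (user, day), patients in per_user_day.items()
                  if len(patients) > max_distinct_patients)


def review(text, terminations, max_distinct_patients=5):
    """Run both checks and return a summary the reviewer can file as the
    documented evidence of the review."""
    events = parse_access_log(text)
    return {
        "events_reviewed": len(events),
        "after_separation": access_after_separation(events, terminations),
        "high_volume": high_volume_users(events, max_distinct_patients),
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG, TERMINATIONS)
    print(f"events reviewed: {result['events_reviewed']}")
    for e in result["after_separation"]:
        print(f"ACCESS AFTER SEPARATION: {e['user']} {e['ts']} {e['patient']}")
    for user, day, n in result["high_volume"]:
        print(f"HIGH VOLUME: {user} accessed {n} distinct records on {day}")
```

In a real review the output of `review()` (date run, reviewer, findings, follow-up) is what goes in the evidence binder; the script itself only narrows twelve lines to the three that need a human decision, which is the point of an audit control that is actually used rather than merely switched on.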

Essential — Encryption
Encrypt ePHI at rest and in transit. While currently an addressable specification, OCR strongly expects encryption and the proposed Security Rule update would make it required. Any organization that has not implemented encryption must document the reasons and describe equivalent alternative measures.

45 CFR §164.312(a)(2)(iv)

Important — Integrity controls
Implement controls to ensure ePHI is not improperly altered or destroyed.

Important — Transmission security
Implement technical security measures guarding against unauthorized access to ePHI transmitted over electronic networks.

Policies and documentation

Essential — Written policies and procedures
Implement reasonable and appropriate written policies and procedures for all Security Rule standards. Retain all policies and revisions for six years.

Essential — Documentation
Maintain written records of actions, activities, and assessments required by the Security Rule. If it is not documented, OCR treats it as if it did not happen.

Breach Notification Rule requirements

Essential — Breach identification process
Implement a process for identifying potential breaches promptly. Every workforce member must know to report suspected incidents immediately. Document the date and time of discovery for every potential incident.

Essential — Four-factor risk assessment
Conduct and document a four-factor risk assessment for every potential breach to determine whether notification is required.

Essential — Individual notification within 60 days
Notify affected individuals in writing within 60 days of discovery for all notifiable breaches. Maintain proof of delivery.

Essential — HHS notification
Report breaches of 500 or more individuals to HHS immediately. Log and annually report smaller breaches.

Important — Media notification
Notify prominent media for breaches of 500 or more residents of a state or jurisdiction.

Essential — Business associate notification
If you are a business associate, notify the covered entity within 60 days of discovery (or within the timeframe required by your BAA, which may be shorter).

Business associate management

Essential — BAA inventory
Maintain a current inventory of all business associates — vendors, contractors, and service providers that handle PHI on your behalf. Every BA relationship must have a signed, current BAA.

Essential — BAA execution
Execute BAAs before sharing any PHI with a business associate. BAAs must meet the content requirements of 45 CFR §164.504(e)(2) and must post-date the 2013 Omnibus Rule.

Important — BA oversight
Implement a process for monitoring business associates' compliance with their BAA obligations. Request attestations of compliance and review for significant BA relationships.

Important — Subcontractor BAAs
Ensure your business associates have executed BAAs with their own subcontractors that handle PHI. This obligation flows downstream through the entire chain of service providers.

Your compliance program evidence binder

OCR expects to see documented evidence of compliance — not just assurances that you are compliant. Organize the following into an evidence binder that can be produced quickly if OCR opens an investigation:

  • Current risk analysis document with completion date
  • Risk management plan with implemented actions documented
  • Privacy officer and security officer designation letters
  • Current BAA log with execution dates
  • Workforce training records with names, dates, and topics
  • Incident response procedures and any incident logs
  • Current Notice of Privacy Practices
  • Sanctions policy and any sanctions applied
  • Most recent evaluation or audit results
  • Contingency plan and test results

HIPAA compliance is not a one-time project — it is an ongoing operational program. The organizations that fare best in OCR investigations are those that can hand over a well-organized evidence binder demonstrating continuous, documented compliance activity — not just policies written years ago.

Sources & citations

  • 45 CFR Parts 160 and 164 — HIPAA Rules
  • HHS OCR HIPAA Audit Protocol
  • HHS Security Rule Guidance

All content verified against official HHS guidance and the Code of Federal Regulations.

Frequently asked questions

What is the difference between addressable and required Security Rule specifications?
Required specifications must be implemented exactly as stated. Addressable specifications must be implemented if reasonable and appropriate given the organization's size, complexity, and capabilities — or the organization must document why it is not implementing them and describe any equivalent alternative measures. Addressable does not mean optional.

How often must HIPAA compliance activities be reviewed?
The Security Rule requires periodic review of policies and procedures but does not specify a frequency. OCR guidance and enforcement practice suggest annual reviews at minimum, with additional reviews when operations, personnel, or technology change materially. Risk analyses must be conducted on an ongoing basis.

Do small practices have different HIPAA requirements than large health systems?
The same HIPAA rules apply to all covered entities regardless of size. However, the Security Rule's flexibility — particularly for addressable specifications — allows smaller organizations to implement safeguards appropriate to their size, complexity, and capabilities. A solo practice and a 500-bed hospital implement the Security Rule differently but are subject to the same standards.

What does OCR look for first when investigating a covered entity?
Based on enforcement patterns, OCR's first requests in an investigation typically include: the most recent risk analysis, evidence of risk management actions taken, current policies and procedures, workforce training records, and BAAs with all business associates. These five areas represent the highest-frequency compliance gaps OCR finds.

Is there an official HIPAA compliance certification?
No. There is no government-issued HIPAA compliance certification. Third-party assessments such as HITRUST can demonstrate compliance maturity but are not official certifications. HIPAA compliance is an ongoing operational state, not a credential you earn once.

Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.