Before you start: this checklist assumes you're a "business associate" under HIPAA — i.e. you process electronic Protected Health Information (ePHI) on behalf of a Covered Entity (a hospital, insurer, or healthcare provider). If you're not sure whether HIPAA even applies to you, see our main HIPAA guide first.
1. Administrative safeguards (§164.308)
Risk analysis & management
- Run a HIPAA-scoped risk analysis. Identify every system, person, and process that touches ePHI. Document threats, vulnerabilities, likelihood, impact. Refresh annually.
- Maintain a risk register. Each identified risk needs an owner, mitigation plan, residual rating, and next review date.
- Sanction policy. Document the consequences when workforce members violate ePHI policies. Make it visible — buried in the employee handbook doesn't count.
- Activity review. Implement audit logging on systems handling ePHI. Review the logs on a documented cadence (we recommend weekly).
Workforce security
- Background-check process. Document the background-check requirements for anyone with ePHI access. Engineering, support, customer success — anyone.
- Access authorization workflow. Document who can grant ePHI access, what approval gate exists, and where the record is stored.
- Termination procedures. Within 24 hours of an employee's last day, revoke all credentials, recover devices, change any shared secrets they knew. Write this down.
Information access management
- Minimum-necessary access. Engineers don't need production read by default. Document role-based access policies tied to job function.
- Quarterly access reviews. Every quarter, the access list for ePHI systems gets reviewed and signed off. Auditors want to see the signatures.
- Emergency access procedure. Document the break-glass procedure for accessing ePHI during a P0 incident. Log it when invoked.
Training & awareness
- HIPAA training at onboarding. Every workforce member completes HIPAA training before getting ePHI access.
- Annual refresh. Same training repeats annually. Log who completed it and when.
- Phishing tests. At least quarterly. Failures trigger remediation training.
- Password / MFA enforcement. Documented policy, enforced via your identity provider.
Incident response
- Documented IR plan. Roles, escalation paths, severity definitions, contact list. Review at least annually.
- Tabletop exercises. Run a tabletop at least annually with at least one ePHI breach scenario.
- Incident log. Every security incident — even minor ones — gets logged with what happened, who responded, what changed.
Contingency planning
- Data backup plan. Documented backup cadence, retention, and restoration test schedule.
- Disaster recovery plan. Defined RTO and RPO for each ePHI system. Tested at least annually.
- Emergency mode operations. How you keep ePHI safe when your primary infrastructure is down.
- Application/data criticality analysis. Which systems are critical for delivering care or processing ePHI. Drives the prioritization above.
Evaluation
- Periodic technical + non-technical evaluation. At minimum annually, evaluate whether your HIPAA controls still meet the standards. Document gaps + remediation.
2. Physical safeguards (§164.310)
Facility access controls
- Facility security plan. Even if you're cloud-only, document where your team works and how ePHI exposure on laptops / monitors is controlled.
- Access control & validation. If you have an office, badge access + visitor logs. If remote-only, document the remote-work expectations.
Workstation & device security
- Full-disk encryption on every workstation. Verified via MDM. Mac: FileVault. Windows: BitLocker.
- Auto-lock policy. 5 minutes max idle before screen locks.
- MDM enrollment. Every device touching ePHI is enrolled in MDM with remote-wipe capability.
- Device disposal procedure. Documented secure-wipe / certificate-of-destruction process before disposing or reassigning devices.
3. Technical safeguards (§164.312)
Access control
- Unique user IDs. No shared accounts. Ever. Every action traceable to a person.
- Automatic logoff. Sessions on ePHI systems expire after ≤ 30 min idle.
- Encryption at rest. AES-256 for ePHI in databases, object storage, backups. Document the KMS / key rotation policy.
Audit controls
- Application-level audit logs. Every read/write/delete on ePHI logged with user, timestamp, action, and record ID.
- Tamper-evident chain. Audit logs should be hash-chained or written to append-only storage so tampering is detectable. LukaGRC ships this by default.
- Log retention. Minimum 6 years per HIPAA. Document where they live and how they're protected.
Integrity controls
- Detect unauthorized ePHI alteration. Database-level audit triggers, file-integrity monitoring, or application-level diffs. Document the mechanism.
Person/entity authentication
- MFA enforced on every ePHI-touching system. No exceptions for admins.
- Strong password policy. Minimum length (we recommend 14+), no quarterly rotation theater, blocked breached-password list.
Transmission security
- TLS 1.2+ for ePHI in transit. Document the supported ciphers and certificate management.
- No ePHI in URLs, query parameters, or unencrypted email. Yes, still a real issue.
4. Business Associate Agreements (BAAs)
With your customers
- Sign a BAA with every Covered Entity customer. Before they send you a single byte of ePHI.
- Track BAA expirations. They renew; expired BAAs invalidate the legal basis for processing ePHI.
With your subprocessors
- Sign a BAA with every subprocessor that touches ePHI. AWS, GCP, Azure all offer BAAs — sign theirs. So do Datadog, Sentry, Stripe (for healthcare), SendGrid, etc.
- Maintain a subprocessor list. Publish it. Update it before adding new ones. Notify customers per your DPA / BAA terms.
5. Breach notification
Detection & assessment
- Documented breach-determination process. Not every incident is a "breach" under HIPAA. The four-factor risk assessment (nature/extent, who got the ePHI, was it actually viewed, mitigation) drives the decision.
- Decision log. Even for incidents you determine aren't reportable, log the analysis. HHS will ask if you're audited.
Notification timelines
- 60 days max to notify affected individuals after discovery (HIPAA Breach Notification Rule).
- Notify HHS within 60 days for breaches affecting ≥ 500 individuals. Annually for < 500.
- Notify media for breaches affecting ≥ 500 individuals in a state/jurisdiction.
- Notify Covered Entity customers per your BAA — usually within hours, not days. Read your BAA.
6. Documentation & ongoing maintenance
What HHS expects to see
- Written policies for every safeguard above. Not just "we have a process" — the actual document.
- 6-year retention on all HIPAA-related documentation (policies, risk analyses, audit logs, training records, incident reports). From the later of: when it was last in effect, or when it was created.
- Annual review and update of every policy. Even if nothing changed, the policy needs a documented review with a signature.
Tool support: LukaGRC ships HIPAA controls mapped to all 47 items above, auto-tracks BAA renewals, provides tamper-evident audit logs, and generates the policy set so you don't start from a blank page. Start a 7-day trial.