HIPAA · Checklist

The HIPAA compliance checklist that doesn't lie to you.

A HIPAA compliance checklist for SaaS companies needs to cover six areas: administrative safeguards (§164.308), physical safeguards (§164.310), technical safeguards (§164.312), Business Associate Agreements, breach notification, and ongoing documentation maintenance. Below: 47 concrete items written for engineers who'll actually implement them.

Before you start: this checklist assumes you're a "business associate" under HIPAA — i.e. you process electronic Protected Health Information (ePHI) on behalf of a Covered Entity (a hospital, insurer, or healthcare provider). If you're not sure whether HIPAA even applies to you, see our main HIPAA guide first.

1. Administrative safeguards (§164.308)

Risk analysis & management

  • Run a HIPAA-scoped risk analysis. Identify every system, person, and process that touches ePHI. Document threats, vulnerabilities, likelihood, impact. Refresh annually.
  • Maintain a risk register. Each identified risk needs an owner, mitigation plan, residual rating, and next review date.
  • Sanction policy. Document the consequences when workforce members violate ePHI policies. Make it visible — buried in the employee handbook doesn't count.
  • Activity review. Implement audit logging on systems handling ePHI. Review the logs on a documented cadence (we recommend weekly).

Workforce security

  • Background-check process. Document the background-check requirements for anyone with ePHI access. Engineering, support, customer success — anyone.
  • Access authorization workflow. Document who can grant ePHI access, what approval gate exists, and where the record is stored.
  • Termination procedures. Within 24 hours of an employee's last day, revoke all credentials, recover devices, change any shared secrets they knew. Write this down.

Information access management

  • Minimum-necessary access. Engineers don't need production read by default. Document role-based access policies tied to job function.
  • Quarterly access reviews. Every quarter, the access list for ePHI systems gets reviewed and signed off. Auditors want to see the signatures.
  • Emergency access procedure. Document the break-glass procedure for accessing ePHI during a P0 incident. Log it when invoked.

Training & awareness

  • HIPAA training at onboarding. Every workforce member completes HIPAA training before getting ePHI access.
  • Annual refresh. Same training repeats annually. Log who completed it and when.
  • Phishing tests. At least quarterly. Failures trigger remediation training.
  • Password / MFA enforcement. Documented policy, enforced via your identity provider.

Incident response

  • Documented IR plan. Roles, escalation paths, severity definitions, contact list. Review at least annually.
  • Tabletop exercises. Run a tabletop at least annually with at least one ePHI breach scenario.
  • Incident log. Every security incident — even minor ones — gets logged with what happened, who responded, what changed.

Contingency planning

  • Data backup plan. Documented backup cadence, retention, and restoration test schedule.
  • Disaster recovery plan. Defined RTO and RPO for each ePHI system. Tested at least annually.
  • Emergency mode operations. How you keep ePHI safe when your primary infrastructure is down.
  • Application/data criticality analysis. Which systems are critical for delivering care or processing ePHI. Drives the prioritization above.

Evaluation

  • Periodic technical + non-technical evaluation. At minimum annually, evaluate whether your HIPAA controls still meet the standards. Document gaps + remediation.

2. Physical safeguards (§164.310)

Facility access controls

  • Facility security plan. Even if you're cloud-only, document where your team works and how ePHI exposure on laptops / monitors is controlled.
  • Access control & validation. If you have an office, badge access + visitor logs. If remote-only, document the remote-work expectations.

Workstation & device security

  • Full-disk encryption on every workstation. Verified via MDM. Mac: FileVault. Windows: BitLocker.
  • Auto-lock policy. 5 minutes max idle before screen locks.
  • MDM enrollment. Every device touching ePHI is enrolled in MDM with remote-wipe capability.
  • Device disposal procedure. Documented secure-wipe / certificate-of-destruction process before disposing or reassigning devices.

3. Technical safeguards (§164.312)

Access control

  • Unique user IDs. No shared accounts. Ever. Every action traceable to a person.
  • Automatic logoff. Sessions on ePHI systems expire after ≤ 30 min idle.
  • Encryption at rest. AES-256 for ePHI in databases, object storage, backups. Document the KMS / key rotation policy.

Audit controls

  • Application-level audit logs. Every read/write/delete on ePHI logged with user, timestamp, action, and record ID.
  • Tamper-evident chain. Audit logs should be hash-chained or written to append-only storage so tampering is detectable. LukaGRC ships this by default.
  • Log retention. Minimum 6 years per HIPAA. Document where they live and how they're protected.

Integrity controls

  • Detect unauthorized ePHI alteration. Database-level audit triggers, file-integrity monitoring, or application-level diffs. Document the mechanism.

Person/entity authentication

  • MFA enforced on every ePHI-touching system. No exceptions for admins.
  • Strong password policy. Minimum length (we recommend 14+), no quarterly rotation theater, blocked breached-password list.

Transmission security

  • TLS 1.2+ for ePHI in transit. Document the supported ciphers and certificate management.
  • No ePHI in URLs, query parameters, or unencrypted email. Yes, still a real issue.

4. Business Associate Agreements (BAAs)

With your customers

  • Sign a BAA with every Covered Entity customer. Before they send you a single byte of ePHI.
  • Track BAA expirations. They renew; expired BAAs invalidate the legal basis for processing ePHI.

With your subprocessors

  • Sign a BAA with every subprocessor that touches ePHI. AWS, GCP, Azure all offer BAAs — sign theirs. So do Datadog, Sentry, Stripe (for healthcare), SendGrid, etc.
  • Maintain a subprocessor list. Publish it. Update it before adding new ones. Notify customers per your DPA / BAA terms.

5. Breach notification

Detection & assessment

  • Documented breach-determination process. Not every incident is a "breach" under HIPAA. The four-factor risk assessment (nature/extent, who got the ePHI, was it actually viewed, mitigation) drives the decision.
  • Decision log. Even for incidents you determine aren't reportable, log the analysis. HHS will ask if you're audited.

Notification timelines

  • 60 days max to notify affected individuals after discovery (HIPAA Breach Notification Rule).
  • Notify HHS within 60 days for breaches affecting ≥ 500 individuals. Annually for < 500.
  • Notify media for breaches affecting ≥ 500 individuals in a state/jurisdiction.
  • Notify Covered Entity customers per your BAA — usually within hours, not days. Read your BAA.

6. Documentation & ongoing maintenance

What HHS expects to see

  • Written policies for every safeguard above. Not just "we have a process" — the actual document.
  • 6-year retention on all HIPAA-related documentation (policies, risk analyses, audit logs, training records, incident reports). From the later of: when it was last in effect, or when it was created.
  • Annual review and update of every policy. Even if nothing changed, the policy needs a documented review with a signature.
Tool support: LukaGRC ships HIPAA controls mapped to all 47 items above, auto-tracks BAA renewals, provides tamper-evident audit logs, and generates the policy set so you don't start from a blank page. Start a 7-day trial.

Get every item on this list done.

LukaGRC maps all 47 items above to controls, evidence, and policies — so you have a working HIPAA program instead of a doc folder. 7-day trial, no card.

Start your free trial →