HIPAA Compliance Checklist 2026: Everything Independent Practices Need to Cover

A complete HIPAA compliance checklist for independent healthcare practices — every requirement from the Security Rule, Privacy Rule, and Breach Notification Rule, organized by category with regulatory citations.

Patient Protect Editorial Team·April 15, 2026
A HIPAA compliance checklist is a starting point, not a destination. The goal is not to check the boxes — it is to implement the safeguards the boxes represent. That distinction matters when an OCR investigation begins.

This checklist covers the core requirements of the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule, organized by category. Each item includes the specific regulatory citation and what "done" actually means in practice.

How to Use This Checklist

Items marked Architectural are satisfied by platform infrastructure — if you are using an enforcement-based compliance platform like Patient Protect, these are handled automatically. Items marked Documented require deliberate action and recordkeeping.


Administrative Safeguards (§164.308)

Security Management Process

  • [ ] Security Risk Analysis — §164.308(a)(1)(ii)(A) — Architectural/Documented. An accurate and thorough assessment of potential risks to ePHI confidentiality, integrity, and availability. Must be current — not just historical.

  • [ ] Risk Management Plan — §164.308(a)(1)(ii)(B) — Documented. Specific measures to reduce identified risks to a reasonable level. Must be implemented, not just written.

  • [ ] Sanction Policy — §164.308(a)(1)(ii)(C) — Documented. Clear consequences for workforce members who violate HIPAA policies. Must be communicated and acknowledged.

  • [ ] Information System Activity Review — §164.308(a)(1)(ii)(D) — Architectural. Regular review of audit logs, access reports, and security incident tracking. Automated by platform audit logging.

Assigned Security Responsibility

  • [ ] Security Officer designated — §164.308(a)(2) — Documented. A specific named individual responsible for security policies and procedures.

  • [ ] Privacy Officer designated — §164.530(a)(1) — Documented. A specific named individual responsible for privacy policies and procedures.

Workforce Security

  • [ ] Authorization and supervision procedures — §164.308(a)(3)(ii)(A) — Architectural. Role-based access ensures workforce members access only the PHI necessary for their job.

  • [ ] Termination procedures — §164.308(a)(3)(ii)(C) — Architectural. Immediate revocation of access upon workforce termination. Must happen the day access ends, not weeks later.

Security Awareness and Training

  • [ ] Security reminders — §164.308(a)(5)(ii)(A) — Architectural/Documented. Ongoing security guidance for all workforce members.

  • [ ] Login monitoring — §164.308(a)(5)(ii)(C) — Architectural. Tracking and reviewing login attempts, including failed login monitoring.

  • [ ] Password management — §164.308(a)(5)(ii)(D) — Architectural. Procedures for creating, changing, and safeguarding passwords, enforced by platform.
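The Information System Activity Review and Login monitoring items above describe a review, not a mechanism. The following Go program is an added example, not code from Patient Protect or from this article: it parses constructed authentication audit lines (the line format, user names and addresses are all invented for the demonstration) and flags any account with five or more failed logins inside a ten-minute sliding window, which is the kind of finding a periodic activity review is expected to surface and document.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// LoginEvent is one parsed record from an authentication audit log.
type LoginEvent struct {
	When    time.Time
	User    string
	Source  string
	Success bool
}

// sampleLog is a constructed sample, not output from any real product.
// Assumed line format: <RFC3339 time> user=<id> src=<ip> outcome=<success|failure>.
const sampleLog = `2026-04-15T08:01:10Z user=jdoe src=10.0.0.12 outcome=success
2026-04-15T08:02:00Z user=svc-billing src=203.0.113.9 outcome=failure
2026-04-15T08:02:05Z user=svc-billing src=203.0.113.9 outcome=failure
2026-04-15T08:02:11Z user=svc-billing src=203.0.113.9 outcome=failure
2026-04-15T08:02:16Z user=svc-billing src=203.0.113.9 outcome=failure
2026-04-15T08:02:20Z user=svc-billing src=203.0.113.9 outcome=failure
2026-04-15T08:03:00Z user=mlee src=10.0.0.15 outcome=failure
2026-04-15T08:15:00Z user=mlee src=10.0.0.15 outcome=success
2026-04-15T09:30:00Z user=jdoe src=10.0.0.12 outcome=failure
2026-04-15T10:30:00Z user=jdoe src=10.0.0.12 outcome=failure
2026-04-15T11:30:00Z user=jdoe src=10.0.0.12 outcome=failure`

// ParseLog converts raw log text into events. Malformed lines are an error
// rather than silently skipped, so a corrupted feed cannot hide a pattern.
func ParseLog(raw string) ([]LoginEvent, error) {
	var events []LoginEvent
	for n, line := range strings.Split(raw, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 4 {
			return nil, fmt.Errorf("line %d: expected 4 fields, got %d", n+1, len(fields))
		}
		when, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad timestamp: %w", n+1, err)
		}
		ev := LoginEvent{When: when}
		for _, kv := range fields[1:] {
			key, val, ok := strings.Cut(kv, "=")
			if !ok {
				return nil, fmt.Errorf("line %d: malformed field %q", n+1, kv)
			}
			switch key {
			case "user":
				ev.User = val
			case "src":
				ev.Source = val
			case "outcome":
				ev.Success = val == "success"
			default:
				return nil, fmt.Errorf("line %d: unknown key %q", n+1, key)
			}
		}
		events = append(events, ev)
	}
	// Logs are not guaranteed to arrive in order; the window logic needs them sorted.
	sort.Slice(events, func(i, j int) bool { return events[i].When.Before(events[j].When) })
	return events, nil
}

// RepeatedFailures flags every user with at least threshold failed logins inside
// a sliding window of the given length. The result maps each flagged user to the
// peak number of failures seen in one window.
func RepeatedFailures(events []LoginEvent, threshold int, window time.Duration) map[string]int {
	flagged := make(map[string]int)
	recent := make(map[string][]time.Time) // per-user failure times still inside the window
	for _, ev := range events {
		if ev.Success {
			continue
		}
		q := recent[ev.User]
		for len(q) > 0 && ev.When.Sub(q[0]) > window { // evict failures older than the window
			q = q[1:]
		}
		q = append(q, ev.When)
		recent[ev.User] = q
		if len(q) >= threshold && len(q) > flagged[ev.User] {
			flagged[ev.User] = len(q)
		}
	}
	return flagged
}

func main() {
	events, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for user, n := range RepeatedFailures(events, 5, 10*time.Minute) {
		fmt.Printf("review: %s had %d failed logins within 10 minutes\n", user, n)
	}
}
```

The threshold and window are the review policy, not the detector: the same function run with a three-hour window and a threshold of three also picks up the slow, hourly failures against `jdoe` in the sample, which a ten-minute window misses. Whichever values a practice chooses should be written into the activity review procedure so the reviewer's record shows what was looked for.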

Security Incident Procedures

  • [ ] Incident response and reporting — §164.308(a)(6) — Architectural/Documented. Procedures for identifying, responding to, reporting, and mitigating security incidents.

Contingency Plan

  • [ ] Data backup plan — §164.308(a)(7)(ii)(A) — Documented. Procedures for creating and maintaining retrievable exact copies of ePHI.

  • [ ] Disaster recovery plan — §164.308(a)(7)(ii)(B) — Documented. Procedures to restore lost ePHI data after an emergency.

Business Associate Contracts

  • [ ] BAAs executed with all Business Associates — §164.308(b)(1) — Documented. Written contracts with every vendor who creates, receives, maintains, or transmits PHI. Not just your EHR — billing, cloud storage, IT support, transcription, all of them.

Technical Safeguards (§164.312)

Access Control

  • [ ] Unique user identification — §164.312(a)(2)(i) — Architectural. Every user has a unique identifier. Shared logins are a HIPAA violation.

  • [ ] Automatic logoff — §164.312(a)(2)(iii) — Architectural. Sessions terminate after a period of inactivity.

  • [ ] Encryption and decryption — §164.312(a)(2)(iv) — Architectural. ePHI in session storage and at rest is encrypted. AES-256-GCM is the current standard.

Audit Controls

  • [ ] Hardware, software, and procedural audit mechanisms — §164.312(b) — Architectural. Audit logs recording access to and actions taken on ePHI systems.

Person or Entity Authentication

  • [ ] Multi-factor authentication — §164.312(d) — Architectural. Verification of identity for access to ePHI. MFA is the 2025–2026 standard.

Transmission Security

  • [ ] Encryption in transit — §164.312(e)(2)(ii) — Architectural. ePHI transmitted over networks is encrypted. TLS 1.3 is the current standard.

Physical Safeguards (§164.310)

Workstation Use and Security

  • [ ] Workstation use policies — §164.310(b) — Documented + Acknowledged. Each workforce member confirms their workstation is positioned to prevent unauthorized viewing of PHI.

  • [ ] Workstation security — §164.310(c) — Documented + Acknowledged. Each workforce member confirms they lock their workstation when stepping away.

Device and Media Controls

  • [ ] Disposal procedures — §164.310(d)(2)(i) — Documented + Acknowledged. Procedures for final disposal of ePHI and the hardware on which it is stored.

Privacy Rule Requirements (§164.500–164.534)

  • [ ] Notice of Privacy Practices posted and distributed — §164.520 — Documented. Patients must receive and acknowledge your NPP.

  • [ ] Minimum necessary standard applied — §164.502(b) — Architectural. Access and disclosure limited to the minimum PHI necessary for the purpose.

  • [ ] Patient rights procedures in place — §164.524–164.528 — Documented. Procedures for handling patient requests to access, amend, and restrict use of their PHI.

  • [ ] Complaint process established — §164.530(d) — Documented. A process for patients to file privacy complaints.


Breach Notification Rule (§164.400–414)

  • [ ] Breach response procedures defined — §164.308(a)(6) — Documented. A documented process for identifying, assessing, and responding to breaches.

  • [ ] Notification timelines understood — §164.404–408 — Documented. Individual notification within 60 days. HHS notification within 60 days. Immediate media notification for breaches affecting 500+ in a state.


The Gap Between Checklist and Compliance

Completing this checklist confirms you know what the requirements are. It does not confirm your practice is meeting them.

The requirements marked Architectural cannot be satisfied by a document or an acknowledgment — they require a running system that enforces the control. If your compliance platform does not implement these controls by default, the compliance burden falls entirely on your practice's operational discipline.

Patient Protect satisfies approximately 25 of the requirements on this list automatically through platform architecture — before any user action. The remaining items are guided through the compliance advice system, creating timestamped, auditor-ready records.


This checklist reflects requirements under 45 CFR Parts 160 and 164 as of April 2026, including the 2025 HIPAA Security Rule updates. It is provided for informational purposes and does not constitute legal advice. Consult a qualified compliance professional for guidance specific to your organization.