Top 11 HIPAA Compliance Checklist Items Most Practices Skip
The eleven HIPAA checklist items most independent practices either don't know they need or quietly skip. What each requires, and the OCR enforcement record for each.

Comprehensive HIPAA checklists run to several hundred items. Most practices handle the visible ones — BAAs with the EHR, workforce training, encrypted email — and skip the procedural ones that are harder to see but more often cited in enforcement.
Below are eleven items most independent practices skip, each backed by OCR enforcement precedent.
1. Annual risk-analysis review
The risk analysis from 2022 isn't current. The "annual review" required under §164.308(a)(1)(ii)(A) is the single most-cited gap in OCR enforcement. The fix is calendared: a specific date each year when the analysis is reviewed, with the review itself documented even when no changes are needed.
2. Named Security Officer with documented duties
45 CFR §164.308(a)(2) requires a designated Security Officer. Many practices designate someone informally but never document the role, responsibilities, or training. Without documentation, OCR treats the role as effectively unfilled.
3. Workforce sanctions actually applied — with records
45 CFR §164.530(e) requires sanctions for workforce policy violations. A practice that has never sanctioned anyone for any HIPAA violation either has an unprecedented compliance history or a sanctions policy that exists on paper only. Auditors assume the latter.
4. Contingency plan with tested restore procedures
§164.308(a)(7) requires a contingency plan covering data backup, disaster recovery, and emergency-mode operations. Most practices have backups. Many never test restore procedures. A backup that can't be restored isn't a backup, and "test it annually" is the documentary standard.
5. Audit log review on a documented schedule
45 CFR §164.312(b) requires audit controls. OCR expects to see them used — review schedule, identification of anomalies, documented investigation of suspicious events. Logs that exist but are never reviewed don't satisfy the technical safeguard.
6. BAA inventory with execution dates and expirations
A spreadsheet listing every Business Associate, the BAA execution date, expiration (where applicable), and renewal status. Most practices know the rule but lose track operationally. The Raleigh Orthopaedic Clinic case settled at $750,000 with no breach required — the missing BAA was the violation.
7. Documented device-and-media disposal procedures
§164.310(d)(2)(i) requires policies for disposing of media and devices. NIST SP 800-88 provides the technical guidance. Most practices handle this informally — old hard drives get tossed, old paper records get shredded by an outside vendor. The procedure should be documented, the disposal vendor should have a BAA, and disposal records should be retained.
8. Periodic review of policies and procedures
HIPAA's administrative safeguards require ongoing review of policies and procedures. A binder from 2019 fails. The expected standard: version-controlled policies with documented review dates, evidence of update in response to operational changes (new systems, new regulations, new workforce roles).
9. Patient-access workflow with timestamps
OCR's Right of Access Initiative has settled 45+ cases since 2019. The trigger: patient requests records, practice misses the 30-day window under §164.524. A documented workflow with timestamps, defined fee structure, and named accountability for the 30-day clock is the defense.
10. Breach-response tabletop exercises
The 60-day notification clock under the Breach Notification Rule starts at discovery. Practices without a rehearsed plan waste days mobilizing. An annual tabletop exercise (1–2 hours, key roles, scenario-based) is documentary evidence that the plan is operational, not theoretical.
11. Integration discovery for new vendors
New marketplace apps connect to the EHR. New point-of-care vendors get integrated. A part-time contractor gets remote access. Each one is potentially a new Business Associate — and a new BAA requirement. Most practices have no defined process for catching these integrations as they happen, leaving discovery to retrospective audit.
Why these eleven matter
Each one is a documentation gap, not an infrastructure gap. The work to close each one is procedural — schedule a review, document the role, log the sanction, run the tabletop, update the inventory. The cost is operational discipline, not capital expenditure.
These eleven also account for a disproportionate share of OCR findings — meaning the time invested in closing them returns more audit-defensibility per hour than almost any other compliance work.
Where Patient Protect fits
Patient Protect tracks the operational program continuously — risk analyses, BAAs, audit logs, training, sanctions, encryption, incident response — and surfaces gaps before they become enforcement findings. Documentation-focused compliance platforms generate the checklist itself and the policy library. Patient Protect adds the active layer — verification that the checklist items are actually being executed across the practice's day-to-day operations. The two complement each other. Most practices need both.
Patient Protect tracks every operational checklist item continuously, with named accountability and audit-ready documentation. Plans start at $39/month with a 14-day free trial.
