Compliance Operations

Top 11 HIPAA Compliance Checklist Items Most Practices Skip

The eleven HIPAA checklist items most independent practices either don't know they need or quietly skip. What each requires, and the OCR enforcement record for each.

Angie Perrin, RDH · February 22, 2026 · 7 min read

The HIPAA binder lived on a shelf above the office manager's desk in the first practice I worked at, and the only time anyone touched it was when a new hire was supposed to sign the acknowledgment page on the inside cover. The office manager would unshelve it on her tiptoes, set it on the counter while the new hire signed, slide it back into place, and that was the whole interaction the building had with HIPAA most months. The binder wasn't anyone's fault — the office manager was already running the schedule, the insurance follow-ups, the supply orders, and the back-and-forth with three different specialty referral coordinators, and "open the binder this quarter and walk through the eleven things in it that actually need doing" was never on a list that anyone built for her. Ten years and three practices later, I've earned my HIPAA consultant credential and walked into a dozen more offices, and the binder has the same coat of dust because the calendar problem is the same calendar problem. The eleven items below are what lives inside that binder, what almost never gets crossed off, and what OCR keeps finding when they finally walk in.

1. Annual risk-analysis review

The risk analysis from 2022 isn't current. §164.308(a)(1)(ii)(A) requires an accurate and thorough risk analysis, and HHS guidance treats it as an ongoing process rather than a one-time document: the regulation itself sets no fixed cadence, but an annual review is the baseline OCR expects, with an out-of-cycle update whenever a new system or vendor changes how ePHI flows through the practice. A missing or stale risk analysis is the most frequently cited gap in OCR enforcement. The fix is calendared: a specific date each year when the analysis is reviewed, with the review itself documented even when no changes are needed.

2. Named Security Officer with documented duties

45 CFR §164.308(a)(2) requires the practice to identify a security official responsible for developing and implementing its security policies and procedures. Many practices designate someone informally but never document the role, its responsibilities, or the training that person received. Without that documentation there is nothing to show OCR, and an undocumented designation is treated much like no designation at all.

3. Workforce sanctions actually applied — with records

Two practices in my training cohort talked openly in the break room about a hygienist pulling up a relative's chart "just to see how she's doing," and nobody wrote it up because the moment passed and the schedule was already running ten minutes late. There was no sanctions log, no formal conversation, nothing in the personnel file. The policy in the binder said snooping was a terminable offense, but the lived practice was that it became a story to tell over coffee the following Wednesday, and the office manager moved on to the rest of her morning. 45 CFR §164.530(e) (and, on the Security Rule side, the sanction policy at §164.308(a)(1)(ii)(C)) requires sanctions for workforce policy violations, and a practice that has never documented a single sanction for any HIPAA issue invites harder questions when OCR walks in, because the agency will assume the program exists on paper rather than that the workforce has a perfect compliance history.

4. Contingency plan with tested restore procedures

§164.308(a)(7) requires a contingency plan covering data backup, disaster recovery, and emergency-mode operations, and its testing-and-revision implementation specification (§164.308(a)(7)(ii)(D)) is where the restore test lives. Most practices have a backup running somewhere because the EHR vendor set one up at install. The piece that almost never gets done is the restore test: the office manager isn't refusing to test the backup, she just doesn't have a slot on the calendar to restore a sample chart into a sandbox environment, and the IT contractor who could help is billing by the hour. Carving out an annual half-day with the IT contractor on a slow Friday to walk through the restore closes the gap. Record what was restored, where, by whom, on what date, and whether the restored data matched the original, and the practice has an answer when OCR asks whether the backup has actually been tested.
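The restore test above, scripted so it leaves the evidence behind. This is an added example, not code from the article or from Patient Protect: it restores a backup archive into a scratch directory, checks every file against a SHA-256 manifest taken when the backup was made, and returns a dated record to file with the contingency plan. The tar.gz layout, the manifest format, the sample chart files and the names used are assumptions; the real archive comes from the EHR vendor's tool, but the verify-and-record step is the same.

```python
"""Added example (not from the article): scripted restore test with evidence.
Restores into a throwaway sandbox, verifies against a SHA-256 manifest, and
returns the record to keep with the contingency plan.  Archive layout,
manifest format and sample files are assumptions."""
import hashlib
import os
import tarfile
import tempfile
from datetime import date


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_backup(source_dir, archive_path):
    """Archive source_dir and return {relative path: sha256}.  In practice the
    vendor tool writes the archive; the manifest is the piece most setups lack."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(source_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest


def restore_test(archive_path, manifest, tester, tested_on):
    """Restore into a fresh sandbox (never over production data), verify each
    file against the manifest, and return the dated test record."""
    with tempfile.TemporaryDirectory() as sandbox:
        with tarfile.open(archive_path, "r:gz") as tar:
            for m in tar.getmembers():  # refuse path traversal from a bad archive
                if m.name.startswith("/") or ".." in m.name.split("/") or m.issym() or m.islnk():
                    raise ValueError(f"unsafe member in archive: {m.name}")
            # Use the hardened extraction filter where this Python has it.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(sandbox, **kwargs)
        missing = [rel for rel in manifest
                   if not os.path.isfile(os.path.join(sandbox, rel))]
        mismatched = [rel for rel in manifest if rel not in missing
                      and sha256_file(os.path.join(sandbox, rel)) != manifest[rel]]
    ok = not missing and not mismatched
    return {"tested_on": tested_on.isoformat(), "tester": tester,
            "archive": os.path.basename(archive_path),
            "files_checked": len(manifest), "missing": missing,
            "mismatched": mismatched, "result": "PASS" if ok else "FAIL"}


def demo():
    """Constructed sample: two chart files, one clean restore, then a later
    archive in which a file changed, still checked against the original manifest."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "charts")
        os.makedirs(src)
        with open(os.path.join(src, "P1001.txt"), "w") as f:
            f.write("sample chart 1001 (constructed)\n")
        with open(os.path.join(src, "P1002.txt"), "w") as f:
            f.write("sample chart 1002 (constructed)\n")
        good = os.path.join(work, "backup-good.tar.gz")
        manifest = build_backup(src, good)
        first = restore_test(good, manifest, "it.contractor", date(2026, 2, 13))
        with open(os.path.join(src, "P1002.txt"), "w") as f:
            f.write("corrupted\n")  # simulate silent corruption before the next backup
        bad = os.path.join(work, "backup-bad.tar.gz")
        build_backup(src, bad)
        second = restore_test(bad, manifest, "it.contractor", date(2026, 2, 13))
    return first, second


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The returned record is what goes in the binder: a PASS line with the date, tester and file count is the proof OCR asks for, and a FAIL line with the mismatched file names is the thing a backup that was never restored would have hidden until the day it was needed.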

5. Audit log review on a documented schedule

45 CFR §164.312(b) requires audit controls, and §164.308(a)(1)(ii)(D) requires regular review of information-system activity such as audit logs and access reports. OCR expects to see both in use: a written review schedule, the rules used to pick out anomalies (after-hours access, charts opened with no treatment relationship, unusual volumes from one account, accounts that should have been disabled), and a documented investigation of each suspicious event. Logs that exist but are never reviewed don't satisfy the safeguard.
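What a scheduled review actually looks like when it is more than opening the log viewer. This is an added example, not code from the article or from Patient Protect: it runs a few review rules over constructed EHR access records (the relative's-chart case from item 3 among them) and returns the findings to investigate plus a one-line review record to keep as evidence. The log format, field names, thresholds, staff roster, schedule and rules are all assumptions; a real EHR export will differ, but the review loop is the same.

```python
"""Added example (not from the article): a minimal audit-log review that turns
"logs exist" into "logs are reviewed".  Log format, thresholds, roster and
schedule are assumptions; sample data is constructed, not real patients."""
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta

# --- Assumed practice settings ---------------------------------------------
BUSINESS_HOURS = (7, 19)                  # 07:00-19:00 local time
RELATIONSHIP_WINDOW = timedelta(days=7)   # appointment within +/-7 days = treating
BULK_THRESHOLD = 5                        # distinct charts per user per hour
SENSITIVE_ACTIONS = {"VIEW_CHART", "PRINT_CHART", "EXPORT"}

# --- Constructed sample data ----------------------------------------------
# Columns: timestamp, user, role, patient id, action
SAMPLE_LOG = """\
2026-02-10T09:12:00,jdoe,hygienist,P1001,VIEW_CHART
2026-02-10T09:40:00,jdoe,hygienist,P1002,VIEW_CHART
2026-02-10T10:05:00,mlee,front_desk,P1003,VIEW_DEMOGRAPHICS
2026-02-10T23:15:00,jdoe,hygienist,P2001,VIEW_CHART
2026-02-11T12:30:00,jdoe,hygienist,P3001,VIEW_CHART
2026-02-11T12:31:00,jdoe,hygienist,P3002,VIEW_CHART
2026-02-11T12:32:00,jdoe,hygienist,P3003,VIEW_CHART
2026-02-11T12:33:00,jdoe,hygienist,P3004,VIEW_CHART
2026-02-11T12:34:00,jdoe,hygienist,P3005,VIEW_CHART
2026-02-11T14:00:00,tmp_it,contractor,P1001,EXPORT
"""
ROSTER = {"jdoe", "mlee", "drsmith"}      # active workforce accounts
SCHEDULE = {                              # patient id -> appointment dates
    "P1001": [date(2026, 2, 10)], "P1002": [date(2026, 2, 10)],
    "P1003": [date(2026, 2, 12)],
    "P3001": [date(2026, 2, 11)], "P3002": [date(2026, 2, 11)],
    "P3003": [date(2026, 2, 11)], "P3004": [date(2026, 2, 11)],
    "P3005": [date(2026, 2, 11)],
}


def parse_log(text):
    """Parse the CSV-style export into dicts; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, role, patient, action = line.strip().split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return records


def review(records, schedule=SCHEDULE, roster=ROSTER):
    """Apply the review rules; returns one finding per rule hit."""
    findings = []
    charts_per_user_hour = defaultdict(set)
    for r in records:
        hits = []
        if r["user"] not in roster:                       # account nobody owns
            hits.append("unknown_account")
        off_hours = not (BUSINESS_HOURS[0] <= r["ts"].hour < BUSINESS_HOURS[1])
        if off_hours or r["ts"].weekday() >= 5:           # nights and weekends
            hits.append("after_hours")
        if r["action"] in SENSITIVE_ACTIONS:              # snooping check
            visits = schedule.get(r["patient"], [])
            treating = any(abs(r["ts"].date() - v) <= RELATIONSHIP_WINDOW for v in visits)
            if not treating:
                hits.append("no_treatment_relationship")
        hour = r["ts"].replace(minute=0, second=0, microsecond=0)
        charts_per_user_hour[(r["user"], hour)].add(r["patient"])
        findings.extend({"rule": rule, **r} for rule in hits)
    for (user, hour), patients in charts_per_user_hour.items():
        if len(patients) >= BULK_THRESHOLD:               # volume nobody needs
            findings.append({"rule": "bulk_access", "user": user, "ts": hour,
                             "patients": sorted(patients)})
    return findings


def review_record(findings, reviewer, reviewed_on):
    """The line that goes in the review log as evidence the review happened."""
    counts = Counter(f["rule"] for f in findings)
    detail = ", ".join(f"{k}={v}" for k, v in sorted(counts.items())) or "none"
    return (f"{reviewed_on.isoformat()} reviewed by {reviewer}: "
            f"{len(findings)} finding(s) [{detail}]; each opened for investigation")


if __name__ == "__main__":
    hits = review(parse_log(SAMPLE_LOG))
    for h in hits:
        print(h["rule"], h["user"], h["ts"], h.get("patient") or h["patients"])
    print(review_record(hits, "office.manager", date(2026, 2, 12)))
```

On the constructed data this flags the 23:15 chart view of a patient with no appointment (two rules at once), the five charts one account opened in a single lunch hour, and an export by an account that is not on the roster. The record line is the part that satisfies the "documented schedule" half of the item; without it the review happened only in someone's memory.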

6. BAA inventory with execution dates and expirations

A spreadsheet listing every Business Associate, the BAA execution date, expiration (where applicable), and renewal status. Most practices know the rule but lose track operationally. The Raleigh Orthopaedic Clinic case (2016) settled for $750,000 after the practice handed x-ray films to a vendor without a BAA in place; no hacking incident or lost laptop was required, because the missing agreement itself was the violation.

7. Documented device-and-media disposal procedures

§164.310(d)(2)(i) requires policies for the final disposal of ePHI and the hardware or media it lives on. NIST SP 800-88 Rev. 1 provides the technical guidance, including which sanitization method (clear, purge, or destroy) fits which kind of media. Most practices handle this informally: old hard drives get tossed, old paper records get shredded by an outside vendor. The procedure should be documented, the disposal vendor should have a BAA, and a disposal record (device or media identifier, method used, date, who performed it, and the vendor's certificate of destruction where one is issued) should be retained.

8. Periodic review of policies and procedures

HIPAA's administrative safeguards require ongoing review of policies and procedures (§164.316(b)(2)(iii) calls for periodic review and updates in response to environmental or operational changes, and §164.316(b)(2)(i) requires the documentation to be retained for six years), which means the binder from 2019 that pre-dates the current EHR, the tracking-pixel bulletin, and two new vendors the practice has since signed with isn't going to hold up when somebody asks. What does hold up is a document library with version-controlled policies, documented review dates that show somebody actually opened the policy on a real Wednesday afternoon, and evidence of updates in response to operational changes (new systems, new regulations, new workforce roles), which is calendar work the office manager can fit into a slow week if she owns it.

9. Patient-access workflow with timestamps

OCR's Right of Access Initiative has produced 45+ enforcement actions since it launched in 2019. The trigger is simple: a patient requests records and the practice misses the 30-day window under §164.524 (one 30-day extension is allowed, but only if the patient is told in writing why and when). A documented workflow with timestamps for receipt, any extension notice, and fulfillment, a fee schedule limited to the reasonable cost-based fee the rule permits, and named accountability for the 30-day clock is the defense.

10. Breach-response tabletop exercises

The notification clock under the Breach Notification Rule (§164.404) starts at discovery, and a breach counts as discovered on the first day the practice knew of it or, with reasonable diligence, should have known; notice is due without unreasonable delay and in no case later than 60 calendar days after that. Practices without a rehearsed plan waste days mobilizing. An annual tabletop exercise (1–2 hours, key roles, scenario-based, with a written summary of who did what and what was found lacking) is documentary evidence that the plan is operational, not theoretical.

11. Integration discovery for new vendors

New marketplace apps get connected to the EHR by whichever associate happens to be standing at the workstation that morning, new point-of-care vendors get integrated during a midweek install while the office manager is on the phone with insurance, and a part-time contractor gets remote access because the doctor knew him from a previous job and waved him through the credentialing question. Each of those moments is potentially a new Business Associate relationship and a new BAA requirement, and most practices have no defined process for catching these integrations as they happen — discovery gets left to a retrospective audit, by which time the BAA has been missing for six months. The fix is a one-page intake routine the front desk runs whenever a new vendor touches anything in the building, with the office manager copied so nothing slips by.

Why these eleven matter

Each one of these is a calendar problem before it is a compliance problem. The work to close each one is the kind of small, procedural, two-hours-on-a-Wednesday work that a practice can absolutely do — schedule the review, document the role, log the sanction, run the tabletop, update the inventory — but it only gets done if somebody owns the calendar and the calendar has space on it. These eleven also happen to account for a disproportionate share of OCR findings, which means the few hours invested in closing them returns more audit defensibility per hour than almost any other compliance work the practice could choose.

Where Patient Protect fits

The work the rule actually wants is the office manager opening the BAA folder when the new lab rep walks in the back door on a Thursday morning, the IT contractor sitting down with the front desk lead to walk through a restore on a slow Friday, the doctor giving up forty-five minutes once a year to sit through the tabletop exercise even though there is a hygiene check waiting. Patient Protect is the layer that keeps that calendar in front of the people who are supposed to be doing the work, and it nudges the office manager when something is coming due before it lapses. The platform doesn't replace what the office manager does on a Tuesday afternoon — it makes sure she has the list of what's actually open in front of her when she has the five minutes to look at it. Plans start at $39/month.


Patient Protect tracks every operational checklist item continuously, with named accountability and audit-ready documentation. Plans start at $39/month with a 14-day free trial.



© 2026 Patient Protect LLC. All rights reserved. Content may not be reproduced, scraped, or used to train AI models without written permission. Terms · DMCA