
HIPAA Compliance Checklist for 2026: A Step-by-Step Guide

Posted: March 3, 2026 to Compliance.


HIPAA compliance is not optional for any organization that handles protected health information. Whether you are a healthcare provider, health plan, clearinghouse, or a business associate that supports any of these entities, the Health Insurance Portability and Accountability Act imposes strict requirements on how you protect patient data. Violations carry penalties that range from $100 to $2,067,813 per violation, with criminal penalties including imprisonment for willful neglect.

This checklist provides a structured, step-by-step approach to achieving and maintaining HIPAA compliance in 2026. Use it as a working document to assess your current posture, identify gaps, and prioritize remediation.

Who Needs to Comply with HIPAA?

HIPAA applies to two categories of organizations:

  • Covered Entities: Healthcare providers who transmit health information electronically, health plans, and healthcare clearinghouses
  • Business Associates: Any organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. This includes IT service providers, cloud hosting companies, billing services, EHR vendors, shredding companies, and consultants with access to patient data

If you are unsure whether your organization qualifies as a business associate, the safe assumption is that it does if you have any access to systems or data that contain PHI. For a comprehensive overview of HIPAA requirements, visit our HIPAA compliance page.

Administrative Safeguards Checklist

Administrative safeguards are the policies, procedures, and organizational measures that govern PHI protection. They represent the largest category of HIPAA requirements.

Security Management Process

  • Conduct a comprehensive risk assessment that identifies all systems and workflows involving PHI
  • Document the results of your risk assessment, including identified threats, vulnerabilities, and the likelihood and impact of each
  • Implement a risk management plan that addresses identified risks with specific controls and timelines
  • Establish a formal sanction policy for workforce members who violate security policies
  • Implement procedures for regular review of information system activity (audit logs, access reports, security incident tracking)

Assigned Security Responsibility

  • Designate a HIPAA Security Officer responsible for developing and implementing security policies
  • Designate a HIPAA Privacy Officer (may be the same person in smaller organizations)
  • Document these assignments and ensure the individuals have adequate authority and resources

Workforce Security

  • Implement procedures to ensure workforce members have appropriate access to PHI based on their role
  • Establish authorization and supervision procedures for workforce members who work with PHI
  • Implement termination procedures that revoke access to PHI immediately upon separation
  • Conduct background checks on workforce members with access to PHI (addressable but strongly recommended)

Information Access Management

  • Implement policies for granting access to PHI, including role-based access controls
  • Establish procedures for authorizing, establishing, modifying, and terminating access
  • Review access rights periodically and adjust based on job function changes

Security Awareness and Training

  • Provide security awareness training to all workforce members upon hiring
  • Conduct annual refresher training
  • Include training on recognizing phishing, social engineering, and malicious software
  • Train workforce on proper password management and workstation security
  • Document all training, including attendance records and training materials

Security Incident Procedures

  • Develop and implement a formal incident response plan specific to PHI breaches
  • Define what constitutes a security incident and establish reporting procedures
  • Document procedures for identifying, responding to, mitigating, and reporting incidents
  • Conduct regular incident response tabletop exercises

Contingency Planning

  • Develop a data backup plan that specifies how PHI is backed up, how often, and where backups are stored
  • Create a disaster recovery plan that addresses restoring PHI access after an emergency
  • Develop an emergency mode operation plan for critical business processes during a crisis
  • Test contingency plans at least annually and document the results
  • Evaluate and update plans after every significant change to your environment

Evaluation

  • Conduct periodic technical and non-technical evaluations of your security program
  • Evaluate after any significant environmental or operational change
  • Document evaluation methodology, findings, and remediation actions

Business Associate Agreements

  • Identify all business associates who have access to PHI
  • Execute Business Associate Agreements (BAAs) with every business associate
  • Ensure BAAs include required provisions: permitted uses, safeguards, breach notification, termination clauses
  • Review BAAs annually and update as needed

Physical Safeguards Checklist

Physical safeguards protect the physical systems and facilities where PHI is stored or accessed.

Facility Access Controls

  • Implement access controls for facilities housing PHI systems (key cards, locks, biometrics)
  • Establish procedures for controlling and validating facility access based on role
  • Maintain visitor logs for areas where PHI is accessible
  • Develop a facility security plan that addresses physical security measures

Workstation Use and Security

  • Define policies for proper workstation use, including rules for accessing PHI
  • Implement physical safeguards for workstations that access PHI (screen privacy filters, automatic screen locks, positioning away from public view)
  • Address remote workstation security, including home office and mobile device requirements

Device and Media Controls

  • Implement policies for disposing of hardware and electronic media containing PHI
  • Establish procedures for media reuse that ensure PHI is removed before reuse
  • Maintain records of hardware and media movement, including serial numbers and responsible parties
  • Encrypt all portable media (USB drives, external hard drives, laptops) that contain PHI

Technical Safeguards Checklist

Technical safeguards are the technology-based controls that protect PHI in electronic form. For detailed guidance, see our HIPAA Security Guide.

Access Control

  • Assign unique user IDs to every person who accesses systems containing ePHI
  • Implement emergency access procedures for obtaining ePHI during emergencies
  • Configure automatic logoff after a period of inactivity on systems containing ePHI
  • Implement encryption and decryption mechanisms for ePHI at rest (addressable but strongly recommended and effectively required in 2026)

Audit Controls

  • Implement hardware, software, and procedural mechanisms to record and examine access to ePHI
  • Configure audit logging on all systems that store, process, or transmit ePHI
  • Review audit logs regularly (daily for critical systems, weekly at minimum for others)
  • Retain audit logs for a minimum of six years (per HIPAA retention requirements)
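An added example (not code from the original post) of the kind of regular log review these Audit Controls and the Access Control items above call for: a small Python reviewer that reads a constructed ePHI access log and flags cross-department record views, after-hours access, and bulk chart access by one user. The log format, the cross-departmental role list, the business-hours window and the bulk threshold are all assumptions for the example.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed ePHI access log (not real data); one line per record view.
AUDIT_LOG = """\
ts,user,role,dept,patient,patient_dept
2026-03-02T09:05:00,alice,nurse,cardiology,P1001,cardiology
2026-03-02T09:07:00,alice,nurse,cardiology,P1002,cardiology
2026-03-02T13:40:00,bob,billing,finance,P1003,oncology
2026-03-02T13:41:00,bob,billing,finance,P1004,oncology
2026-03-02T02:15:00,carol,clerk,registration,P1005,cardiology
2026-03-02T10:00:00,dave,nurse,oncology,P1003,oncology
2026-03-02T10:00:10,dave,nurse,oncology,P1006,oncology
2026-03-02T10:00:20,dave,nurse,oncology,P1007,oncology
2026-03-02T10:00:30,dave,nurse,oncology,P1008,oncology
"""

# Assumptions for this example: which roles legitimately work across departments,
# what counts as business hours, and how many distinct charts per hour is "bulk".
CROSS_DEPT_ROLES = {"billing"}
BUSINESS_HOURS = range(7, 19)    # 07:00 through 18:59
BULK_THRESHOLD = 4               # distinct patients per user per clock hour

def review_audit_log(text: str) -> list:
    """Return (user, reason) findings for the Security Officer's periodic review."""
    findings = []
    per_user_hour = defaultdict(set)
    for row in csv.DictReader(StringIO(text)):
        ts = datetime.fromisoformat(row["ts"])
        # Rule 1 (minimum necessary): the user's department should match the
        # patient's care department unless the role is cross-departmental.
        if row["dept"] != row["patient_dept"] and row["role"] not in CROSS_DEPT_ROLES:
            findings.append((row["user"], f"cross-department access to {row['patient']}"))
        # Rule 2: record views outside business hours deserve a second look.
        if ts.hour not in BUSINESS_HOURS:
            findings.append((row["user"], f"after-hours access at {row['ts']}"))
        per_user_hour[(row["user"], ts.strftime("%Y-%m-%dT%H"))].add(row["patient"])
    # Rule 3: many distinct charts opened by one user within one clock hour.
    for (user, hour), patients in per_user_hour.items():
        if len(patients) >= BULK_THRESHOLD:
            findings.append((user, f"{len(patients)} distinct patients in hour {hour}"))
    return findings

if __name__ == "__main__":
    for user, reason in review_audit_log(AUDIT_LOG):
        print(f"{user}: {reason}")
```

On the sample log this reports carol twice (a registration clerk opening a cardiology chart at 02:15) and dave once (four charts in one hour), while bob's billing access across departments is treated as legitimate.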

Integrity Controls

  • Implement mechanisms to authenticate ePHI and confirm it has not been improperly altered or destroyed
  • Use checksums, digital signatures, or similar methods to verify data integrity
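An added example (not from the original post) of the distinction behind "authenticate ePHI": an unkeyed checksum catches accidental corruption, but whoever can alter a record can recompute it, so only a keyed tag (here HMAC-SHA256) or a signature shows that the record has not been improperly altered. The record and the key are constructed for the example; in practice the key would live in a key management system, not beside the data.

```python
import hashlib
import hmac
import json

# Constructed ePHI record used as sample input (not real patient data).
RECORD = {"patient": "P1001", "allergy": "penicillin", "dose_mg": 250}
# Assumption: the integrity key is held by the verifying system, not stored
# next to the records it protects. This value is a placeholder, not a secret.
KEY = b"example-integrity-key-placeholder"

def canonical(record: dict) -> bytes:
    """Stable byte encoding so the same record always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def checksum(record: dict) -> str:
    """Unkeyed SHA-256: detects accidental corruption, but anyone who can edit
    the record can also recompute this value, so it does not authenticate it."""
    return hashlib.sha256(canonical(record)).hexdigest()

def integrity_tag(record: dict, key: bytes) -> str:
    """Keyed HMAC-SHA256: a record changed without the key cannot carry a valid tag."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def after_edit(current: dict, stored_sum: str, stored_tag: str, sum_rewritten: bool):
    """Run both checks on `current` against what was stored for the original record.
    sum_rewritten=True models an editor who also updated the stored checksum;
    the HMAC check fails either way because the editor does not hold KEY.
    Returns (checksum_passes, hmac_passes)."""
    sum_on_file = checksum(current) if sum_rewritten else stored_sum
    return (
        hmac.compare_digest(checksum(current), sum_on_file),
        hmac.compare_digest(integrity_tag(current, KEY), stored_tag),
    )

if __name__ == "__main__":
    s, t = checksum(RECORD), integrity_tag(RECORD, KEY)
    altered = dict(RECORD, dose_mg=2500)          # an improper change to the dose
    print("bit-flip style corruption:", after_edit(altered, s, t, sum_rewritten=False))
    print("edit with checksum rewritten:", after_edit(altered, s, t, sum_rewritten=True))
```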

Person or Entity Authentication

  • Implement procedures to verify the identity of persons or entities seeking access to ePHI
  • Deploy multi-factor authentication (MFA) for all remote access to ePHI systems
  • Implement MFA for all privileged accounts (strongly recommended for all accounts in 2026)

Transmission Security

  • Implement security measures to guard against unauthorized access to ePHI during electronic transmission
  • Encrypt all ePHI transmitted over public networks (TLS 1.2 or higher for web traffic, encrypted email for PHI communications)
  • Implement integrity controls for transmitted ePHI to ensure data is not modified in transit

Breach Notification Requirements

Even with strong safeguards, breaches can occur. HIPAA requires specific notification procedures:

  • Notify affected individuals within 60 days of discovering a breach involving unsecured PHI
  • Notify HHS within 60 days for breaches affecting 500 or more individuals
  • For breaches affecting fewer than 500 individuals, notify HHS within 60 days of the end of the calendar year in which the breach was discovered
  • Notify prominent media outlets within 60 days for breaches affecting 500 or more residents of a state or jurisdiction
  • Maintain a breach log documenting all breaches, including those affecting fewer than 500 individuals
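The notification timeline above, worked through as an added example (not code from the original post): given a discovery date and a constructed per-state count of affected residents, the function returns which notices are due and the latest date for each, including the two cases that are easy to get wrong, namely the calendar-year-end clock for breaches under 500 and the per-state media test that can fail even when the national total exceeds 500.

```python
from datetime import date, timedelta

# Thresholds from the Breach Notification Rule as stated in the checklist above.
LARGE_BREACH = 500
WINDOW = timedelta(days=60)

def breach_notification_plan(discovered: str, affected_by_state: dict) -> dict:
    """Return the notifications a breach of unsecured PHI triggers and the
    latest calendar date for each.

    discovered        - discovery date as YYYY-MM-DD
    affected_by_state - constructed map of state/jurisdiction -> affected
                        residents; the total is the number of affected individuals
    """
    found = date.fromisoformat(discovered)
    total = sum(affected_by_state.values())
    plan = {
        "affected_individuals": total,
        # Every breach, whatever its size, is entered in the breach log at once.
        "breach_log": found.isoformat(),
        # Affected individuals: within 60 days of discovery, always.
        "individuals": (found + WINDOW).isoformat(),
    }
    if total >= LARGE_BREACH:
        # 500 or more individuals: HHS within the same 60-day window.
        plan["hhs"] = (found + WINDOW).isoformat()
    else:
        # Fewer than 500: HHS within 60 days of the end of the calendar year
        # in which the breach was discovered, not 60 days from discovery.
        year_end = date(found.year, 12, 31)
        plan["hhs"] = (year_end + WINDOW).isoformat()
    # Media notice is per state/jurisdiction: only where 500 or more of that
    # state's residents are affected, even if the national total exceeds 500.
    media = {s: (found + WINDOW).isoformat()
             for s, n in sorted(affected_by_state.items()) if n >= LARGE_BREACH}
    if media:
        plan["media"] = media
    return plan

if __name__ == "__main__":
    print(breach_notification_plan("2026-03-03", {"NC": 620, "VA": 40}))
    print(breach_notification_plan("2026-03-03", {"NC": 120}))
    print(breach_notification_plan("2026-03-03", {"NC": 300, "VA": 300}))
```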

Our guide to NIST 800-66 and HIPAA provides additional framework for aligning your HIPAA program with NIST guidelines.

Common HIPAA Violations and How to Avoid Them

The Office for Civil Rights (OCR) enforcement actions reveal consistent patterns in HIPAA violations:

  • Failure to conduct risk assessments: The single most common finding in OCR investigations. Conduct and document your risk assessment annually
  • Lack of encryption: Unencrypted laptops, mobile devices, and portable media remain a top cause of reportable breaches. Encrypt everything
  • Insufficient access controls: Employees accessing records they do not need for their job function. Implement and enforce role-based access
  • Missing BAAs: Using cloud services, IT vendors, or other third parties without executed Business Associate Agreements
  • Inadequate training: Workforce members who do not understand their responsibilities under HIPAA
  • Improper disposal: PHI found in dumpsters, on donated equipment, or on recycled hard drives

HIPAA Penalty Tiers in 2026

The penalty structure reflects the severity and willfulness of violations:

  • Tier 1 (Did Not Know): $137 to $68,928 per violation
  • Tier 2 (Reasonable Cause): $1,379 to $68,928 per violation
  • Tier 3 (Willful Neglect, Corrected): $13,785 to $68,928 per violation
  • Tier 4 (Willful Neglect, Not Corrected): $68,928 to $2,067,813 per violation

Criminal penalties include fines up to $250,000 and imprisonment up to 10 years for violations committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.

Frequently Asked Questions

How often should a HIPAA risk assessment be conducted?

HIPAA requires periodic risk assessments but does not specify an exact frequency. The industry standard and OCR expectation is at least annually, and additionally after any significant change to your environment, such as new systems, new business processes, or organizational changes. Document every assessment thoroughly.

Does HIPAA require encryption?

Technically, encryption is an "addressable" requirement under HIPAA, meaning you must implement it or document why an equivalent alternative is appropriate. In practice, OCR enforcement and industry standards have made encryption of ePHI at rest and in transit effectively mandatory. There is no reasonable alternative in 2026. Encrypt everything.

What is the difference between HIPAA Privacy and Security Rules?

The Privacy Rule governs the use and disclosure of PHI in all forms (paper, oral, electronic). It establishes patient rights, minimum necessary standards, and permitted disclosures. The Security Rule specifically addresses electronic PHI (ePHI) and establishes administrative, physical, and technical safeguards. Both rules must be addressed in a comprehensive compliance program.

Do small practices need to comply with HIPAA?

Yes. HIPAA applies to all covered entities regardless of size. However, the Security Rule is designed to be scalable. A small practice is not expected to implement the same technical infrastructure as a large health system, but it must address every requirement with measures appropriate to its size, complexity, and risk profile.

Need help building or strengthening your HIPAA compliance program? Petronella Technology Group specializes in HIPAA compliance for healthcare organizations and their business associates. We offer comprehensive risk assessments, remediation support, and ongoing compliance management. Call (919) 348-4912 or visit our HIPAA compliance page for a free consultation.

Craig Petronella
CEO & Founder, Petronella Technology Group | CMMC Registered Practitioner

Craig Petronella is a cybersecurity expert with over 24 years of experience protecting businesses from cyber threats. As founder of Petronella Technology Group, he has helped over 2,500 organizations strengthen their security posture, achieve compliance, and respond to incidents.
