Headed to RSA in San Francisco? May 6-9 | Join us!

HIPAA Readiness Checklist – Prepare for Your HIPAA Assessment

Healthcare organizations handling electronic protected health information (ePHI) must stay vigilant and protect their data from cyber-attacks. Complying with HIPAA standards is essential for these businesses to show they have the correct controls in place to safeguard sensitive information.

Getting started with your HIPAA compliance journey can be confusing, but we have created a HIPAA readiness checklist to set your business up for success as you pursue your upcoming HIPAA assessment.

Download the HIPAA checklist PDF!

The importance of HIPAA compliance

HIPAA (Health Insurance Portability and Accountability Act) is a federal law requiring organizations to uphold stringent privacy safeguards for individually identifiable health information, ensuring security of patient data.

Organizations managing ePHI are expected to undergo a HIPAA compliance assessment to validate the business has controls in place to safeguard data.

By complying with HIPAA standards, companies not only meet legal obligations, but also avoid severe financial penalties due to non-compliance. Most importantly, HIPAA compliance instills peace of mind and showcases the business’s commitment to cybersecurity to their valued clients and other stakeholders.

Understanding the HIPAA readiness checklist

Once your team is prepared and has knowledge of HIPAA compliance and the assessment process, you can kick off your compliance journey with our HIPAA readiness checklist.

By adhering to these comprehensive steps, your organization not only showcases its commitment to compliance, but also fosters a culture of security that lasts far beyond the audit.

Security rule – administrative safeguard

Security management process

Establish and audit key policies and procedures to prevent, detect, contain, and correct security violations, such as:

  • HIPAA Policies and Procedures
  • Information Security Policies and procedures (should include key assignments for security responsibilities)
  • Access and Authorization Policies and Procedures (if not included in Information Security Policies)
  • Workforce Clearance Policies and Procedures
  • Physical Security Policies and Procedures
  • Incident Management and Incident Response Policies and Procedures
  • Network Diagrams
  • Risk Management Process Policies and Procedures
  • Completed Risk Assessment
  • Vulnerability Assessment
  • Sanctions

Assign security responsibility

Identify the security official who is responsible for the development and implementation of the policies and procedures required under HIPAA. This individual will be responsible for the development, implementation, and enforcement of HIPAA Security Rule policies and procedures. The HIPAA Privacy Officer can also hold these responsibilities.

Workforce security and information and access management

Define policies and procedures to ensure that all members of the workforce have appropriate access to ePHI, as provided under the Information Access Management standard and to prevent those who do not have appropriate access from obtaining access to ePHI. Management should also formally define policies and procedures surrounding workforce management with access to PHI/ePHI to include:

  • Authorization and/or Supervision procedures
  • Access Modifications
  • Hiring and Workforce Clearance Procedure (including background checks)
  • Termination Procedures
  • Isolating Health Care Clearinghouse functions

Security awareness and training

Establish a security awareness and training program for all members of the workforce, including management. Management should then implement a Security Awareness and Training program that is completed at least annually and includes:

  • Frequent Security Reminders
  • Protection Malicious Software
  • Log-in Monitoring and Password Management

Security incident procedures

Management should create policies and procedures to address security incidents as well as Incident Management policies and procedures that include the following:

  • Incident identification & classification
  • Incident response
  • Incident tracking
  • Root cause and system impact analysis
  • Escalation
  • Changes implemented for remediating incidents
  • Critical security incident response
  • Incident reporting

Contingency plan

Management should establish and implement policies and procedures for responding to an emergency or other occurrence that damages systems that contain ePHI. Management should also establish Business Continuity and Disaster Recovery (BCDR) policies and procedures that include:

  • BCDR Plan
  • BCDR Testing, on at least an annual basis
  • Backup configurations (incremental and full backups)
  • Offsite backup rotation and/or replication
  • Backup restoration


Management should perform a periodic technical and nontechnical evaluation based initially upon the standards implemented under the HIPAA Security Rule. Evaluations of controls should be documented to mitigate identified risks, vulnerabilities, deviations, and control gaps identified as part of the various evaluations (e.g. risk assessments, vulnerability scans). Note that having a HIPAA security rule risk assessment is a stringent requirement within the HIPAA law. Organizations could have legal or compliance ramifications if they have not performed a risk assessment of their ePHI data.

These controls should be documented in an Internal Controls Matrix (ICM) that includes the following attributes for each control:

  • Control owner
  • Control frequency
  • Control type (i.e., preventative, detective or corrective)
  • Control execution (i.e., automatic vs. manual)

Security rule – physical safeguard

Facility access controls

Management should implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. Management should establish Physical Access policies and procedures that include:

  • Facility access
  • Visitor access and badge inventory
  • Surveillance retention periods
  • Emergency procedures
  • Facility Maintenance
  • Access to areas containing PHI

Workstation security and use

The organization should determine whether they are a covered entity. Management should implement physical safeguards for all workstations that access ePHI to restrict access to authorized users. Management should also define policies and procedures regarding the safeguarding and use of workstations (workstations on wheels) to include:

  • Physical Access to workstations limited to authorize personnel
  • Prohibiting non-business activity on workstations

Device and media controls

Management should implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into, out of, and within the facility. Management should also formally define policies and procedures regarding hardware and removable media that include:

  • Hardware and media accountability
  • Acceptable Use
  • Maintenance records for the movement of hardware and media
  • Data disposal and destruction
  • Asset Inventory
  • Removable Media
  • Bring your own device (BYOD)

Security rule – technical safeguards

Access controls

Management should implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that are required. Management should also formally define and follow key information security controls that include:

  • Access provisioning and removal
  • Role-based access privileges
  • Standardized authentication procedures for all systems
  • Standardized, minimum password requirements for all user and system accounts
  • External access procedures
  • Emergency access procedures

Audit controls

Management should implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Management should also formally document policies and procedures regarding information systems activity review and internal audit functions and include:

  • Documented review process
  • Audit logging
  • Physical access logs
  • Policy and Procedure Review
  • Periodic internal controls reviews

Integrity controls and transmission security

Management should outline and implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of. Management should also implement standardized encryption mechanisms that provide encryption at rest and encryption in transit.

File Integrity Monitoring (FIM) should also be utilized to ensure only authorized changes are deployed into production environments.

Person or entity authentication

Management should develop policies and procedures to verify that a person or entity seeking access to ePHI is the one claimed, as well as formally document policies and procedures around information security that include:

  • Authentication into Networks, Databases, Applications and VPN in the production environments
  • Administrative access
  • Password Configurations
  • Audit Logs

Security rule – organizational requirements

Business associate contracts and documentation

Management should maintain business associate agreements (BAA) with businesses that create, receive maintain, or transmit ePHI. Management should also maintain documentation of HIPAA policies and procedures as required for 6 years and maintain business associate agreements in compliance with the HIPAA Security Rule.

  • Business Associates who utilize subcontractors in the processing, transmission, or storage of ePHI must maintain a BAA.
  • Business associates are required to adhere to security, incident response, and breach notification procedures outlined by the covered entity entered into an agreement with.
  • Documentation should be maintained for a minimum of 6 years per HIPAA Security Rule guidelines.

Breach notification

If the organization creates, receives, maintains, or transmits PHI/ ePHI, management should document Breach Notification policies and procedures. Breach Notification policies and procedures address the following:

  • Breach Risk Assessment
    • Was ePHI encrypted?
    • What data was exposed?
    • Who accessed the PHI/ePHI?
    • What is the likelihood of further use of exposed data?
    • What controls are in place to mitigate impact?
  • Breach Notification Letters or Emails

Privacy rule and individual rights

If your organization is a covered entity or if your organization creates, processes, transmits, or stores PHI, if applicable, management should designate a HIPAA Privacy Officer who is responsible for the development, implementation, and enforcement of HIPAA compliant policies and procedures.

Management should formally document HIPAA Privacy policies and procedures, Privacy Notices and/or a Statement of Privacy Practices that address the following:

  • Obtaining authorizations
  • Address individual rights to consent or opt-out.
  • Methods of collection
  • Use, disclosure, retention for a minimum of six years, and disposal of PHI
  • Disclosure of PHI to third parties and the purpose of use
  • Security for privacy
  • Monitoring and enforcement of sanctions for inappropriate use and disclosure of PHI

Partner with A-LIGN for your HIPAA compliance journey

Achieving and maintaining HIPAA compliance is paramount for organizations handling ePHI. Not only is it essential to assure stakeholders their sensitive data is safe in your hands, but it is also critical to stay compliant to avoid cyber-attacks and financial penalties.

By working with an experienced 3PAO like A-LIGN, your business can expect a world-class audit experience unparalleled in quality and efficiency. Stay ahead of the curve and get audit ready by taking advantage of our comprehensive HIPAA readiness checklist. Download our readiness checklist now!