HIPAA Compliance Checklist: Free 7-Step Template

What You Need to Know About a HIPAA Compliance Checklist

• HIPAA applies to two groups: covered entities (providers, health plans, clearinghouses) and their business associates, including EHR vendors and AI documentation tools.
• A defensible HIPAA program organizes work into recurring tasks, including the Security Rule's required risk analysis of ePHI.
• Every breach requires individual notice within 60 days; 500+ individuals total adds HHS notice; more than 500 residents of one state or jurisdiction adds media notice.

What is a HIPAA compliance checklist?

A HIPAA compliance checklist turns federal rules into actions your practice can complete and document. HIPAA has four main rules: Privacy, Security, Breach Notification, and Enforcement (how OCR investigates and assesses penalties). The 2013 Omnibus Final Rule updated all four and made business associates directly liable. HHS publishes the rules and guidance but not an official HIPAA compliance checklist. Practices build or adopt one to close the gap.

A good HIPAA compliance checklist covers the duties every covered entity and business associate has to meet. It does not replace reading the rules themselves. Those duties include:

• Designating responsibility for compliance
• Running a formal risk analysis of electronic protected health information
• Implementing administrative, physical, and technical safeguards
• Managing business associate agreements
• Training staff
• Preparing for Office for Civil Rights audits and breach notification

Older templates often skip AI documentation tools that handle PHI; modern checklists cover them. The sections below walk through each duty: scope, the seven core steps, risk analysis, safeguards, AI tool evaluation, and audit prep. A HIPAA compliance checklist turns each one into a task you can document and audit.

‍

Who must follow HIPAA and what counts as protected health information?

A HIPAA compliance checklist begins with scope. HIPAA applies to two categories of organizations: covered entities and business associates.

Covered entities include:

• Health plans
• Health care clearinghouses
• Most health care providers that transmit claims or other covered transactions electronically⁶

A solo primary care clinic billing Medicare falls in this scope. So does a multi-provider specialty practice billing commercial payers.

Business associates are outside vendors or contractors that handle PHI for a covered entity⁶. Common examples include:

• EHR vendors
• Billing services
• Cloud storage providers
• AI documentation tools

OCR's audit protocol checks whether covered entities have signed BAAs in place³. Those agreements must also bind subcontractors to protect PHI.

Protected health information (PHI) is any personal data about a patient's health, treatment, or billing. PHI includes:

• Names, dates, and addresses
• Medical record numbers
• Diagnoses and treatment notes
• Billing codes
• Audio recordings from a clinical encounter

Electronic protected health information, or ePHI, is the same data held or transmitted in electronic form. ePHI is the specific focus of the Security Rule.

The Privacy Rule also enforces the Minimum Necessary Standard: workforce members should access only the PHI they need to do their job. Role-based access in your EHR, training on data minimization, and routine access-log reviews all support this standard. Disclosures beyond the minimum necessary are a recurring OCR finding.

What are the core steps of a HIPAA compliance checklist?

This template organizes key HIPAA duties into seven repeatable tasks. Work through them at least once a year. Other frameworks also work, as long as they cover the same ground. HHS and the AMA treat HIPAA as ongoing work¹,². Risk management and staff training are not one-time projects.

The seven core steps are:

• Designate a HIPAA privacy official and security official. These roles can be held by the same person in small practices or split across roles in larger groups. Document the assignments in writing.
• Perform a documented risk analysis of ePHI. The Security Rule requires an accurate and thorough assessment of risks to electronic protected health information⁵. Revisit the analysis at least annually and whenever significant changes occur.
• Write policies and procedures. Cover each Security and Privacy Rule requirement in enough detail that staff can follow them.
• Train every staff member. Train people for their role at onboarding and at regular intervals after. Keep training records¹.
• Sign a BAA with every vendor that handles PHI for you. OCR reviews BAAs and checks that they also bind subcontractors to protect PHI³.
• Build an incident response and breach notification process. The process must meet federal timelines for notifying affected individuals, HHS, and media where required.
• Retain required HIPAA documentation for at least six years from creation or last effective date. Retention applies to policies, risk analyses, training records, BAAs, and breach documentation. State law or organizational policy may require longer retention for medical records.

Every item on the HIPAA compliance checklist needs an owner, a cadence, and a record. Policy binders alone do not satisfy HIPAA.

The HIPAA compliance checklist (yes/no version)

Use this as a quick self-audit. The companion fillable template (DOCX download) tracks owners, due dates, and evidence locations for each item.

Audits and risk analysis

• ☐ Have you completed a HIPAA risk analysis in the last 12 months or since your last major change to systems, staff, or vendors?
• ☐ Is every finding tracked with a named owner and target close date?
• ☐ Have you run an internal audit against the OCR Audit Protocol in the last year?
• ☐ Are your PHI access logs reviewed on a defined cadence?

People

• ☐ Have you designated a Privacy Officer and Security Officer in writing?
• ☐ Has every workforce member completed HIPAA training appropriate for their role?
• ☐ Are training records retained for at least six years?
• ☐ Do workforce members have role-based access to PHI (Minimum Necessary)?
• ☐ Do you have an anonymous channel for workforce members to report suspected HIPAA violations?

Policies and procedures

• ☐ Are written Privacy, Security, and Breach Notification policies in place?
• ☐ Are the policies reviewed periodically and after major changes?
• ☐ Do you have a written incident response and breach notification playbook?
• ☐ Do you have documented PHI disposal procedures for paper, devices, and electronic media?
• ☐ Do you have a tested disaster recovery and contingency plan (backup, emergency mode, recovery testing)?

Vendors and business associates

• ☐ Do you maintain a master list of business associates?
• ☐ Is a signed BAA on file for every vendor that touches PHI?
• ☐ Do BAAs bind downstream subcontractors?
• ☐ Have you verified vendor compliance beyond the BAA (SOC 2, HITRUST, questionnaire)?
• ☐ Have you evaluated every AI tool that touches PHI against the five criteria in the section below?

Documentation and retention

• ☐ Are required HIPAA records retained for at least six years from creation or last effective date?
• ☐ Is the documentation indexed and quickly retrievable for OCR?
• ☐ Is your incident log up to date (all suspected events, including non-notifiable)?

Any "no" answer is a gap to remediate.

How does practice size change who owns each step?

The seven core steps apply to every covered entity, but ownership and execution differ by practice size. Solo and small practices typically consolidate roles; medium and large groups distribute them across functions.

Where practice size changes AI tool review. The five review criteria apply to every practice, but review depth scales with size. Solo and small practices usually accept vendor SOC 2 reports at face value and rely on standard BAA terms. Medium and large groups run their own security review, negotiate BAA language, and ask for proof of tenant isolation or dedicated hosting.

How do I conduct a HIPAA risk analysis for my practice?

A HIPAA compliance checklist treats the risk analysis as its most time-sensitive item. A HIPAA risk analysis is a written review of where your ePHI lives, what could go wrong, and what you're doing about it⁵. It must cover three things: confidentiality, integrity, and availability. Treat the analysis as an ongoing process. Revisit it at least once a year and after any major change to systems, staff, or vendors.

A defensible risk analysis has four outputs:

• An ePHI inventory. List every system, device, and vendor that stores or transmits PHI, including EHRs, cloud storage, email, mobile devices, and AI documentation tools.
• A threat and vulnerability list. Identify realistic threats (ransomware, lost laptops, phishing, unauthorized access by former staff) and the weaknesses in current controls that each could exploit.
• A likelihood and impact rating for each risk. HHS does not mandate a specific scoring method, but ratings must be reproducible and tied to evidence.
• A fix-it plan with owners and deadlines. Every high or medium risk gets assigned to a named person with a target completion date.

Small practices can knock out a first pass in one or two focused sessions, then expand it over time. A good starting point is the free Security Risk Assessment Tool from HHS and ONC. Larger groups usually need a team covering clinical, IT, and admin. Either way, the output is a written report kept on file and reviewed on a set schedule. A mature HIPAA compliance checklist feeds the risk analysis findings into your fix-it list.

What administrative, physical, and technical safeguards does the Security Rule require?

The Security Rule groups required protections into three categories: administrative, physical, and technical safeguards¹. Each one protects ePHI against a different kind of risk. A HIPAA compliance checklist that skips any of the three leaves ePHI exposed.

Administrative safeguards cover how people and processes manage PHI. Required standards include:

• Risk analysis and risk management
• Workforce clearance and training
• Information access management
• Contingency planning
• Periodic program review

Physical safeguards cover the buildings, equipment, and devices that touch PHI. Standards include:

• Facility access controls (locks, keycards, visitor logs)
• Workstation use and security rules
• Device and media controls covering disposal, reuse, and accountability of laptops, phones, and removable storage

Technical safeguards cover the electronic controls that limit and monitor access. Standards include:

• Unique user identification
• Automatic logoff
• Encryption of ePHI in transit and at rest
• Audit controls that log system activity
• Integrity controls that detect unauthorized alteration

All Security Rule standards are mandatory. Within each standard, individual implementation specifications are classified as "required" or "addressable"¹. Required ones must be implemented as written. For addressable ones, decide whether the specified control fits your practice. If it doesn't, document an alternative that works and explain why.

Every safeguard on the HIPAA compliance checklist needs evidence. Proof can be a written policy, a configuration setting, or a log entry a compliance officer can pull on demand.

How do I evaluate AI scribes and other AI tools for HIPAA compliance?

A modern HIPAA compliance checklist has a dedicated AI tool section. Before trusting an AI scribe or other HIPAA-relevant AI tool with PHI, ask for proof of the security controls underneath. Marketing claims or a compliance badge on a vendor website are not enough. Clinicians warn that many AI products claim HIPAA compliance without showing the controls to back it up. A solid review covers five areas.

• Business associate agreement. If an AI vendor will handle your PHI, sign a BAA first. The BAA must bind the vendor and its subcontractors to protect PHI³.
• Encryption in transit and at rest. Ask which protocols the vendor uses in transit (such as TLS or HTTPS) and what encrypts data at rest (such as AES-256 or equivalent). Ask how keys are managed.
• Data retention and deletion. Ask where audio and transcripts are stored, how long, and how they're deleted. A HIPAA compliant AI tool states a default retention period and supports your six-year record retention through export, hand-off, or a similar mechanism.
• Training data policy. Confirm in writing whether audio, transcripts, and notes are used for model training, product improvement, or any purpose beyond generating the clinical note. Many organizations require written limits.
• Third-party audit. Ask for a SOC 2 Type II report, HITRUST certification, or equivalent. Most compliance officers won't trust a vendor's word alone.

If a vendor can't answer these five questions with paperwork, many groups won't approve the tool for live use with PHI. For a closer look at which scribes pass each test, see the HIPAA-compliant AI scribes guide. The best AI medical scribes roundup ranks options by practice size and specialty.

How do I prepare for OCR audits and handle breach notification?

A HIPAA compliance checklist is often among the first documents auditors request. Use the HIPAA Audit Protocol like a working checklist year-round, not a document you pull off the shelf when an audit letter arrives. The protocol (published by HHS) covers the Privacy, Security, and Breach Notification items OCR may review³.

Audited practices must produce:

• Written policies
• Risk analyses
• Training records
• Business associate agreements
• Proof that past issues were fixed

These records serve as proof of ongoing compliance. The HHS Audit Program uses this protocol as the basis for both desk audits and on-site reviews².

Practical preparation comes down to four habits:

• Keep all your compliance records in one searchable place. Auditors ask for specific items. Handing them over quickly shortens the audit and cuts follow-ups.
• Run an internal audit against the OCR protocol once a year. Use it as a gap-check tool.
• Turn on and regularly review audit logs. Audit controls are required under the Security Rule. OCR has cited practices for ignoring their own logs.
• Keep an incident log. Log every suspected event, even the ones that don't trigger formal notice.

Breach notification has its own clock. Any breach of unsecured PHI requires notifying affected individuals within 60 days of discovery⁴. If the breach affects 500 or more individuals total, you must also notify HHS within the same 60 days. If it affects more than 500 residents of a single state or jurisdiction, you must also notify prominent media in that area.

For breaches under 500 individuals, you still owe affected individuals notice within 60 days. HHS reporting for these can be batched annually, due 60 days after the end of the calendar year (in practice, by March 1). Business associates have their own 60-day window to notify you of a breach. Watch out: their discovery date can start your clock for individual notice, so don't assume a fresh 60 days when their notice arrives. The HIPAA compliance checklist should include a short playbook so the first 24 hours after a suspected breach follow a known sequence.

What does HIPAA enforcement actually look like?

OCR enforcement is not theoretical. The HHS Resolution Agreements page publishes every settlement and its corrective action plan⁷, and the pattern across actions is consistent: missing or out-of-date risk analyses, late breach notifications, weak access controls, and unsigned or unenforced BAAs.

A few examples show the scale of risk:

• Anthem, Inc. — $16 million (2018). The largest HIPAA settlement on record, following a cyberattack that exposed PHI for 79 million people⁸.
• Advocate Health Care — $5.55 million (2016). Three breaches involving stolen office computers, a stolen laptop, and a business associate incident, affecting roughly 4 million patients in total.
• BST & Co. CPAs, LLP — $175,000 (2025). Ransomware attack affecting 170,000 individuals. OCR's 15th ransomware enforcement action and 10th action under its Risk Analysis Initiative — a focused enforcement priority signaling that risk analysis failures continue to draw penalties⁷.
• Cadia Healthcare Facilities — $182,000 (2025). Privacy Rule and Breach Notification Rule violations for unauthorized patient "success story" posts on the practice website (150 patients), with a two-year corrective action plan⁷.

How do I maintain HIPAA compliance over time?

HIPAA is an ongoing program, not a one-time project. A working HIPAA compliance checklist includes ongoing maintenance habits:

• Track every risk analysis finding through to remediation. Maintain a backlog with named owners, target dates, and a status field. Close findings only when evidence supports it.
• Audit your business associates, not just the BAA file. Confirm vendors actually meet their BAA commitments through periodic questionnaires, SOC 2 reviews, or security attestations. OCR enforces vendor verification, not just signed agreements.
• Document PHI disposal procedures. Define how paper PHI is shredded, how laptops and removable media are wiped or destroyed, and how cloud or vendor data is purged at end of contract. Keep destruction logs.
• Run an anonymous violation-reporting channel. Workforce members need a safe way to report suspected HIPAA violations without fear of retaliation. Document the channel, the intake process, and the investigation workflow.
• Test your contingency plan annually. A documented disaster recovery plan, data backup process, and emergency mode operations procedure all require testing. Document the test results and any revisions.
• Refresh training and policies on the same cadence. Re-issue role-based training when regulations or workflows change. Review policies on a defined schedule and document the review.

These continuous habits are what OCR looks for during audits and what separate a documented program from a paper one.

How Commure Scribe approaches HIPAA compliance

Commure Scribe is an ambient AI documentation tool used by 20,000+ clinicians across 25M+ patient encounters annually. Its HIPAA posture maps directly to the five HIPAA compliance checklist criteria in the section above.

Business associate agreement. Commure Scribe signs a BAA with every customer before the product touches PHI. The BAA binds subcontractors to the same PHI protections.

Encryption and access control. All patient data is encrypted in transit using HTTPS with TLS. Data at rest is encrypted with strong encryption. Audio recordings are stored encrypted. Access is controlled through JWTs, OAuth2, and HMAC-signed URLs.

Data retention and deletion. As of April 2026, Commure Scribe keeps audio active for a set period, then archives it long-term. The archive window is designed to meet HIPAA's six-year minimum. Customers that want a shorter active period can choose to archive after 14 days. Archived audio is locked to HIPAA-trained staff and only pulled on customer request for legal or compliance reasons. Users can delete transcripts and notes on their own, under their contract.

Training data policy. Commure Scribe's terms state that customer audio is not used to train general AI models. Audio is only used to provide and support the service. Third-party data sharing is limited to the subprocessors listed in your contract.

Third-party audit. Commure Scribe holds SOC 2 and other independent security reports, with data stored onshore. Customers can request current reports when evaluating the product.

Frequently asked questions

What are the HIPAA rules every checklist covers?

HIPAA has four main rules. The Privacy Rule limits who can see or share protected health information. The Security Rule requires safeguards for electronic PHI. The Breach Notification Rule sets when and how covered entities must report leaks. The Enforcement Rule defines how OCR investigates complaints and assesses civil monetary penalties. The 2013 Omnibus Final Rule updated all four and made business associates directly liable. Most checklists focus on Privacy, Security, and Breach Notification for day-to-day work.

Who needs a HIPAA compliance checklist?

Every covered entity and business associate can benefit from a structured HIPAA compliance checklist to stay organized. HIPAA doesn't require any specific format. Covered entities include health plans, clearinghouses, and most providers that transmit claims electronically. Business associates include EHR vendors, billing services, cloud storage providers, and AI documentation tools. Any outside party that handles PHI for a covered entity qualifies.

How often should a practice conduct a HIPAA risk analysis?

HHS requires covered entities and business associates to keep an accurate, thorough risk analysis of ePHI. Most practices refresh it at least once a year and after any major change to systems, staff, or vendors. HHS treats risk analysis as an ongoing process, not a one-time task. That cadence belongs at the top of every HIPAA compliance checklist review. A good starting point for a first pass is the free Security Risk Assessment Tool from HHS and ONC.

What makes an AI scribe HIPAA compliant?

When reviewing an AI scribe for HIPAA, many groups look for five items:

• A signed BAA when required
• Strong encryption in transit and at rest
• A clear retention and deletion policy
• Written limits on data use, including model training
• Independent third-party security reports such as SOC 2 Type II

How long must HIPAA documentation be retained?

HIPAA requires covered entities to retain required documentation for at least six years. The clock runs from the date of creation or the date it was last in effect, whichever is later. State law or organizational policy may require longer retention for medical records. Retention applies to:

• Policies and procedures
• Risk analyses
• Training records
• Business associate agreements
• Audit logs
• Breach response records

What happens during an OCR HIPAA audit?

OCR runs desk audits and on-site reviews using the HIPAA Audit Protocol. The protocol covers the main Privacy, Security, and Breach Notification items OCR may check. Practices have a short window to produce written policies, risk analyses, training records, BAAs, and proof they've fixed past issues. A well-maintained HIPAA compliance checklist shortens that window.

Disclaimer

This article and the companion checklist are for information and education only. They are not legal advice, and finishing a checklist does not guarantee HIPAA compliance. Talk to qualified legal and compliance counsel for your situation.

‍

‍

‍