HIPAA Compliance Checklist 2026

Posted: March 28, 2026 to Compliance.

HIPAA Compliance in 2026: What Has Changed

The Health Insurance Portability and Accountability Act continues to evolve. In 2026, enforcement actions are at record levels, and the HHS Office for Civil Rights is scrutinizing organizations more closely than ever. The proposed Security Rule updates add new requirements around multi-factor authentication, network segmentation, encryption, and vulnerability management.

This checklist provides a comprehensive, actionable guide for healthcare organizations, business associates, and any entity handling protected health information (PHI). Whether you are starting from scratch or maintaining existing compliance, this framework covers every requirement.

Understanding HIPAA Requirements

The Four HIPAA Rules

Rule	Focus	Applies To
Privacy Rule	How PHI can be used and disclosed	Covered entities and business associates
Security Rule	Technical, physical, and administrative safeguards for ePHI	Covered entities and business associates
Breach Notification Rule	Requirements for reporting breaches	Covered entities and business associates
Enforcement Rule	Investigation procedures and penalties	HHS OCR enforcement

Administrative Safeguards Checklist

Security Management Process

• Conduct a comprehensive risk assessment at least annually
• Document a risk management plan addressing all identified risks
• Implement sanctions policy for workforce members who violate policies
• Perform regular information system activity reviews (audit log reviews)

Assigned Security Responsibility

• Designate a Security Officer responsible for HIPAA security compliance
• Designate a Privacy Officer responsible for HIPAA privacy compliance
• Document roles and responsibilities for all security functions

Workforce Security

• Implement authorization and supervision procedures for PHI access
• Ensure workforce clearance procedures (background checks for PHI access)
• Establish termination procedures that revoke PHI access immediately

Information Access Management

• Implement role-based access controls for all ePHI systems
• Document access authorization policies and procedures
• Review and modify access rights when roles change

Security Awareness and Training

• Conduct security awareness training for all workforce members annually
• Provide training on password management and phishing recognition
• Train staff on login monitoring and incident reporting procedures
• Document all training with attendance records and content

Security Incident Procedures

• Document an incident response plan covering detection through resolution
• Define roles and responsibilities for incident response
• Test the incident response plan through tabletop exercises annually
• Maintain an incident log documenting all security events

Contingency Plan

• Develop a data backup plan with defined frequency and testing
• Create a disaster recovery plan for ePHI systems
• Document an emergency mode operation plan
• Test and revise contingency plans at least annually

Physical Safeguards Checklist

Facility Access Controls

• Implement access controls for facilities housing ePHI (key cards, locks, etc.)
• Develop contingency operations for facility access during emergencies
• Maintain a facility security plan documenting all physical safeguards
• Document visitor access procedures and maintain visitor logs

Workstation Security

• Define workstation use policies (permitted functions, physical access)
• Implement physical safeguards for workstations (screen locks, positioning)
• Secure workstations in public or shared areas

Device and Media Controls

• Establish procedures for disposal of ePHI media (secure wiping, destruction)
• Document media reuse procedures ensuring all ePHI is removed
• Maintain accountability logs for hardware and electronic media movement
• Create and maintain data backup procedures before equipment is moved

Technical Safeguards Checklist

Access Control

• Assign unique user identifiers to all system users
• Implement emergency access procedures for critical ePHI systems
• Configure automatic logoff after periods of inactivity
• Implement encryption for ePHI at rest and in transit
• Deploy multi-factor authentication for all ePHI system access (2026 proposed requirement)

Audit Controls

• Implement audit logging on all systems that create, receive, maintain, or transmit ePHI
• Log user access, modifications, and deletions of ePHI
• Retain audit logs per your retention policy (minimum 6 years for HIPAA documentation)
• Review audit logs regularly for unauthorized access or anomalies

Integrity Controls

• Implement mechanisms to authenticate ePHI (ensure data is not altered or destroyed)
• Use checksums or digital signatures for ePHI integrity verification

Transmission Security

• Encrypt all ePHI transmitted over networks (TLS 1.2 minimum, TLS 1.3 preferred)
• Implement integrity controls for ePHI in transit
• Secure email communications containing PHI (encryption or secure portal)

Risk Assessment: The Foundation of HIPAA Compliance

The risk assessment is the most important HIPAA requirement. It drives every other compliance decision and is the first thing OCR examines during an investigation.

Risk Assessment Steps

1. Identify ePHI: Document where ePHI is created, received, maintained, and transmitted
2. Identify threats: Natural, human, and environmental threats to ePHI
3. Identify vulnerabilities: Weaknesses in systems, processes, and physical safeguards
4. Assess current controls: Evaluate effectiveness of existing security measures
5. Determine likelihood: Probability each threat could exploit each vulnerability
6. Determine impact: Potential damage from each threat-vulnerability combination
7. Calculate risk level: Combine likelihood and impact for each scenario
8. Document findings: Create a comprehensive risk assessment report
9. Develop risk management plan: Address all identified risks with specific actions

The HHS risk assessment guidance provides detailed methodology for conducting your assessment.

Business Associate Management

Business Associate Agreement (BAA) Requirements

• Execute BAAs with all vendors who access, process, or store PHI
• Review BAAs annually and update as services change
• Maintain a master list of all business associates with BAA status
• Verify business associate compliance through questionnaires or audits
• Define breach notification obligations in each BAA

Breach Notification Requirements

Notification Timeline

Breach Size	Individual Notice	HHS Notice	Media Notice
500+ individuals	Within 60 days	Within 60 days	Required (prominent media)
Under 500 individuals	Within 60 days	Annual log (within 60 days of year end)	Not required

Documentation Requirements

HIPAA requires documentation retention for 6 years. Maintain current versions of:

• Risk assessment and risk management plan
• All security policies and procedures
• Training records (attendance, content, dates)
• Business associate agreements
• Incident response logs
• Audit log reviews
• Contingency plan and test results
• System configuration standards

Our HIPAA compliance services help healthcare organizations implement all required safeguards, conduct risk assessments, and prepare for OCR investigations.

Frequently Asked Questions

How often do I need to conduct a HIPAA risk assessment?

HIPAA requires risk assessment when there are significant changes to your environment, but best practice and OCR expectation is at least annually. You should also reassess after major system changes, incidents, or organizational changes.

What are the penalties for HIPAA violations?

Penalties range from $100 to $50,000 per violation, with annual maximums of $25,000 to $2,067,813 per category. Willful neglect violations that are not corrected can result in the highest penalties. Criminal penalties can include imprisonment. Recent enforcement actions have resulted in settlements exceeding $4 million.

Do I need to encrypt all PHI?

HIPAA lists encryption as an addressable implementation specification, meaning you must either implement it or document why an equivalent alternative is appropriate. In practice, encryption is expected for ePHI at rest and in transit. The proposed 2026 Security Rule updates make encryption a required specification.

Is cloud hosting HIPAA compliant?

Cloud hosting can be HIPAA compliant if the cloud provider signs a BAA and implements required security controls. Major providers (AWS, Azure, Google Cloud) offer HIPAA-eligible services. However, you remain responsible for your configurations, access controls, and data handling within the cloud environment.

What counts as a HIPAA breach?

A breach is any unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy. There is a presumption that any impermissible use or disclosure is a breach unless you can demonstrate a low probability that PHI was compromised based on a four-factor risk assessment.

Do small practices need the same HIPAA compliance as large hospitals?

Yes. HIPAA applies equally to all covered entities regardless of size. The scale of implementation may differ (a solo practice needs simpler systems than a hospital), but all requirements must be addressed. Small practices are actually more frequently targeted by attackers because they typically have weaker security.