HIPAA compliance checklist for healthcare practices
16 steps
•
Updated July 2026
HIPAA compliance sets the rules for how your practice handles protected health information: who can open a patient record, how electronic PHI is stored and sent, which vendors are allowed to touch it, and what happens when a record is exposed. Get it wrong and one lost laptop or one vendor without a signed agreement becomes breach notifications to every affected patient, an investigation by the HHS Office for Civil Rights, and penalties that grow the longer the gap went unaddressed.
This checklist covers the work of building a HIPAA compliance program at a healthcare practice, from mapping where PHI lives and completing a Security Risk Analysis through to signing vendor agreements and standing up breach and backup procedures. It's written for the practice manager or compliance lead who owns the program and has to get every piece documented and operating.
The 16-step checklist
0 of 0 done
Frequently asked questions
How long does it take to become HIPAA compliant?
Usually one to three months for a small practice to get the core program in place, and longer if the risk analysis turns up systems to replace. The paperwork moves fast; the slow part is fixing what the Security Risk Analysis finds, like adding encryption or setting up access logging. Compliance isn't a one-time project, so plan to keep reviewing after launch.
Can you outsource HIPAA compliance?
You can hire a consultant or a managed IT provider to do the work, but your practice stays legally responsible for the result. HHS holds the covered entity accountable, so a signed Business Associate Agreement with that vendor is what limits your exposure if they mishandle PHI. Keep ownership of the risk analysis and policies in-house even when someone else drafts them.
Does a HIPAA certification make you compliant?
No. HHS doesn't recognize any official HIPAA certification, so no course, badge, or vendor seal makes you compliant or shields you in an audit. Compliance is shown by your documentation: a current Security Risk Analysis, adopted policies, signed BAAs, and training records. Third-party training and assessments are useful, but they support that evidence rather than replace it.
Which vendors need a Business Associate Agreement?
Any vendor that creates, receives, stores, or transmits PHI on your behalf needs a signed Business Associate Agreement. That covers your EHR, cloud hosting, email and file-sharing providers, billing and transcription services, shredding companies, and IT contractors with access to systems. A vendor that never encounters PHI, like a landscaping service, doesn't. When in doubt, ask whether they could see PHI.
How often do you need to redo the HIPAA risk analysis?
At least once a year, and again after any significant change: a new EHR, an office move, a merger, or a breach. The Security Rule doesn't name a fixed interval, but OCR expects the analysis to be current, and an outdated one is a common finding in investigations. Treat the annual review as the floor and re-run it whenever your systems or risks change.
Is a spreadsheet enough to manage HIPAA compliance?
For a small practice a spreadsheet can track tasks, owners, and renewal dates, as long as someone keeps it current and stores the evidence behind each item. It gets harder to rely on as training, BAAs, and annual reviews come due across a larger team with no clear owner. If your team runs in Slack, Chaser can assign each recurring task, follow up with the owner, and show what is still open.