If you're running a small business that handles patient health information, HIPAA compliance isn't optional—it's a legal requirement. But between HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule, figuring out what you actually need to do can feel overwhelming.
This checklist breaks down HIPAA compliance into actionable steps. Whether you're a medical billing company, telehealth platform, healthcare SaaS provider, or any other business associate handling protected health information (PHI), use this as your roadmap.
Important note: This checklist covers the most common HIPAA requirements for business associates. Depending on your specific operations, you may need additional controls. When in doubt, consult with a HIPAA compliance attorney or specialist.
Who This Checklist Is For
You need to follow this checklist if you're a business associate—meaning you:
- Provide services to healthcare providers, health plans, or other covered entities
- Handle, store, transmit, or process protected health information (PHI) on their behalf
- Have signed (or need to sign) a Business Associate Agreement (BAA)
Common business associates include:
- Medical billing and coding companies
- EHR/EMR software vendors
- Cloud storage providers for healthcare data
- Telehealth platforms
- Medical transcription services
- Healthcare consulting firms with access to PHI
- IT service providers managing systems that contain PHI
If you're a covered entity (healthcare provider, health plan, or clearinghouse), you'll need additional requirements beyond this checklist.
Part 1: Administrative Safeguards
Administrative safeguards are your policies, procedures, and internal processes for protecting PHI.
☐ Designate a HIPAA Privacy and Security Officer
What: Assign someone (can be the same person for both roles) responsible for developing, implementing, and monitoring HIPAA compliance.
How: For small businesses, this is often the CEO, CTO, or compliance manager. Document the designation in writing.
Why: HIPAA requires a designated person to be accountable. Without clear ownership, compliance efforts drift.
☐ Conduct a HIPAA Risk Assessment
What: Identify where PHI exists in your organization, evaluate security risks, and document vulnerabilities.
How:
- 1. Map all locations where PHI is stored, transmitted, or processed
- 2. Identify potential threats (cyberattacks, employee errors, natural disasters)
- 3. Assess likelihood and impact of each threat
- 4. Document findings and prioritize remediation
Why: You can't protect what you don't know exists. Risk assessments are foundational to HIPAA compliance.
Frequency: At least annually, or whenever you make significant changes to systems or processes.
☐ Develop HIPAA Policies and Procedures
What: Written documentation covering how your organization handles PHI and responds to security incidents.
Required policies include:
- Privacy Policy (how PHI is used and disclosed)
- Security Policy (administrative, physical, and technical safeguards)
- Breach Notification Policy (what happens if PHI is compromised)
- Incident Response Plan (how to detect, respond to, and recover from security incidents)
- Sanctions Policy (consequences for HIPAA violations by employees)
- Workforce Training Policy
How: You can create these yourself, hire a consultant, or use compliance software templates (just make sure to customize them for your specific business).
Why: Policies prove you have a systematic approach to HIPAA compliance, not just ad-hoc reactions.
☐ Implement Workforce Training
What: Train all employees who have access to PHI on HIPAA requirements, your policies, and their specific responsibilities.
How:
- Conduct training within a reasonable time after hire (30-60 days)
- Cover the Privacy Rule, Security Rule, and company-specific policies
- Document who was trained and when
- Provide refresher training annually
Why: Most HIPAA breaches are caused by employee mistakes, not sophisticated hackers. Training reduces human error.
☐ Sign Business Associate Agreements (BAAs) with Vendors
What: Any vendor or subcontractor who handles PHI on your behalf must sign a BAA.
Common vendors requiring BAAs:
- Cloud hosting providers (AWS, Google Cloud, Azure)
- Email services (if PHI is sent via email)
- Backup and disaster recovery services
- Payment processors (if handling healthcare transactions)
- Analytics platforms (if they process PHI)
How: Most major vendors have standard BAA templates. Request them during vendor setup. Don't assume HIPAA-compliant infrastructure means you don't need a BAA—you always do.
Why: You're legally responsible for how your vendors handle PHI. A BAA shifts some liability and ensures they're contractually bound to HIPAA.
☐ Establish Access Controls and Permissions
What: Implement role-based access so employees only see the PHI necessary for their job function.
How:
- Create user access levels (e.g., admin, clinician, billing, support)
- Document who has access to what data and why
- Review access permissions quarterly
- Immediately revoke access when employees leave or change roles
Why: The principle of "minimum necessary" limits exposure if an account is compromised or an employee acts maliciously.
Part 2: Physical Safeguards
Physical safeguards protect the systems, buildings, and equipment where PHI is stored or accessed.
☐ Secure Physical Locations
What: Prevent unauthorized physical access to areas where PHI is stored or accessible.
How:
- Lock server rooms, file cabinets, and offices containing PHI
- Use badge access, keypads, or visitor logs for sensitive areas
- Escort visitors who don't have clearance
- Position computer screens away from public view
Why: If someone can walk into your office and access PHI, your digital security doesn't matter.
☐ Implement Workstation Security
What: Protect computers, laptops, and devices used to access PHI.
How:
- Require password-protected screensavers (auto-lock after 5-10 minutes)
- Use privacy screens on monitors in shared spaces
- Prohibit accessing PHI on personal devices unless approved and secured
- Physically secure laptops with cable locks when in public areas
Why: Unattended workstations are a common source of unauthorized PHI access.
☐ Manage Device and Media Disposal
What: Properly destroy or sanitize devices and media containing PHI before disposal or reuse.
How:
- Wipe hard drives using DOD-standard software before disposal
- Physically destroy drives that can't be wiped (shredding or degaussing)
- Shred paper records containing PHI (cross-cut shredder minimum)
- Document disposal with certificates of destruction
Why: PHI can be recovered from improperly disposed devices, leading to breaches.
Part 3: Technical Safeguards
Technical safeguards are the technology and systems that protect electronic PHI (ePHI).
☐ Enable Encryption
What: Encrypt PHI both in transit (when moving between systems) and at rest (when stored).
How:
- In transit: Use TLS 1.2+ for all web traffic and APIs; use encrypted email or secure file transfer for PHI
- At rest: Enable full-disk encryption on servers and laptops; use database encryption for PHI fields
Why: Encryption is "addressable" under HIPAA, meaning you can implement alternative safeguards—but encryption is the industry standard. If you don't encrypt and have a breach, you face higher penalties and mandatory breach notification.
☐ Implement Multi-Factor Authentication (MFA)
What: Require a second form of authentication (beyond passwords) to access systems containing PHI.
How:
- Enable MFA on all systems handling PHI (email, EHR, databases, cloud platforms)
- Use authenticator apps (Google Authenticator, Authy) or hardware tokens
- Don't rely on SMS-based MFA for highly sensitive systems (it's better than nothing but vulnerable)
Why: Stolen passwords are the #1 cause of breaches. MFA stops 99% of automated attacks.
☐ Enable Audit Logging
What: Track and log all access to PHI—who accessed what data, when, and from where.
How:
- Enable logging on databases, applications, and servers
- Log successful and failed access attempts
- Retain logs for at least 6 years (HIPAA requirement)
- Review logs regularly for suspicious activity
Why: Audit logs let you detect breaches, investigate incidents, and prove compliance during audits.
☐ Install and Maintain Security Software
What: Protect systems from malware, viruses, and cyber threats.
How:
- Install antivirus/anti-malware on all devices accessing PHI
- Keep software, operating systems, and security patches up to date
- Use firewalls to protect networks
- Conduct vulnerability scans quarterly
Why: Unpatched software and malware are common entry points for attackers.
☐ Implement Automatic Logoff
What: Automatically log users out of systems after a period of inactivity.
How:
- Set session timeouts (typically 10-15 minutes of inactivity)
- Configure automatic logoff in applications, EHRs, and portals
- Require re-authentication after timeout
Why: Reduces risk of unauthorized access from unattended sessions.
Part 4: Breach Notification & Incident Response
☐ Create a Breach Notification Plan
What: Document your process for detecting, reporting, and responding to PHI breaches.
HIPAA breach notification timelines:
- Notify affected individuals: Within 60 days of discovering the breach
- Notify HHS (Department of Health & Human Services): Within 60 days (for breaches affecting 500+ people) or annually (for smaller breaches)
- Notify media: Required for breaches affecting 500+ people in a state or jurisdiction
- Notify covered entities: Business associates must notify their covered entity clients "without unreasonable delay" and no later than 60 days
How:
- Define what constitutes a breach vs. a minor incident
- Assign roles for breach investigation and notification
- Prepare notification templates
- Document all breaches (even if notification isn't required)
Why: Late or missing breach notifications result in significant fines. Speed and documentation matter.
☐ Establish an Incident Response Team
What: Designate who responds when a security incident occurs.
How:
- Assign team members (security officer, IT, legal, communications)
- Create an incident response playbook
- Test your plan with tabletop exercises annually
Why: In a crisis, you don't have time to figure out roles. Preparation reduces damage.
Part 5: Ongoing Compliance
☐ Conduct Annual HIPAA Training
What: Retrain all workforce members on HIPAA requirements and your policies.
Why: Requirements change, employees forget, and regular training reinforces good habits.
☐ Review and Update Policies Annually
What: At least once a year, review your HIPAA policies and procedures for accuracy and relevance.
How: Schedule an annual compliance review; update policies if regulations change or your business operations shift.
☐ Perform Regular Risk Assessments
What: Repeat your risk assessment at least annually or after major changes (new software, new vendors, new services).
Why: New risks emerge constantly. Static compliance becomes outdated compliance.
☐ Maintain Documentation for 6 Years
What: Keep all HIPAA-related documentation for at least 6 years from creation or last effective date.
Required documentation includes:
- Policies and procedures
- Risk assessments
- Training records
- BAAs
- Breach investigation reports
- Audit logs
Why: HIPAA requires 6-year retention. During audits or investigations, you must prove historical compliance.
Common HIPAA Compliance Mistakes to Avoid
Even well-intentioned businesses make these errors:
- 1. Assuming you don't need HIPAA because you're "just" a vendor. If you handle PHI on behalf of a covered entity, you're a business associate and must comply.
- 2. Using non-HIPAA-compliant tools. Don't send PHI via regular Gmail, Slack, or Dropbox without BAAs and proper security configurations.
- 3. Ignoring mobile devices. Laptops and phones accessing PHI must be encrypted, password-protected, and remotely wipeable.
- 4. Not training new hires. Every new employee with PHI access needs HIPAA training—don't wait for the annual refresher.
- 5. Skipping vendor BAAs. Even if a vendor claims to be "HIPAA compliant," you still need a signed BAA.
- 6. Forgetting about former employees. Revoke access immediately when someone leaves. Delayed deprovisioning is a common breach source.
What Happens If You're Not Compliant?
HIPAA violations carry serious consequences:
- Civil penalties: Tiered from $100 to $50,000+ per violation, adjusted annually for inflation. Top-tier annual caps now exceed $2 million per year
- Criminal penalties: Fines up to $250,000 and imprisonment up to 10 years for knowingly misusing PHI
- Reputational damage: Breaches become public, damaging customer trust
- Loss of business: Covered entities won't work with non-compliant vendors
But the biggest risk isn't the fine—it's losing your ability to operate. Many healthcare customers will immediately terminate contracts if you're found non-compliant.
Your Next Step
Print this checklist and go through each item. Mark what you already have in place, and create a plan to address the gaps.
HIPAA compliance isn't a one-time project—it's an ongoing commitment. But with a solid foundation and regular maintenance, you'll protect patient privacy, avoid penalties, and win the trust of healthcare customers.
Need help implementing this checklist? VylintShield provides HIPAA compliance guidance and policy templates for small businesses. Learn more →
← Back to all posts