HIPAA Audit Checklist 

A checklist of areas of concern when auditing your healthcare organization for HIPAA compliance

Accountable Staff

In recent years, the Office for Civil Rights (OCR) of the United States Department of Health and Human Services has begun heavily scrutinizing covered entities and their business associates in terms of HIPAA compliance.

The following HIPAA checklist will provide a summary of policies, procedures, and protocol your organization needs to have in place in order to maintain the level of compliance being sought by the OCR.

But before we dive into the checklist, let’s take a look at the four major rules that fall under HIPAA’s umbrella.

Four Major HIPAA Rules

The four main rules this checklist will cover are:

  • The Security Rule, which deals with protocol for the storage and transfer of protected health information (PHI)
  • The Privacy Rule, which deals with the protocol for the use and disclosure of PHI
  • The Breach Notification Rule, which deals with the protocol to follow in case of a HIPAA violation or breach
  • The Omnibus Rule, which amends the above rules to include business associates and subcontracted organizations within the rules’ guidelines

HIPAA Checklist for Covered Entities and Business Associates

While the subject matter in each of these rules often overlaps, we’ll discuss each of them separately in order to make the mandates of HIPAA law as clear as possible.

Security Rule Checklist

Administrative Safeguards

Security Management

  • Risk analysis assessment
  • Risk management assessment
  • Protocol for reviewing records over time (monthly or quarterly)
  • Designate personnel to develop, implement, and assess these safeguards

Information Access Management

  • Define who can and cannot access PHI
  • Define authorization process
  • Define appropriate access
  • Termination of access protocol/procedure
  • If the organization is a clearinghouse or a subset of a larger organization, a process for protecting PHI from the larger (umbrella) organization
  • Procedures for granting access through “workstation, transaction, program or process”

Awareness Training

  • Periodic refresher sessions
  • Malicious software protection protocol
  • Login monitoring and discrepancy protocol
  • Password maintenance
  • Policies and procedures to address incidents relating to above, and mitigating damage caused by such incidents

Disaster Protocol

  • Procedure to retrieve exact copies of e-PHI
  • Procedure to restore lost e-PHI
  • Protocol for continuing business during mitigation of disaster
  • Testing/Assessment of above plans

BA Protocol

  • Forging and maintaining a trusted relationship with business associates

Physical Safeguards

Policies/Procedures for limiting physical access to PHI

  • Allow facility access in support of restoration of lost data under disaster recovery plan/emergency mode
  • Safeguard against physical tampering, theft, unauthorized access
  • Control, limit, and validate personnel access to facilities
  • Document repairs and modifications to physical locks and storage spaces

Assess functionality of workstations where e-PHI is accessible

Assess physical safeguards for these workstations to restrict use/access to authorized personnel only

Protocol for physical transfer of devices, computers, etc.

  • “Final disposition of e-PHI and hardware”
  • Removal of e-PHI from devices before reuse of hardware in another capacity
  • Hardware chain of custody
  • Creation of copy of data before physical relocation

Technical Safeguards

Technical policies and procedures allowing only designated persons/software access to PHI

  • Assign a unique name/number to each user for identifying and tracking user identity
  • Policies/procedures for obtaining necessary e-PHI in case of emergency
  • Ensuring electronic sessions are automatically terminated after a period of inactivity
  • Mechanism for encrypting and decrypting e-PHI

Implementing software that records activity when PHI is accessed

Implementing software that protects against improper alteration or destruction of PHI

Implementing mechanisms to verify whether PHI has or has not been improperly altered or destroyed

Policies for verifying that a person or entity seeking access to PHI is who they claim to be

Implementing protection against unauthorized access to PHI while it is transmitted over an electronic communications network

  • Software to detect modifications
  • Software to encrypt data when necessary

Privacy Rule Checklist

General Use and Disclosure of Information

  • Provide opportunity for patient to agree/object to disclosure to family, caregiver, facility directory, business associates
  • Notify patient of disclosures mandated by law
  • Authorization request needed for other uses (marketing, sales, published data, etc.)

Special Circumstances for Use and Disclosure

  • Need authorization when using information for fundraising or research
  • Protection of privacy for 50 years after death of patient
  • Ensure parents/guardians/legal patient representatives have access to PHI and patient rights
  • If PHI is requested by any of the above, the covered entity must verify the requester’s identity
  • Process for “de-identifying” individuals, ensuring anonymity when PHI is used for research, fundraising, etc.

Minimum Necessary Standard

  • Limit personnel access to PHI to need-to-know basis
  • Only release pertinent info to personnel, business associates, and other third parties

Patient Rights

  • Provide patient opportunity to request additional restrictions on release of PHI
  • Provide alternate means of communication for patient
  • Provide access to patient’s PHI
  • Provide patient the right to amend PHI on as-needed basis
  • Provide opportunity for patient to request chain of custody report of PHI
  • For above, define timeline and process for response to request

Notice of Privacy Practices

  • Posting of notice
  • Good faith effort to obtain acknowledgement from patients

Relating to Business Associates

  • Obtain signature on contracts from all business associates
  • Covered entity to take action against business associate if business associate causes violation
  • Covered entity ensures compliance of business associate

Notification of Breach

  • Identifying when breach occurs
  • Securing PHI after breach
  • Notification protocol (notifying affected individuals)
  • Notifying HHS
  • Notifying media
  • Notification from business associate if breach happened on their end
  • Delay in notice to affected individuals/media if requested by law enforcement

Administrative Requirements

  • Designation of personnel to handle privacy protocol
  • Training of all personnel with regard to PHI
  • Policies and procedures for safeguarding and mitigation against disclosures
  • Procedures for enacting sanctions against negligent personnel
  • Protocol for handling patient complaints
  • Protocol for correcting violations
  • Policies ensuring equal patient treatment
  • Protocol for retention of documents and data relating to PHI

Breach Notification Rule

Individual Notice: Patients must be notified of breach:

  • In written form, delivered by first-class mail or, if previously agreed to by the patient, by email
  • If the contact info of 10 or more patients is out of date, the covered entity or business associate must post notice of the breach on its website for 90 or more days, or provide the info to local print or broadcast media
  • Include a toll-free number for individuals to call in order to learn more

The above must be done within 60 days of the breach

Info to include in above notification:

  • Description of breach
  • Types of information involved
  • Steps affected individuals can take on their end to minimize damage
  • What the covered entity or business associate is doing to:
      1. Investigate the breach
      2. Mitigate damage
      3. Prevent further damage
  • Contact info for the covered entity and business associates

Note: If the breach was caused by a business associate (or happened on the business associate’s end), either the covered entity or the business associate may take up the above responsibilities

  • Responsibility falls to whichever party is in the more capable position to contact affected individuals and mitigate damage

Omnibus Rule

Regarding Covered Entities

  • Update and post notice of privacy practices
  • Update and post patient authorization form
  • Implement disclosure processes as required by law
  • Offer form for patient request to restrict disclosure to Health Plan
  • Option of providing electronic PHI to patient
  • Update list of business associates
  • Update and post business associate agreement documentation
  • Update breach notification compliance plan
  • Ensure business associates use written contracts with sub-contracted hires

Regarding Business Associates

  • Privacy Policies (Access, disclosure, non-disclosure agreements)
  • Security (As defined by Security Rule)
  • Designate personnel as Security Officer
  • Implement training and security awareness programs
  • Have written contract with sub-contracted hires
  • Have breach notification compliance plan in place


HIPAA laws work to ensure patients’ health information remains private and secure at all times - whether being stored or transferred, and whether it exists in physical or electronic form.

This checklist provides an overview of the mandates required of a healthcare organization and its business associates with regard to HIPAA law, policies, and protocol.

For more help keeping your employees - and your organization - HIPAA-compliant, check out Accountable’s on-demand training courses. And be sure to come back to our blog in the coming months, as we’ll continue to provide advice and information on each of the areas mentioned above, and more.