HIPAA Compliance Checklist

A practical guide for healthcare and dental practices — LevoySec

Administrative Safeguards

• Designate a HIPAA Security Officer
• Conduct an annual risk assessment
• Document security policies and procedures
• Implement workforce training program
• Establish sanction policy for violations
• Review and update policies annually
• Maintain Business Associate Agreements (BAAs) with all vendors
• Develop contingency and disaster recovery plans

Physical Safeguards

• Restrict physical access to systems containing ePHI
• Implement workstation use and security policies
• Establish device and media disposal procedures
• Maintain visitor logs for server/network areas
• Use privacy screens on workstations in public areas

Technical Safeguards

• Implement unique user identification (no shared logins)
• Enable multi-factor authentication (MFA) for all users
• Enforce automatic session timeouts
• Encrypt ePHI at rest and in transit
• Implement audit logging and review logs regularly
• Deploy endpoint detection and response (EDR) on all devices
• Maintain up-to-date antivirus and anti-malware
• Implement network segmentation for clinical systems
• Conduct regular vulnerability scans

Breach Notification Readiness

• Document breach notification procedures
• Identify breach notification contacts (HHS, patients, media)
• Maintain breach log and incident response plan
• Train staff on breach identification and reporting