HIPAA Compliance Checklists
The HIPAA Security Rule establishes national standards to protect electronic protected health information (ePHI). These checklists enumerate each implementation specification organized by safeguard category as codified in 45 CFR Part 164, Subpart C.
Required specifications must be implemented as stated. Addressable specifications must be assessed and either implemented as written, implemented through an equivalent alternative measure, or not implemented, with written documentation of why implementation is not reasonable and appropriate in the entity's environment.
Technical Safeguards
45 CFR 164.312

| # | Standard | CFR Section | Type | Description |
|---|---|---|---|---|
| 1 | Unique User Identification | 164.312(a)(2)(i) | Required | Assign a unique name and/or number for identifying and tracking user identity. |
| 2 | Emergency Access Procedure | 164.312(a)(2)(ii) | Required | Establish procedures for obtaining necessary ePHI during an emergency. |
| 3 | Automatic Logoff | 164.312(a)(2)(iii) | Addressable | Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. |
| 4 | Encryption and Decryption | 164.312(a)(2)(iv) | Addressable | Implement a mechanism to encrypt and decrypt electronic protected health information. |
| 5 | Audit Controls | 164.312(b) | Required | Implement hardware, software, and/or procedural mechanisms that record and examine activity in systems that contain or use ePHI. |
| 6 | Mechanism to Authenticate ePHI | 164.312(c)(2) | Addressable | Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. |
| 7 | Person or Entity Authentication | 164.312(d) | Required | Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. |
| 8 | Integrity Controls (Transmission) | 164.312(e)(2)(i) | Addressable | Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection. |
| 9 | Encryption (Transmission) | 164.312(e)(2)(ii) | Addressable | Implement a mechanism to encrypt ePHI whenever deemed appropriate during transmission over electronic networks. |
Administrative Safeguards
45 CFR 164.308

| # | Standard | CFR Section | Type | Description |
|---|---|---|---|---|
| 1 | Risk Analysis | 164.308(a)(1)(ii)(A) | Required | Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. |
| 2 | Risk Management | 164.308(a)(1)(ii)(B) | Required | Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. |
| 3 | Sanction Policy | 164.308(a)(1)(ii)(C) | Required | Apply appropriate sanctions against workforce members who fail to comply with security policies and procedures. |
| 4 | Information System Activity Review | 164.308(a)(1)(ii)(D) | Required | Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. |
| 5 | Authorization and/or Supervision | 164.308(a)(3)(ii)(A) | Addressable | Implement procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed. |
| 6 | Workforce Clearance Procedure | 164.308(a)(3)(ii)(B) | Addressable | Implement procedures to determine that the access of a workforce member to ePHI is appropriate. |
| 7 | Termination Procedures | 164.308(a)(3)(ii)(C) | Addressable | Implement procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends. |
| 8 | Security Awareness and Training | 164.308(a)(5)(i) | Required | Implement a security awareness and training program for all members of the workforce, including management. |
| 9 | Security Reminders | 164.308(a)(5)(ii)(A) | Addressable | Implement periodic security updates. |
| 10 | Log-in Monitoring | 164.308(a)(5)(ii)(C) | Addressable | Implement procedures for monitoring log-in attempts and reporting discrepancies. |
| 11 | Password Management | 164.308(a)(5)(ii)(D) | Addressable | Implement procedures for creating, changing, and safeguarding passwords. |
| 12 | Security Incident Procedures | 164.308(a)(6)(i) | Required | Implement policies and procedures to address security incidents. |
| 13 | Contingency Plan | 164.308(a)(7)(i) | Required | Establish policies and procedures for responding to an emergency or other occurrence that damages systems containing ePHI. |
| 14 | Data Backup Plan | 164.308(a)(7)(ii)(A) | Required | Establish and implement procedures to create and maintain retrievable exact copies of ePHI. |
| 15 | Disaster Recovery Plan | 164.308(a)(7)(ii)(B) | Required | Establish procedures to restore any loss of data. |
| 16 | Emergency Mode Operation Plan | 164.308(a)(7)(ii)(C) | Required | Establish procedures to enable continuation of critical business processes for protection of ePHI while operating in emergency mode. |
| 17 | Evaluation | 164.308(a)(8) | Required | Perform periodic technical and nontechnical evaluations in response to environmental or operational changes affecting ePHI security. |
Physical Safeguards
45 CFR 164.310

| # | Standard | CFR Section | Type | Description |
|---|---|---|---|---|
| 1 | Contingency Operations | 164.310(a)(2)(i) | Addressable | Establish procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan. |
| 2 | Facility Security Plan | 164.310(a)(2)(ii) | Addressable | Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. |
| 3 | Access Control and Validation Procedures | 164.310(a)(2)(iii) | Addressable | Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision. |
| 4 | Maintenance Records | 164.310(a)(2)(iv) | Addressable | Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security. |
| 5 | Workstation Use | 164.310(b) | Required | Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI. |
| 6 | Workstation Security | 164.310(c) | Required | Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users. |
| 7 | Disposal | 164.310(d)(2)(i) | Required | Implement policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored. |
| 8 | Media Re-use | 164.310(d)(2)(ii) | Required | Implement procedures for removal of ePHI from electronic media before the media are made available for re-use. |
| 9 | Accountability | 164.310(d)(2)(iii) | Addressable | Maintain a record of the movements of hardware and electronic media and any person responsible therefor. |
| 10 | Data Backup and Storage | 164.310(d)(2)(iv) | Addressable | Create a retrievable, exact copy of ePHI, when needed, before movement of equipment. |
Additional Requirements
Beyond these safeguards, covered entities must also comply with the Organizational Requirements (45 CFR 164.314), which govern business associate contracts, and the Documentation Requirements (45 CFR 164.316), which mandate retention of policies and procedures for six years from the date of creation or the date when last in effect, whichever is later.