IT KORR Knowledge Center
HIPAA Compliance Checklist
A checklist organized by the three HIPAA Security Rule safeguard categories — Administrative, Physical, and Technical.
Administrative Safeguards
- A formal risk analysis covering all systems that create, receive, maintain, or transmit ePHI has been performed and documented.
- A risk management plan addresses identified risks with defined remediation timelines.
- A designated security official is responsible for developing and implementing security policies.
- Workforce security training on HIPAA and ePHI handling is documented at onboarding and periodically thereafter.
- Business associate agreements (BAAs) are in place with all applicable vendors handling ePHI.
Physical Safeguards
- Facility access controls limit physical access to systems and areas containing ePHI to authorized personnel.
- Workstations that access ePHI are positioned and configured to minimize unauthorized viewing.
- A documented process governs the disposal and reuse of hardware and media containing ePHI.
- Device and media controls track movement of hardware containing ePHI in and out of facilities.
Technical Safeguards
- Unique user IDs are assigned to every individual accessing ePHI — no shared logins.
- Automatic logoff is configured on workstations and systems accessing ePHI.
- Encryption is enabled for ePHI at rest and in transit.
- Audit logging is enabled on systems handling ePHI, and logs are reviewed periodically.
- Integrity controls are in place to ensure ePHI is not improperly altered or destroyed.
Related Resources
- HIPAA Security Rule Explained — /knowledge-center/compliance/compliance-governance/hipaa-security-rule-explained
- Compliance Fundamentals — /knowledge-center/compliance/compliance-governance/compliance-fundamentals