Healthcare Onboarding Checklist

Covers minimum necessary standard, patient rights, permitted uses and disclosures of PHI, and Notice of Privacy Practices requirements.

Covers electronic PHI (ePHI) safeguards — access controls, password policies, workstation security, and encryption requirements.

Understand how to identify a potential breach, the 60-day reporting window, and internal escalation chain for suspected incidents.

Sign acknowledgment that you will access only the minimum PHI required to perform your job duties. No browsing patient records.

Common violation: looking up records of family, friends, or VIP patients. This is grounds for immediate termination and OCR investigation.

Legally binding agreement covering PHI, proprietary business information, and patient identifiers. Must be signed before first day of clinical access.

No patient information on personal devices, social media, or unsecured messaging. Understand what constitutes a HIPAA violation in digital communications.

Even posting a photo from the workplace that shows a patient chart in the background is a reportable breach.

Covers exposure control plan, universal precautions, proper PPE use, sharps handling, and post-exposure protocol including PEP evaluation within 2 hours.

GHS label reading, Safety Data Sheet (SDS) access, chemical storage protocols, and spill response procedures for clinical cleaning agents and disinfectants.

Location of fire extinguishers, pull stations, and exits. RACE protocol (Rescue, Alarm, Contain, Extinguish) and PASS technique for extinguisher use.

Complete two-step TB skin test (TST) or single IGRA blood test. Required for all staff with patient contact. Document results in employee health file.

If prior positive TST, a chest X-ray within the past 12 months satisfies the requirement.

Multi-state criminal background check, sex offender registry, and federal exclusion list (OIG LEIE) verification. Some states require fingerprinting.

Verify employee is not on the HHS Office of Inspector General List of Excluded Individuals/Entities (LEIE) or the System for Award Management (SAM) exclusion list.

Must be re-checked monthly. Hiring an excluded individual can result in $100K+ CMP per item/service.

Verify active, unrestricted state license through the primary source (state licensing board). Confirm license type, expiration date, and any disciplinary actions.

Board certification, BLS/ACLS/PALS, specialty certifications. Verify through issuing organization and document expiration dates for tracking.

Assign unique username and temporary password. No shared logins. Multi-factor authentication (MFA) must be enabled before first login.

Restrict access to only the modules and patient populations required for the employee's job function. Front desk sees scheduling, not clinical notes.

Document the access level granted and the business justification. Audit logs should be reviewed within 30 days of provisioning.

Hands-on training with the specific EHR platform (Epic, Cerner, Athena, etc.). Covers charting, order entry, e-prescribing, and secure messaging.

Covers active shooter, severe weather, utility failure, bomb threat, and mass casualty incident response. Know primary and secondary evacuation routes.

Understand facility code system: Code Blue (cardiac arrest), Code Red (fire), Code Silver (weapon/hostage), Code Pink (infant abduction), and overhead paging protocol.

Physical walk-through to identify AED locations, crash carts, fire extinguishers, emergency exits, and designated assembly points for your department.

Covers attendance, dress code, PTO, grievance procedures, and anti-harassment policy. Sign acknowledgment of receipt.

Federal and state-required training on workplace harassment, discrimination, ADA accommodations, and reporting procedures.

How to report suspected fraud, waste, abuse, or compliance violations. Anonymous hotline number. Non-retaliation protections under False Claims Act.