HIPAA Compliance Checklist
33 items across the Privacy Rule, Security Rule, and Breach Notification Rule. Check off each item as you go, track your compliance percentage, and print a summary report for your records.
The checklist is organized by rule and safeguard category:
- Privacy Rule (13 items): Privacy Policies & Procedures (5), Patient Rights (5), Business Associate Agreements (3)
- Security Rule (15 items): Administrative Safeguards (6), Physical Safeguards (4), Technical Safeguards (5)
- Breach Notification Rule (5 items): Breach Notification (5)
Generated on March 9, 2026 via HipaaKit (hipaakit.co)
What Is a HIPAA Compliance Checklist?
A HIPAA compliance checklist is a structured audit tool that healthcare organizations use to verify they meet every requirement of the Health Insurance Portability and Accountability Act. It covers three core rules — the Privacy Rule (how PHI is used and disclosed), the Security Rule (safeguards for electronic PHI), and the Breach Notification Rule (what happens when things go wrong).
For small practices especially, a checklist helps ensure nothing falls through the cracks. The Office for Civil Rights (OCR) has settled cases against solo practitioners for as little as one missing safeguard.
HIPAA Penalty Tiers (2026)
OCR enforces four penalty tiers based on level of negligence. Even "did not know" violations carry significant fines.
| Tier | Per Violation | Annual Max |
|---|---|---|
| Did not know and would not have known by exercising reasonable diligence | $145–$73,011 | $2,190,294 |
| Reasonable cause but not willful neglect | $1,461–$73,011 | $2,190,294 |
| Willful neglect, corrected within 30 days | $14,602–$73,011 | $2,190,294 |
| Willful neglect, not corrected within 30 days | $73,011–$2,190,294 | $2,190,294 |
How to Use This Checklist
1. Work through each section. Items are organized by HIPAA rule. Start with the Privacy Rule if you're just beginning — it's the most common area for small practice violations.
2. Check off completed items. Click each item as you verify compliance. Your overall score updates in real time. Items with a blue tip icon include important implementation notes.
3. Print or copy your report. Use the Print or Copy buttons to generate a compliance summary. Keep this with your documentation — OCR auditors look for evidence of ongoing self-assessment.
HIPAA Compliance Tips for Small Practices
- Budget realistically: A 5-10 person practice should budget 3-6 months and $15,000-$35,000 for initial compliance. The biggest cost is usually the risk analysis — but skipping it is the #1 reason practices fail OCR audits.
- Don't skip the risk assessment: The Security Rule risk analysis is the single most-cited deficiency in OCR enforcement actions (see the HIPAA Risk Assessment Template).
- Document everything: HIPAA requires six-year retention for policies, training records, and BAAs. OCR investigators ask for documentation first (see the Clinical Documentation Improvement Guide).
Key Changes in the Proposed 2026 Security Rule Update
- All safeguards become required — the "addressable" vs. "required" distinction is eliminated
- Mandatory encryption for all ePHI at rest and in transit
- Multi-factor authentication required for all ePHI system access
- 72-hour restoration requirement after security incidents
- Annual penetration testing and semi-annual vulnerability scanning
These changes are proposed and may be finalized in 2026. Practices using HIPAA-compliant video conferencing and platforms like Zoom should review their telehealth BAAs.
Related Tools & Guides
- HIPAA Risk Assessment Template: Identify and evaluate potential risks to PHI with a structured risk analysis.
- BAA Template Generator: Create compliant Business Associate Agreements for your vendors.
- HIPAA Release Form Generator: Generate patient authorization forms for PHI disclosure.
- Who Does HIPAA Apply To?: Find out if your practice qualifies as a covered entity under HIPAA.
- Notice of Privacy Practices Template: Draft a compliant NPP for your patients.