HIPAA Compliance Checklist (2026)
Privacy Rule
Security Rule — Administrative Safeguards
Security Rule — Physical Safeguards
Security Rule — Technical Safeguards
Breach Notification Rule
What is HIPAA and who must comply?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996, enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), sets national standards for protecting individually identifiable health information, known as Protected Health Information (PHI). Two categories of organisations are directly subject to HIPAA: covered entities (healthcare providers, health plans, and healthcare clearinghouses) and business associates (any vendor or partner that creates, receives, maintains, or transmits PHI on behalf of a covered entity — such as cloud storage providers, billing companies, EHR vendors, and lawyers).
Modern health technology companies — including telehealth platforms, digital health apps, and health data analytics firms — frequently qualify as business associates and must sign a Business Associate Agreement (BAA) under 45 CFR §164.308(b) before handling any PHI. If your product touches patient data in any form, assume HIPAA applies and consult legal counsel to confirm your obligations.
HIPAA's three rules and their penalties
HIPAA comprises three main rules. The Privacy Rule (45 CFR Part 164, Subpart E) governs who may access PHI and grants patients rights to access and amend their health records. The Security Rule (45 CFR Part 164, Subpart C) requires covered entities and business associates to implement administrative, physical, and technical safeguards for electronic PHI (ePHI). The Breach Notification Rule (45 CFR §§164.400–414) requires notification to affected individuals, HHS, and sometimes the media when unsecured PHI is breached.
Civil money penalties under 45 CFR §160.404 are tiered by culpability: $100–$50,000 per violation where the entity did not know, and could not reasonably have known, of the violation, rising through tiers for reasonable cause and corrected willful neglect to the top tier for willful neglect that is not corrected. Each tier carries an annual cap for violations of an identical provision (about $1.9 million at the top tier), and HHS adjusts all of these amounts for inflation each year, so check the current figures before quoting them. The largest HIPAA settlement to date is $16 million (Anthem, 2018). OCR investigations are most often triggered by breach reports and patient complaints, and a missing or inadequate Security Risk Analysis is the single most frequently cited deficiency in enforcement actions.
How to use this HIPAA compliance checklist
Start with the Security Risk Analysis (item hipaa-sa-1) — it is the foundation of all HIPAA security compliance and legally required under 45 CFR §164.308(a)(1). The SRA identifies the specific risks to ePHI that other controls must address. Without a completed SRA, all downstream security controls are built on an unverified foundation.
Note that some Security Rule implementation specifications are marked "addressable" rather than "required." Addressable does not mean optional: under 45 CFR §164.306(d) you must implement the specification if it is reasonable and appropriate for your environment; if it is not, you must document why and implement an equivalent alternative measure where one is reasonable and appropriate. If you also handle payment card data, review our PCI DSS checklist; if you serve EU patients, review the GDPR checklist as well. Use the PDF export to document your compliance programme for auditors and business partners.