HIPAA Compliance Checklist (2026)
This checklist covers the core Privacy Rule, Security Rule, and Breach Notification Rule requirements for covered entities and their business associates under HIPAA. The Security Risk Analysis (45 CFR §164.308(a)(1)) is the legally required starting point for all Security Rule compliance. This checklist is a self-assessment tool, not a substitute for a formal HHS compliance review.
What is HIPAA and who must comply?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996, enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), sets national standards for protecting individually identifiable health information, known as Protected Health Information (PHI). Two categories of organisations are directly subject to HIPAA: covered entities (healthcare providers, health plans, and healthcare clearinghouses) and business associates (any vendor or partner that creates, receives, maintains, or transmits PHI on behalf of a covered entity — such as cloud storage providers, billing companies, EHR vendors, and lawyers).
Modern health technology companies — including telehealth platforms, digital health apps, and health data analytics firms — frequently qualify as business associates and must sign a Business Associate Agreement (BAA) under 45 CFR §164.308(b) before handling any PHI. If your product touches patient data in any form, assume HIPAA applies and consult legal counsel to confirm your obligations.
HIPAA's three rules and their penalties
HIPAA comprises three main rules. The Privacy Rule (45 CFR Part 164, Subpart E) governs who may access PHI and grants patients rights to access and amend their health records. The Security Rule (45 CFR Part 164, Subpart C) requires covered entities and business associates to implement administrative, physical, and technical safeguards for electronic PHI (ePHI). The Breach Notification Rule (45 CFR §§164.400–414) requires notification to affected individuals, HHS, and sometimes the media when unsecured PHI is breached.
Penalties under 45 CFR §160.404 are tiered by culpability: for violations the entity did not know about, $100 to $50,000 per violation, up to a $1.9 million annual cap; for willful neglect that is not corrected, up to $1.9 million per violation category per year. HHS OCR investigations are frequently triggered by breach reports and patient complaints. The Security Risk Analysis is the single most frequently cited deficiency in enforcement actions.
How to use this HIPAA compliance checklist
Start with the Security Risk Analysis (item hipaa-sa-1) — it is the foundation of all HIPAA security compliance and legally required under 45 CFR §164.308(a)(1). The SRA identifies the specific risks to ePHI that other controls must address. Without a completed SRA, all downstream security controls are built on an unverified foundation.
Note that some Security Rule requirements are marked "addressable" rather than "required." You must implement addressable specifications if reasonable and appropriate given your risk, or document why an equivalent alternative is in place. If you also handle payment card data, review our PCI DSS checklist; if you serve EU patients, review the GDPR checklist as well.
What this checklist is for, and what it is not
This checklist is for covered entities and business associates as defined under 45 CFR §160.103. It covers the administrative, physical, and technical safeguards of the Security Rule; the Privacy Rule's core notice, access, and minimum necessary requirements; and the Breach Notification Rule's reporting timelines. It addresses what an organisation's security or compliance team can self-assess in a structured review session.
What it does not cover: state privacy laws that impose stricter requirements than HIPAA (several states have stricter regulations for mental health records, HIV status, and substance abuse treatment records); the full scope of HHS guidance on telehealth, research exemptions, or marketing authorisations; formal HHS audit procedures; or the complete terms required in a Business Associate Agreement beyond the regulatory minimum. HIPAA compliance is inherently specific to your organisation's data flows, workforce, and technology stack. Last verified May 2026 against official text at hhs.gov/hipaa.
Real-world HIPAA enforcement cases
In October 2018, HHS OCR settled with Anthem Inc. for $16 million after a 2015 cyberattack exposed the ePHI of approximately 78.8 million individuals. OCR found that Anthem had failed to conduct an enterprise-wide risk analysis as required by 45 CFR §164.308(a)(1)(ii)(A), failed to implement a mechanism to authenticate ePHI, and had insufficient access controls. The Anthem case is the most-cited example of the Security Risk Analysis obligation in practice. Without a completed SRA, every downstream security decision lacks a documented foundation.
In September 2020, OCR settled with Premera Blue Cross for $6.85 million after a 2014 breach exposed ePHI of 10.4 million individuals. OCR found multiple violations: failure to conduct a risk analysis, failure to implement security measures to reduce identified risks, and failure to regularly review information system activity under 45 CFR §164.312(b). The breach went undetected for nine months following a spear-phishing attack. The case demonstrates that breach notification obligations are only the start of an OCR investigation, not the end.
In November 2021, OCR settled with the University of Rochester Medical Center for $3 million covering two incidents: the loss of an unencrypted flash drive and the theft of an unencrypted laptop, both containing ePHI. OCR cited failures under the encryption standard (45 CFR §164.312(a)(2)(iv)), the device and media controls standard (45 CFR §164.310(d)(1)), and the risk analysis standard. URMC had been notified of the encryption gap years before the incidents. The case makes clear that identified risks not remediated become aggravating factors in enforcement.
Common HIPAA mistakes
Treating Business Associate Agreements as paperwork. A BAA under 45 CFR §164.308(b) must identify the permitted uses and disclosures of PHI, require the BA to implement appropriate safeguards, require breach reporting, and require return or destruction of PHI at contract termination. Many covered entities use generic contract addenda that do not address these requirements. If your vendor declines to sign a BAA, you cannot use them for any activity involving PHI. Check whether existing cloud tools (Slack, Google Workspace, Dropbox, AWS) have executed BAAs.
Storing PHI in unencrypted formats. The Security Rule's encryption standard (45 CFR §164.312(a)(2)(iv)) is addressable, but choosing not to encrypt ePHI without a documented risk-based justification is an enforcement liability. Spreadsheets containing PHI emailed between staff, Google Sheets with patient appointment data shared by link, and USB drives with exported reports are recurring breach vectors in OCR enforcement actions.
Conducting a risk analysis once and not updating it. The Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A)) is the most frequently cited deficiency in OCR enforcement. It must be accurate and thorough, and must be updated when new systems are introduced, when the threat environment changes, or when an incident occurs. A risk analysis completed in 2020 that has never been updated does not satisfy the requirement.
What changed in HIPAA: 2024 to 2026
HHS published a Notice of Proposed Rulemaking (NPRM) in January 2025 proposing the first substantive update to the HIPAA Security Rule since 2013. Key proposed changes include: mandatory encryption of ePHI at rest and in transit (removing the "addressable" designation), stricter access control requirements, mandatory multi-factor authentication, and enhanced audit logging requirements. The NPRM was open for public comment; a final rule had not been published as of May 2026. Monitor hhs.gov for the final rule timeline.
The ransomware attack on Change Healthcare (a unit of UnitedHealth Group) in February 2024 disrupted healthcare payments and claims processing across the US, affecting an estimated 100 million individuals. It is the largest healthcare data breach in US history. OCR opened an investigation into Change Healthcare and UnitedHealth Group. The incident prompted HHS to issue guidance on HIPAA business associate relationships and third-party vendor risk. Monitor HHS for updates on OCR action and any legislative changes to HIPAA.
Since 2019, OCR has pursued a right of access initiative resulting in dozens of settlements for failure to provide patients timely access to their health records under 45 CFR §164.524. Fines have ranged from $3,500 to $240,000. As of 2025, OCR is continuing this enforcement priority. Covered entities must respond to patient access requests within 30 days (extendable by 30 days with written notice). Last reviewed May 2026 by the Zeta Solutions editorial team.