Complete HIPAA Security Rule Checklist
All 38 implementation specifications across administrative, physical, and technical safeguards. Track your compliance progress systematically.
How to Use This Checklist
This checklist covers all 38 HIPAA Security Rule implementation specifications organized by safeguard type. Each item indicates whether it's Required (R) or Addressable (A). Use this to track your compliance progress, but remember: this doesn't replace a formal Security Risk Assessment. Get professional help for your first implementation with our HIPAA Security Assessment service.
Understanding the Requirements
Required
Must be implemented by all covered entities. No exceptions unless you document why the entire standard doesn't apply to your organization.
Addressable
Assess if reasonable and appropriate for your organization. If not implemented, document why and implement equivalent alternative measures.
Critical: "Addressable" Does Not Mean Optional
Many organizations incorrectly treat addressable specifications as optional. OCR requires you to either implement them OR document why they're not reasonable/appropriate AND implement equivalent alternatives. Most audits fail due to lack of documentation around addressable specifications.
Administrative Safeguards
20 implementation specifications (54% of total requirements)
164.308(a)(1) Security Management Process (R)
Conduct accurate and thorough assessment of potential risks and vulnerabilities to confidentiality, integrity, and availability of ePHI. Must be comprehensive and organization-wide.
Implement security measures sufficient to reduce risks and vulnerabilities to reasonable and appropriate level. Document decisions and rationale for all risk management choices.
Apply appropriate sanctions against workforce members who fail to comply with security policies and procedures. Must be documented, communicated, and consistently enforced.
Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. Minimum monthly review recommended.
164.308(a)(2) Assigned Security Responsibility (R)
Identify security official responsible for development and implementation of policies and procedures. Must be documented with specific individual named (can be outsourced to vCISO).
164.308(a)(3) Workforce Security (R)
Implement procedures for authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed. Include role definitions and approval processes.
Implement procedures to determine that workforce member access to ePHI is appropriate. Background checks, reference verification, and security clearance processes.
Implement procedures for terminating access to ePHI when employment ends or as required by changes in job responsibilities. Must include same-day access removal and credential collection.
164.308(a)(4) Information Access Management (R)
If a health care clearinghouse is part of larger organization, implement policies and procedures to protect ePHI of clearinghouse from unauthorized access by larger organization. (Only applies to clearinghouses)
Implement policies and procedures for granting access to ePHI (e.g., through access to a workstation, transaction, program, process, or other mechanism). Formal approval and documentation required.
Implement policies and procedures that, based on workforce member access authorization, establish, document, review, and modify access rights. Periodic access reviews required.
164.308(a)(5) Security Awareness and Training (R)
Periodic security updates communicated to workforce. Can include email reminders, posters, newsletters about security threats and proper handling of ePHI. Quarterly minimum recommended.
Procedures for guarding against, detecting, and reporting malicious software. Train workforce on recognizing suspicious emails, safe browsing, and download restrictions.
Procedures for monitoring log-in attempts and reporting discrepancies. Train workforce to recognize unauthorized access attempts and report suspicious activity immediately.
Procedures for creating, changing, and safeguarding passwords. Train workforce on strong password creation, secure storage, and prohibition on sharing credentials.
164.308(a)(6) Security Incident Procedures (R)
Identify and respond to suspected or known security incidents; mitigate, to extent practicable, harmful effects; document incidents and outcomes.
Learn more: Incident Response Planning Guide
164.308(a)(7) Contingency Plan (R)
Establish and implement procedures to create and maintain retrievable exact copies of ePHI. Must include regular automated backups with verified restoration capability.
Establish procedures to restore any loss of data. Must define Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for critical systems.
Learn more: Business Continuity Planning
Establish procedures to enable continuation of critical business processes for protection of ePHI security while operating in emergency mode. Define minimum operational requirements.
Implement procedures for periodic testing and revision of contingency plans. Annual testing minimum; more frequent testing recommended for critical systems.
Assess relative criticality of specific applications and data in support of other contingency plan components. Prioritize systems by business impact and recovery requirements.
164.308(a)(8) Evaluation (R)
Perform periodic technical and non-technical evaluation based initially upon the standards implemented and subsequently in response to environmental or operational changes affecting security of ePHI. Annual minimum; after significant changes recommended.
164.308(b)(1) Business Associate Contracts and Other Arrangements (R)
Document satisfactory assurances that business associate will appropriately safeguard the information. Must include specific required provisions (permitted uses, security safeguards, breach notification, termination, subcontractor requirements).
Physical Safeguards
6 implementation specifications (8% of total requirements)
164.310(a)(1) Facility Access Controls (R)
Establish procedures that allow facility access in support of restoration of lost data under disaster recovery and emergency mode operations plan. Define who can access facilities during emergencies.
Implement policies and procedures to safeguard facility and equipment therein from unauthorized physical access, tampering, and theft. Include access controls, surveillance, and security personnel.
Implement procedures to control and validate person's access to facilities based on role or function. Badge systems, visitor logs, escorts for non-employees.
Implement policies and procedures to document repairs and modifications to physical components of facility related to security (e.g., hardware, walls, doors, locks). Log all maintenance activities.
164.310(b) Workstation Use (R)
Implement policies and procedures that specify proper functions to be performed, manner in which functions are performed, and physical attributes of surroundings of specific workstation or class of workstation that can access ePHI. Privacy screens, positioning, clean desk policy.
164.310(c) Workstation Security (R)
Implement physical safeguards for all workstations that access ePHI to restrict access to authorized users. Cable locks, secured mounting, theft deterrents, automatic screen locks.
164.310(d)(1) Device and Media Controls (R)
Implement policies and procedures to address final disposition of ePHI and/or hardware or electronic media on which it is stored. NIST 800-88 compliant wiping for electronic media; cross-cut shredding for paper.
Implement procedures for removal of ePHI from electronic media before media is made available for re-use. Secure wiping before repurposing; verification of complete data removal.
Maintain record of movements of hardware and electronic media and any person responsible therefor. Asset tracking system, chain of custody documentation.
Create retrievable, exact copy of ePHI when needed before movement of equipment. Backup before maintenance, repairs, or relocation of equipment containing ePHI.
Technical Safeguards
12 implementation specifications (38% of total requirements)
164.312(a)(1) Access Control (R)
Assign unique name and/or number for identifying and tracking user identity. No shared accounts; each person must have unique credentials for audit trail purposes.
Establish procedures for obtaining necessary ePHI during emergency. Break-glass accounts with elevated privileges, documented and monitored for misuse.
Implement electronic procedures that terminate electronic session after predetermined time of inactivity. 15-minute standard for high-risk areas; 30 minutes acceptable for lower-risk.
Implement mechanism to encrypt and decrypt ePHI. AES-256 minimum for data at rest; TLS 1.2+ for data in transit. Encryption provides safe harbor from breach notification.
Note: While technically "addressable," encryption is effectively required in practice due to breach notification rules and OCR enforcement patterns.
164.312(b) Audit Controls (R)
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems containing or using ePHI. Must log: user ID, timestamp, action performed, patient record accessed, success/failure. Minimum 6-year retention.
164.312(c)(1) Integrity (R)
Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in unauthorized manner. Digital signatures, checksums, hash functions to detect tampering.
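An added example, not from the original checklist, of the audit-record and tamper-detection points above: each record carries the five fields listed under 164.312(b), plus a SHA-256 hash that also covers the previous record's hash, so altering, removing or reordering an earlier record is detectable as 164.312(c)(1) asks. All function and field names and the sample records are constructed for this illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Fields the checklist requires in every audit record (164.312(b)).
REQUIRED_FIELDS = ("user_id", "timestamp", "action", "patient_record", "outcome")
GENESIS = "0" * 64  # prev_hash carried by the first record

def _digest(record):
    # Canonical JSON (sorted keys, no whitespace) so equal records hash identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()

def append_event(log, user_id, action, patient_record, outcome, timestamp=None):
    # Append one record whose hash also covers the previous record's hash.
    if outcome not in ("success", "failure"):
        raise ValueError("outcome must be 'success' or 'failure'")
    event = {
        "user_id": user_id,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "action": action,
        "patient_record": patient_record,
        "outcome": outcome,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    event["hash"] = _digest(event)  # hash over every field except "hash" itself
    log.append(event)
    return event

def verify_chain(log):
    # Returns (True, None) if intact, else (False, index of the first bad record).
    prev_hash = GENESIS
    for i, event in enumerate(log):
        if any(field not in event for field in REQUIRED_FIELDS):
            return False, i  # record is missing a required field
        if event["prev_hash"] != prev_hash:
            return False, i  # an earlier record was removed or reordered
        body = {k: v for k, v in event.items() if k != "hash"}
        if _digest(body) != event["hash"]:
            return False, i  # this record's contents were altered
        prev_hash = event["hash"]
    return True, None

def demo():
    # Constructed sample log: verify it, then rewrite one record and verify again.
    log = []
    append_event(log, "jdoe", "view", "MRN-000123", "success", "2024-03-01T09:00:00+00:00")
    append_event(log, "jdoe", "export", "MRN-000123", "failure", "2024-03-01T09:05:00+00:00")
    intact = verify_chain(log)
    log[1]["outcome"] = "success"  # a failed export rewritten to look successful
    return intact, verify_chain(log)
```

The chain cannot by itself detect truncation of the newest records, so the latest hash should also be stored somewhere the log writer cannot modify.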
164.312(d) Person or Entity Authentication (R)
Implement procedures to verify that person or entity seeking access to ePHI is the one claimed. Multi-factor authentication strongly recommended for remote access; required for high-privilege accounts.
Learn more: 30-Day MFA Implementation Guide
164.312(e)(1) Transmission Security (R)
Implement security measures to ensure electronically transmitted ePHI is not improperly modified without detection until disposed of. Checksums, error detection, secure protocols (HTTPS, SFTP).
Implement mechanism to encrypt ePHI whenever deemed appropriate. TLS 1.2+ for web traffic; VPN for remote access; encrypted email for patient communications. Effectively required in practice.
Compliance Summary
Required vs. Addressable: 24 specifications are Required (R), 14 are Addressable (A). Remember: Addressable does NOT mean optional - you must assess each one and either implement it OR document why it's not reasonable/appropriate AND implement an equivalent alternative.
How to Use This Checklist
Start with Risk Assessment
Complete a comprehensive Security Risk Assessment first - it's the foundation that informs all other decisions. Our HIPAA Security Assessment service can help.
Prioritize Required Specifications
Focus on all Required (R) specifications first. These must be implemented without exception.
Assess Addressable Specifications
For each Addressable (A) specification, document your assessment. If you don't implement it, document why and what alternative you're using.
Document Everything
OCR requires documentation of your decision-making process. Keep records of what you implemented, when, and why.
Review Annually
HIPAA compliance is ongoing. Review and update your compliance program at least annually or after significant changes.
Need Help Implementing HIPAA Compliance?
This checklist tracks requirements, but you need professional guidance to implement them correctly. Our HIPAA Security Assessments provide comprehensive evaluation, gap analysis, and remediation roadmap.
HIPAA Security Assessment: $15,000 fixed fee • 3-4 week delivery • Comprehensive gap analysis • Prioritized remediation roadmap • Implementation support