HIPAA

HIPAA Security Rule Checklist: Administrative, Physical, and Technical Safeguards

Complete checklist for implementing HIPAA Security Rule safeguards to protect electronic protected health information (ePHI).

December 31, 2025


The HIPAA Security Rule establishes national standards for protecting electronic protected health information (ePHI). This comprehensive checklist covers all required and addressable safeguards.

Administrative Safeguards

Administrative safeguards are policies and procedures designed to clearly show how your organization will comply with HIPAA.

Security Management Process (Required)

Risk Analysis (Required) [§164.308(a)(1)(ii)(A)]

  • Conduct organization-wide risk analysis
  • Identify all ePHI locations and flows
  • Document potential threats and vulnerabilities
  • Assess current security measures
  • Determine likelihood and impact of risks
  • Document risk analysis findings
  • Update risk analysis annually or when environment changes

Risk Management (Required) [§164.308(a)(1)(ii)(B)]

  • Develop risk management strategy
  • Prioritize risks by severity
  • Implement security measures to reduce risks
  • Document risk management decisions
  • Monitor effectiveness of implemented measures

Sanction Policy (Required) [§164.308(a)(1)(ii)(C)]

  • Create workforce sanction policy
  • Define violations and corresponding sanctions
  • Communicate policy to all workforce members
  • Apply sanctions consistently
  • Document sanction applications

Information System Activity Review (Required) [§164.308(a)(1)(ii)(D)]

  • Implement audit logging systems
  • Define log review procedures
  • Assign responsibility for log review
  • Establish review frequency
  • Document findings and follow-up actions

Assigned Security Responsibility (Required)

Security Officer [§164.308(a)(2)]

  • Designate qualified Security Officer
  • Define Security Officer responsibilities
  • Provide adequate resources and authority
  • Document designation
  • Ensure ongoing training

Workforce Security (Required)

Authorization and/or Supervision (Addressable) [§164.308(a)(3)(i)]

  • Establish workforce authorization procedures
  • Define supervision requirements
  • Document authorization decisions
  • Monitor workforce compliance

Workforce Clearance Procedure (Addressable) [§164.308(a)(3)(ii)(A)]

  • Implement pre-employment screening
  • Verify credentials and references
  • Conduct background checks as appropriate
  • Document clearance decisions

Termination Procedures (Addressable) [§164.308(a)(3)(ii)(B)]

  • Create termination checklist
  • Revoke system access immediately
  • Collect company property
  • Conduct exit interview
  • Document termination actions

Information Access Management (Required)

Isolating Healthcare Clearinghouse Functions (Required) [§164.308(a)(4)(i)]

  • Identify clearinghouse functions
  • Implement logical isolation
  • Prevent unauthorized access between functions
  • Document isolation measures

Access Authorization (Addressable) [§164.308(a)(4)(ii)(A)]

  • Implement access request process
  • Define approval workflow
  • Document access authorizations
  • Review access periodically

Access Establishment and Modification (Addressable) [§164.308(a)(4)(ii)(B)]

  • Create access provisioning procedures
  • Document access modifications
  • Implement role-based access control
  • Review access rights regularly

Security Awareness and Training (Required)

Security Reminders (Addressable) [§164.308(a)(5)(i)]

  • Send periodic security updates
  • Share security tips and best practices
  • Remind about policy requirements
  • Document reminder distribution

Protection from Malicious Software (Addressable) [§164.308(a)(5)(ii)]

  • Implement anti-malware solutions
  • Keep signatures updated
  • Train workforce on malware threats
  • Monitor for malware infections

Log-in Monitoring (Addressable) [§164.308(a)(5)(iii)]

  • Implement login attempt monitoring
  • Set up alerts for suspicious activity
  • Review failed login attempts
  • Lock accounts after repeated failures
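The monitoring and lockout steps above can be checked mechanically against authentication logs. The following is an added example, not part of the original checklist: it counts failed logins per account within a sliding window over a few constructed log lines, raises a lockout alert when the threshold is reached, and resets the count on a successful login. The line format and the threshold and window values are assumptions for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not captured from any real system).
SAMPLE_AUTH_LOG = """\
2025-12-31T08:00:01Z auth user=jdoe result=FAIL src=10.0.0.15
2025-12-31T08:00:05Z auth user=jdoe result=FAIL src=10.0.0.15
2025-12-31T08:00:09Z auth user=jdoe result=FAIL src=10.0.0.15
2025-12-31T08:00:12Z auth user=jdoe result=FAIL src=10.0.0.15
2025-12-31T08:00:15Z auth user=jdoe result=FAIL src=10.0.0.15
2025-12-31T08:00:20Z auth user=asmith result=SUCCESS src=10.0.0.22
2025-12-31T08:03:00Z auth user=asmith result=FAIL src=10.0.0.22
2025-12-31T08:30:00Z auth user=asmith result=FAIL src=10.0.0.22
this line is malformed and must be skipped
"""

# Hypothetical line format assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z auth "
    r"user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "user": m["user"],
        "result": m["result"],
        "src": m["src"],
    }


def detect_lockouts(lines, threshold=5, window_minutes=10):
    """Return [(user, time, source)] for each account whose failed logins
    within a sliding window reached the threshold. A successful login
    clears the account's failure history; malformed lines are ignored."""
    window = timedelta(minutes=window_minutes)
    recent_failures = defaultdict(deque)  # user -> timestamps of recent failures
    locked = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user = ev["user"]
        if ev["result"] == "SUCCESS":
            recent_failures[user].clear()
            continue
        q = recent_failures[user]
        q.append(ev["ts"])
        # Drop failures that fell out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and user not in locked:
            locked.add(user)
            alerts.append((user, ev["ts"].isoformat(), ev["src"]))
    return alerts


if __name__ == "__main__":
    for user, when, src in detect_lockouts(SAMPLE_AUTH_LOG.splitlines()):
        print(f"LOCKOUT user={user} at={when} src={src}")
```

With the constructed input, only jdoe trips the default threshold of five failures in ten minutes; asmith's two failures are 27 minutes apart and so never fall in one window, which is the point of a sliding window rather than a lifetime counter. The alerts list is what you would forward to the alerting pipeline and keep as the review record called for under Information System Activity Review.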

Password Management (Addressable) [§164.308(a)(5)(iv)]

  • Establish password requirements
  • Implement password complexity rules
  • Require periodic password changes
  • Prohibit password sharing

Security Incident Procedures (Required)

Response and Reporting (Required) [§164.308(a)(6)]

  • Develop incident response plan
  • Define incident classification levels
  • Establish reporting procedures
  • Assign incident response team
  • Conduct incident response training
  • Test incident response procedures
  • Document all incidents and responses

Contingency Plan (Required)

Data Backup Plan (Required) [§164.308(a)(7)(i)]

  • Create data backup procedures
  • Define backup frequency
  • Implement automated backups
  • Store backups securely
  • Test backup restoration

Disaster Recovery Plan (Required) [§164.308(a)(7)(ii)]

  • Develop disaster recovery procedures
  • Define recovery priorities
  • Establish alternate processing site
  • Document recovery procedures
  • Test disaster recovery annually

Emergency Mode Operation Plan (Required) [§164.308(a)(7)(iii)]

  • Create emergency procedures
  • Define critical functions
  • Establish emergency communication
  • Train workforce on emergency procedures

Testing and Revision Procedures (Addressable) [§164.308(a)(7)(iv)]

  • Schedule contingency plan testing
  • Document test results
  • Revise plans based on lessons learned
  • Update plans when environment changes

Applications and Data Criticality Analysis (Addressable) [§164.308(a)(7)(v)]

  • Identify critical applications
  • Prioritize data by importance
  • Document criticality analysis
  • Update analysis periodically

Evaluation (Required)

Periodic Evaluation [§164.308(a)(8)]

  • Conduct annual security evaluation
  • Assess technical and non-technical controls
  • Evaluate compliance with Security Rule
  • Document evaluation findings
  • Implement improvements

Business Associate Contracts and Other Arrangements (Required)

BAAs [§164.308(a)(4)]

  • Identify all business associates
  • Execute BAAs before sharing ePHI
  • Include required HIPAA provisions
  • Monitor BA compliance
  • Update BAAs as needed

Physical Safeguards

Physical safeguards protect electronic information systems, buildings, and equipment from natural and environmental hazards and unauthorized intrusion.

Facility Access Controls (Addressable)

Contingency Operations (Addressable) [§164.310(a)(2)(i)]

  • Establish facility access during emergencies
  • Define emergency access procedures
  • Document contingency operations

Facility Security Plan (Addressable) [§164.310(a)(2)(ii)]

  • Develop physical security procedures
  • Implement access barriers
  • Monitor facility access
  • Document security measures

Access Control and Validation Procedures (Addressable) [§164.310(a)(2)(iii)]

  • Implement badge or keycard access
  • Validate visitor access
  • Escort visitors in sensitive areas
  • Log facility access

Maintenance Records (Addressable) [§164.310(a)(2)(iv)]

  • Document facility maintenance
  • Track repairs and modifications
  • Maintain equipment logs

Workstation Use (Required)

Workstation Security [§164.310(c)]

  • Define appropriate workstation functions
  • Establish physical security requirements
  • Implement screen locks
  • Position workstations to prevent shoulder surfing

Workstation Security (Required)

Physical Safeguards [§164.310(c)]

  • Secure workstations located in publicly accessible areas
  • Implement automatic logoff
  • Use privacy screens where appropriate
  • Control physical access to workstations

Device and Media Controls (Required)

Disposal (Required) [§164.310(d)(2)(i)]

  • Establish media disposal procedures
  • Use certified disposal vendors
  • Document media disposal
  • Verify data destruction

Media Re-use (Required) [§164.310(d)(2)(ii)]

  • Implement media sanitization procedures
  • Verify data removal before re-use
  • Document media re-use

Accountability (Addressable) [§164.310(d)(2)(iii)]

  • Track device and media movements
  • Maintain asset inventory
  • Assign responsibility for devices

Data Backup and Storage (Addressable) [§164.310(d)(2)(iv)]

  • Backup data before equipment movement
  • Secure media during transport
  • Verify data integrity after movement

Technical Safeguards

Technical safeguards control access to ePHI and protect communications containing ePHI transmitted over electronic networks.

Access Control (Required)

Unique User Identification (Required) [§164.312(a)(1)]

  • Assign unique IDs to all users
  • Prohibit shared accounts
  • Track user activities by ID
  • Document user assignments

Emergency Access Procedure (Required) [§164.312(a)(2)]

  • Create break-glass procedures
  • Define emergency access scenarios
  • Document emergency access use
  • Review emergency access regularly

Automatic Logoff (Addressable) [§164.312(a)(2)(iii)]

  • Implement session timeouts
  • Configure automatic logoff
  • Set appropriate timeout periods
  • Test logoff functionality
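The items above distinguish configuring a timeout from testing that it actually fires. The following added example (not from the original checklist) is a small in-memory session store with two independent limits, an idle timeout and an absolute lifetime, and an injectable clock so the logoff behaviour can be exercised deterministically. The timeout values, the session identifier scheme and the store design are assumptions for this example.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created_at: float      # seconds, from the injected clock
    last_activity: float


class SessionStore:
    """In-memory session store with two limits (default values are assumptions):
    idle_timeout     - seconds of inactivity after which the session is dropped
    absolute_timeout - maximum lifetime regardless of activity
    The clock is injectable so the behaviour can be tested without waiting."""

    def __init__(self, idle_timeout=15 * 60, absolute_timeout=8 * 60 * 60,
                 clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock
        self._sessions = {}

    def create(self, user):
        now = self.clock()
        session_id = secrets.token_urlsafe(32)  # unguessable identifier
        self._sessions[session_id] = Session(user, now, now)
        return session_id

    def _expired(self, session, now):
        return (now - session.last_activity > self.idle_timeout
                or now - session.created_at > self.absolute_timeout)

    def touch(self, session_id):
        """Validate a session on each request. Returns the user name when the
        session is still live (and refreshes the idle timer), else None; an
        expired session is removed so it cannot be revived."""
        session = self._sessions.get(session_id)
        if session is None:
            return None
        now = self.clock()
        if self._expired(session, now):
            del self._sessions[session_id]
            return None
        session.last_activity = now
        return session.user

    def logout(self, session_id):
        """Explicit logoff; returns True if a session was removed."""
        return self._sessions.pop(session_id, None) is not None

    def sweep(self):
        """Background job: drop expired sessions even if never touched again."""
        now = self.clock()
        expired = [sid for sid, s in self._sessions.items() if self._expired(s, now)]
        for sid in expired:
            del self._sessions[sid]
        return len(expired)


class FakeClock:
    """Constructed clock for demonstrating and testing the timeouts."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds
```

The absolute limit matters because an idle timeout alone lets a workstation that is kept busy stay logged on indefinitely; the sweep matters because a session that is never touched again would otherwise linger in the store past its expiry.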

Encryption and Decryption (Addressable) [§164.312(a)(2)(iv)]

  • Encrypt ePHI at rest
  • Encrypt ePHI in transit
  • Implement key management
  • Test encryption effectiveness

Audit Controls (Required)

System Activity Audit [§164.312(b)]

  • Implement audit logging
  • Log access to ePHI
  • Record system events
  • Protect audit logs from tampering
  • Retain logs per policy
  • Review audit logs regularly

Integrity Controls (Required)

Mechanism to Authenticate ePHI (Addressable) [§164.312(c)(1)]

  • Implement data integrity checks
  • Use checksums or hashes
  • Verify data integrity periodically
  • Alert on integrity violations
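"Protect audit logs from tampering" under Audit Controls and "use checksums or hashes" with "alert on integrity violations" under Integrity Controls can be served by the same mechanism. The following added example (not part of the original checklist) keeps an ePHI access log as a hash chain: each entry carries an HMAC over the previous entry's MAC and its own content, so editing or deleting a record breaks every link after it, and verification reports the first bad index. The key, the event records and the record layout are constructed for this example.

```python
import copy
import hashlib
import hmac
import json

# Constructed demonstration key. Assumption: a real deployment keeps this key in a
# KMS/HSM, out of reach of the accounts that write the log.
DEMO_KEY = b"demo-only-audit-key-do-not-deploy"

GENESIS = "0" * 64  # chain anchor used before any record exists

# Constructed sample ePHI access events (no real patients or users).
SAMPLE_EVENTS = [
    {"ts": "2025-12-31T09:00:00Z", "user": "jdoe", "action": "VIEW", "patient_id": "P-1001"},
    {"ts": "2025-12-31T09:05:30Z", "user": "asmith", "action": "UPDATE", "patient_id": "P-1002"},
    {"ts": "2025-12-31T09:07:10Z", "user": "jdoe", "action": "EXPORT", "patient_id": "P-1001"},
]


def _canonical(record):
    """Deterministic serialisation so the MAC does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _entry_mac(key, prev_mac, record):
    """HMAC over the previous entry's MAC plus this record: this is the chain link."""
    return hmac.new(key, prev_mac.encode() + b"\n" + _canonical(record),
                    hashlib.sha256).hexdigest()


def append_record(log, key, record):
    """Append a record, binding it to the current tail of the log."""
    prev_mac = log[-1]["mac"] if log else GENESIS
    entry = {"record": copy.deepcopy(record), "mac": _entry_mac(key, prev_mac, record)}
    log.append(entry)
    return entry


def verify_log(log, key):
    """Recompute the chain. Returns (True, None), or (False, index of first bad entry)."""
    prev_mac = GENESIS
    for i, entry in enumerate(log):
        expected = _entry_mac(key, prev_mac, entry["record"])
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, i
        prev_mac = entry["mac"]
    return True, None


def build_sample_log(key=DEMO_KEY):
    log = []
    for rec in SAMPLE_EVENTS:
        append_record(log, key, rec)
    return log


def modified_record_is_detected(key=DEMO_KEY):
    """Alter a patient id in the middle of the log; verification must fail there."""
    log = build_sample_log(key)
    log[1]["record"]["patient_id"] = "P-9999"
    return verify_log(log, key)


def deleted_record_is_detected(key=DEMO_KEY):
    """Remove a middle entry; the next entry no longer chains to its predecessor."""
    log = build_sample_log(key)
    del log[1]
    return verify_log(log, key)


if __name__ == "__main__":
    print("intact:", verify_log(build_sample_log(), DEMO_KEY))
    print("modified:", modified_record_is_detected())
    print("deleted:", deleted_record_is_detected())
```

Two caveats a reviewer would raise. Chaining alone does not reveal removal of the newest entries, so the latest MAC should be copied at intervals to a place the log writer cannot alter (a separate system or write-once storage), and a log that is shorter than that anchor is itself an integrity violation to alert on. And because anyone holding the key can re-chain the log, the key must not be available to the processes or administrators whose actions the log records.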

Authentication (Required)

Entity Authentication [§164.312(d)]

  • Implement authentication mechanisms
  • Require passwords or tokens
  • Consider multi-factor authentication
  • Verify entity identity before access

Transmission Security (Addressable)

Integrity Controls (Addressable) [§164.312(e)(1)]

  • Protect data integrity during transmission
  • Use secure protocols (TLS, SFTP)
  • Verify data integrity on receipt

Encryption (Addressable) [§164.312(e)(2)(ii)]

  • Encrypt ePHI transmitted electronically
  • Use TLS 1.2+ for web communications
  • Encrypt email containing ePHI
  • Secure file transfer mechanisms

Implementation Guidance

Required vs. Addressable Specifications

Required specifications must be implemented as stated.

Addressable specifications require you to:

  1. Assess whether the specification is reasonable and appropriate
  2. If yes, implement the specification
  3. If no, document why and implement an equivalent alternative measure

Documentation Requirements

All safeguards require documentation:

  • Policies and procedures
  • Risk assessments
  • Training records
  • Incident reports
  • Audit logs
  • Business associate agreements
  • Evaluation results

Conclusion

The HIPAA Security Rule provides a comprehensive framework for protecting ePHI. Use this checklist to assess your current compliance status and identify gaps requiring remediation. Remember that HIPAA compliance is ongoing—regularly review and update your safeguards to address new threats and changes in your environment.


For official HIPAA Security Rule guidance, see the HHS.gov HIPAA Security Rule page.