Free Resource

The 10 HIPAA Requirements
Small Practices Miss Most

See exactly where your practice stands. Check off what you've done — and spot the gaps before an auditor does.

✓ Free  ·  No login required  ·  Takes 3 minutes

HIPAA Compliance Checklist


📋
Risk Assessment
Most Missed
  • Formal risk analysis completed or reviewed within the last 12 months
    The failure OCR cites most often in enforcement actions. The Security Rule requires a risk analysis and periodic review but sets no fixed interval; an annual review is what auditors expect and what a practice can document
  • Risk assessment results are documented and retained
    Must be retained for 6 years per HIPAA documentation requirements
📄
Business Associate Agreements (BAAs)
Most Missed
  • Signed BAA on file with every vendor that handles PHI
    EHR, billing company, IT support, cloud storage, transcription services
  • BAA inventory is up to date — no expired or missing agreements
    Review annually; vendor list changes faster than most practices realize
🎓
Employee HIPAA Training
Required
  • All staff completed HIPAA training at hire and annually thereafter
    Training must cover Privacy Rule, Security Rule, and breach procedures
  • Training completion is documented with dates and names
    Certificates or sign-off sheets count — verbal acknowledgment does not
🔒
Physical Safeguards
Required
  • Workstation use policy in place (screen locks, privacy screens, clean desk)
    Unattended screens with patient data visible = Security Rule violation
  • Device disposal policy documented (hard drives wiped, paper shredded)
    Unencrypted PHI on a recycled hard drive is a reportable breach
🛡️
Technical Safeguards
Required
  • PHI is encrypted at rest and in transit
    Email, cloud storage, laptops, backups, EHR data. Encryption is an "addressable" specification: if you skip it anywhere, document why and what compensating control you use. Encrypted PHI that is lost or stolen also falls under the breach notification safe harbor
  • Unique user accounts and role-based access controls in place
    Shared logins are not compliant — each user needs individual credentials
  • Audit logging enabled on systems that access PHI
    You need to know who accessed what, and when
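As an added example (not part of this checklist or of any EHR vendor's tooling), the script below reviews a small constructed EHR-style audit export for the three things the technical safeguard items above ask for: who accessed a given record and when, whether one account is being used from several workstations in quick succession (a sign of shared logins), and whether anyone performed an action outside their role. The log format, field names, role-to-action table and five-minute window are all assumptions standing in for the practice's own systems and policy.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (no real PHI). The field names are an
# assumption about what an EHR audit export might contain.
SAMPLE_LOG = """
{"ts":"2024-03-04T08:01:10Z","user":"jlopez","role":"front_desk","workstation":"WS-01","action":"view","record":"MRN-1001"}
{"ts":"2024-03-04T08:02:30Z","user":"jlopez","role":"front_desk","workstation":"WS-01","action":"view","record":"MRN-1002"}
{"ts":"2024-03-04T08:03:05Z","user":"jlopez","role":"front_desk","workstation":"WS-04","action":"view","record":"MRN-1003"}
{"ts":"2024-03-04T09:15:00Z","user":"drpatel","role":"clinician","workstation":"WS-02","action":"view","record":"MRN-1001"}
{"ts":"2024-03-04T09:16:00Z","user":"drpatel","role":"clinician","workstation":"WS-02","action":"update","record":"MRN-1001"}
{"ts":"2024-03-04T12:40:00Z","user":"rbilling","role":"billing","workstation":"WS-03","action":"export","record":"MRN-1002"}
"""

# Actions each role may perform. An assumption standing in for the
# practice's own role-based access policy.
ROLE_PERMISSIONS = {
    "front_desk": {"view"},
    "clinician": {"view", "update"},
    "billing": {"view"},
}

# Two workstations using one account within this window is treated as a
# shared login rather than a legitimate move between desks (assumed value).
SHARED_LOGIN_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse newline-delimited JSON audit records, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def access_history(events, record):
    """Who accessed a given record, and when: the question an auditor asks."""
    return [(e["ts"].isoformat(), e["user"], e["action"])
            for e in events if e["record"] == record]


def find_shared_logins(events, window=SHARED_LOGIN_WINDOW):
    """Flag an account whose consecutive events come from different
    workstations less than `window` apart."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if (cur["workstation"] != prev["workstation"]
                    and cur["ts"] - prev["ts"] <= window):
                findings.append((user, prev["workstation"],
                                 cur["workstation"], cur["ts"].isoformat()))
    return findings


def find_role_violations(events, permissions=ROLE_PERMISSIONS):
    """Flag actions that the user's role does not permit."""
    return [(e["user"], e["role"], e["action"], e["record"])
            for e in events
            if e["action"] not in permissions.get(e["role"], set())]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Access history for MRN-1001:")
    for row in access_history(evs, "MRN-1001"):
        print("  ", row)
    print("Possible shared logins:", find_shared_logins(evs))
    print("Role violations:", find_role_violations(evs))
```

Run it as-is and the constructed data surfaces one account (jlopez) jumping from WS-01 to WS-04 in under a minute and one billing user exporting a record their role does not allow. The same three checks, pointed at a real audit export, are a reasonable monthly review for a practice that cannot afford a SIEM.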
🚨
Breach Notification Procedures
Most Missed
  • Written breach notification policy exists and staff know how to invoke it
    Affected patients must be notified without unreasonable delay and no later than 60 days after discovery. Breaches of 500 or more records are reported to HHS (and, for 500 or more in one state, the media) on the same timeline; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year
👤
HIPAA Privacy & Security Officers
Required
  • A designated Privacy Officer and Security Officer are named in writing
    Can be the same person in small practices — but must be formally designated
📝
Patient Rights Procedures
Required
  • Process in place for patients to request record access within 30 days
    The Privacy Rule allows 30 days with one 30-day extension; a 2021 proposed rule would shorten this to 15 days, so check your procedures against whichever version is in force
  • Notice of Privacy Practices (NPP) is current and given to all patients
    Must include how PHI is used, patient rights, and your contact info
💾
Contingency / Disaster Recovery Plan
Required
  • Data backup plan documented and tested
    Know where backups live, how to restore, and how long it takes
  • Disaster recovery procedures cover ransomware and system failure scenarios
    Ransomware is now a leading cause of reported healthcare breaches. Plan on the attacker also reaching your backups: keep at least one copy offline or immutable, and rehearse a restore from it
🗂️
Documentation Retention
Required
  • All HIPAA policies, procedures, and training records retained for 6+ years
    Includes risk assessments, BAAs, workforce training logs, and incident reports

Why this checklist matters

OCR Audits Are Increasing

The Office for Civil Rights has ramped up enforcement. Civil penalties are tiered by culpability and adjusted for inflation each year; they start at roughly $100 per violation and are capped at about $1.9 million per provision per calendar year (2023 figures).

Small Practices Are Targeted

Smaller organizations are easier targets for attackers and are subject to the same requirements as large health systems, with far fewer resources to meet them.

Most Gaps Are Fixable Fast

The majority of common violations can be addressed with updated policies and training — not expensive technology. Know what to prioritize.

Found gaps in your checklist?

Book a free 30-minute discovery call. We'll walk through your score, identify your highest-risk areas, and explain exactly what it takes to get compliant.

Book a Free Discovery Call →