HIPAA Security Rule Checklist

Covered entities and business associates can use the following HIPAA Security Rule Checklist as a way of self-auditing. The HIPAA Security Rule Checklist, broken down into specific categories, is below.

What are the HIPAA Security Rule Checklist Categories?

HIPAA Security Rule Checklist: Annual Audits/Assessments

Six audits must be performed each year. The required Security Rule assessments are listed below (note that business associates need not conduct the Privacy Standards Audit):

  1. Security Risk Assessment
  2. HITECH Subtitle D Audit
  3. Security Standards Audit
  4. Asset and Device Audit
  5. Physical Site Audit
  6. Privacy Standards Audit

Checklist Items:

  • Have you completed all six audits?
  • Can you provide documentation to show that you have conducted these audits annually?
  • Has your organization identified all administrative, physical, and technical gaps revealed in the audits?
  • Have you implemented remediation plans to address the gaps found in each audit?
  • Is each of the remediation plans documented in writing?
  • Do you review and update the remediation plans at least once a year?
  • Do you keep records of your annually documented remediation plans?

HIPAA Security Rule Checklist: Training Requirement

Checklist Items:

  • Have you implemented a security awareness and training program for all workforce members, including management?
  • Are ALL workforce members trained about security reminders and security updates on a periodic basis?
  • Are workforce members periodically trained about procedures for guarding against, detecting, and reporting malicious software?
  • Are workforce members periodically trained about proper login procedures and responsible password usage?
  • Does your organization maintain documentation to confirm each employee has completed their annual training?
  • Has your organization designated a Security Officer?
  • Do you maintain documentation that confirms each workforce member has completed security awareness training?
  • Does your organization provide periodic reminders to reinforce the training?

HIPAA Security Rule Checklist: Emergencies

Checklist Items:

  • Has your organization developed a contingency plan for emergencies?
  • Has your organization developed a disaster recovery plan for emergencies?
    • Do you have a data backup plan in place?
    • Are you creating backups of all ePHI to ensure an exact copy can be recovered in the event of a disaster?  
    • Have you developed policies and procedures for responding to emergency situations?  
  • Have you developed procedures (i.e., an emergency mode operation plan) to ensure critical business processes continue when you are operating in emergency mode?
  • Have employees received training about your organization’s contingency plan and disaster recovery plan?
  • Do you regularly review and update your contingency plan and run test exercises?
  • Do you regularly review and update your disaster recovery plan and run test exercises?
  • Do you test your backups periodically to ensure data can be successfully recovered?

HIPAA Security Rule Checklist: Encryption, Access, Logins

Checklist Items:

  • Using a risk analysis, have you assessed whether data encryption is appropriate?
  • If encryption is appropriate, have you deployed encryption measures?
  • Has the decision-making process governing use of encryption been documented?
  • Have you implemented controls to guard against unauthorized access of ePHI during electronic transmission?
  • Have you implemented identity management controls?
  • Have you implemented access controls?
  • Have you assigned unique usernames/numbers to all individuals who require access to ePHI?  
  • Have you implemented measures to verify the identity of any persons or entities seeking access to electronic protected health information?
  • Have you implemented technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network?
  • Is access to ePHI restricted to individuals who require access to perform essential work duties?
  • Have you implemented policies and procedures to assess whether employee access to ePHI is appropriate? 
  • Have you developed policies and procedures for terminating access to ePHI when an employee leaves an organization or has a change in role?
  • Have you implemented policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information?
  • Have you implemented physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users?
  • Do you have in place policies and procedures to recover all electronic devices containing ePHI when an employee leaves your organization?
  • Does your system automatically log out (log off) a user after a period of inactivity?
  • Do you create and monitor ePHI access logs? 
  • Are auditable ePHI access logs created for successful and unsuccessful login attempts? 
  • Are ePHI access logs routinely monitored to identify unauthorized access to ePHI?  

HIPAA Security Rule Checklist: Minimum Necessary Standard, ePHI Destruction, Facility Access Controls

Checklist Items:

  • Are all permitted uses and disclosures of ePHI limited to the minimum necessary information to achieve the purpose for which the ePHI is disclosed?
  • Have you implemented policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility?
  • Have you implemented controls to ensure ePHI cannot be altered or destroyed in an unauthorized manner?  
  • Have you developed policies and procedures that cover how to securely dispose of ePHI? 
  • Have you implemented procedures for removal of ePHI from electronic media before the media are made available for reuse?
  • Have you developed policies and procedures for the permanent erasure of ePHI on electronic devices when they are no longer required, or when the devices reach the end of their life?  
  • Are electronic devices containing ePHI and physical PHI stored securely until they are disposed of in a secure fashion?
  • Are mobile devices properly secured and stored?
  • Have you implemented policies and procedures to limit physical access to your electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed?

HIPAA Security Rule Checklist: Additional Administrative Safeguards

Checklist Items:

  • In addition to performing a risk analysis, does your organization also have in place a sanction policy, in which appropriate sanctions are applied against workforce members who fail to comply with your security policies and procedures? 
  • In addition to conducting a risk analysis, have you implemented an information system activity review, by implementing procedures to regularly review records of information system activity, such as:
    • Audit logs
    • Access reports
    • Security incident tracking reports
  • Does your organization have policies and procedures for how to identify and respond to suspected or known security incidents; to mitigate the harmful effects of known incidents; and to document security incidents and their outcomes?
  • Does your organization perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI?

HIPAA Security Rule Checklist: Business Associate Agreements

Checklist Items:

  • (For covered entities) Do you obtain satisfactory assurances from business associates that they will appropriately safeguard the ePHI that they create, maintain, receive, or transmit on your behalf?
  • (For business associates) Do you permit subcontractors to create, receive, maintain, or transmit ePHI on your behalf only if you obtain satisfactory assurances that the subcontractor will appropriately safeguard the information?
  • (For covered entities) Do you document the required satisfactory assurances through a written contract with the business associate?