Free HIPAA compliance checklist
Work through the safeguards HIPAA asks for, one item at a time. This interactive checklist covers the administrative, physical, and technical safeguards of 45 CFR §164.308 and the surrounding rules, tracks your progress live, and downloads the completed checklist as Word or PDF. Everything runs in your browser, so nothing you check leaves your device and no sign-up is needed.
Checklist
Your organization
Administrative safeguards (§164.308)
Physical safeguards (§164.310)
Technical safeguards (§164.312)
Privacy & organizational (§164.520, §164.530)
Breach readiness (§164.400-414)
HIPAA COMPLIANCE CHECKLIST
HIPAA COMPLIANCE CHECKLIST
Progress: 0/27 (0%)
Administrative safeguards (§164.308)
[ ] Conducted a security risk analysis of every system that creates, receives, maintains, or transmits ePHI (§164.308(a)(1)(ii)(A))
[ ] Put a risk management process in place to bring identified risks down to a reasonable and appropriate level (§164.308(a)(1)(ii)(B))
[ ] Assigned a HIPAA Security Officer responsible for developing and enforcing security policies (§164.308(a)(2))
[ ] Provided security awareness and training to every workforce member who handles ePHI (§164.308(a)(5))
[ ] Adopted a sanction policy for workforce members who violate security policies and procedures (§164.308(a)(1)(ii)(C))
[ ] Established procedures that authorize and control workforce access to ePHI (§164.308(a)(4))
[ ] Created a contingency plan covering data backup, disaster recovery, and emergency mode operation (§164.308(a)(7))
[ ] Run periodic technical and non-technical evaluations of your safeguards (§164.308(a)(8))
[ ] Signed a business associate agreement with every vendor that handles ePHI on your behalf (§164.308(b)(1))
Physical safeguards (§164.310)
[ ] Implemented facility access controls that limit physical entry to areas holding ePHI (§164.310(a)(1))
[ ] Set workstation use and security rules that position and protect devices with access to ePHI (§164.310(b)-(c))
[ ] Adopted procedures for the secure disposal of hardware and media that held ePHI (§164.310(d)(2)(i))
[ ] Remove ePHI from electronic media before that media is reused (§164.310(d)(2)(ii))
Technical safeguards (§164.312)
[ ] Assign a unique user ID to each person so activity on ePHI can be traced (§164.312(a)(2)(i))
[ ] Configured automatic logoff to end sessions after a set period of inactivity (§164.312(a)(2)(iii))
[ ] Encrypt ePHI at rest wherever it is stored (§164.312(a)(2)(iv))
[ ] Encrypt ePHI in transit as it moves across networks (§164.312(e)(2)(ii))
[ ] Implemented audit controls that record and let you examine activity in systems with ePHI (§164.312(b))
[ ] Put integrity controls in place to keep ePHI from being improperly altered or destroyed (§164.312(c)(1))
Privacy & organizational (§164.520, §164.530)
[ ] Give patients a Notice of Privacy Practices explaining how their PHI is used and disclosed (§164.520)
[ ] Designated a HIPAA Privacy Officer responsible for privacy policies and procedures (§164.530(a))
[ ] Apply the minimum necessary standard so staff reach only the PHI they need to do their work (§164.514(d))
[ ] Established a process for patients to access and get copies of their records within the required timeframe (§164.524)
[ ] Offer a process for individuals to file complaints about your privacy practices (§164.530(d))
Breach readiness (§164.400-414)
[ ] Documented a breach response plan covering detection, investigation, and containment (§164.400-414)
[ ] Established procedures to notify individuals, HHS, and the media within the required timeframes (§164.404-408)
[ ] Maintain a log of security incidents and breaches, including those affecting fewer than 500 people (§164.408(c))
Generated by BlockSurvey
How the HIPAA compliance checklist works
3 steps · runs entirely in your browser
Work through the items
Check off each safeguard your organization already has in place across the five HIPAA domains, from risk analysis to breach readiness.
Watch your progress
A live progress bar shows how many items are done, and the checklist document updates in real time as you check things off.
Download the checklist
Export your completed checklist as a PDF or an editable Word file. Nothing you enter ever leaves your device.
Free, secure, and HIPAA-standard by default
Compliance work is stressful enough without a paywall or a form that ships your answers to someone else's server. This checklist mirrors the safeguards in 45 CFR §164.308 and the rules around it:
100% in-browser
The checklist runs on your device; nothing is uploaded.
No account required
No sign-up, no email wall, no tracking.
Free, real download
Your completed checklist as Word or PDF at no cost, not a watermarked sample.
What a HIPAA compliance checklist should cover
A complete checklist walks through the Security Rule and Privacy Rule safeguards, which include:
- Administrative safeguards, including a security risk analysis, a named security officer, and a risk management process.
- Physical safeguards, including facility access controls, workstation security, and secure device and media disposal.
- Technical safeguards, including unique user IDs, encryption at rest and in transit, automatic logoff, and audit logs.
- Your Notice of Privacy Practices and patient rights, such as the right to access records and to file complaints.
- Workforce training and a sanction policy for staff who handle protected health information.
- Business associate agreements with every vendor that touches your PHI.
- Breach readiness, including a response plan, notification procedures, and an incident log.
- Documentation and periodic evaluation, so you can show the work behind each item.
Built for every healthcare organization
Whether you are setting up HIPAA for the first time or reviewing a program you already run, the checklist gives you one clear place to see where you stand. It works alongside HIPAA-compliant survey software when you collect health data through forms.
New practices
See everything HIPAA expects before you open the doors.
Office managers
Run an annual review without hunting through the regulations.
Business associates
Confirm the safeguards you owe the practices you serve.
Audit prep
Walk in with a documented, item-by-item self-assessment.
Behavioral health
Cover the sensitive records therapy and counseling practices hold.
IT teams & MSPs
Map the technical safeguards you manage for healthcare clients.
Collecting PHI through forms or surveys?
HIPAA-compliant survey software from BlockSurvey signs a BAA with you, so the tool you use to gather health data is covered too.