Free HIPAA compliance checklist

Work through the safeguards HIPAA asks for, one item at a time. This interactive checklist covers the administrative, physical, and technical safeguards of 45 CFR §164.308 and the surrounding rules, tracks your progress live, and downloads the completed checklist as Word or PDF. Everything runs in your browser, so nothing you check leaves your device and no sign-up is needed.

Checklist

Your organization

Administrative safeguards (§164.308)

Physical safeguards (§164.310)

Technical safeguards (§164.312)

Privacy & organizational (§164.520, §164.530)

Breach readiness (§164.400-414)

Preview

0 of 27 complete0%

HIPAA COMPLIANCE CHECKLIST

HIPAA COMPLIANCE CHECKLIST

Progress: 0/27 (0%)

Administrative safeguards (§164.308)

[ ] Conducted a security risk analysis of every system that creates, receives, maintains, or transmits ePHI (§164.308(a)(1)(ii)(A))

[ ] Put a risk management process in place to bring identified risks down to a reasonable and appropriate level (§164.308(a)(1)(ii)(B))

[ ] Assigned a HIPAA Security Officer responsible for developing and enforcing security policies (§164.308(a)(2))

[ ] Provided security awareness and training to every workforce member who handles ePHI (§164.308(a)(5))

[ ] Adopted a sanction policy for workforce members who violate security policies and procedures (§164.308(a)(1)(ii)(C))

[ ] Established procedures that authorize and control workforce access to ePHI (§164.308(a)(4))

[ ] Created a contingency plan covering data backup, disaster recovery, and emergency mode operation (§164.308(a)(7))

[ ] Run periodic technical and non-technical evaluations of your safeguards (§164.308(a)(8))

[ ] Signed a business associate agreement with every vendor that handles ePHI on your behalf (§164.308(b)(1))

Physical safeguards (§164.310)

[ ] Implemented facility access controls that limit physical entry to areas holding ePHI (§164.310(a)(1))

[ ] Set workstation use and security rules that position and protect devices with access to ePHI (§164.310(b)-(c))

[ ] Adopted procedures for the secure disposal of hardware and media that held ePHI (§164.310(d)(2)(i))

[ ] Remove ePHI from electronic media before that media is reused (§164.310(d)(2)(ii))

Technical safeguards (§164.312)

[ ] Assign a unique user ID to each person so activity on ePHI can be traced (§164.312(a)(2)(i))

[ ] Configured automatic logoff to end sessions after a set period of inactivity (§164.312(a)(2)(iii))

[ ] Encrypt ePHI at rest wherever it is stored (§164.312(a)(2)(iv))

[ ] Encrypt ePHI in transit as it moves across networks (§164.312(e)(2)(ii))

[ ] Implemented audit controls that record and let you examine activity in systems with ePHI (§164.312(b))

[ ] Put integrity controls in place to keep ePHI from being improperly altered or destroyed (§164.312(c)(1))

Privacy & organizational (§164.520, §164.530)

[ ] Give patients a Notice of Privacy Practices explaining how their PHI is used and disclosed (§164.520)

[ ] Designated a HIPAA Privacy Officer responsible for privacy policies and procedures (§164.530(a))

[ ] Apply the minimum necessary standard so staff reach only the PHI they need to do their work (§164.514(d))

[ ] Established a process for patients to access and get copies of their records within the required timeframe (§164.524)

[ ] Offer a process for individuals to file complaints about your privacy practices (§164.530(d))

Breach readiness (§164.400-414)

[ ] Documented a breach response plan covering detection, investigation, and containment (§164.400-414)

[ ] Established procedures to notify individuals, HHS, and the media within the required timeframes (§164.404-408)

[ ] Maintain a log of security incidents and breaches, including those affecting fewer than 500 people (§164.408(c))

Generated by BlockSurvey

How the HIPAA compliance checklist works

3 steps · runs entirely in your browser

1

Work through the items

Check off each safeguard your organization already has in place across the five HIPAA domains, from risk analysis to breach readiness.

2

Watch your progress

A live progress bar shows how many items are done, and the checklist document updates in real time as you check things off.

3

Download the checklist

Export your completed checklist as a PDF or an editable Word file. Nothing you enter ever leaves your device.

Free, secure, and HIPAA-standard by default

Compliance work is stressful enough without a paywall or a form that ships your answers to someone else's server. This checklist mirrors the safeguards in 45 CFR §164.308 and the rules around it:

01

100% in-browser

The checklist runs on your device; nothing is uploaded.

02

No account required

No sign-up, no email wall, no tracking.

03

Free, real download

Your completed checklist as Word or PDF at no cost, not a watermarked sample.

What a HIPAA compliance checklist should cover

A complete checklist walks through the Security Rule and Privacy Rule safeguards, which include:

  1. Administrative safeguards, including a security risk analysis, a named security officer, and a risk management process.
  2. Physical safeguards, including facility access controls, workstation security, and secure device and media disposal.
  3. Technical safeguards, including unique user IDs, encryption at rest and in transit, automatic logoff, and audit logs.
  4. Your Notice of Privacy Practices and patient rights, such as the right to access records and to file complaints.
  5. Workforce training and a sanction policy for staff who handle protected health information.
  6. Business associate agreements with every vendor that touches your PHI.
  7. Breach readiness, including a response plan, notification procedures, and an incident log.
  8. Documentation and periodic evaluation, so you can show the work behind each item.

Built for every healthcare organization

Whether you are setting up HIPAA for the first time or reviewing a program you already run, the checklist gives you one clear place to see where you stand. It works alongside HIPAA-compliant survey software when you collect health data through forms.

New practices

See everything HIPAA expects before you open the doors.

Office managers

Run an annual review without hunting through the regulations.

Business associates

Confirm the safeguards you owe the practices you serve.

Audit prep

Walk in with a documented, item-by-item self-assessment.

Behavioral health

Cover the sensitive records therapy and counseling practices hold.

IT teams & MSPs

Map the technical safeguards you manage for healthcare clients.

Collecting PHI through forms or surveys?

HIPAA-compliant survey software from BlockSurvey signs a BAA with you, so the tool you use to gather health data is covered too.

More free HIPAA tools

Explore more

Frequently asked questions

What's on a HIPAA compliance checklist?

A HIPAA compliance checklist walks through the safeguards the Security Rule and Privacy Rule require. It covers administrative safeguards such as a security risk analysis, a named security officer, workforce training, and business associate agreements; physical safeguards such as facility access and secure device disposal; and technical safeguards such as unique user IDs, encryption at rest and in transit, automatic logoff, and audit logs. It also covers privacy items such as your Notice of Privacy Practices, a privacy officer, the minimum necessary standard, and patient access, plus breach readiness. This tool groups all of that into five domains you can check off one by one.

Is a checklist enough to be compliant?

No. A checklist helps you see where you stand and what is missing, but compliance is the underlying work, not the ticks in the boxes. Each item points to something real you have to implement, document, and maintain, like an actual risk analysis under 45 CFR 164.308(a)(1)(ii)(A), signed business associate agreements, and encryption on the systems that hold ePHI. Use this checklist to organize the effort and track progress, then do the work behind each item and keep the evidence.

How often should we run through it?

Treat it as a living document rather than a one-time exercise. At a minimum, review the full checklist once a year and after any material change, such as a new system that handles PHI, a merger, a move, or a new vendor. HIPAA expects periodic evaluations under 45 CFR 164.308(a)(8), and your risk analysis should be revisited as your environment changes. Many organizations run a quick check each quarter and a full review annually.

Does the checklist get saved anywhere?

No. Everything runs in your browser. The items you check and the organization details you enter are never sent to or stored on any server, which is why no sign-up is required. When you download the completed checklist as Word or PDF, the file is generated on your device. If you close the tab without downloading, your progress is not kept, so export a copy when you are done.

Who should fill this out?

Usually the person responsible for HIPAA in your organization, such as your security or privacy officer, an office manager, or a compliance lead. In a small practice that may be the owner. In a larger group it is often a team effort, with IT confirming the technical safeguards and administration confirming the training, policies, and agreements. The point is that whoever fills it out can honestly confirm each item is actually in place, not just planned.

Is this a substitute for legal advice?

No. This checklist is a starting point that reflects the safeguards HIPAA calls for, but it is not legal advice and is not guaranteed to be complete or suitable for your specific situation. Your services, your state's laws, and the findings of your own risk analysis can add requirements. Have your compliance program reviewed by qualified counsel or a compliance professional before you rely on it.
Scripts are blocked. This site won’t work properly. If you’re using Brave, click the Shields icon and turn off Block scripts. Otherwise disable your ad blocker for this site.