The HIPAA Compliance Checklist Your Practice Needs to Follow

When it comes to HIPAA laws, health care providers can’t afford to drop the ball.

Confidentiality of protected health information (PHI) is the core of the HIPAA Privacy Rule, and safeguarding electronic PHI (ePHI) is the core of the HIPAA Security Rule.

Use the questions and HIPAA compliance checklist below and see how your current practice measures up.

HIPAA Compliance Checklist


HIPAA is centered on patient privacy. To check that your practice is complying with the Privacy Rule, consider the following questions:

  1. Does our organization have the most up-to-date information regarding HIPAA regulations?
  2. Is a Notice of Privacy Practices posted in our office and given to each patient?
  3. Has our organization designated an Information Privacy and Security Officer? (HIPAA requires a designated privacy official and a designated security official; in a small practice this can be the same person.)
  4. Does our organization have procedures in place for receiving, documenting, and investigating individual complaints?
  5. Is our organization using current patient consent forms and notices of privacy practices that comply with HIPAA regulations?
  6. Are the consent forms and notices available in the other languages our patients speak and understand best?
  7. Do the consent forms and notices include the following information:
    1. An explanation of patients’ rights
    2. How those rights can be exercised
    3. Details of the covered organization’s legal responsibilities
    4. Contact information for someone who can give the patient more information

A HIPAA compliance checklist for front office staff is a great way to make sure no patient goes without receiving this required information.

The concept of patient confidentiality is widely known and at least partially understood. However, privacy violations can be a common misstep for many employees within the medical field.

Most often, these violations are committed by an employee who has not been properly trained, and they can be prevented.

Avoiding these simple violations is key to staying within compliance. The best way to do so is through recurring education and training for everyone on your staff.

Providing a HIPAA compliance checklist for each employee as it pertains to their job duties can be helpful.

The importance of training also implies the importance of having an Information Privacy and Security Officer. The IPSO should be responsible for ensuring that all employees are aware of HIPAA regulations and how to avoid breaking them.


We live in the information age. Breaches of digital security happen every day. Don’t think they can’t happen to you!

Some questions to review regarding whether or not your security is HIPAA compliant are:

  1. Does our organization have appropriate IT security controls in place, including:
    1. Anti-malware protection
    2. Firewalls
    3. Encryption of ePHI on stored devices and in transit
    4. Strong passwords and authentication measures
  2. Is our network actively managed (patched, monitored, and configured) by an IT professional, or is it only repaired when something breaks?
  3. Does our organization have a tested backup system for digitally stored data?
  4. Are audit logs in place that can trace a potential digital HIPAA violation back to a specific username or login ID?
  5. Do computers within our organization automatically lock or log off after a period of inactivity?
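Question 4 above is only answerable if access to patient records is actually logged with the login ID behind each event. The following script is an added example, not part of the original checklist: it parses a few constructed EHR access-log lines (the field layout of timestamp, login ID, role, action, record type, patient ID and workstation is an assumption for this example) and answers two questions a reviewer asks after a suspected violation: who touched a given patient's records, and which accesses fall outside what the user's role needs. The role-to-record-type policy is likewise hypothetical; it illustrates the limited-access point made later in this article.

```python
"""Audit-trail review over constructed EHR access-log lines.

Added example, not code from the original article. The log format and the
role policy are assumptions chosen for illustration.
"""
from collections import namedtuple
from datetime import datetime

# Constructed sample audit lines (not real data):
# <ISO timestamp> <login ID> <role> <action> <record type> <patient ID> <workstation>
SAMPLE_LOG = """\
2023-03-01T08:02:11Z jdoe scheduler VIEW appointment P1001 WS-04
2023-03-01T08:05:42Z jdoe scheduler VIEW billing P1001 WS-04
2023-03-01T08:07:03Z msmith billing VIEW billing P1001 WS-07
2023-03-01T09:15:20Z drlee physician VIEW clinical P1001 WS-12
2023-03-01T09:16:48Z drlee physician EXPORT clinical P1002 WS-12
2023-03-01T12:30:00Z jdoe scheduler VIEW clinical P1002 WS-04
"""

AccessEvent = namedtuple(
    "AccessEvent", "ts user role action record patient workstation"
)

# Hypothetical policy: the record types each role needs for its job.
# A role that is missing here is treated as permitted nothing, so every
# access by an unknown role is flagged rather than silently accepted.
ROLE_PERMISSIONS = {
    "scheduler": {"appointment"},
    "billing": {"billing", "appointment"},
    "physician": {"clinical", "appointment"},
}


def parse_log(text):
    """Parse audit lines into AccessEvent records; reject malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"malformed audit line: {line!r}")
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(AccessEvent(ts, *fields[1:]))
    return events


def accesses_for_patient(events, patient_id):
    """The trace-back question: every event touching one patient's records,
    in time order, each tied to a login ID and workstation."""
    return sorted((e for e in events if e.patient == patient_id),
                  key=lambda e: e.ts)


def out_of_role_accesses(events, policy=ROLE_PERMISSIONS):
    """Events where the user's role is not permitted the record type accessed."""
    return [e for e in events if e.record not in policy.get(e.role, set())]


def users_who_accessed(events, patient_id):
    """Distinct login IDs that touched the patient's records."""
    return sorted({e.user for e in accesses_for_patient(events, patient_id)})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in accesses_for_patient(evts, "P1001"):
        print(f"{e.ts:%Y-%m-%d %H:%M} {e.user:<8}{e.action:<7}{e.record} from {e.workstation}")
    print("out-of-role accesses:")
    for e in out_of_role_accesses(evts):
        print(f"  {e.user} ({e.role}) {e.action} {e.record} for {e.patient}")
```

In the sample data the scheduler account jdoe views a billing record and a clinical record, neither of which its role needs; both events are returned by out_of_role_accesses, each with the login ID, timestamp and workstation needed for the investigation and for the breach log. An unknown role is flagged on every access rather than ignored, which is the safe failure mode for an audit review.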

Privacy screen filters for computer monitors are also recommended. They prevent unauthorized personnel or other patients from reading information from the side of a workstation.

A specific HIPAA compliance checklist for your IT department will keep them on track.

In addition, there are security issues surrounding your practice’s physical location, including paper records like files and patient charts.

See if you are using the following “best practices”:

  1. Does our organization have a Disaster Recovery and Contingency Plan?
  2. Are there substantial physical security measures in place for our offices and the files in our care including:
    1. Fire prevention systems
    2. Alarm systems
    3. Security cameras
    4. Backup or duplicates of physical files
    5. Shredding of paper records before disposal

Having a Disaster Recovery Procedure is important in the case of natural or man-made disasters. Employees should be trained on this as well.

Other Considerations

Your employees

As previously mentioned, training of your staff will be key to avoiding HIPAA violations.

Common infractions can simply occur because employees are not made aware of what those infractions look like.

To avoid those types of infractions, employees should know that the following “simple” mistakes are considered HIPAA violations:

  • Sharing patient information with family members or friends
  • Posting photos of patients on social media, even if the patient is not named
  • Texting patient information over unsecured channels
  • Social breaches

Each of these items should be noted on your HIPAA compliance checklist, as they are common problem areas.

All staff training on HIPAA law should be documented. You should also have written policies and procedures for how violations are dealt with within your organization.

These policies and procedures should be distributed to each employee as part of new-hire training and updated periodically as required by HIPAA regulations.

Employees should also sign an acknowledgment form, stating that they have been trained on HIPAA standards and how they apply to your organization.

Finally, make sure your employees only have access to the information their job requires. This is the Privacy Rule’s “minimum necessary” standard, and it is basic least privilege: someone whose job is to make appointments does not need as much access as someone who handles billing.

Some employees may not require access to any patient information for their job duties at all. However, purchasing clerks, maintenance staff, etc. will still need to be trained on HIPAA compliance.

These employees will be in the vicinity of private patient information, whether they have to use it in their jobs or not.

Written policies

Privacy and security policies should be written and updated as often as necessary to maintain HIPAA compliance, but also as a means of internal control.

Specific policies should also be in place in regard to incident response, as well as a breach log for auditing purposes.

Written policies for the process of providing medical records to patients and other authorized parties are also necessary to avoid potential infractions.

In short, the best way to ensure compliance with HIPAA across the board is to document, document, document. It is much better to be safe than sorry.

Compliance Necessity

HIPAA Regulations are complex and detailed. Compliance can seem like a tall order, even for a small medical practice.

Lack of compliance can and does lead to fines, sanctions, or loss of licenses.

A HIPAA compliance checklist for each employee is a great beginning, but wouldn’t it be great if compliance was easier?

Lucky for you, there are ways to simplify HIPAA compliance while giving you peace of mind about your internal controls.

Have you answered the questions above and still find yourself feeling uncertain about your current HIPAA policies and procedures?

Good news! We can help you perform a risk assessment to help pinpoint possible weaknesses in your compliance measures.

Contact us today for a consultation!

HIPAA Security Reminders


HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: Implement a security awareness and training program for all members of its workforce (including management).

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
