HIPAA Compliance Checklist: What Every Healthcare Practice Needs in 2026
Nadia Patel
April 25, 2026 · 5 min read
If your healthcare practice handles protected health information (PHI) — and if you’re in healthcare, it does — HIPAA compliance isn’t optional. It’s a federal requirement with real teeth: fines range from $100 to $50,000 per violation, with annual maximums up to $1.5 million per violation category. And those are just the financial penalties. A breach can destroy patient trust and your practice’s reputation.
The challenge is that HIPAA’s requirements are broad and sometimes vague. This checklist translates the regulation into concrete, actionable items your practice should have in place right now.
Administrative Safeguards
Risk Assessment (Required — Not Optional)
A HIPAA risk assessment is the foundation of your entire compliance program. It’s also the single most common deficiency cited in OCR (Office for Civil Rights) enforcement actions.
- ☐ Conduct a comprehensive risk assessment at least annually
- ☐ Document all identified risks and vulnerabilities
- ☐ Create a risk management plan with specific remediation steps and timelines
- ☐ Review and update the assessment when significant changes occur (new EHR system, office move, etc.)
Policies and Procedures
- ☐ Written privacy policies covering PHI use and disclosure
- ☐ Written security policies covering technical, physical, and administrative safeguards
- ☐ Breach notification procedures documented and tested
- ☐ Sanction policy for employees who violate HIPAA policies
- ☐ All policies reviewed and updated at least annually
Workforce Training
- ☐ All employees receive HIPAA training upon hire
- ☐ Annual refresher training for all staff
- ☐ Training documented with dates, topics, and attendee sign-off
- ☐ Security awareness training including phishing recognition
- ☐ Role-based training for staff with elevated access to PHI
Business Associate Agreements (BAAs)
- ☐ Inventory all vendors who access, store, or transmit PHI
- ☐ Signed BAA on file for every business associate
- ☐ BAAs reviewed and updated when vendor relationships change
- ☐ BAAs include breach notification requirements
Technical Safeguards
Access Controls
- ☐ Unique user ID for every employee (no shared logins)
- ☐ Role-based access controls — staff only access the minimum PHI necessary for their job
- ☐ Multi-factor authentication (MFA) on all systems containing PHI
- ☐ Automatic session timeout after a defined period of inactivity
- ☐ Immediate access revocation process when employees leave
Encryption
- ☐ PHI encrypted at rest on all servers, workstations, and portable devices
- ☐ PHI encrypted in transit (TLS for email, HTTPS for web applications, VPN for remote access)
- ☐ Encrypted email solution for communicating PHI with patients and other providers
- ☐ Full-disk encryption on all laptops and mobile devices
Audit Controls
- ☐ Logging enabled on all systems that store or access PHI
- ☐ Logs include user access, modifications, and deletions
- ☐ Logs reviewed regularly for suspicious activity
- ☐ Log retention for a minimum of 6 years (HIPAA requirement)
Endpoint Security
- ☐ Endpoint detection and response (EDR) on all workstations and servers
- ☐ Automated patch management for operating systems and applications
- ☐ DNS filtering to block malicious websites
- ☐ Email security with anti-phishing and attachment scanning
Physical Safeguards
- ☐ Server rooms and network closets physically secured (locked, access-controlled)
- ☐ Workstations positioned so screens are not visible to unauthorized individuals
- ☐ Clean desk policy for areas where PHI might be visible
- ☐ Secure disposal procedures for devices and media containing PHI
- ☐ Visitor access controls and sign-in procedures
Backup and Disaster Recovery
- ☐ Daily backups of all systems containing PHI
- ☐ Backups stored in a geographically separate location
- ☐ Backup encryption in transit and at rest
- ☐ Regular backup restoration testing (at least quarterly)
- ☐ Documented disaster recovery plan with defined RTOs and RPOs (recovery time objectives and recovery point objectives)
- ☐ Annual disaster recovery drill
The Most Common HIPAA Gaps We See
After working with dozens of healthcare practices across the East Coast, here are the compliance gaps we encounter most frequently:
- No documented risk assessment. This is the #1 finding in OCR audits. Many practices think they’re compliant because they have antivirus software. That’s not how HIPAA works.
- No BAAs with cloud vendors. Using Dropbox, Google Drive, or a cloud-based EHR without a signed BAA? That’s a violation — even if the vendor is willing to sign one.
- Shared login credentials. When three front-desk staff share one EHR login, you’ve lost all accountability and audit trail capability.
- No encryption on laptops. A lost or stolen laptop with unencrypted PHI is a reportable breach. Full-disk encryption eliminates this risk entirely.
- No incident response plan. When a breach occurs (and eventually, something will happen), you need a documented plan — not panic.
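As an added illustration of what a regular log review can catch (example code, not part of the original checklist), the script below parses constructed audit-log lines and flags two of the gaps named above: one user ID active on different workstations within minutes, which is a shared-login indicator, and activity from an account that should already have been disabled on departure. The log format, user names, workstation names and the terminated-account list are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit log (not real data). Fields per line:
# timestamp, user id, workstation, action, patient record id
SAMPLE_LOG = """\
2026-04-20T08:02:11 jdoe WS-FRONT1 VIEW PT-1001
2026-04-20T08:03:40 jdoe WS-FRONT2 VIEW PT-1002
2026-04-20T08:04:05 mlee WS-NURSE1 UPDATE PT-1003
2026-04-20T09:15:00 tgone WS-BILL1 VIEW PT-1004
2026-04-20T09:40:22 mlee WS-NURSE1 DELETE PT-1005
"""

# Assumed list of accounts belonging to staff who have already left;
# in practice this comes from HR / the access-revocation process.
TERMINATED = {"tgone"}
WINDOW = timedelta(minutes=5)  # assumed "too fast to walk between desks" window


def parse_log(text):
    """Turn raw log lines into (timestamp, user, host, action, record) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, host, action, record = line.split()
        events.append((datetime.fromisoformat(ts), user, host, action, record))
    return events


def find_shared_logins(events, window=WINDOW):
    """Same user ID seen on two different workstations within `window`:
    a sign that one login is being shared by several people."""
    findings = []
    last_seen = {}  # user -> (timestamp, host) of the previous event
    for ts, user, host, _, _ in sorted(events):
        prev = last_seen.get(user)
        if prev and prev[1] != host and ts - prev[0] <= window:
            findings.append((user, prev[1], host))
        last_seen[user] = (ts, host)
    return findings


def find_terminated_access(events, terminated=TERMINATED):
    """Any PHI activity by an account that should have been revoked."""
    return [(user, record) for _, user, _, _, record in events if user in terminated]


def review(text):
    """Run both checks over a log and return the findings for follow-up."""
    events = parse_log(text)
    return {"shared_logins": find_shared_logins(events),
            "terminated_access": find_terminated_access(events)}
```

Both checks only work if every employee has a unique user ID and logs carry the workstation, which is why those checklist items come first.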
HIPAA Compliance Is Not a One-Time Project
The biggest misconception about HIPAA compliance is that it’s something you “achieve” once and you’re done. In reality, compliance is an ongoing program that requires continuous monitoring, regular assessments, updated training, and adaptation to new threats and regulatory changes.
This is exactly why many healthcare practices partner with a compliance-focused IT provider — someone who understands both the technical requirements and the regulatory landscape, and can keep your practice compliant year after year.
Take the First Step: Assess Where You Stand
If this checklist revealed gaps in your compliance posture, you’re not alone — and you’re not in trouble yet. The best time to address compliance gaps is before an audit or breach forces the issue.
Schedule a free HIPAA readiness assessment with BrightWorks IT. We’ll evaluate your current security posture against HIPAA requirements and give you a clear, prioritized roadmap to full compliance.
Written by
Nadia Patel
Nadia covers cybersecurity, cloud infrastructure, and IT strategy for growing businesses. With a background in enterprise technology and a passion for clear communication, she helps business leaders understand the technology decisions that matter most.