Practical checklist

HIPAA Security Checklist for Independent Practices

Use this checklist to review the administrative, physical, and technical security work needed to protect electronic protected health information.

Risk analysis and governance

  • Maintain an inventory of systems, devices, applications, vendors, and locations that create, receive, maintain, or transmit electronic protected health information.
  • Document threats, vulnerabilities, existing safeguards, likelihood, impact, priority, and responsible owner.
  • Record management decisions, accepted risks, remediation plans, and review dates.
  • Review the analysis after material changes and on a defined recurring schedule.

Access and workforce controls

  • Require unique accounts and multifactor authentication where supported.
  • Use least privilege and review privileged access regularly.
  • Document onboarding, role changes, termination, training, and sanction procedures.
  • Control remote access, shared devices, personal devices, and emergency access.

Technology, vendors, and recovery

  • Protect endpoints, email, wireless networks, cloud applications, backups, and logs.
  • Confirm encryption and secure transmission requirements based on risk and system capability.
  • Maintain business associate agreements and review vendor security responsibilities.
  • Test backups, downtime procedures, incident escalation, and recovery responsibilities.

Documentation and evidence

  • Keep policies aligned with actual practice operations.
  • Retain review records, reports, training evidence, access reviews, vendor records, and remediation status.
  • Identify who collected each record, from which system, and when it was reviewed.
  • Track exceptions and unresolved risks through accountable follow-up.

Use the checklist as a starting point

This checklist is operational guidance, not legal advice or a complete determination of HIPAA compliance. Requirements should be reviewed against the practice’s specific environment and qualified legal or privacy guidance.

Explore HIPAA security operations