HIPAA Compliance Checklist

Do you regularly handle protected health information (PHI)? If so, you might need to be HIPAA compliant—especially now that the Health Insurance Portability and Accountability Act rule covers both Covered Entities and their Business Associates. But HIPAA compliance, designed to protect the privacy and security of your patients and clients, can be complicated. To break it down, we’ve put together a handy HIPAA Compliance Checklist. Even better, we’re giving you insight into how you can actually cross things off using Sookasa.

Before we dive in, a quick word about requirements: One of the complexities of HIPAA compliance is that it’s not always clear what’s mandatory and what isn’t. You’ll notice that certain implementation standards are designated as required, while others are called “addressable.”

  • If the implementation specification is “addressable,” it’s up to the Covered Entity’s discretion whether or not to implement the standard.
  • To make this call, the Covered Entity is supposed to weigh whether the specifications are “reasonable and appropriate”—which admittedly sounds pretty vague.
  • Many times it’s best to err on the side of caution. If an addressable specification is “reasonable and appropriate,” the Entity is supposed to implement it. If not, the Entity better be prepared to prove it: The entity must document the rationale supporting its decision and either implement an equivalent measure or skip it if the standard can still be met and there’s no reasonable alternative.

Now, back to the HIPAA Compliance Checklist. There are two main rules that Covered Entities and their Business Associates should familiarize themselves with in order to be HIPAA compliant: HIPAA’s Privacy Rule and Security Rule.


The Privacy Rule sets national standards for who is allowed to have access to PHI, whether it’s found in electronic, paper, or oral form. In other words, it spells out guidelines for Covered Entities to consider as they share PHI with Business Associates.

The Privacy Rule is designed to ensure that PHI is properly protected. But it attempts to be practical, too, by allowing authorized parties to transmit and share PHI in order to provide proper care.

Here’s a checklist for the Privacy Rule:

  • Privacy policies and procedures. Develop and implement written privacy policies and procedures consistent with the Privacy Rule.
  • Privacy personnel. Appoint a privacy official to develop and implement the aforementioned privacy policies. Designate a contact person responsible for receiving complaints and providing individuals with information about privacy practices.
  • Workforce training and management. Train everyone on your workforce—including employees, volunteers, and others—on your privacy policies, and apply appropriate sanctions against those who violate the standards.
  • Mitigation. Mitigate, to the extent practicable, any harmful effect caused by an employee’s or Business Associate’s improper use or disclosure of PHI.
  • Data safeguards. Maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent use or disclosure of PHI—whether it’s intentional or not. Solutions might include shredding documents, employing pass codes, or limiting access to private information.
  • Complaints procedures. Implement procedures for individuals to complain to the Covered Entity about its HIPAA compliance, and inform people that complaints may also be submitted to the Secretary of the U.S. Department of Health & Human Services.
  • Retaliation and waiver. Don’t retaliate against anyone who exercises his or her Privacy Rule rights. Don’t ask people to waive their Privacy Rule rights as a condition for obtaining treatment, payment, or enrollment eligibility.
  • Documentation and record retention. Store records of your privacy policies, privacy practice notices, disposition of complaints, and other actions for six years after their creation.

In general, the Privacy Rule works to limit the disclosure of protected information. With these rules in place, it also grants individuals the opportunity to hold Covered Entities accountable for how they handle PHI.


While the Privacy Rule applies to PHI in any form, the Security Rule is tailored to protecting the growing volume of electronic protected health information (ePHI) at every stage of its life cycle: creation, storage, sharing, and disposal.

With cloud computing and BYOD culture on the rise in work environments everywhere, adhering to the Security Rule is more important than ever in order to ensure HIPAA compliance.

The Security Rule portion of the HIPAA compliance checklist is divided into three safeguard categories: Administrative Safeguards, Physical Safeguards, and Technical Safeguards.

Each of the safeguard categories is itself divided into standards for Covered Entities to follow to ensure HIPAA compliance. Each standard, in turn, contains several implementation specifications, or additional instructions to help implement the standard.

So: safeguards, standards, and specifications. It’s no wonder that complying with HIPAA seems daunting.

But let’s take a closer look at the following safeguard checklists, so you know what to do to make sure you’re following the Security Rule.

The HIPAA Compliance Checklist Administrative Safeguards

The Administrative Safeguards are just that: administrative policies to govern the workforce and ensure HIPAA compliance. There are nine of them, which we’ve listed below along with implementation guidelines for how to meet them.

Standard 1. Security Management Process

  • Risk Analysis (required) – Thoroughly assess potential risks and vulnerabilities concerning the confidentiality, integrity, and availability of ePHI.
  • Risk Management (required) – Implement security measures to keep ePHI violations to a minimum.
  • Sanction Policy (required) – Establish appropriate sanctions for employees who don’t comply with privacy and security policies.
  • Information System Activity Review (required) – Establish procedures for regularly reviewing records of information system activity.

Standard 2. Assigned Security Responsibility

  • Assigned Security Responsibility (required) – Appoint someone to develop and carry out privacy policies and procedures.

Standard 3. Workforce Security

  • Authorization and/or Supervision (addressable) – Establish procedures to supervise and oversee employees working with ePHI.
  • Workforce Clearance Procedure (addressable) – Establish procedures that ensure that an employee’s access to ePHI is authorized.
  • Termination Procedures (addressable) – Implement procedures to ensure that a terminated employee will no longer have access to ePHI.

Standard 4. Information Access Management

  • Isolating Health Care Clearinghouse Functions (required) – This applies specifically to clearinghouses that are part of larger organizations. In that case, make sure the clearinghouse has policies that ensure its ePHI isn’t compromised by unauthorized members of the broader organization.
  • Access Authorization (addressable) – Establish procedures for granting access to ePHI through particular workstations, processes, or programs.
  • Access Establishment and Modification (addressable) – Enact policies that will establish, document, and modify a user’s right to access ePHI.

Standard 5. Security Awareness and Training

  • Security Reminders (addressable) – Establish a method for periodic security updates.
  • Protection from Malicious Software (addressable) – Have procedures to guard against malicious software that may be able to access and compromise ePHI.
  • Log-in Monitoring (addressable) – Implement a method to monitor log-in attempts and keep track of any discrepancies.
  • Password Management (addressable) – Implement procedures for creating, changing, and safeguarding passwords.           

Standard 6. Security Incident Procedures

  • Response and Reporting (required) – Identify, mitigate, and document any security breaches or incidents and their effects.

Standard 7. Contingency Plan

  • Data Backup Plan (required) – Make sure there are ways to retrieve copies of ePHI in case of a breach or malfunction.
  • Disaster Recovery Plan (required) – Create plans around restoring any lost data.
  • Emergency Mode Operation Plan (required) – Establish how to continue critical business operations while protecting the privacy of ePHI in emergency conditions.
  • Testing and Revision Procedures (addressable) – Be able to periodically test and revise contingency plans.
  • Applications and Data Criticality Analysis (addressable) – Implement procedures to assess the relative importance of specific data and applications as part of contingency plans.           

Standard 8. Evaluation

  • Evaluation (required) – Periodically assess technical and non-technical elements of ePHI security, especially in response to environmental or operational changes.          

Standard 9. Business Associate Contracts and Other Arrangements

  • Written Contract or Other Arrangement (required) – Document in writing that business associates will comply with all ePHI protection procedures.

The HIPAA Compliance Checklist Physical Safeguards

There are four Physical Safeguards, which are geared toward protecting electronic systems and their data from outside threats, environmental hazards, and unauthorized intrusion.

Standard 1. Facility Access Controls

  • Contingency Operations (addressable) – Establish procedures that enable facility access and data restoration in case of emergency.
  • Facility Security Plan (addressable) – Establish procedures to safeguard the facility and its equipment from unauthorized access, tampering, and theft.
  • Access Control and Validation Procedures (addressable) – Implement procedures to control and validate a person’s facility access, and implement a way to control access to software programs for testing.
  • Maintenance Records (addressable) – Establish procedures to record repairs and modifications to physical components of the facility, like doors, locks, or walls.

Standard 2. Workstation Use

  • Workstation Use (required) – Enact policies that specify functions, how those functions are performed, and the physical attributes of workstations from which ePHI can be accessed.

Standard 3. Workstation Security

  • Workstation Security (required) – Implement physical safeguards for all workstations that access ePHI in order to limit access solely to authorized users.

Standard 4. Device and Media Controls

  • Disposal (required) – Implement policies for the final disposal of ePHI or the hardware and electronic media on which it is stored.
  • Media Re-use (required) – Establish policies concerning how ePHI should be removed from electronic media before it can be reused.
  • Accountability (addressable) – Create policies to track movements of hardware and electronic media.
  • Data Backup and Storage (addressable) – Implement policies to create retrievable, exact copies of ePHI before any equipment is moved.

The HIPAA Compliance Checklist Technical Safeguards

Five Technical Safeguards are put in place to protect data and access to it.

Standard 1. Access Control

  • Unique User Identification (required) – Establish procedures to assign a unique name and/or number to identify and track user identity and usage.
  • Emergency Access Procedure (required) – Establish procedures for obtaining necessary ePHI in an emergency.
  • Automatic Logoff (addressable) – Establish procedures to automatically log users off after a certain period of inactivity.
  • Encryption and Decryption (addressable) – Establish policies to ensure encryption and decryption of ePHI.

Sookasa can help give these policies teeth, making it possible—not to mention easy—to enforce them. Sookasa assigns unique credentials to users based on their email addresses and secure passwords to identify and track user identities. Sookasa provides emergency access to ePHI via its centralized web-based dashboard. To protect files, Sookasa automatically logs users off after a period of inactivity. Administrators can also set log-off times so users will have to sign in before opening files. Sookasa’s encryption and decryption solution is seamless, and can be accomplished via its PC, Mac, iOS, and Android clients as well as on its web browser interface.

Standard 2. Audit Controls

  • Audit Controls (required) – Implement hardware, software, or other mechanisms that will record and examine activity in the systems containing ePHI.

Sookasa audits every access to encrypted files, even after they’ve been downloaded to devices or shared externally. And our centralized dashboard gives administrators a lens into the entire organization, making it possible to quickly and easily audit the life of every file for every user and device.

Standard 3. Integrity

  • Mechanism to Authenticate Electronic Protected Health Information (addressable) – Implement electronic mechanisms to corroborate that ePHI has not been inappropriately altered or destroyed.

Sookasa validates the integrity of each file version by using a hash-based message authentication code (HMAC), so a file cannot be modified without detection by anyone who does not hold the encryption keys.

Standard 4. Person or Entity Authentication

  • Person or Entity Authentication (required) – Implement procedures to verify that a user requesting access to ePHI is the correct user.

Standard 5. Transmission Security

  • Integrity Controls (addressable) – Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection.
  • Encryption (addressable) – Implement a mechanism to encrypt ePHI whenever appropriate.

Sookasa encrypts the files before they are transmitted via secure HTTP (HTTPS) to Dropbox, thereby protecting the files in transit and at rest. The encryption scheme employs an HMAC to ensure that the data cannot be modified or destroyed without detection.
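The encrypt-then-MAC pattern described for Standards 3 and 5 (an HMAC over the encrypted file so that any alteration in transit or at rest is detected) can be shown in a few lines. This is an added illustration, not Sookasa’s code: it assumes separate encryption and MAC keys, uses an HMAC-SHA256 counter-mode keystream as a stand-in for a real cipher such as AES (the Python standard library has no AES), and the keys and record are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo keys. A real system derives distinct per-file keys from a key manager
# and never reuses the encryption key as the MAC key.
ENC_KEY = os.urandom(32)
MAC_KEY = os.urandom(32)
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC-SHA256(key, nonce || counter). Stand-in for AES-CTR."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt_version(plaintext: bytes, enc_key: bytes = ENC_KEY, mac_key: bytes = MAC_KEY) -> bytes:
    """Encrypt one file version, then MAC nonce||ciphertext (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)                      # fresh per version, never reused
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_version(blob: bytes, enc_key: bytes = ENC_KEY, mac_key: bytes = MAC_KEY) -> bytes:
    """Verify the HMAC before touching the ciphertext; reject on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob truncated")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):        # constant-time comparison
        raise ValueError("integrity check failed: file version was altered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def tamper_detected(blob: bytes, offset: int) -> bool:
    """Flip one bit at `offset` (nonce, ciphertext or tag) and report whether decryption refuses it."""
    altered = bytearray(blob)
    altered[offset] ^= 0x01
    try:
        decrypt_version(bytes(altered))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    record = b"constructed sample record: patient 0000, visit note"
    blob = encrypt_version(record)
    assert decrypt_version(blob) == record
    print("ciphertext bit-flip detected:", tamper_detected(blob, NONCE_LEN + 3))
```

The audit point in practice is the `ValueError`: a failed integrity check is a security incident to log and report under Standard 6, not an error to silently retry.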

Following steps outlined in these HIPAA Compliance Checklists is a good place to start, but we recommend asking an attorney or privacy officer to review each rule in its entirety.

Checklist in hand, you might now be clearer on the policies you’re supposed to establish, but a little lost when it comes to actually implementing them—never mind actually protecting PHI.

That’s where Sookasa comes in. Sookasa is the only solution that provides end-to-end encryption for cloud-based file-sharing services. What’s that mean? By encrypting files individually and granting access exclusively based on authenticated credentials, Sookasa ensures that only authorized people can access electronic protected health information. What’s more, Sookasa gives administrators a lens into just what’s happening with ePHI by tracking every encrypted file. It logs every modification, copy, access, or share operation made to encrypted files and associates each with a user, so there’s never any doubt about what’s going on with your organization. After all, isn’t doubt the thing that makes HIPAA compliance so hard?