HIPAA Compliance Requirements Checklist for 2026
A complete checklist of HIPAA requirements organized by rule. Items flagged with "2026 New" are additions from the proposed Security Rule update. Effort ratings help you prioritize implementation.
Summary: 8 Privacy Rule items, 18 Security Rule items, 6 Breach Notification items, 7 2026 additions.
Privacy Rule Requirements
Designate a Privacy Officer responsible for privacy policy development and implementation (Effort: Low)
Develop and distribute a Notice of Privacy Practices (NPP) to all patients (Effort: Medium)
Implement the minimum necessary standard for all PHI use and disclosure (Effort: Medium)
Establish patient rights procedures: access, amendment, accounting of disclosures, restriction requests (Effort: High)
Obtain valid authorizations for uses and disclosures not covered by treatment, payment, or healthcare operations (Effort: Medium)
Implement and document a workforce sanctions policy for privacy violations (Effort: Low)
Maintain PHI accounting records for at least 6 years (Effort: Medium)
Execute Business Associate Agreements with all vendors that handle PHI (Effort: Medium)
Security Rule Requirements
Administrative Safeguards
Designate a Security Officer responsible for security policy development (Effort: Low)
Conduct a comprehensive risk assessment covering all systems with ePHI (Effort: High)
Develop and implement a risk management plan addressing identified risks (Effort: High)
Implement workforce security procedures: authorization, supervision, clearance, termination (Effort: Medium)
Establish and enforce information access management controls (Effort: Medium)
Provide security awareness training to all workforce members (Effort: Medium)
Develop incident response and reporting procedures (Effort: Medium)
Establish a contingency plan: data backup, disaster recovery, emergency mode operations (Effort: High)
Physical Safeguards
Implement facility access controls: locks, visitor management, workstation security (Effort: Medium)
Establish device and media controls: disposal, re-use, accountability, data backup (Effort: Medium)
Technical Safeguards
Implement unique user identification for all ePHI access (Effort: Medium)
Establish procedures for obtaining access to ePHI during an emergency (Effort: Medium)
Implement automatic logoff after periods of inactivity (Effort: Low)
Implement audit controls to record and examine ePHI access activity (Effort: High)
Implement integrity controls to protect ePHI from improper alteration (Effort: Medium)
Implement transmission security: encryption for ePHI in transit (Effort: High)
Implement person or entity authentication mechanisms (Effort: Medium)
Implement encryption for ePHI at rest on all systems and devices (Effort: High)
2026 Security Rule Additions
These items are from the proposed 2026 Security Rule update. Under the proposal, all addressable safeguards become required, and the following new requirements are added:
Implement multi-factor authentication for all ePHI access points (2026 New; Effort: High)
Mandate encryption for all ePHI without risk-based exceptions (2026 New; Effort: High)
Create and maintain a technology asset inventory with network maps (2026 New; Effort: High)
Conduct vulnerability scanning at least every 6 months (2026 New; Effort: Medium)
Conduct penetration testing at least annually (2026 New; Effort: High)
Achieve 72-hour system restoration capability for all critical ePHI systems (2026 New; Effort: High)
Conduct formal compliance audits at least annually (2026 New; Effort: High)
See the full 2026 rule change analysis with cost estimates.
Breach Notification Rule Requirements
Establish procedures to detect and investigate potential breaches of unsecured PHI (Effort: Medium)
Notify affected individuals within 60 days of discovering a breach (Effort: Medium)
Notify HHS within 60 days for breaches affecting 500 or more individuals, and annually for smaller breaches (Effort: Low)
Notify prominent media outlets for breaches affecting 500 or more individuals in a state or jurisdiction (Effort: Low)
Notify covered entity partners (if you are a business associate) without unreasonable delay (Effort: Low)
Maintain breach documentation, risk assessments, and notification records for at least 6 years (Effort: Medium)
Frequently Asked Questions
What are the main HIPAA compliance requirements?
HIPAA compliance requires adherence to three main rules. The Privacy Rule governs how PHI is used and disclosed, including patient rights to access their records. The Security Rule establishes safeguards for electronic PHI across administrative, physical, and technical domains. The Breach Notification Rule requires timely notification to affected individuals, HHS, and media (for breaches affecting 500+ individuals) when unsecured PHI is compromised. Each rule contains specific implementation standards that organizations must meet.
What changes in the 2026 HIPAA Security Rule?
The proposed 2026 Security Rule eliminates the distinction between addressable and required safeguards, meaning all safeguards become mandatory. Key additions include mandatory encryption for all ePHI, multi-factor authentication for all ePHI access, technology asset inventories with network maps, vulnerability scanning every six months, annual penetration testing, 72-hour system restoration capability, and mandatory annual compliance audits. These changes represent the most significant HIPAA update in over a decade.
How do I know if my organization is HIPAA compliant?
Start with a risk assessment that evaluates your organization against all HIPAA requirements. Work through the checklist on this page, documenting your status for each item. Pay particular attention to the six items OCR requests most frequently: risk analysis documentation, risk management plan, policies and procedures, training records, BAA inventory, and breach notification procedures. If you can produce current documentation for all six, you have a strong compliance foundation.
Is there an official HIPAA compliance certification?
No. There is no official government-issued HIPAA compliance certification. Organizations that claim to be "HIPAA certified" are referring to third-party assessments or vendor compliance seals, which carry varying levels of credibility. What matters to OCR is documented evidence of compliance: a current risk assessment, implemented policies, training records, and evidence of ongoing monitoring. Third-party audits provide valuable validation but do not create a legal safe harbor.