Cybersecurity
Feb 21, 2025
Dec 4, 2025
•
9 min read
Disclaimer: This article is for informational purposes only and does not constitute legal or professional advice. Laws and regulations, including HIPAA, may change, and interpretations can vary. For guidance on your specific situation, consult a qualified attorney or compliance profession.
Healthcare organizations, covered entities, and business associates all face the same challenge: turning complex rules into actionable steps. That’s why we’ve created this HIPAA compliance checklist—a practical, step-by-step guide to help you reduce risk, streamline compliance efforts, and protect patient data — with network security at the core of compliance.
1. Administrative safeguards
Administrative safeguards are the foundation of HIPAA compliance. They ensure that your organization has the right policies, procedures, and accountability structures in place. You may be thinking that administrative rules are a given in healthcare, but they may not be as clearly documented as you think, which is why they should be included in your checklist.
What administrative safeguards are needed? At minimum: documented privacy and security policies, internal audits, breach planning, and assigned leadership roles.
Administrative Safeguard Checklist:
Create and maintain privacy and security policies
Assign a HIPAA compliance officer and define leadership accountability
Regularly update documentation
Conduct annual internal audits
Set breach response protocols
Why it matters: Many healthcare organizations struggle with administrative safeguards because the rules can feel vague. But these processes bridge the gap between theory and real-world application. Leadership accountability, consistent audits, and a living set of policies help avoid confusion and prepare your team to respond effectively when challenges arise.
Action step: Outdated policies are a high-risk gap. If your documentation hasn’t been updated in the last year, now is the time. For more detailed HIPAA compliance insights, explore our in-depth guide.
2. Physical safeguards
This one may seem obvious to anyone who has ever worked in a healthcare facility, but it bears repeating. Physical safeguards protect against unauthorized, in-person access to sensitive health data. While digital security often takes center stage, on-site weaknesses remain a common cause of compliance failures. This includes locking up server rooms, as well as restricting access to printed patient records, printed financial records, hard copies of test results, and even copies of X-rays and other tests recorded on film.
How do I safeguard physical records for HIPAA? Use locked cabinets, enforce visitor sign-in protocols, restrict access to sensitive areas, and apply workstation security rules.
Checklist:
Secure access to physical facilities
Restrict areas with sensitive data (locked cabinets, server rooms)
Maintain visitor logs and surveillance
Why it matters: Even the most advanced firewalls can’t stop someone from walking into an unsecured server room. HIPAA requires healthcare organizations to take physical security just as seriously as IT safeguards.
Action step: Conduct a walkthrough of your facility to identify overlooked risks. For practical steps, check out our access control policies guide.
3. Technical safeguards
HIPAA’s technical safeguards address the systems, software, and digital protections that keep electronic PHI (ePHI) secure. Personal Health Information (PHI) is highly sought after by threat actors, because it can be used for extortion. This information commands a pretty penny on the dark web.
Data encryption and secure communications
How do I ensure encryption meets HIPAA requirements? You must apply industry-standard methods such as AES-256 encryption for storage and TLS for transmissions, then audit regularly.
Checklist:
Encrypt stored and transmitted ePHI
Use secure email and messaging protocols
Adopt TLS and AES-256 encryption
Regularly audit encryption methods
Stay aware of VPNs and network security best practices
Why it matters: Encryption is one of the most effective tools in healthcare security. It ensures that even if data is intercepted, it remains unreadable to unauthorized users.
Action step: Check your current encryption settings, including those in your VPN. You should also check out our SOC 2 and HIPAA adherence announcement.
Maintaining HIPAA compliant software
HIPAA compliance for software goes beyond choosing the right vendor—it also requires proper configuration and ongoing audits. The settings your vendor touts as HIPAA compliant should still be rigorously checked.
How do I ensure HIPAA compliance for software? Review your systems regularly, confirm vendors meet HIPAA standards, and configure role-based permissions to limit access.
Checklist:
Use certified HIPAA-compliant software vendors
Audit EHR and patient portal configurations
Set up role-based access and permissions
Schedule software updates and log reviews
Why it matters: All of your vendors must be HIPAA compliant. Compliance goes beyond your company’s borders, and if a breach happens, responsibility rests on both the vendor and your business.
Action step: Conduct an audit of all current software in use to check on data integrity and governance.
4. Ongoing risk assessment and employee training
Compliance isn’t a one-and-done task—it’s an ongoing process. The fact is, in 2024, 74% of CISOs cited human error as their company’s top cybersecurity risk, and another study found that somewhere around 95% of all data breaches were tied to human error in the same year.
Risk assessments and employee training are one of the most vital ways to ensure that security remains strong even as threats evolve.
How do I train staff for HIPAA compliance? Set up recurring workplace cybersecurity training sessions, track completion, and include simulations like phishing tests.
Checklist:
Conduct quarterly risk assessments
Keep documentation up to date
Train staff on HIPAA policies and phishing prevention
Track training completion
Why it matters: Human error is one of the leading causes of HIPAA breaches, and often these errors occur when employees are overwhelmed, rushing, or unaware of who in the company handles what. For example, if someone is phishing for patient data, they may pose as someone internal who needs the information, and if the employee doesn’t know who is actually in charge of that request, it may be easy to trust the wrong person. Regular training builds a culture of compliance, while risk assessments help uncover vulnerabilities before they turn into fines or data loss.
Action step: Create a training schedule or enroll your workforce in an accredited HIPAA training program. You can also check out our digital certificate best practices.
5. Business associate agreements and documentation
In healthcare, you very likely function through a variety of partners, vendors, and business associates like pharmacies and insurance carriers. Therefore, your compliance doesn’t stop at your organization—it extends to every partner that handles protected health information. That’s why you need a formal business associate agreement (BAA) policy. BAAs clarify responsibilities between you and your vendors, reducing liability in the event of a breach.
Are BAA documents needed for HIPAA compliance? Policies, risk assessments, BAAs, training logs, incident response plans, and version-controlled records are all needed for HIPAA compliance.
Formalizing BAA Requirements
Checklist:
Draft BAA contracts with all third-party vendors
Include breach notification and liability clauses
Review and update BAAs annually
Store signed copies securely
Accurate Record-Keeping and Policies
Checklist:
Use consistent naming conventions
Schedule documentation reviews
Maintain secure digital backups
Track document version history
Explore other compliance frameworks like SOX
Why it matters: Should a breach occur, you will want to have all of the previously agreed upon terms in writing to make sure that your patients have proper recourse and you can communicate clearly and quickly what their next steps are. Additionally, this can provide legal protection for your organization.
Action step: Audit your documentation today and reorganize it into a consistent, secure system.
6. Breach notification and incident response
Despite best efforts, breaches still occur. HIPAA requires that covered entities and business associates have a defined process for identifying, containing, and reporting incidents.
What should a HIPAA breach notification include? Notifications must explain what happened, what data was compromised, what containment actions were taken, and how individuals can protect themselves.
Checklist:
Build a written incident response plan
Establish breach containment protocols
Define notification timelines and templates
Assign response team responsibilities
Why it matters: If you fail to plan, you plan to fail (or so it’s been said). When an incident or breach has occurred, your team will be in crisis mode and knowing the correct legal way to handle the situation can be time consuming to research, discuss with your legal team, and enact. The time to make those decisions is now, before an incident or breach has occurred, so that you are prepared for the worst while hoping for the best.
Action step: Draft and distribute an incident response plan today.
7. Mobile devices and remote work compliance
As healthcare becomes more mobile and remote-friendly, protecting PHI outside of traditional office environments is critical. Whether you have roving team members, different office locations for different days, telehealth, virtual assistants and receptionists, remote medical billers and coders, or a hybrid environment, there are risks that differ from a fully protected, in-office and on-network environment.
How can I ensure HIPAA compliance in remote work? Use a HIPAA-compliant VPN, enforce MFA, and conduct regular endpoint audits to secure remote sessions.
Securing Mobile Workflows
Checklist:
Encrypt mobile devices and apps
Require passcodes and remote wipe capabilities
Prohibit storing PHI on unapproved devices
Audit mobile use regularly
Centralizing Remote Access Controls
Checklist:
Require VPN or secure tunneling
Implement MFA and endpoint verification
Maintain real-time session logs
Audit access by user and device
Why it matters: Bad actors are looking for telehealth and remote workers to attack first — especially from an unsecured network. Simple safeguards can help prevent breaches, and should an attacker gain access, prevent lateral movement.
Action step: Review our strategies for securing remote workforces and make sure that both the IT or security team and all remote or hybrid employees understand, and adhere to, said policy.
Ready to boost your HIPAA compliance?
Meeting HIPAA compliance doesn’t have to feel overwhelming. OpenVPN can help build the foundation of your HIPAA compliance with a Zero Trust VPN designed with compliance in mind. Explore HIPAA-compliant VPN solutions for healthcare.
Don’t forget to grab a copy of our HIPAA compliance checklist before you go!
