HIPAA Compliance Checklist
Comprehensive guide to HIPAA Security Rule and Privacy Rule compliance — administrative, physical, and technical safeguards with automated scanning.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for protecting individuals' medical records and protected health information (PHI). The HIPAA Security Rule specifically addresses electronic PHI (ePHI) and requires covered entities and business associates to implement administrative, physical, and technical safeguards. The Privacy Rule governs the use and disclosure of PHI in any form.
- Applies to covered entities (healthcare providers, health plans, clearinghouses) and business associates
- Security Rule: 54 implementation specifications for ePHI protection
- Privacy Rule: governs use, disclosure, and individual rights over PHI
- Breach Notification Rule: requires notification within 60 days of discovering a breach
HIPAA in ComplyWise
ComplyWise includes 61 controls mapped to HIPAA Security Rule and Privacy Rule requirements. Controls are organized by safeguard type: Administrative (§164.308), Physical (§164.310), and Technical (§164.312). Automated scans evaluate technical safeguards including access controls, encryption, audit logging, and network security. Administrative and physical safeguards are assessed via manual attestation.
- 61 controls covering Administrative, Physical, and Technical safeguards
- Automated scanning for access control, encryption, audit, and transmission security
- Manual assessment for policies, training, physical security, and contingency planning
- Cross-mapped to UCF for SOC 2, ISO 27001, and NIST overlap
Risk Analysis (§164.308(a)(1))
HIPAA requires a documented risk analysis that identifies threats and vulnerabilities to ePHI. This is the foundational requirement — all other safeguards are informed by the risk analysis. ComplyWise's scan results feed into your risk assessment by identifying technical vulnerabilities, while the platform helps you document the risks, their likelihood, and impact.
- Identify all systems that create, receive, maintain, or transmit ePHI
- Assess threats (malicious, environmental, human) and vulnerabilities
- Determine the likelihood and impact of each threat exploiting each vulnerability
- Document risk levels and implement corresponding safeguards
- Review and update annually or after significant changes
Technical Safeguards
Technical safeguards are the technology-based protections that ComplyWise can evaluate automatically. These include access controls (unique user IDs, emergency access procedures, automatic logoff, encryption), audit controls (logging and monitoring), integrity controls (authentication of ePHI), and transmission security (encryption in transit).
- §164.312(a) — Access Control: unique user IDs, emergency access, automatic logoff, encryption
- §164.312(b) — Audit Controls: recording and examining access to ePHI systems
- §164.312(c) — Integrity: mechanisms to authenticate electronic PHI
- §164.312(d) — Person or Entity Authentication: verify identity of users accessing ePHI
- §164.312(e) — Transmission Security: encryption of ePHI transmitted over networks
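To make the automated side of these safeguards concrete, here is an added example (not ComplyWise code) that evaluates a constructed system inventory against the §164.312 items above and tags each finding with its control. The inventory fields, the 15-minute logoff threshold, the TLS 1.2 floor, and the use of MFA as the §164.312(d) check are assumptions chosen for illustration; HIPAA itself does not prescribe those values.

```python
"""Check a system inventory against HIPAA §164.312 technical safeguards.

Added example, not ComplyWise code. The inventory shape and the
thresholds below are assumptions for illustration only.
"""

# Constructed inventory of two ePHI systems, as a scanner might collect it.
INVENTORY = [
    {"name": "ehr-db", "stores_ephi": True, "transmits_ephi": True,
     "shared_accounts": [], "auto_logoff_minutes": 10,
     "encryption_at_rest": True, "audit_logging": True,
     "mfa": True, "tls_min_version": "1.2"},
    {"name": "lab-portal", "stores_ephi": True, "transmits_ephi": True,
     "shared_accounts": ["labuser"], "auto_logoff_minutes": 0,
     "encryption_at_rest": False, "audit_logging": False,
     "mfa": False, "tls_min_version": "1.0"},
]

MAX_LOGOFF_MINUTES = 15   # assumed policy value; HIPAA sets no number
MIN_TLS = (1, 2)          # assumed floor for ePHI in transit


def evaluate(system):
    """Return a list of (control, finding) tuples for one system."""
    findings = []
    if system["shared_accounts"]:  # §164.312(a): unique user identification
        findings.append(("164.312(a)", f"shared accounts defeat unique user IDs: {system['shared_accounts']}"))
    minutes = system["auto_logoff_minutes"]  # 0 means logoff is disabled
    if minutes <= 0 or minutes > MAX_LOGOFF_MINUTES:
        findings.append(("164.312(a)", f"automatic logoff not enforced within {MAX_LOGOFF_MINUTES} min (set to {minutes})"))
    if system["stores_ephi"] and not system["encryption_at_rest"]:
        findings.append(("164.312(a)", "ePHI at rest is not encrypted"))
    if not system["audit_logging"]:  # §164.312(b): record access to ePHI
        findings.append(("164.312(b)", "access to ePHI is not recorded"))
    if not system["mfa"]:  # §164.312(d): MFA used as the assumed identity check
        findings.append(("164.312(d)", "no multi-factor authentication for ePHI access"))
    tls = tuple(int(p) for p in system["tls_min_version"].split("."))
    if system["transmits_ephi"] and tls < MIN_TLS:  # §164.312(e)
        findings.append(("164.312(e)", f"TLS {system['tls_min_version']} allowed for ePHI in transit"))
    return findings


def scan(inventory):
    """Map each system name to its findings; an empty list means all checks passed."""
    return {s["name"]: evaluate(s) for s in inventory}


if __name__ == "__main__":
    for name, findings in scan(INVENTORY).items():
        print(name, "PASS" if not findings else f"{len(findings)} finding(s)")
        for control, msg in findings:
            print(f"  §{control}: {msg}")
```

Findings carry the control reference so they can be filed directly as evidence against the matching §164.312 item, with the administrative and physical safeguards still left to manual attestation.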
Administrative Safeguards
Administrative safeguards are the policies, procedures, and organizational measures for managing HIPAA compliance. These include security management processes, workforce security, information access management, security awareness training, contingency planning, and security incident procedures. ComplyWise tracks these through manual assessments with evidence upload.
- §164.308(a)(1) — Security Management Process: risk analysis and risk management
- §164.308(a)(3) — Workforce Security: authorization, clearance, and termination procedures
- §164.308(a)(4) — Information Access Management: access authorization and establishment
- §164.308(a)(5) — Security Awareness and Training: training program, password management, login monitoring
- §164.308(a)(6) — Security Incident Procedures: incident response and reporting
- §164.308(a)(7) — Contingency Plan: backup, disaster recovery, and emergency mode operations
Business Associate Agreements
If your organization is a business associate or works with business associates, you must have Business Associate Agreements (BAAs) in place. ComplyWise helps you track which vendors have BAAs, their expiration dates, and which ePHI they access. This is tracked as part of the §164.308(b)(1) Business Associate Contracts control.
- Track all business associates and their BAA status
- Document which ePHI each business associate accesses
- Set reminders for BAA renewal before expiration
- Evidence collection for auditor review of BAA coverage