HIPAA Compliance Checklist

Risk Analysis and Management

    Map every system that creates, receives, stores, or transmits ePHI — application databases, S3 buckets, log aggregators, backup snapshots, analytics warehouses, support ticket systems. Diagram the flows between them. Shadow stores in dev/staging are the most common audit finding.

    Score threats × vulnerabilities × impact for each ePHI system identified in the inventory. HHS expects a documented methodology — NIST SP 800-30 is the safe choice. Attach the completed assessment so it lives in the evidence repository for the next audit.

    For each high or medium risk, name an owner, a target completion date, and the chosen treatment (mitigate, accept, transfer). Track tickets in Jira or Linear so progress is visible — a treatment plan that lives only in a Word doc is the failure mode auditors flag.

Policies and Procedures

    Review the administrative, physical, and technical safeguard policies against §164.308–.312. Vanta, Drata, and Secureframe ship template policies; they still need to match how your team actually operates or auditors will catch the gap.

    Push the approved versions to Notion, Confluence, or whichever handbook tool the team already uses. Version-control the policy source in git so changes have an audit trail.

    Every workforce member — employees, contractors, interns — signs the acknowledgment within their onboarding window or 30 days of policy revision. Compliance platforms automate this; otherwise track signed forms in the HR system.

Workforce Training

    Required for all workforce members, not just engineers who touch ePHI. Cover minimum-necessary access, phishing recognition, sanction policy, and breach reporting channels. KnowBe4 and Curricula are common LMS choices.

    Backend, SRE, and on-call engineers need deeper coverage: secrets handling, break-glass production access, audit-log expectations, encryption requirements, and the scrubbing rules for support tickets and bug reports. Generic awareness training does not satisfy this for technical roles.

    Pull the completion roster and chase the laggards. Workforce members who have not completed training within the policy window need a documented sanction action — auditors check that the sanction policy is actually applied, not just written down.

Business Associate Agreements

    Cover infrastructure (AWS, GCP, Azure), data (Snowflake, MongoDB Atlas), observability (Datadog, Sentry), email (SendGrid, Postmark), support (Zendesk, Intercom), and any AI/ML APIs. Anything that processes or stores ePHI on your behalf needs a BAA — including Slack and Notion if PHI ever ends up in tickets or runbooks.

    AWS, GCP, and Azure all require an active BAA flag on the account before HIPAA-eligible services may be used — and only specific services qualify. A BAA on the parent contract does not cover a non-eligible service.

    Pull the latest Type II report for each in-scope vendor; check the audit period covers your reporting window with no gap. Note any qualified opinions or carve-outs in the vendor risk file.

Incident Response and Breach Notification

    The runbook lives next to the on-call docs in the team's runbook tool. It names the incident commander, the privacy officer, the legal contact, and the four-factor risk assessment used to decide whether an impermissible disclosure is a reportable breach.

    Pick a realistic scenario — an exposed S3 bucket, a stolen laptop with cached PHI, a misconfigured IAM role granting a vendor access. Walk the on-call rotation and the privacy officer through the response. File the tabletop notes as evidence.

    Apply the §164.402 four-factor analysis to each suspected impermissible use or disclosure logged this cycle. Capture the affected count tier — the 500-individual threshold drives different downstream notification obligations.

    Written notice by first-class mail (or email if the individual agreed). The 60-day clock starts at discovery, not at confirmation — auditors look closely at the gap between first signal in your ticketing system and the notice timestamp.

    For breaches affecting fewer than 500 individuals, file via the HHS OCR portal annually within 60 days of year-end. For breaches affecting 500 or more, file within 60 days of discovery — same portal, different timeline.

    Required only for breaches affecting more than 500 residents of a single state or jurisdiction (§164.406). Coordinate with legal and PR before issuing the press release; the wording must include the same elements as the individual notice.

Technical Safeguards

    Quarterly access review covering AWS IAM, k8s RBAC, database roles, and the application's own admin tier. Engineers who left the team or changed roles are the typical findings — SCIM via the SSO provider closes most of the gap but never all of it.
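The reconciliation behind that review can be scripted. The following is an added example, not part of the checklist or any vendor tool: it joins a constructed HR roster export against constructed IAM-user and k8s RoleBinding snapshots and reports leavers who still hold access, engineers whose current team does not justify an entitlement, principals with no owner in HR, and credentials idle past a threshold. The team-to-entitlement baseline (`ALLOWED`), the 90-day idle threshold, and all names are assumptions.

```python
"""Access-review reconciliation: cross-check IAM users and k8s RoleBinding
subjects against the HR roster to surface leavers, role changes and orphans."""
from datetime import date

# Constructed HR roster export: owner email -> (employment status, current team).
HR_ROSTER = {
    "alice@example.test": ("active", "backend"),
    "bob@example.test": ("active", "data"),
    "carol@example.test": ("terminated", "backend"),  # left last month
    "dan@example.test": ("active", "support"),        # moved off the backend team
}

# Constructed IAM snapshot: user name, owner tag, last activity, attached policies.
IAM_USERS = [
    {"user": "alice-cli", "owner": "alice@example.test", "last_used": "2024-03-28", "policies": ["BackendDeploy"]},
    {"user": "carol-cli", "owner": "carol@example.test", "last_used": "2024-02-10", "policies": ["BackendDeploy"]},
    {"user": "dan-cli", "owner": "dan@example.test", "last_used": "2024-03-30", "policies": ["ProdDBAdmin"]},
    {"user": "legacy-svc", "owner": "", "last_used": "2023-06-01", "policies": ["AdministratorAccess"]},
]

# Constructed k8s RoleBinding view: namespace/role -> subject emails.
K8S_BINDINGS = {
    "prod/admin": ["alice@example.test", "carol@example.test"],
    "prod/view": ["bob@example.test", "dan@example.test"],
}

# Assumed least-privilege baseline: which entitlements each team may hold.
ALLOWED = {
    "backend": {"BackendDeploy", "prod/admin", "prod/view"},
    "data": {"prod/view"},
    "support": {"prod/view"},
}
STALE_DAYS = 90                   # assumed threshold for "unused" credentials
REVIEW_DATE = date(2024, 4, 1)    # constructed review date for the sample data


def review(roster, iam_users, k8s_bindings, today, allowed=ALLOWED, stale_days=STALE_DAYS):
    """Return (principal, entitlement, reason) tuples for every finding."""
    findings = []

    def check(owner, entitlement, principal):
        if not owner or owner not in roster:
            findings.append((principal, entitlement, "no owner in HR roster"))
            return
        status, team = roster[owner]
        if status != "active":
            findings.append((principal, entitlement, "owner terminated in HR"))
        elif entitlement not in allowed.get(team, set()):
            findings.append((principal, entitlement, f"not permitted for team {team}"))

    for u in iam_users:
        for policy in u["policies"]:
            check(u["owner"], policy, u["user"])
        idle = (today - date.fromisoformat(u["last_used"])).days
        if idle > stale_days:
            findings.append((u["user"], "*", f"unused for > {stale_days} days"))

    for binding, subjects in k8s_bindings.items():
        for subject in subjects:
            check(subject, binding, f"k8s:{subject}")
    return findings


def run_review():
    """Run the review over the constructed sample data."""
    return review(HR_ROSTER, IAM_USERS, K8S_BINDINGS, REVIEW_DATE)


if __name__ == "__main__":
    for finding in run_review():
        print(*finding, sep="\t")
```

The output of `run_review()` is the artifact to file as evidence: five findings on the sample data (a terminated owner still bound in both IAM and k8s, a team change that left a production DB admin policy in place, an ownerless service user, and that same user's idle credentials). In practice the roster and snapshots come from the HR system, `aws iam get-credential-report`, and `kubectl get rolebindings -A -o json`; the join logic is unchanged.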

    KMS-backed encryption on RDS, S3, EBS, and any backup destination. ALB/CloudFront listeners enforce TLS 1.2 or higher with modern cipher suites — run an SSL Labs scan against the public endpoints and capture the report as evidence.

    CloudTrail, k8s audit, application access logs, and database audit streams all flow into the SIEM (Splunk, Datadog, or similar) with at least six years of retention to match the §164.316 documentation requirement. Verify the log integrity check actually runs — silent ingestion failures are common.
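A silent ingestion failure looks exactly like a quiet system unless something watches the gap. The following is an added example (not from the checklist or any SIEM vendor) of that watchdog: it takes constructed per-source "last event" timestamps as a SIEM would index them, compares each expected source's most recent event against a per-source silence threshold, and flags sources that have gone quiet or were never ingested at all. The source names, the thresholds in `MAX_SILENCE_MIN`, and the check time are assumptions.

```python
"""Log-pipeline liveness check: detect expected audit sources that have
stopped arriving in the SIEM, or never arrived."""
from datetime import datetime, timezone

# Constructed per-source event samples as a SIEM would index them (UTC).
SAMPLE_EVENTS = [
    ("cloudtrail", "2024-04-01T11:57:10Z"),
    ("cloudtrail", "2024-04-01T12:02:41Z"),
    ("k8s-audit", "2024-04-01T09:15:00Z"),   # audit webhook stopped posting
    ("app-access", "2024-04-01T12:04:59Z"),
    # "rds-audit" is absent entirely: the stream was never wired up
]

# Assumed maximum tolerated silence per source, in minutes, derived from each
# source's normal delivery cadence (CloudTrail delivers roughly every 5 minutes).
MAX_SILENCE_MIN = {
    "cloudtrail": 20,
    "k8s-audit": 15,
    "app-access": 10,
    "rds-audit": 60,
}

# Constructed time at which the check runs.
CHECK_TIME = datetime(2024, 4, 1, 12, 10, tzinfo=timezone.utc)


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_ingestion(events, max_silence_min, now):
    """Return {source: reason} for every expected source that is missing or
    has been silent longer than its threshold, plus any unexpected source."""
    last_seen = {}
    for source, ts in events:
        t = parse_ts(ts)
        if source not in last_seen or t > last_seen[source]:
            last_seen[source] = t

    alerts = {}
    for source, limit in max_silence_min.items():
        if source not in last_seen:
            alerts[source] = "no events ever ingested"
            continue
        gap_min = int((now - last_seen[source]).total_seconds() // 60)
        if gap_min > limit:
            alerts[source] = f"silent for {gap_min} min (limit {limit})"
    # A source nobody configured a threshold for is either new or misnamed;
    # either way it deserves a look before the auditor asks about it.
    for source in last_seen:
        if source not in max_silence_min:
            alerts[source] = "unexpected source with no silence threshold"
    return alerts


def run_check():
    """Run the liveness check over the constructed sample data."""
    return check_ingestion(SAMPLE_EVENTS, MAX_SILENCE_MIN, CHECK_TIME)


if __name__ == "__main__":
    for source, reason in sorted(run_check().items()):
        print(f"ALERT {source}: {reason}")
```

On the sample data `run_check()` raises two alerts: `k8s-audit` silent for 175 minutes and `rds-audit` never ingested, while `cloudtrail` and `app-access` are within their windows. Run it on a schedule from outside the pipeline it watches, so a failure of the SIEM itself is reported rather than swallowed.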

Physical Safeguards

    Jamf, Kandji, or Intune enforces full-disk encryption, screen lock, OS patch level, and remote wipe. Devices that fail compliance lose SSO access via the conditional access policy — the device-trust pattern, not just an honor-system policy doc.

    NIST SP 800-88 sanitization for any device that held ePHI. Keep the certificate of destruction for laptops returned through the IT asset offboarding flow — auditors ask for samples.

    For cloud-hosted ePHI you inherit physical controls from AWS, GCP, or Azure. File the relevant section of their SOC 2 Type II as evidence; note the carve-out clearly so your auditor sees the inheritance is intentional.

Documentation and Recordkeeping

    Risk assessments, policies, training rosters, BAAs, access reviews, vulnerability scans, and incident logs all land in one place — Vanta, Drata, or a tightly-permissioned bucket. Auditors ask for the artifact, not the description of the artifact.

    §164.316(b)(2) sets the floor at six years from creation or last-effective date, whichever is later. Lifecycle policies on S3 and equivalent stores enforce the minimum without manual tracking — verify the rule is actually configured, not just drafted.
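Verifying the rule means reading the bucket's lifecycle configuration back and confirming that nothing in it deletes evidence objects, or their prior versions, before the six-year floor. The following is an added example, not from the checklist or from AWS: it parses a constructed lifecycle configuration in the JSON shape returned by `aws s3api get-bucket-lifecycle-configuration`, selects the enabled rules that apply to the evidence prefix, and reports any `Expiration` or `NoncurrentVersionExpiration` shorter than the minimum, as well as the case where no enabled rule covers the prefix at all. The day count for six years, the rule IDs and prefixes are assumptions.

```python
"""Audit an S3 lifecycle configuration for rules that would delete evidence
objects (or their noncurrent versions) before the retention floor."""
import json

# Assumption: six years expressed in days, allowing for two leap days.
SIX_YEARS_DAYS = 6 * 365 + 2

# Constructed lifecycle configuration in the shape returned by
# `aws s3api get-bucket-lifecycle-configuration --bucket <evidence-bucket>`.
SAMPLE_CONFIG = json.loads("""{
  "Rules": [
    {"ID": "evidence-retain", "Status": "Enabled",
     "Filter": {"Prefix": "evidence/"},
     "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}],
     "Expiration": {"Days": 2200},
     "NoncurrentVersionExpiration": {"NoncurrentDays": 30}},
    {"ID": "tmp-cleanup", "Status": "Enabled",
     "Filter": {"Prefix": "tmp/"},
     "Expiration": {"Days": 7}},
    {"ID": "evidence-old-draft", "Status": "Disabled",
     "Filter": {"Prefix": "evidence/"},
     "Expiration": {"Days": 365}}
  ]
}""")


def rule_prefix(rule):
    """Prefix a rule applies to; '' means the whole bucket."""
    flt = rule.get("Filter", {})
    if "Prefix" in flt:
        return flt["Prefix"]
    if "And" in flt:
        return flt["And"].get("Prefix", "")
    return rule.get("Prefix", "")  # legacy top-level Prefix form


def covers(rule, prefix):
    """True if the rule's prefix overlaps the evidence prefix in either direction."""
    rp = rule_prefix(rule)
    return prefix.startswith(rp) or rp.startswith(prefix)


def audit_retention(config, evidence_prefix, min_days=SIX_YEARS_DAYS):
    """Return (rule id, problem) pairs for enabled rules that would delete
    evidence objects, or their prior versions, before min_days."""
    findings = []
    enabled = [r for r in config.get("Rules", [])
               if r.get("Status") == "Enabled" and covers(r, evidence_prefix)]
    if not enabled:
        # A drafted-but-disabled rule ends up here: nothing enforces the floor.
        findings.append(("(none)", f"no enabled lifecycle rule covers {evidence_prefix}"))
    for r in enabled:
        exp = r.get("Expiration", {})
        if "Days" in exp and exp["Days"] < min_days:
            findings.append((r["ID"], f"Expiration.Days={exp['Days']} < {min_days}"))
        if "Date" in exp:
            findings.append((r["ID"], f"Expiration.Date={exp['Date']} needs manual check against object creation dates"))
        nce = r.get("NoncurrentVersionExpiration", {})
        if "NoncurrentDays" in nce and nce["NoncurrentDays"] < min_days:
            findings.append((r["ID"],
                             f"NoncurrentVersionExpiration.NoncurrentDays={nce['NoncurrentDays']} < {min_days}"))
    return findings


if __name__ == "__main__":
    for rule_id, problem in audit_retention(SAMPLE_CONFIG, "evidence/"):
        print(f"{rule_id}: {problem}")
```

On the sample configuration the current-version expiration (2200 days) clears the floor and the Glacier transition is harmless, but the 30-day noncurrent-version expiration is flagged: on a versioned bucket it discards earlier revisions of edited policies and assessments long before six years. The disabled `evidence-old-draft` rule is ignored, which is the "drafted, not configured" case the checklist item warns about.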

    The privacy officer and security lead walk the evidence repository quarterly to catch stale artifacts before the auditor does. Stale access reviews and expired BAAs are the most common findings at this checkpoint.

Use this template in Manifestly