HIPAA Compliance Checklist

Map every system that creates, receives, stores, or transmits ePHI — application databases, S3 buckets, log aggregators, backup snapshots, analytics warehouses, support ticket systems. Diagram the flows between them. Shadow stores in dev/staging are the most common audit finding.

Score threats × vulnerabilities × impact for each ePHI system identified in the inventory. HHS expects a documented methodology — NIST SP 800-30 is the safe choice. Attach the completed assessment so it lives in the evidence repository for the next audit.

Review the administrative, physical, and technical safeguard policies against §164.308–.312. Vanta, Drata, and Secureframe ship template policies; they still need to match how your team actually operates or auditors will catch the gap.

Push the approved versions to Notion, Confluence, or whichever handbook tool the team already uses. Version-control the policy source in git so changes have an audit trail.

Required for all workforce members, not just engineers who touch ePHI. Cover minimum-necessary access, phishing recognition, sanction policy, and breach reporting channels. KnowBe4 and Curricula are common LMS choices.

Backend, SRE, and on-call engineers need deeper coverage: secrets handling, break-glass production access, audit-log expectations, encryption requirements, and the scrubbing rules for support tickets and bug reports. Generic awareness training does not satisfy this for technical roles.

Cover infrastructure (AWS, GCP, Azure), data (Snowflake, MongoDB Atlas), observability (Datadog, Sentry), email (SendGrid, Postmark), support (Zendesk, Intercept), and any AI/ML APIs. Anything that processes or stores ePHI on your behalf needs a BAA — including Slack and Notion if PHI ever ends up in tickets or runbooks.

AWS, GCP, and Azure all require an active BAA flag on the account before HIPAA-eligible services may be used — and only specific services qualify. A BAA on the parent contract does not cover a non-eligible service.

The runbook lives next to the on-call docs in the team's runbook tool. It names the incident commander, the privacy officer, the legal contact, and the four-factor risk assessment used to decide whether an impermissible disclosure is a reportable breach.

Pick a realistic scenario — an exposed S3 bucket, a stolen laptop with cached PHI, a misconfigured IAM role granting a vendor access. Walk the on-call rotation and the privacy officer through the response. File the tabletop notes as evidence.

Apply the §164.402 four-factor analysis to each suspected impermissible use or disclosure logged this cycle. Capture the affected count tier — the 500-individual threshold drives different downstream notification obligations.

Written notice by first-class mail (or email if the individual agreed). The 60-day clock starts at discovery, not at confirmation — auditors look closely at the gap between first signal in your ticketing system and the notice timestamp.

For breaches affecting fewer than 500 individuals, file via the HHS OCR portal annually within 60 days of year-end. For breaches affecting 500 or more, file within 60 days of discovery — same portal, different timeline.

Quarterly access review covering AWS IAM, k8s RBAC, database roles, and the application's own admin tier. Engineers who left the team or changed roles are the typical findings — SCIM via the SSO provider closes most of the gap but never all of it.

KMS-backed encryption on RDS, S3, EBS, and any backup destination. ALB/CloudFront listeners enforce TLS 1.2 or higher with modern cipher suites — run an SSL Labs scan against the public endpoints and capture the report as evidence.

Jamf, Kandji, or Intune enforces full-disk encryption, screen lock, OS patch level, and remote wipe. Devices that fail compliance lose SSO access via the conditional access policy — the device-trust pattern, not just an honor-system policy doc.

NIST SP 800-88 sanitization for any device that held ePHI. Keep the certificate of destruction for laptops returned through the IT asset offboarding flow — auditors ask for samples.

Risk assessments, policies, training rosters, BAAs, access reviews, vulnerability scans, and incident logs all land in one place — Vanta, Drata, or a tightly-permissioned bucket. Auditors ask for the artifact, not the description of the artifact.

§164.316(b)(2) sets the floor at six years from creation or last-effective date, whichever is later. Lifecycle policies on S3 and equivalent stores enforce the minimum without manual tracking — verify the rule is actually configured, not just drafted.