HIPAA compliance is not a one-time certification — it is an ongoing programme of risk assessment, policy maintenance, workforce training, technical safeguards, and breach preparedness. The Office for Civil Rights (OCR) enforces HIPAA through complaint investigations, compliance reviews, and periodic audit programmes — with penalties reaching $2.1 million per violation category per year and criminal liability for wilful neglect. This free HIPAA compliance audit checklist gives compliance officers, privacy officers, and health IT teams a structured framework for conducting an internal HIPAA audit — covering the Privacy Rule, all three Security Rule safeguard categories, Business Associate management, and Breach Notification Rule requirements.
A HIPAA compliance audit is a systematic internal review of whether a covered entity or business associate is meeting the requirements of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations — the Privacy Rule, Security Rule, Breach Notification Rule, and Omnibus Rule. Unlike an OCR audit (which is conducted externally by the Department of Health and Human Services), an internal HIPAA compliance audit is conducted by the organisation itself — or by an independent third party engaged for the purpose.
HIPAA applies to three categories of covered entities — healthcare providers that transmit health information electronically, health plans, and healthcare clearinghouses — and to business associates: organisations that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity. Business associates include IT vendors, cloud service providers, billing companies, legal firms, and any subcontractor that handles PHI. Business associates are directly liable under HIPAA — not just contractually — since the 2013 Omnibus Rule.
The OCR’s active 2024–2025 audit programme is reviewing 50 covered entities and business associates specifically on Security Rule provisions related to hacking and ransomware — the most significant enforcement focus of recent years, given that 186 million patient records were affected by breaches in 2024. A structured internal audit checklist is the most effective way to identify and remediate gaps before an OCR audit or a breach occurs.
This checklist is organised into six audit areas covering the full scope of HIPAA compliance obligations for covered entities and business associates.
The Security Risk Analysis is the single most commonly cited OCR enforcement action. A documented, organisation-wide risk analysis is required — not optional.
This checklist is available as a free, runnable template in CheckFlow — with tasks assigned across compliance, IT, HR, and legal teams, audit findings tracked to remediation, and a complete audit record for every review cycle.
Use This Template FreeHIPAA applies to two categories of organisations. Understanding which category applies determines your specific compliance obligations.
Organisations that directly handle patient health information as part of their core function. Includes:
Organisations that perform functions or activities involving PHI on behalf of a covered entity. Directly liable under HIPAA since the 2013 Omnibus Rule. Includes:
Both covered entities and business associates must conduct regular HIPAA compliance audits and maintain documentation demonstrating compliance. Business associates that fail to comply are directly liable to OCR — not just contractually liable to the covered entity.
The HHS proposed significant updates to the HIPAA Security Rule in 2025 that would substantially tighten ePHI protection requirements. While not yet final, compliance teams should assess current gaps now.
The distinction between “required” and “addressable” specifications would be eliminated — all Security Rule specifications would become mandatory. Organisations that previously treated addressable specifications as optional based on risk analysis must reassess their compliance posture.
MFA would be required for all access to ePHI systems — not merely addressable. Organisations should assess current MFA coverage across all systems handling ePHI and close any gaps.
Encryption of ePHI at rest and in transit would shift from addressable to required. Organisations relying on compensating controls in lieu of encryption should begin planning for full encryption implementation.
Notification timelines for certain high-severity security incidents would be reduced from 60 days to 24 hours. Incident response procedures and internal escalation paths would need to be significantly faster.
Organisations would be required to maintain a current technology asset inventory and a network map — updated at least annually — covering all systems that handle ePHI.
A HIPAA compliance audit spans multiple departments simultaneously. The Privacy Officer reviews Privacy Rule procedures; IT assesses technical safeguards; HR reviews workforce training records and termination procedures; legal reviews BAAs. CheckFlow assigns each section to the right team, notifies them when their tasks are due, and gives the compliance officer a real-time view of progress across the full audit — without a single status meeting.
Every gap identified during the audit becomes a trackable action in CheckFlow — assigned to a named owner with a due date and automatic reminders. Nothing sits in a report that nobody follows up on. When the next audit cycle begins, you have a complete record of what was found last time and what was done about it — the documentation OCR asks for when it reviews your compliance history.
HIPAA requires ongoing risk analysis, annual security reviews, and regular workforce training — not as a one-off exercise. CheckFlow’s recurring checklist feature schedules these activities automatically so nothing is missed or deferred. The same structured checklist, every year, with a fresh evidence trail that builds throughout each audit cycle.
HIPAA Security Rule Administrative Safeguards (45 CFR § 164.308) require documented workforce termination procedures — ensuring ePHI access is revoked and devices are returned when employment ends. CheckFlow’s IT offboarding checklist provides a structured, automated process for every leaver, with a timestamped audit trail that directly satisfies the workforce security safeguard evidence requirement. Learn more about CheckFlow for IT offboarding →
HIPAA requires a documented contingency plan covering data backup, disaster recovery, and emergency mode operations — and evidence that the plan is tested. CheckFlow’s Disaster Recovery Audit Checklist provides a structured framework for auditing your contingency planning controls and documenting test evidence. See the Disaster Recovery Audit Checklist →
A HIPAA compliance audit is a systematic review of whether a covered entity or business associate meets the requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. While HIPAA does not explicitly mandate that covered entities conduct their own internal compliance audits, the Security Rule requires organisations to conduct periodic technical and non-technical evaluations of their security practices (45 CFR § 164.308(a)(8)), and the documentation standards throughout HIPAA require that policies, risk analyses, and corrective actions be documented and available for review. In practice, regular internal audits are the most effective way to identify and remediate gaps before OCR does — and documented evidence of proactive compliance is the strongest mitigating factor in OCR enforcement actions.
A covered entity is a healthcare provider, health plan, or healthcare clearinghouse that directly handles patient health information as part of its core function. A business associate is any organisation that performs functions or activities involving PHI on behalf of a covered entity — including IT vendors, cloud service providers, billing companies, law firms, and medical transcription services. Since the 2013 HIPAA Omnibus Rule, business associates are directly liable to OCR for HIPAA violations — not just contractually liable to the covered entity. Business associates must comply with all Security Rule requirements and relevant Privacy Rule provisions, and must have Business Associate Agreements (BAAs) in place with covered entities and with their own subcontractors who handle PHI.
A Security Risk Analysis (also called a risk assessment) is the foundational requirement of the HIPAA Security Rule — required under 45 CFR § 164.308(a)(1). It involves identifying all ePHI the organisation creates, receives, maintains, or transmits; identifying the threats and vulnerabilities to that ePHI; assessing the likelihood and impact of those threats; and documenting the results as the basis for the organisation’s risk management programme. Failure to conduct a proper, documented Security Risk Analysis is the single most commonly cited HIPAA violation in OCR enforcement actions. It is not a one-time activity — it must be reviewed and updated regularly, and whenever significant changes occur to the organisation’s systems or environment.
The HIPAA Security Rule organises ePHI protection requirements into three safeguard categories. Administrative safeguards cover the policies, procedures, and management practices that govern how ePHI is protected — including risk analysis, workforce training, access management, and incident response. Physical safeguards cover the physical measures protecting ePHI systems from unauthorised physical access — including facility access controls, workstation security, and device and media controls. Technical safeguards cover the technology and technology policies that protect ePHI and control access to it — including access controls, audit controls, integrity controls, authentication, and transmission security. Under proposed 2025 Security Rule updates, all specifications in all three categories would become mandatory rather than addressable.
When a breach of unsecured PHI occurs, covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering the breach. HHS must also be notified within 60 days — immediately for breaches affecting 500 or more individuals, and annually for breaches affecting fewer than 500. For breaches affecting 500 or more residents of a state or jurisdiction, prominent media notice is also required. Business associates must notify covered entities without unreasonable delay and within 60 days of discovering a breach. Before determining whether notification is required, organisations must conduct a four-factor risk assessment to determine whether the breach poses a significant risk of financial, reputational, or other harm to affected individuals.
HIPAA civil monetary penalties are tiered by culpability — from $100–$50,000 per violation for unknowing violations to $50,000 per violation (with a maximum of $2.1 million per violation category per year) for wilful neglect that is not corrected. Criminal penalties apply to individuals who knowingly obtain or disclose PHI in violation of HIPAA — up to 10 years imprisonment for offences committed with intent to sell, transfer, or use PHI for personal gain or malicious harm. In addition to financial penalties, OCR may require corrective action plans that impose significant operational burdens. Reputational damage from publicised enforcement actions and breach notifications can be equally significant.
You can start a free 14-day trial with no credit card required, giving you full access to all features including this template. The Business plan is $10 per user per month after the trial. Full details at checkflow.io/pricing.
