HIPAA Compliance Audit Checklist for Healthcare & Medical Organisations
2025 has broken records for HIPAA enforcement. 19 settlements. $8 million in fines. 186 million patient records breached. The organisations that escaped were the ones that ran a programme, not a checklist.
HIPAA compliance has never been more enforced. In 2025, the HHS Office for Civil Rights issued more resolution agreements than any previous year, with fines ranging from $10,000 to $1.5 million per violation. Covered entities — hospitals, clinics, pharmacies, dentists, and health plans — accounted for 82% of all breach reports. The proposed 2025 Security Rule updates elevate previously “addressable” implementation specifications to required status, removing the flexibility that smaller organisations relied on to argue proportionality. HIPAA compliance is no longer a matter of having a privacy notice and a locked filing cabinet — it requires documented policies, annual risk assessments, workforce training, Business Associate Agreements with all relevant vendors, technical safeguards for electronic PHI, and a tested breach notification procedure. This free HIPAA compliance audit checklist gives healthcare compliance officers, privacy officers, and practice administrators a structured framework for assessing and maintaining HIPAA compliance across all three Rules and all three safeguard categories.
Note: This checklist provides a framework for HIPAA compliance assessment. HIPAA requirements are complex and subject to change. Always consult a qualified healthcare compliance professional or legal counsel for advice specific to your organisation.
The Privacy Rule
What it protects: All individually identifiable health information in any form — paper, electronic, or verbal — known as Protected Health Information (PHI).
What it requires: Policies governing how PHI may be used and disclosed; patient rights (access, amendment, accounting of disclosures); minimum necessary standard; Notice of Privacy Practices provided to patients.
Key compliance gap: Using or disclosing more PHI than the minimum necessary for the intended purpose.
The Security Rule
What it protects: Electronic Protected Health Information (ePHI) — PHI created, received, maintained, or transmitted electronically.
What it requires: Administrative safeguards (risk analysis, workforce training, access management), physical safeguards (facility access controls, workstation security), and technical safeguards (access controls, encryption, audit controls).
Key compliance gap: Failing to conduct a documented annual risk analysis — the most cited OCR finding in audit results.
The Breach Notification Rule
What it protects: Ensures patients and HHS are notified when PHI is breached.
What it requires: Individual notification within 60 days of discovery; HHS notification without delay, and within 60 days, for breaches affecting 500+ individuals; annual report to HHS for smaller breaches; media notification for large breaches.
Key compliance gap: Delays in breach identification and notification — many organisations do not discover breaches for months.
The HIPAA Compliance Audit Checklist for Healthcare Organisations
Seven phases covering the full HIPAA compliance programme — from administrative governance through Privacy Rule, Security Rule safeguards, breach notification, and business associate management.
Phase 1
Administrative Safeguards & Governance
The annual risk analysis is the most fundamental HIPAA requirement — and the most cited OCR finding when it is absent or inadequate. Everything else in the compliance programme should flow from the documented risk analysis.
Confirm Privacy Officer is appointed — a named individual responsible for Privacy Rule compliance across the organisation
Confirm Security Officer is appointed — a named individual responsible for Security Rule compliance
Conduct the annual Risk Analysis — a thorough assessment of potential risks to the confidentiality, integrity, and availability of all ePHI created, received, maintained, or transmitted
Develop and implement a Risk Management Plan addressing the risks identified in the risk analysis with specific security measures
Review and update all HIPAA policies and procedures at least annually — document the review date and any changes made
Ensure all workforce members receive HIPAA training annually — covering Privacy Rule, Security Rule, and breach notification; document completion
Implement sanction policies — documented procedures for workforce members who fail to comply with HIPAA policies
Establish a workforce access management process — authorisation and/or supervision of workforce members who work with PHI; regular access reviews
Phase 2
Privacy Rule Compliance Review
Confirm Notice of Privacy Practices (NPP) is current — describes permitted uses and disclosures; patient rights; complaints process; effective date
Confirm NPP is provided to patients at first service delivery — acknowledgement of receipt obtained and documented
Confirm minimum necessary standard is applied — policies in place to limit PHI use to the minimum necessary for the intended purpose
Confirm patient rights procedures are in place — right of access (provide records within 30 days), right to amend, right to accounting of disclosures, right to restrict certain disclosures
Confirm Business Associate Agreements (BAAs) are in place with all vendors, contractors, and third parties who create, receive, maintain, or transmit PHI on behalf of the covered entity
Confirm authorisation procedures for uses and disclosures requiring patient authorisation — current authorisation forms meet HIPAA requirements
Audit PHI disclosure logs — accounting of disclosures is maintained; logs are accurate and up to date
Phase 3
Security Rule — Administrative Safeguards
Confirm the Risk Analysis is documented — scope, methodology, identified risks, and assigned risk levels; updated at least annually or when significant changes occur
Confirm the Risk Management Plan is implemented — specific measures addressing identified risks are in place and effective
Confirm a Contingency Plan exists — data backup plan, disaster recovery plan, emergency mode operations plan, testing procedures; tested at least annually
Confirm information access management policies — procedures for authorising access to ePHI; role-based access control implemented
Confirm workforce security procedures — authorisation, supervision, and termination of access for all workforce members
Confirm security awareness and training — periodic security updates and reminders; phishing awareness training
Phase 4
Security Rule — Physical Safeguards
Confirm workstation security policies — screens not visible to unauthorised individuals; automatic screen lock implemented; clean desk policy for PHI
Confirm device and media controls — policies for disposal, reuse, and accountability of hardware and electronic media containing ePHI
Confirm portable device policy — laptops, mobile phones, tablets, and USB drives used to access or store ePHI are encrypted and tracked
Confirm workstation access policies — only authorised users access clinical workstations; shared workstations have appropriate controls
Phase 5
Security Rule — Technical Safeguards
Confirm access controls are implemented — unique user identification for all users; role-based access to ePHI; automatic logoff for inactive sessions
Confirm encryption of ePHI at rest and in transit — particularly for portable devices, email containing PHI, and patient portal communications
Confirm audit controls are in place — hardware, software, and procedural mechanisms to record and examine activity in systems containing ePHI; audit logs reviewed regularly
Confirm integrity controls — ePHI is not altered or destroyed in an unauthorised manner; mechanisms to authenticate ePHI
Confirm transmission security — ePHI transmitted over electronic networks is protected against unauthorised access; encryption or equivalent alternative measures
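The audit-control item above asks for ePHI activity logs to be recorded and examined regularly. The following is an added example (not CheckFlow's code or part of the checklist) of such a review: it parses a constructed ePHI access log and flags three of the technical-safeguard gaps this phase names, a user ID logged in on two workstations at once, a session that stayed active past the automatic-logoff threshold, and record access by a role not authorised for ePHI. The log format, the 15-minute threshold, and the role map are assumptions.

```python
"""Review a constructed ePHI access log for shared credentials, missing
automatic logoff, and role-based access violations (added example)."""
from datetime import datetime, timedelta

AUTO_LOGOFF = timedelta(minutes=15)            # assumed policy threshold
ROLE_MAY_OPEN_RECORDS = {"clinician": True,     # assumed role map
                         "billing": True,
                         "facilities": False}

# Constructed sample log: timestamp|user|role|workstation|event|record
SAMPLE_LOG = """\
2025-03-01T09:00:00|jdoe|clinician|WS-01|login|-
2025-03-01T09:02:00|jdoe|clinician|WS-01|open_record|MRN-1001
2025-03-01T09:05:00|jdoe|clinician|WS-07|login|-
2025-03-01T09:40:00|jdoe|clinician|WS-01|open_record|MRN-1002
2025-03-01T09:41:00|jdoe|clinician|WS-01|logout|-
2025-03-01T10:00:00|fm01|facilities|WS-03|login|-
2025-03-01T10:01:00|fm01|facilities|WS-03|open_record|MRN-1003
2025-03-01T10:02:00|fm01|facilities|WS-03|logout|-
"""

def parse(log_text):
    """Split each pipe-delimited line into an event dict."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, role, ws, event, record = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "ws": ws, "event": event, "record": record})
    return events

def review(events, auto_logoff=AUTO_LOGOFF):
    """Return (finding, user, detail) tuples in log order."""
    findings = []
    sessions = {}   # (user, workstation) -> time of last activity
    for e in events:
        key = (e["user"], e["ws"])
        if e["event"] == "login":
            # Same user ID already active on another workstation: likely a shared credential
            if any(u == e["user"] for (u, _) in sessions):
                findings.append(("shared_credential", e["user"], e["ws"]))
            sessions[key] = e["ts"]
            continue
        last = sessions.get(key)
        # Activity resumed after the idle threshold without a logoff in between
        if last is not None and e["ts"] - last > auto_logoff:
            findings.append(("no_auto_logoff", e["user"], e["ws"]))
        if e["event"] == "logout":
            sessions.pop(key, None)
        else:
            sessions[key] = e["ts"]
        if e["event"] == "open_record" and not ROLE_MAY_OPEN_RECORDS.get(e["role"], False):
            findings.append(("role_violation", e["user"], e["record"]))
    return findings
```

Running `review(parse(SAMPLE_LOG))` yields one finding of each kind for the sample; in a real review the role map would come from the information access management policy in Phase 3.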
Phase 6
Breach Notification & Incident Response
Confirm breach identification procedures — workforce knows what constitutes a HIPAA breach; any impermissible use or disclosure of PHI is presumed a breach unless a documented four-factor risk assessment shows a low probability that the PHI was compromised
Confirm breach risk assessment procedure — the four-factor test (probability of PHI compromise, sensitivity, who accessed, extent of risk mitigation) is documented and followed
Confirm individual breach notification procedure — written notice to affected individuals within 60 days of breach discovery
Confirm HHS notification procedure — breaches of 500+ individuals reported to HHS within 60 days; breaches of fewer than 500 reported annually in March following the calendar year
Confirm incident response plan is documented and tested — including roles, escalation paths, evidence preservation, and containment procedures
Phase 7
Business Associate Agreement Management
Inventory all business associates — a complete list of all vendors, contractors, and third parties with access to PHI on behalf of the organisation
Confirm a current BAA exists for each business associate — signed, current (reflecting current HIPAA requirements), and meeting all required contract provisions
Include cloud service providers and IT vendors — any vendor who hosts, processes, or has access to ePHI is a business associate requiring a BAA
Review BAAs when business associate relationships change — new services, new vendors, or significant changes to existing arrangements
Confirm business associates have appropriate safeguards — BAAs require business associates to implement HIPAA-equivalent safeguards; periodic verification is a best practice
The Most Frequently Cited OCR Findings — and How to Prevent Each One
Inadequate risk analysis
Most cited finding in all OCR enforcement actions. The risk analysis must be comprehensive, documented, and regularly updated — not a one-time checkbox.
Delayed patient record access
Patients have the right to their records within 30 days. Delays beyond 60 days are a common enforcement target. A defined records access process with tracked deadlines prevents this.
Missing Business Associate Agreements
Many small practices have vendors with PHI access and no BAA in place. The vendor relationship inventory is the first step.
Insufficient workforce training
Training must be documented, role-specific, and conducted at least annually. “We told them about HIPAA at onboarding” is not sufficient documentation.
Inadequate technical safeguards
Unencrypted devices, no automatic logoff, shared passwords, and PHI transmitted via unencrypted email. Each is a readily discoverable technical gap.
No breach response procedures
Organisations that discover a breach without a documented response procedure consistently make avoidable notification timeline violations, compounding the original breach with a procedural violation.
Why Run Your HIPAA Audit in CheckFlow?
1. A structured, recurring annual compliance audit
HIPAA compliance is not a one-time project — it is an ongoing programme with annual requirements (risk analysis, workforce training, policy review) and continuous obligations (BAA management, access control auditing). CheckFlow’s recurring checklist feature schedules the annual HIPAA audit automatically, with all tasks assigned to Privacy Officer, Security Officer, and IT — ensuring the programme runs consistently every year.
2. Audit-ready documentation for OCR review
An OCR audit begins with a documentation request — policies, risk analysis, training records, BAA inventory, and breach logs. Every completed task in CheckFlow is timestamped and attributed to a named person. The full compliance audit record is always current and immediately accessible — not reconstructed in a panic when the OCR letter arrives.
3. Coordinated compliance across Privacy, Security, and IT
HIPAA compliance requires coordination between the Privacy Officer (policies, training, patient rights), the Security Officer (technical and physical safeguards), and the IT team (encryption, access controls, audit logs). CheckFlow assigns tasks to all three simultaneously, tracks their completion, and ensures no safeguard category is deferred while others advance.
HIPAA compliance intersects with broader compliance audit frameworks. For organisations managing multiple compliance frameworks, CheckFlow’s compliance template series includes HIPAA, ISO 27001, FedRAMP, and other standards. See the full HIPAA Compliance Audit Checklist →
Healthcare incidents involving PHI breaches trigger both incident reporting and HIPAA breach notification obligations. CheckFlow’s Healthcare Incident Reporting Checklist covers the incident management process that runs alongside the HIPAA breach response. See the Healthcare Incident Reporting Checklist →
What is a HIPAA compliance audit and what does it cover?
A HIPAA compliance audit assesses whether a covered entity or business associate is meeting the requirements of the three HIPAA Rules: the Privacy Rule (governing how PHI may be used and disclosed, and patient rights), the Security Rule (governing administrative, physical, and technical safeguards for electronic PHI), and the Breach Notification Rule (governing notification to individuals, HHS, and the media when PHI is breached). An internal audit covers seven areas: administrative governance (officer appointments, risk analysis, policies, training), Privacy Rule compliance (NPP, patient rights, BAAs, minimum necessary), Security Rule administrative safeguards (risk management, contingency planning, access management), physical safeguards (facility access, workstation security), technical safeguards (access controls, encryption, audit logs), breach notification procedures, and Business Associate Agreement management.
Who needs to comply with HIPAA?
HIPAA applies to two categories of organisations. Covered entities are healthcare providers who transmit health information electronically (doctors, hospitals, clinics, pharmacies, dentists, psychologists), health plans (insurance companies, HMOs, Medicare, Medicaid), and healthcare clearinghouses. Covered entities represented 82% of all breach reports in the first three quarters of 2025. Business associates are third parties who create, receive, maintain, or transmit PHI on behalf of a covered entity — including EHR vendors, billing companies, cloud storage providers, IT service providers, and coding services. All business associates must have a signed Business Associate Agreement (BAA) and must implement HIPAA-equivalent safeguards.
What are Business Associate Agreements and when are they required?
A Business Associate Agreement (BAA) is a contract required by HIPAA between a covered entity and any third-party service provider who creates, receives, maintains, or transmits PHI on behalf of the covered entity. The BAA obligates the business associate to implement appropriate safeguards, report breaches, return or destroy PHI at the end of the relationship, and flow down HIPAA obligations to any subcontractors. Common business associates requiring BAAs include EHR software vendors, medical billing services, cloud storage providers that host PHI, IT support companies with access to clinical systems, transcription services, and accountants with access to patient billing records. BAAs must be in place before PHI is shared with the business associate.
What are the penalties for HIPAA violations?
HIPAA violations carry civil monetary penalties ranging from $100 to $50,000 per violation, with an annual cap per identical violation of $1.5 million. The penalty tier depends on culpability: unknowing violations carry lower penalties; wilful neglect not corrected carries the maximum. In 2025, the HHS Office for Civil Rights issued 19 resolution agreements totalling over $8 million in penalties — the highest number in a single year on record. Criminal charges can apply to wilful HIPAA violations, with penalties up to $250,000 and imprisonment for the most serious cases. Violations also appear on the HHS “Wall of Shame” breach portal, with significant reputational consequences.
Is CheckFlow free for this template?
You can start a free 14-day trial with no credit card required, giving you full access to all features including this template. The Business plan is $10 per user per month after the trial. Full details at checkflow.io/pricing.
Build a HIPAA Compliance Programme That Survives an OCR Audit